SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #31

April 18, 2008

Wireless threats and countermeasures: A free, exhaustive compilation of all wireless vulnerabilities and exploits (WVE) is being compiled by Josh Wright, the best wireless security teacher we've ever seen. It covers WiFi, WiMax & Bluetooth, and is being adopted by the vendor products. You'll find it at www.wve.org. Josh also made a scary YouTube video on Bluetooth ear piece hacking: http://youtube.com/watch?v=1c-jzYAH2gw And Josh created an extraordinary course on pen testing and securing wireless networks, that you can take at home or four cities: SANS @Home (May 1-Nuly 24) www.sans.org/athome/details.php?nid=10714 San Diego (5/11-16) www.sans.org/securitywest08/description.php?tid=1637 Brussels (6/16-21) www.sans.org/securebrussels08/description.php?tid=1637 Washington DC (7/24-29) www.sans.org/sansfire08/description.php?tid=1637 Boston (8/11-16) www.sans.org/boston08/description.php?tid=1637

Alan

---

TOP OF THE NEWS

PayPal to Ban Unsafe Browsers
Man Pleads Guilty in Botnet Wiretapping Case
Proposed Australian Law Would Allow Some Employers to Intercept Employee Electronic Communications
Latest Major Whaling Attack Uses US District Court Subpoena

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Releases Draft Info Systems Risk Management Document for Comments
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox and Safari Browsers Updated
BT Home Hub Wireless Routers Vulnerable in Default Setting
Windows XP SP3 Expected Out Later This Month
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Executable That Infected Thousands of Websites Uncovered
OK Dept. of Corrections Fixes Data Leak
STATISTICS, STUDIES & SURVEYS
Data Breach Can Cost a Business Customers
MISCELLANEOUS
Ships Responsible for Undersea Cable Damage Located With Satellite Imagery
LIST OF UPCOMING FREE SANS WEBCASTS
Data Breach Can Cost a Business Customers
MISCELLANEOUS
Ships Responsible for Undersea Cable Damage Located With Satellite Imagery
LIST OF UPCOMING FREE SANS WEBCASTS

---

************************ Sponsored By SANS ******************************

Is your organization considering a database security solution? Read SANS latest white paper ("Understanding & Selecting a Database Activity Monitoring Solution") on the growing D.A.M. market and learn what key criteria to consider when selecting products. Authored by independent security consultant Rich Mogull, this report explores how Database Activity Monitoring gives insight into our most sensitive systems in a non-intrusive way, and can evolve into a proactive security defense. It's one of the few tools that can immediately improve security and http://www.sans.org/info/27868

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************

---

TOP OF THE NEWS

PayPal to Ban Unsafe Browsers (April 17, 2008)

PayPal plans to implement a scheme to prevent users from conducting transactions through browsers that do not have anti-phishing technology. The web-based payment company likened conducting transactions on unsafe browsers to selling a car with no seatbelts. The company presently warns users that they are using unsafe browsers, but allows them to access the site. In a future phase of the plan, users will not be permitted to access the site if they are using unsafe browsers.
-http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/
[Editor's Note (Pescatore): IE7 and the latest versions of Firefox, et al, have the anti-phishing technology, so this is not that big a deal to PC users. But for many mobile devices it means no PayPal use. PayPal will surely back off. PayPal would be better off re-energizing its efforts in moving PayPal users away from reusable passwords. ]

Man Pleads Guilty in Botnet Wiretapping Case (April 16, 2008)

John Schiefer has pleaded guilty to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. Schiefer used the computers he infiltrated to create a botnet that he then used to search out other vulnerable systems. He used spybot malware to harvest sensitive information such as account user names and passwords that he then used to steal funds. The case marks the first guilty plea to wiretapping in connection with botnets. Schiefer also provided the purloined information to others who used it to commit fraud. He is scheduled for sentencing on August 20, 2008, when he will face up to 60 years in prison and a fine of up to US $1.75 million.
-http://www.cybercrime.gov/schieferPlea.pdf
[Editor's Note (Schultz): Let's hope that the judge who sentences him will give Schiefer a sentence that is proportional to the horrendous crime that he committed. ]

Proposed Australian Law Would Allow Some Employers to Intercept Employee Electronic Communications (April 14, 2008)

Proposed legislation in Australia would give employers the power to intercept employees' email and Internet communications without their consent. The powers are part of a law aimed at protecting the country's critical infrastructure from cyber attacks; the law would amend the Telecommunications (Interception) Act. The powers would apply to employers who operate elements of the critical infrastructure; presently, only security agencies have that power. Australian Attorney General Robert McClelland says he has been told that a major cyber attack could cause "far greater economic damage than would ... a physical attack." Civil rights groups are opposed to the proposed expanded powers, saying they could be abused.
-http://www.smh.com.au/news/technology/bosses-power-to-check-email/2008/04/13/120
8024990775.html?page=fullpage#contentSwap1
[Editor's Note (Schultz): Allowing employers to monitor employee email and other Internet activity without consent has become a precedent for quite a while ago in the US. What disturbs me about the proposed legislation then is that there appears to be no requirement for employers to pre-warn employees that such activity is occurring, something that ought to be done to help employees be aware that they have no privacy when they are on company-owned computing systems. ]

Latest Major Whaling Attack Uses US District Court Subpoena (April 16 & 17, 2008)

A spear phishing attack emerged this week targeting high-level executives at US firms. The emails, which include the executives' names and other specific information, appear to be subpoenas from the US District Court in San Diego. The link, which is supposed to be a copy of the subpoena, actually installs malware on the victim's computer that is capable of logging keystrokes and sending the harvested information to the attacker. An additional piece of malware allows the attacker to take remote control of the victim's computer. Phishing attacks that target corporate "big fish" have been referred to as "whaling."
-http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=1&ei=5088&e
n=6440ba388ff2ce84&ex=1366084800&oref=slogin&partner=rssnyt&emc=
rss&pagewanted=print
-http://www.theregister.co.uk/2008/04/16/whaling_expedition_continues/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9078398&source=rss_topic17
[Editor's Note (Honan): As these "Whaling" attacks are becoming more prevalent you should ensure you make your senior management on this threat. Reviewing their profiles on online business networks and Googling their names is one way of highlighting to them the amount of personal information they are leaking which could be used against them. ]

---

********************** Sponsored Links: *******************************

1) PacketMotion delivers unprecedented visibility and real-time control of insider threats. Learn more and first 100 respondents receive a complementary Elsevier book "Insider Threat" - $35 value. http://www.sans.org/info/27873

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

NIST Releases Draft Info Systems Risk Management Document for Comments (April 16, 2008)

The National Institute for Standards and Technology (NIST) has released the second public draft of Special Publication 800-39, "Managing Risk from Information Systems: An Organizational Perspective." NIST is accepting public comment on the document through April 30. The new draft includes considerable revisions based on comments on the previous draft. NIST expects to publish a draft revision of Special Publication 800-30, "Risk Management Guide for IT Systems," in July.
-http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
[Editor's Note (Pescatore): This is not a bad document but the reality is while risk management frameworks haven't really changed since the mainframe days (there are only so many ways you can say Categorize/Select/Implement/Assess/Authorize/Monitor), the actual processes and mechanisms that business have to use to protect rapidly changing business processes, that depend on a rapidly changing technology infrastructure, against a rapidly changing threat have to change constantly. So, it is always good to have defined and consistent risk management processes as a starting point, but just think of all the financial institutions that have just melted down, even though they had huge, formal risk management processes. The rubber meets the road in actually protecting critical business systems and information. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Firefox and Safari Browsers Updated (April 16 & 17, 2008)

Both Firefox and Safari have been updated to address security flaws. The Firefox update, which brings the Mozilla browser to version 2.0.0.14, fixes a flaw in its JavaScript Garbage Collector function that could be exploited to cause memory corruption and execution of arbitrary code. Apple released updates for Safari for both Windows and Mac OS X to fix a number of vulnerabilities - some that affect both versions and some that affect just the Windows version. One of the flaws addressed was the one used to crack the MacBook Air at a recent security conference contest. Safari users running either operating system should update to version 3.1.1.
-http://www.theregister.co.uk/2008/04/17/alt_browser_updates/print.html
-http://www.heise.de/english/newsticker/news/106641
-http://www.eweek.com/c/a/Security/Apple-Patches-MacBook-Air-Hijack-Flaw/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9078378&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9078399&source=rss_topic17
[Editor's Note (Grefer): Given the stunt Apple pulled by pushing Safari onto iTunes customers' computers, there was a dire need to fix some of Safari's vulnerabilities. ]

BT Home Hub Wireless Routers Vulnerable in Default Setting (April 14 & 17, 2008)

Default settings on the BT Home Hub, the wireless router supplied to BT Broadband customers in the UK, could allow attackers to discover Wired Equivalent Privacy (WEP) keys in an average of 80 guesses. If someone were to gain access to another person's wireless router, s/he could be privy to the owner's Internet activity or even launch attacks on other systems on the same network. A BT spokesperson says users are encouraged to change the routers' default settings. Users should also consider changing from WEP to WPA, or Wi-Fi Protected Access.
-http://www.csoonline.com/article/334163/Researcher_BT_Home_Hub_Wi_Fi_Security_Ea
sy_to_Crack
-http://www.theregister.co.uk/2008/04/14/bt_home_hub_encryption_weakness/print.ht
ml
-http://www.vnunet.com/vnunet/news/2214556/hackers-bt-home-hub-security
-http://news.zdnet.co.uk/security/0,1000000189,39386034,00.htm
[Editor's Note (Pescatore): Anyone out there in the UK know if the "Mind the Gap" announcements and t-shirts and the like have reduced the number of incidents in the Tube where people fall into the gap between the train and the station platform? Being pessimistic about human nature changing, I sort of doubt it - but if it actually worked, perhaps the IT industry can sponsor a similar "Mind the Default" campaign...]

Windows XP SP3 Expected Out Later This Month (April 15, 2008)

Microsoft plans to release Windows XP Service Pack 3 (SP3) later this month, according to an internal document. SP3 will be available to computer manufacturers, volume licensing customers and posted to the TechNet and Microsoft Developer Network on April 21; it will be made available to all users through Windows Update eight days later, on April 29. SP3 will not be pushed out to users until June 10.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9077958&source=NLT_PM&nlid=8

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Executable That Infected Thousands of Websites Uncovered (April 16 & 17, 2008)

Researchers at the SANS Institute's Internet Storm Center (ISC) have found the malicious tool responsible for infecting thousands of legitimate websites earlier this year so that they served malware to visitors. The tool performs automates SQL injection attacks against vulnerable web sites and inserts an iFrame that tries to infect website visitors' computers. To review the analysis at the source (Internet Storm Center):
-http://isc.sans.org/diary.html?storyid=4294
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310067,00.h
tml
-http://www.theregister.co.uk/2008/04/16/mystery_web_compromise_unpicked/
-http://www.heise-online.co.uk/news/Mysterious-infection-of-ten-thousand-web-site
s-explained--/110556

OK Dept. of Corrections Fixes Data Leak (April 16 & 17, 2008)

A coding error on the Oklahoma Department of Corrections website potentially exposed thousands of records containing sensitive information on the Internet. The problem, which existed for approximately three years, has been fixed. The vulnerability affected personal information, including some Social Security numbers (SSNs) of individuals listed in Oklahoma's Sexual and Violent Offender Registry as well as of department employees. The vulnerability could also have been exploited to alter records' content.
-http://www.computerworld.com/action/article.do?command=viewA
-http://www.scmagazineus.com/Coding-error-exposes-sex-offender-personal-data/arti
cle/109109/

STATISTICS, STUDIES & SURVEYS

Data Breach Can Cost a Business Customers (April 15 & 17, 2008)

A study from the Ponemon Institute found that nearly one-third of people who were notified of a data security breach affecting their personal information no longer conduct business with the company that suffered the breach. Fifty-five percent of respondents said they had been notified of more than one breach of their personal data in the last two years; eight percent had received four or more breach notifications. Sixty-three percent of respondents said their notification letters offered no information about steps to take to protect their data. More than half of the respondents said they were notified of breaches more than a month after the fact. Just two percent of respondents said they had been victims of identity fraud as a result of a data breach.
-http://www.darkreading.com/document.asp?doc_id=151378
-http://www.marketwire.com/mw/release.do?id=844160
[Editor's Note (Schultz) Finally! Evidence exists that the risk of data security breaches needs to be taken more seriously by businesses because if not, they are likely to lose a substantial portion of customers whose data were compromised.
(Paller): As in all scientific research, confirmation of these results must be found before relying upon them. However, if they hold true, they are quite important. Reasons the research needs confirmation: potential bias in the responders' self selection and potential mis-informaion in answers. If they were angry, they might have been more likely to respond, and angry people sometimes say they stopped using a service when they meant they wanted to stop but the convenience costs of stopping were too high. ]

MISCELLANEOUS

Ships Responsible for Undersea Cable Damage Located With Satellite Imagery (April 7 & 14, 2008)

India-based cable company Reliance Globalcom used satellite imagery to identify two ships whose anchors damaged the company's undersea cables earlier this year. The ships were located in the port of Dubai and impounded. Owners of a Korean-owned ship, the MT Ann, admitted liability, paid US $60,000, and had the MT Ann released. The other ship remains impounded. The MV Hounslow, which is believed to be Iraqi-owned, allegedly abandoned the anchor that caught in the cable and caused the damage; Reliance is seeking US $350,000 in connection with the incident.
-http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=2008040759181200.htm&am
p;date=2008/04/07/&prd=th&
-http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address
=116x16610

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25528

Sponsored By: Code Green Networks
-http://www.codegreennetworks.com/

Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organizations security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution, does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost effective way to reduce risk. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detail understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

***
Tool Talk Webcast: Log Management for Security Monitoring and IT Operations
WHEN: Wednesday, April 23, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ansh Patnaik
-http://www.sans.org/info/25533
Sponsored By: ArcSight
-http://www.arcsight.com/


While Log Management investments have primarily focused on compliance, the right platform can be used for much more - security monitoring, forensics analysis and IT operations. However, to effectively address these use cases log management solutions must offer a broader set of platform capabilities. It's not just about compliance - it's about analysis optimized data collection, simplicity of ad hoc searches, flexibility of reporting, personalized dashboards, real time correlation alerts and more. Most importantly it's about unleashing the value of logs to a broader set of constituents within the enterprise.

***
Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
-http://www.sans.org/info/25538
Sponsored By: NIKSUN
-http://www.niksun.com/


Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as these data, voice, video convergence becomes ubiquitous.

***
SANS Special Webcast: How to Stop Serious Threats from Evading Detection
WHEN: Monday, April 28, 2008 at 1:30PM EDT (1730 UTC/GMT)
FEATURING: Amit Yoran, CEO NetWitness Corporation
-http://www.sans.org/info/27094
Sponsored By: NetWitness
-http://www.netwitness.com/


This Webcast will describe an approach that will enable your organization to detect and stop designer malware, zero-day attacks, and non-signature-based threats to improve overall network visibility, and to detect the leakage and exfiltration of valuable corporate data. We will employ specific technical case studies and demonstrations to highlight the value of such an approach.

***
Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACT
WHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alex Horan
-http://www.sans.org/info/25539
Sponsored By: Core Security

The 2007 "SANS Top 20 Internet Security Risks" report makes it clear that attackers can now circumvent many traditional countermeasures, so simply implementing countermeasures is no longer enough. In fact, short of experiencing a breach, the only way to really know your security posture is by continually testing the defenses you've worked so hard to put in place.

***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
-http://www.sans.org/info/24614
Sponsored By: HP

This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************