SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #35
May 02, 2008
The SANS Secure Programming Council has completed a first draft of procurement language that ensures software developers build security into the applications they deliver. The Council is looking for other large user organizations that have created procurement language to ensure custom programs and COTS software have few or no security flaws. Email apaller@sans.org and tell us what you have done so far.
Alan
TOP OF THE NEWS
US Court Says Making Music Available is Not Copyright InfringementCourt Ruling on Electronic Border Searches
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSHSBC Clerk Charged with Trying to Steal 70 Million GBP
Man Draws 18-Month Sentence for Infecting NASA Employee's Computer
Former UCLA Medical Center Employee Indicted For Allegedly Selling Celebrity Medical Info
Warez Purveyor Sentenced to Two-and-a-Half Years in Prison
Israeli PIs Sentenced for Using Trojan to Steal Data
21 Months in Prison for Spammer
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Kraken Cracked; Now What?
MISCELLANEOUS
HMRC Says 600 Have Been Disciplined for Unauthorized Record Access
Childnet Campaign Focuses on Dangers of Illegal Filesharing
Jerome Kerviel Has New Job
LIST OF UPCOMING FREE SANS WEBCASTS
******************** Sponsored By PacketMotion **************************
How do you safeguard intellectual property, sensitive information and compliance-relevant data without hampering employee and contractor productivity? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions and information assets.
Download the FREE, must-read whitepaper "TRUST BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical Information" now.
http://www.sans.org/info/28488
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
US Court Says Making Music Available is Not Copyright Infringement (April 29 & 30, 2008)
A US District Court judge in Arizona has denied the Recording Industry Association of America's (RIAA) request for a summary judgment against Pamela and Jeffrey Howell for making music files on their computer available to filesharers. The Howells copied music files from CDs they owned onto their computer and downloaded peer-to-peer file sharing software onto the same machine. Judge Neil V. Wake said that merely making music files available is not tantamount to distribution or primary copyright infringement. Even if the Howells had placed the files in a shared folder, which they maintain they did not, they would be responsible only for contributing to copyright infringement if someone copied the file. The RIAA maintains the couple is guilty of piracy and offered screenshots that show the music files as publicly available. Jeffrey Howell said that Kazaa copied content from folders that were not public. The Electronic Frontier Foundation (EFF) has filed an amicus brief on behalf of the Howells. The suit will now go to trial.-http://www.informationweek.com/news/personal_tech/music/showArticle.jhtml;?artic
leID=207403664
-http://www.news.com/8301-10784_3-9932004-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
[Editor's Note (Shpantzer): In a separate federal court decision, the songwriters and publishers are owed untold millions by online music streaming companies, including RealNetworks, Yahoo! and AOL in this recent case:
-http://www.news.com/8301-10784_3-9933626-7.html?tag=nefd.top]
Court Ruling on Electronic Border Searches (April 23, 30 & May 1, 2008)
The Association of Corporate Travel Executives (ACTE) is warning members "and all business travelers to limit proprietary information on laptop computers when crossing US borders." ACTE issued the warning after an April 21 federal appeals court decision that "gives customs officials the unfettered authority to examine, copy, and seize traveler's laptops - - without reasonable suspicion." The decision covers a range of electronic devices; in addition to seizing data from laptops, US Customs and Border protection officials can seize data from cell pones, handheld computers, digital cameras and USB drives. The EFF, the American Civil Liberties Union (ACLU), and the Business Travel Coalition have written a letter asking that the House Committee on Homeland Security "consider legislation to prevent abusive search practices by border agents and protect all Americans against suspicionless digital border inspections."-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9081358&source=rss_topic17
-http://www.acte.org/resources/press_release.php?id=284
-http://www.theregister.co.uk/2008/05/01/electronic_searches_at_us_borders/print.
html
[Editor's Note (Ranum): It's as if someone in the administration mistook his copy of "1984" for a road-map not a novel.
(Schultz): Customs officials' ability to seize any kind of property without reasonable suspicion lamentably once again shows the current level of disregard for individual rights in the United States. Big brother is not only watching; big brother is being totalitarian.
(Honan) A number of organisations outside the US have banned staff from travelling to the US with laptops or other electronic devices. ]
********************** Sponsored Links: *******************************
1) Upcoming SANS Webcast on May 8th at 1pm EDT, Ask The Expert Webcast: Enterprise Incident Management with Security Monitoring. Register Today!
http://www.sans.org/info/28493
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
HSBC Clerk Charged with Trying to Steal 70 Million GBP (May 1 & 2, 2008)
HSBC administrative clerk Jagmeet Channa has been charged with conspiracy to defraud, money laundering and abusing a position of trust for attempting to steal GBP 70 million from the bank. Channa's responsibilities included checking trade records at the end of the day. He allegedly used his position to transfer funds from one account into another; the bank detected the suspicious activity and notified police.-http://www.mailonsunday.co.uk/pages/live/articles/news/news.html?in_article_id=5
63304&in_page_id=1770
-http://www.independent.co.uk/news/business/news/hsbc-calls-in-police-over-allege
d-16370m-fraud-attempt-819796.html
Man Draws 18-Month Sentence for Infecting NASA Employee's Computer (May 1, 2008)
A Nigerian man has received an 18-month prison sentence for tricking a NASA employee into installing spyware on her computer. Posing as a man from Texas, Akeem Adejumo met the woman on an online dating site. He sent a phony photograph to the woman at her work email address; when she opened it, her computer was infected with spyware. While it did not spread to other NASA computers, it did capture her email, passwords, Social Security number (SSN) and other sensitive information, including 25,000 screen shots. Some NASA information was taken as well, but the woman did not have access to sensitive data. NASA IT security team sensors detected the screenshots being sent from the network and began an investigation. Through analysis of traffic logs, and email account information obtained through warrants and subpoenas, investigators determined the attacker's IP address and contacted law enforcement officials in Nigeria.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9081838&source=rss_topic17
[Editor's Note (Northcutt): A key point is that he did the online dating scam from Nigeria pretending to be in Texas and tried this on several hundred women with more than a few successes. According to the DOJ press release NASA Office of Inspector General worked pretty hard on this one. But the big key is that NASA detected the information being sent out. A lot of organizations that blindly trust in their IPS would not detect the bad event:
-http://www.usdoj.gov/usao/dc/Press_Releases/2008%20Archives/April/08-099.html]
Former UCLA Medical Center Employee Indicted For Allegedly Selling Celebrity Medical Info (April 30, 2008)
A federal grand jury has indicted Lawanda Jackson for allegedly using her position as an administrative specialist at UCLA Medical Center to access celebrities' health records and selling the information to tabloids. Lawanda Jackson could receive a prison sentence of up to 10 years if she is convicted. Additional defendants may be charged in the case. Jackson allegedly accessed information about Farrah Fawcett, Maria Shriver, and 60 other well-known people, and allegedly leaked medical information about Fawcett to a tabloid. The charges against Jackson were brought under the Health Insurance Portability and Accountability Act (HIPAA). Jackson resigned from UCLA Medical Center last summer.-http://www.latimes.com/news/local/la-me-ucla30apr30,0,6169637,full.story
[Editor's Note (Ranum): Ultimately, all computer security problems resolve down to trust. The broader question is "why did an administrative specialist" have unfettered read access to a patient database?"
(Paller): Databases can lock down access as Marcus points out. The counter question is whether medical service will be substantively damaged by limiting access to information. This is one of a series of tough issues medical facilities are facing as organized crime groups increasingly target them for data theft/extortion schemes.]
Warez Purveyor Sentenced to Two-and-a-Half Years in Prison (April 29, 30 & May 1, 2008)
David M. Fish, of Woodbury, Connecticut, has been sentenced to 30 months in prison for operating warez websites. Fish pleaded guilty to charges of criminal copyright infringement and circumvention. The websites offered pirated copies of music, movies and software for downloading. The arrest and conviction are part of Operation Copycat, a joint investigation by the FBI and the US Attorney's Office. Fish will serve three years of supervised release upon completion of his prison sentence; he will also forfeit all equipment, including computers, used to commit the offenses.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9081198&source=rss_topic17
-http://www.usdoj.gov/usao/can/press/2008/2008_04_29_fish.sentenced.press.html
Israeli PIs Sentenced for Using Trojan to Steal Data (April 28 & 29, 2008)
Four Israeli private investigators have been sentenced for using Trojan horse programs to steal sensitive data. All four worked at the Modi'in Ezrahi private investigation firm. Three of the four were given jail terms of between nine and 18 months; the other was fined 250,000 Israeli shekels (US $72,565) and given 10 months of probation. Three other defendants were also fined and had their private investigator's licenses revoked. The malware used in the case was developed by Michael and Ruth Haephrati and sold to the agency; the Haephratis were sentenced to jail in 2006.-http://www.theregister.co.uk/2008/04/29/spyware-for-hire/print.html
-http://www.jpost.com/servlet/Satellite?cid=1208870514347&pagename=JPost%2FJP
Article%2FShowFull
-http://www.techworld.com/security/news/index.cfm?newsID=12121&pagtype=all
-http://www.vnunet.com/vnunet/news/2215484/gumshoes-come-unstuck-trojan
21 Months in Prison for Spammer (April 28 & 29, 2008)
Edward Davidson has been sentenced to 21 months in federal prison for tax evasion and sending spam. Davidson sent hundreds of thousands of spam messages with falsified header data over a period of nearly five years. According to authorities, Davidson made US $3.5 million sending the spam for a number of companies; some of the spam attempted to manipulate stock prices with false investment tips. Davidson was also ordered to pay more than US $700,000 to the Internal Revenue Service (IRS).-http://www.usatoday.com/tech/news/computersecurity/2008-04-29-spam-sentencing_N.
htm?csp=34
-http://www.denverpost.com/news/ci_9094336
-http://www.lawfuel.com/show-release.asp?ID=17786
[Editor's Note (Shpantzer): Manipulating stock prices with false investment tips, the old 'pump and dump' scheme of the boiler room callers, transferred to fax and then went online years ago, along with other forms of fraud. The SEC's watching and taking action on this and other cases. Start looking here
-http://www.sec.gov/cgi-bin/txt-srch-sec?text=pump+and+dump§ion=Enforceme
nt&sort=date]
(Grefer): Unless I am missing something here, this decision sends the wrong message. With US $3.5 million of revenue from the operation and owing US $700,000 to the IRS, this still leaves US $2.8 million. Even if we were to allow for very generous operating costs of $700,000 (far out of proportion), this would result in a profit of US $100,000 for each month to be spent in jail on the tax payers' expense. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Kraken Cracked; Now What? (May 1, 2008)
Now that researchers have reverse-engineered and potentially gained control of the Kraken botnet, the question becomes what to do next. Their ability to control the infected computers gives them the power to redirect the computers and even send them updates through the Kraken protocol to remove the zombie. Some are in favor of the idea, while others question the ethics behind removing something, even malware, from someone's computer without their consent.-http://www.theregister.co.uk/2008/04/29/kraken_botnet_infiltrated/
-http://www.eweek.com/c/a/Security/Kraken-Botnet-Infiltration-Triggers-Ethics-Deb
ate/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9081258&source=rss_topic17
MISCELLANEOUS
HMRC Says 600 Have Been Disciplined for Unauthorized Record Access (May 1, 2008)
Since 2005, more than 600 HM Revenue and Customs (HMRC) employees have been disciplined, some even losing their jobs, for accessing tax data without authorization. HMRC policy forbids staff from accessing records unless there is "a legitimate business need" to do so. HMRC's data security practices have come under scrutiny since they acknowledged that disks containing sensitive personal information of millions of individuals were lost.-http://www.financialdirector.co.uk/accountancyage/news/2215656/tax-staff-discipl
ined-snooping
-http://www.itpro.co.uk/security/news/193587/hmrc-staff-fired-for-looking-at-sens
itive-data.html
[Editor's Note (Ranum): Do you notice something wrong here? "HMRC policy forbids staff from accessing records unless there is 'a legitimate business need' to do so." How about building databases so that staff can't access things they don't have a legitimate business need to access? ]
Childnet Campaign Focuses on Dangers of Illegal Filesharing (April 30, 3008)
Childnet International is launching a campaign to inform children about the dangers inherent in illegal music downloading. A pamphlet distributed to schools and colleges in 21 countries around the world lets the children know that copying and sharing digital content without permission or payment is illegal, and that people who share files in this way are opening their computers to viruses and other malware. In addition, the pamphlet explains that parents can be held liable for the actions of their children. It also lets the children know that there are legal websites where they can purchase music. The pamphlet effort was funded in part by the International Federation of the Phonographic Industries.-http://news.bbc.co.uk/2/hi/technology/7375621.stm
-http://www.childnet-int.org/music/advice_p.html
Jerome Kerviel Has New Job (April 25 & 28, 2008)
Jerome Kerviel, the former Societe Generale trader whose alleged surreptitious activity caused the bank losses of 4.9 billion Euros (US $7.6 billion), has found a new job. Kerviel was hired last month as a computer consultant by the French firm Lemaire Consultants & Associates. He is permitted to have the job because the judge in his case changed the terms of his provisional release from prison. He spent five weeks in custody and was released on bail on March 18. Kerviel may not be near any place where financial trading occurs. He is facing charges of breach of trust, forgery, and unauthorized computer activity. He could be sentenced to as many as three years in prison and fined 370,000 Euros (US $572,260).-http://www.guardian.co.uk/business/2008/apr/25/kerviel.job?gusrc=rss&feed=ne
tworkfront
-http://www.nytimes.com/2008/04/26/business/worldbusiness/26socgen.html?_r=1&
scp=1&sq=kerviel&st=nyt&oref=slogin
UPCOMING SANS WEBCAST SCHEDULE
WhatWorks in Intrusion Detection and Prevention: Easing the Pains of PCI Compliance at AirTran Airways:WHEN: Tuesday, May 06, 2008 at 1:00 PM EDT (UTC/GMT)
FEATURING: Alan Paller and Michelle Stewart
-http://www.sans.org/info/27099
Sponsored By: Lancope
-http://www.lancope.com/
Looking for a solution to ease the pains of PCI compliance, the data security manager for AirTran Airways needed a product that provided increased visibility into network behavior and accountability. It had to be behavior based and capable of collecting information from a widely dispersed network. She found a solution that was scalable, cost-effective and helps to quickly identify and resolve network and security issues.
****This Webcast was previously scheduled for 4/15/08****
NEW DATE/TIME: Wednesday, May 7, 2008 at 1:00pm EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole and Michael Yaffe
-http://www.sans.org/info/25519
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/
The information security world is taxing. We spend a lot of time fixing problems that often don't stay fixed. New vulnerabilities are discovered daily, and applying one update or patch sometimes exposes weaknesses elsewhere. We hope that our IPS and firewalls can cover while we try to keep up, but how do we really know that things are working the way they should be?
***
Ask the Expert Webcast: Enterprise Incident Management with Security Monitoring
WHEN: Thursday, May 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre
-http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems
-http://www.prismmicrosys.com/
Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.
***
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/27109
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/
The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
***
Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
-http://www.sans.org/info/27114
Sponsored By: PacketMotion
-http://www.packetmotion.com/
Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/