SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #36

May 06, 2008

A few months ago I mentioned two new penetration testing courses -- one for testing networks and systems and one for testing applications. The student feedback is now flowing in, and they are the highest rated courses we have ever run. But more importantly, they are changing the face of penetration testing because the students are learning techniques that have previously been kept secret by the most advanced testers. For Network/System penetration testing:
see courses at http://www.sans.org/pentesting08_summit/
For Web Application testing:
see courses at http://www.sans.org/appsec08_summit

Alan

PS The deadline for early registration savings is May 7 (tomorrow).

---

TOP OF THE NEWS

US Intelligence Agencies to Gather Info on Cyber Threats
Indian Government Sites Penetrated; Chinese Hackers Blamed
Phony Subpoena Whaling Has "Incredibly High" Penetration

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Swedish Man Convicted of File Sharing
Military Contractor Arrested After Selling Data Stick to Undercover Agent
Japanese City Employee Demoted for Surfing Porn at Work
POLICY & LEGISLATION
Virginia Board of Ed. Mandates Internet Safety Education
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Head of Indian PGI Targeted By Email Attack
Nine Memory Sticks Stolen from Hong Kong Hospitals
UCSF Delays Notifying Patients of Data Exposure
STATISTICS, STUDIES & SURVEYS
Purdue's CERIAS Program Rated the Top US Information Security Program
MISCELLANEOUS
US Considers Options After DDoS Attack and Diplomat Expulsions
Microsoft Bluehat Sessions Highlight Weaknesses In Anti-Virus Software
Hundreds of Laptops Missing at U.S. Dept of State.
LIST OF UPCOMING FREE SANS WEBCASTS

---

****************** Sponsored By HP (SPI Dynamics) ***********************

Top 4 AJAX Security Dangers - Free White Paper!
Are you ready for AJAX? Hackers definitely are!
With the growth of Web 2.0 and Rich Internet Applications (RIA), developers are rapidly adopting AJAX and unknowingly exposing serious security risks.
This free whitepaper, from HP Software, 'AJAX Security Dangers', provides more information about AJAX and its risks.
http://www.sans.org/info/28543

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Intelligence Agencies to Gather Info on Cyber Threats (May 2, 2008)

According to an unnamed senior Bush administration official, US spy agencies will be required to gather intelligence on cyber threats to the country's computer networks. A January Presidential directive gave US intelligence agencies the authority to monitor federal network traffic to prevent intrusions and data theft. The new directive will allow gathered information to be shared with the private sector. The problem with such arrangements is that when information about attacks and intrusions is shared, it has the potential to disclose some avenues of infiltration and attack that US intelligence agencies use offensively.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/05/02/AR2008050201646_
pf.html
[Editor's Note (Skoudis): The story describes an interesting dilemma faced by many governments: revealing too much information about bad guy attack techniques with the goal of helping defend infrastructures may impact that governments' ability to use the same techniques for intelligence or military activities. There's a related aspect as well - -- by revealing too much information about sophisticated attacks, we could be inviting copy-cat attacks and spreading attack blueprints to a whole new group of bad guys. I'm not against this sharing of information to help defenders, but I do note that there is a difficult balance to achieve here. ]

Indian Government Sites Penetrated; Chinese Hackers Blamed (May 5, 2008)

Reports are coming out that Chinese attackers used :sophisticated and complete" attacks to break into the computer networks of the Indian National Informatics Centre aimed at the National Security Agency, and into the network of the Ministry of External Affairs. This is early evidence that the massive attacks against US and other Western countries has expanded to India. The attackers are seeking military and financial advantage.
-http://www.dailytech.com/India+Accuses+China+Of+Attacks+Seeks+To+Defend+Itself+I
n+Digital+War/article11687.htm
-http://www.financialexpress.com/news/A-virtual-war-on-terror/305242/

Phony Subpoena Whaling Attack Has "Incredibly High" Penetration (May 5 2008)

Attackers sent realistic, but phony legal documents to executives at Citibank, eBay and America Online, among many others, fooling them into clicking on a link that installed keystroke logging software. The legal document appears to be a subpoena from the US Federal District Court in San Diego. The fake documents were effective both because of their use of legal language and because they included the exact names, phone numbers and companies of the target.
-http://afp.google.com/article/ALeqM5icpWGNHQrwvd-ohpTweHi-pmr0IA

---

********************** Sponsored Links: ******************************* 1) The Gartner IT Security Summit will help you break through conventional thinking and position yourself for the future of Information Security - technically, organizationally, politically, economically and globally. The Summit will provide insight and a vision of how things will evolve over the long term and provide road maps on how enterprises and solutions providers will get there. To learn more:
http://www.gartnerinfo.com/tr/g/sec14_23

2) Recent SANS Analyst White Paper and web cast available, "Security and Performance on Converged Networks" Click here to listen and get the paper.
http://www.sans.org/info/28548

3) Upcoming SANS Webcast on May 8th at 1pm EDT, Ask The Expert Webcast: Enterprise Incident Management with Security Monitoring. Register Today!
http://www.sans.org/info/28553

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Swedish Man Convicted of File Sharing (May 5, 2008)

Andreas Karlson has been found guilty in a Swedish court in what has become Sweden's largest file sharing case to date. Karlson denied charges of making over 4,500 music files and more than 30 movies available for download from the Internet in March 2006. The court fined Karlson 10,000 Swedish Kronor (US$ 1,655) and imposed a suspended sentence. The case is seen as a landmark ruling in Sweden's fight against charges that it has become a centre for Internet piracy.
-http://www.thelocal.se/11550/20080505/
-http://news.smh.com.au/swedish-court-convicts-man-of-file-sharing/20080506-2b7i.
html

Military Contractor Arrested After Selling Data Stick to Undercover Agent (May 2, 2008)

A former US military contractor employee has pleaded guilty to aggravated identity theft. Randall Craig worked at the Marine Corps Reserve Center in San Antonio, TX and was arrested after he sold a thumb drive containing the names and Social Security numbers (SSNs) of 17,000 military employees to an individual he believed to be a representative of a foreign government. The individual was, in fact, an undercover FBI agent. Craig also pleaded guilty to exceeding authorized access to a computer. The unauthorized access charge carries a maximum sentence of five years and a maximum fine of US $250,000. The identity theft charge carries a mandatory two-year sentence to be served consecutively with the other sentence and also carries a maximum fine of US $250,000. He is currently being held without bond.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9082158&intsrc=news_ts_head

Japanese City Employee Demoted for Surfing Porn at Work (May 2, 2008)

An unnamed city employee in Kinokawa, Japan has been demoted for logging hundreds of thousands of hits on pornographic web sites on his computer at work in just nine months. The situation came to light when the man's computer became infected with malware and officials looked at his browser history. While he has not been fired, his demotion comes with a pay cut of approximately 20,000 yen (US $190) a month.
-http://news.bbc.co.uk/2/hi/asia-pacific/7379742.stm

POLICY & LEGISLATION

Virginia Board of Ed. Mandates Internet Safety Education (May 3, 2008)

Virginia public schools will be teaching Internet safety education to students in grades K-12 to satisfy state Board of Education mandated Internet safety instruction. Ultimately, Internet safety and skills lessons will be integrated into the district's curriculum rather than being taught as a separate subject.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/05/02/AR2008050203831_
pf.html
[Editor's Note (Skoudis): This is good news. People need to understand the basics of securing their Internet activities, or else attacks will continue to escalate. This knowledge doesn't seem to be innate, unlike locking your front door in a bad neighborhood, so it must be taught. I applaud efforts like this.
(Kreitner): I hope this instruction includes some content on personal responsibility and other cultural perspectives as well as safety. I think we adults greatly underestimate the cultural aspects of the Internet in terms of its influence on young people's thinking. For example, I am astounded at the potentially embarrassing information students put on My Space and Facebook apparently based on some extension of their assumption about anonymity on the Internet.

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Head of Indian PGI Targeted By Email Attack (May 3, 2007)

An email sent to the friends of PGI director K K Talwar said the director was in Nigeria and in dire need of money. A nearly identical attack targeted Panjab University's former vice-chancellor K N Pathak.
-http://timesofindia.indiatimes.com/India/Cyber_crime_PGI_heads_email_hacked/rssa
rticleshow/3006104.cms

Nine Memory Sticks Stolen from Hong Kong Hospitals (May 5, 2008)

In the last year, nine memory sticks have been stolen from five Hong Kong hospitals. In all, the devices hold personally identifiable information of more than 3,000 patients, including 700 children with developmental problems. Those files also hold patient interviews, assessments, and for some, photographs and identity card numbers. A task force has been set up to investigate the thefts and develop ways to avoid similar data security breaches.
-http://www.monstersandcritics.com/news/health/news/article_1403455.php/Hospitals
_in_Hong_Kong_lose_data_on_3000_patients_in_thefts
-http://www.thestandard.com.hk/news_detail.asp?pp_cat=30&art_id=65404&sid
=18791577&con_type=1
[Editor's Note (Schultz): A six month delay in notifying potential victims of identity theft is inexcusable. Until harsh punishments are handed out for such negligence, this kind of thing will continue to occur. ]

UCSF Delays Notifying Patients of Data Exposure (May 2, 2008)

The University of California San Francisco (UCSF) waited nearly six months to notify more than 6,000 patients that their personally identifiable information had been accessible on the Internet for more than three months. UCSF discovered the data security breach in early October 2007, but sent out notification letters in early April 2008. UCSF has been sharing patient information with Target America and paying that company US $12,000 a year to establish a list of potential donors from the patient list. Target America performs data mining on lists they are provided to determine who would be a good target for donation solicitations. Shortly after discovering the breach, UCSF terminated its relationship with Target America. As of January 2008, health care providers in California are required to inform patients if their information has been compromised.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&t
sp=1

STATISTICS, STUDIES & SURVEYS

Purdue's CERIAS Program Rated the Top US Information Security Program (1 May 2008)

Purdue University's CERIAS (Center for Education and Research in Information Assurance and Technology) program has been rated the top university information security program in the US. Academic Analytics LLC, which bases its rankings of doctoral programs on the basis of scholarly output, found that the CERIAS faculty members had the highest productivity. CERIAS is different from many other information security programs in that it takes a multidisciplinary approach that involves not only computer science, but also psychology, law, political science, industrial technology, and other disciplines.
-http://news.uns.purdue.edu/x/2008a/080502SpaffordRanking.html

MISCELLANEOUS

US Considers Options After DDoS Attack and Diplomat Expulsions (May 2 & 4, 2008)

For the time being, the United States will not sever diplomatic ties with Belarus following a distributed denial of service (DDoS) attack on US-supported Radio Free Europe/Radio Liberty in late April. The attack was followed by a decision from the Belarusian government to expel 10 US diplomats, reducing the diplomatic force in that region to four. The US State Department may take some action at a later date. The expulsions are the latest move in an escalating situation resulting from US-imposed sanctions against a state-owned energy conglomerate. US State Department spokesperson Tom Casey said "we are considering the full range of options in terms of our respective diplomatic presences. But at this point we have not made any formal decisions."
-http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/05/02/a
nalysis_us-belarus_row_escalates/2468/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9082258&source=rss_topic17

Microsoft Bluehat Sessions Highlight Weaknesses In Anti-Virus Software (May 5, 2008)

A presentation by Feng Xue from Nevis Networks given at the latest Microsoft Bluehat Session demonstrated how hackers can circumvent anti-virus software installed on target machines. Microsoft's Bluehat sessions are invitation only events held every six months where computer security researchers interact with Microsoft's software developers to help identify weaknesses in Microsoft's products. Other highlights included a talk on design weaknesses in Windows, security issues with web browsers, and how scripts can monitor the online activity of a targeted user.
-http://www.zdnetasia.com/news/security/0,39044215,62040947,00.htm

Hundreds of Laptops Missing at U.S. Dept of State. (May 2,2008)

An internal audit has discovered that hundreds of employee laptops are unaccounted for within the U.S. Department of State. Up to 400 of those laptops belong to the Department's Anti-Terrorism Assistance Program, which provides assistance to foreign police and security forces in the form of counterterrorism training and equipment.
-http://www.cqpolitics.com/wmspage.cfm?docID=hsnews-000002716318&cpage=1

UPCOMING SANS WEBCAST SCHEDULE

NEW DATE/TIME: Wednesday, May 7, 2008 at 1:00pm EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole and Michael Yaffe
-http://www.sans.org/info/25519
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



The information security world is taxing. We spend a lot of time fixing problems that often don't stay fixed. New vulnerabilities are discovered daily, and applying one update or patch sometimes exposes weaknesses elsewhere. We hope that our IPS and firewalls can cover while we try to keep up, but how do we really know that things are working the way they should be?

***
Ask the Expert Webcast: Enterprise Incident Management with Security Monitoring
WHEN: Thursday, May 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre
-http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems
-http://www.prismmicrosys.com/


Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.

***
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/27109
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

***
Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
-http://www.sans.org/info/27114
Sponsored By: PacketMotion
-http://www.packetmotion.com/


Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/