SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #39

May 16, 2008

TOP OF THE NEWS

Botnet Spreading Powerful SQL Injection Attack Tool
Legislators Decry Secrecy Surrounding National Cyber Security Initiative
Brute Force SSH Attacks on the Rise

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Woman Indicted in Deadly MySpace Hoax
Pair Sign Plea Agreements in Identity Fraud Case
MySpace Wins Judgment Against Spammer
Man Indicted for Cyberstalking
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DNS Trouble at NSA
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Vulnerability in Debian and Ubuntu PRNG
Microsoft Releases Four Bulletins, Three Critical
STATISTICS, STUDIES & SURVEYS
Study Finds Cox Throttles Filesharing Traffic, Too
BSA Says Software Piracy is Both Up and Down
LIST OF UPCOMING FREE SANS WEBCASTS

---

************************* Sponsored By StillSecure **********************

StillSecure specializes in commercial and open source secure network infrastructure solutions. Products include network access control (NAC), intrusion detection/prevention (IDS/IPS), vulnerability management and a unified networking/security platform. By converging networking and security, StillSecure provides innovative, intuitive and affordable solutions to operate secure networks. For more information call 303-381-3830 or visit our website at http://www.sans.org/info/29073

*************************************************************************

TRAINING UPDATE Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers. - - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774 - - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21) http://www.sans.org/secureeurope08 - - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/ - - Singapore (6/30-7/5) http://www.sans.org/singapore08/ - - Boston (8/9-8/16) http://www.sans.org/boston08/ - - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Botnet Spreading Powerful SQL Injection Attack Tool (May 14 & 15, 2008)

The Asprox botnet is being used to infect websites through SQL injection attacks. Systems that have been infected by the Asprox botnet are being forced to search for .asp pages that contain certain terms and then launching SQL injection attacks against those sites. The attacks attempt to inject an iFrame into the identified websites; the iFrame content will try to 'persuade' surfers who visit that site to download a JavaScript file. That file redirects the surfers to another site containing more malicious JavaScripts; and that site attempts to install copies of Asprox, a password stealing Trojan and the SQL injection attack tool.
-http://www.eweek.com/c/a/Security/Botnet-Installs-SQL-Injection-Tool/
-http://www.heise-online.co.uk/security/Asprox-botnet-now-equipped-with-SQL-injec
tion-tool--/news/110742
-http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/print.html
-http://www.scmagazineus.com/Asprox-botnet-malware-morphs/article/110169/
[Editor's Note (Pescatore): We are definitely seeing attackers find web sites to be easy pickings for new forms of attack. Time to check up on your secure web app development processes (do you check all software for vulnerabilities before allowing it on product web servers?) and your vulnerability management processes for web servers (are you doing web app scanning after any site change and when any new attacks/vulnerabilities are announced?) In July the new Payment Card Industry standards for web application security testing will kick in and drive some well needed attention back towards this problem.
(Paller): Early in June, SANS is hosting a workshop in Las Vegas, chaired by Jeremiah Grossman, where experienced users will share data on which software testing tools actually work and on the most promising practices for improving application security.
-http://www.sans.org/info/24609]

Legislators Decry Secrecy Surrounding National Cyber Security initiative (May 12 & 15, 2008)

US legislators are expressing concerns about the Department of Homeland Security's (DHS) secrecy surrounding the National Cyber Security Initiative. A report from the US Senate Armed Services Committee says that because nearly all of the initiative is highly classified or "For Official Use Only," it "precludes public education, awareness and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties." The report goes on to say, "It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified." In addition, two weeks ago, the Senate Homeland Security Committee asked for more information about the initiative before they would be willing to approve any additional funding.
-http://www.fas.org/sgp/congress/2008/sasc-cyber.html
-http://blog.washingtonpost.com/securityfix/2008/05/government_secrecy_and_the_my
s.html?nav=rss_blog
-http://gsnmagazine.live.netconcepts.com/cms/features/news-analysis/749.html

Brute Force SSH Attacks on the Rise (May 12, 13 & 14, 2008)

Brute force secure shell (SSH) attacks have increased significantly over the last several days. "An SSH attack is a type of dictionary attack that aims to guess secure shell client usernames and passwords." On Monday, May 12, statistics from denyhosts.net indicated close to 10,000 SSH attacks; normally that figure would be 2,000. Some of the attacks were coming through botnets so attackers could stay beneath detection thresholds; others were using a "low and slow" approach to avoid detection and locking out accounts. The SANS Internet Storm Center (ISC) provides specific guidance on how to protect their systems (the first url below).
-http://isc.sans.org/diary.html?storyid=4408
-http://www.scmagazine.com/uk/news/article/809222/brute-force-ssh-attacks-surge/
-http://www.securityfocus.com/news/11518

---

********************** Sponsored Links: *******************************

1) Recent SANS Analyst White Paper and web cast available, "Security and Performance on Converged Networks" Click here to listen and get the paper. http://www.sans.org/info/29078

2) Upcoming SANS Ask the Expert Webcast, "Enterprise Incident Management with Security Monitoring" Register Today! http://www.sans.org/info/29083

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Woman Indicted in Deadly MySpace Hoax (May 15, 2008)

Lori Drew, the Missouri woman who allegedly used a phony identity on a MySpace account to trick a 13-year-old neighbor, has been indicted in Los Angeles. The girl committed suicide following a nasty message sent from the phony account. Drew has been charged with one count of conspiracy and three counts of accessing protected computers without authorization to obtain information used to torment the girl. The case names the girl and MySpace as victims. According to the indictment, MySpace members must agree to terms of service that include not posting information they know is false or misleading and not using information gathered from MySpace to "harass, abuse or harm other people." No lawsuit was filed after the investigation in Missouri because there was no statute under which Drew could be prosecuted.
-http://www.cnn.com/2008/CRIME/05/15/internet.suicide.ap/index.html
-http://www.latimes.com/news/nationworld/la-me-myspace16-2008may16,0,1266040.stor
y

Pair Sign Plea Agreements in Identity Fraud Case (May 13 & 15, 2008)

Jocelyn Kirsch and Edward K. Anderton have been charged with conspiracy, aggravated identity theft and other offenses for stealing financial information from friends, neighbors, co-workers and others and using it to commit fraud totaling nearly US $120,000. They used stolen identities to open PayPal and eBay accounts, sometimes offering items for sale on the auction website, collecting the funds and never delivering what was promised. Both have signed plea agreements.
-http://www.theregister.co.uk/2008/05/15/aggravated_identity_theft_charges/print.
html
-http://seattletimes.nwsource.com/html/localnews/2004410469_webidtheft13m.html

MySpace Wins Judgment Against Spammer (May 14, 2008)

MySpace has won a US $223 million judgment against spammer Sanford Wallace and his business partner Walter Rines. The two created thousands of phony MySpace profiles and used them to send hundreds of thousands of spam messages. They also broke into about 300,000 existing MySpace profiles and posted comments that linked to commercial sites. Wallace and Rines were not present in court and it is unlikely that MySpace will ever collect any of the money.
-http://www.siliconrepublic.com/news/news.nv?storyid=single11014
-http://www.theregister.co.uk/2008/05/14/myspace_spam_ruling/print.html
-http://www.scmagazineus.com/MySpace-wins-major-spam-judgment/article/110088/

Man Indicted for Cyberstalking (May 9, 2008)

A Kansas City, Missouri man has been indicted for cyberstalking. Shawn D. Memarian allegedly made postings to various online communities and social websites that exposed personally identifiable information of a woman who had obtained a restraining order that prohibited Memarian from contacting her. Memarian allegedly made postings posing as the woman and sent her threatening email messages.
-http://www.cybercrime.gov/memarianIndict.pdf

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DNS Trouble at NSA (May 15, 2008)

The US National Security Agency's (NSA) website has been unavailable since Thursday morning due to apparent problems with its DNS servers. It is not clear what the trouble with the servers is: an internal routing problem, a firewall or access control list problem, or a technical glitch or attack. One clear problem is that the NSA's DNS servers are hosted on the same machine, which is also a web server for the NSA's National Computer Security Center.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9085940

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Vulnerability in Debian and Ubuntu PRNG (May 13 & 15, 2008)

A vulnerability in Debian and Ubuntu makes it easier for attackers to guess cryptographic keys. The weakness could be exploited to forge digital signatures and steal sensitive data. The problem lies in the Pseudo Random Number Generator (PRNG) used to create keys. SANS ISC is urging users to regenerate affected keys and certificates as soon as possible.
-http://isc.sans.org/diary.html?storyid=4421
-http://isc.sans.org/diary.html?storyid=4414
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9085980&intsrc=hm_list
[Editor's Note (Honan): Note that the Internet Storm Center has raised its Infocon status to yellow. If the ISC is treating this issue so seriously then so should you. Also note that HD Moore has updated Metasploit to exploit this vulnerability with the "Debian OpenSSL Predictable PRNG Toys"
-http://metasploit.com/users/hdm/tools/debian-openssl/.]

Microsoft Releases Four Bulletins, Three Critical (May 13, 2008)

On Tuesday, May 13, Microsoft released four security bulletins to address a total of six vulnerabilities. Three of the four bulletins have severity ratings of critical; the other is rated moderate. The critical vulnerabilities affect Microsoft Word, Microsoft Publisher and Microsoft Jet Database Engine and could be exploited to allow remote code execution. The moderate vulnerabilities affect Microsoft Malware Protection Engine and could be exploited to cause denial-of-service conditions.
-http://isc.sans.org/diary.html?storyid=4411
-http://www.channelregister.co.uk/2008/05/13/microsoft_may_patch_tuesday/print.ht
ml
-http://www.informationweek.com/news/security/app_security/showArticle.jhtml?arti
cleID=207603294
-http://www.microsoft.com/technet/security/bulletin/MS08-may.mspx?pubDate=2008-05
-13

STATISTICS, STUDIES & SURVEYS

Study Finds Cox Throttles Filesharing Traffic, Too (May 15, 2008)

A study from the Max Planck Institute says that Comcast throttled or blocked BitTorrent files 24/7 instead of just at peak traffic times, as the cable giant claimed. The study also says that Cox Communications throttles BitTorrent traffic as well. Net neutrality has become a hot topic. At US Federal Communications Commission (FCC) hearings on the subject in March, Comcast agreed to stop interfering with BitTorrent traffic by the end of the year. Comcast says it is moving toward limiting speeds for any users consuming unusually large amounts of bandwidth.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207800375
-http://blogs.wsj.com/washwire/2008/05/15/cox-about-to-feel-wrath-of-net-neutrali
ty-activists/
-http://www.usatoday.com/tech/products/services/2008-05-15-cox-comcast-blocks_N.h
tm?csp=34

BSA Says Software Piracy is Both Up and Down (May 14 & 15, 2008)

A report conducted by IDC on behalf of the Business Software Alliance (BSA) examines software piracy rates in 108 countries; in 67 of those countries, the piracy rate has fallen; piracy rates increased in just eight of the countries. In some countries the piracy rate is high despite the statistical decline; for instance, in Russia the piracy rate dropped to 73 percent. BSA defines piracy as "the total number of units of pirated software installed divided by the total number of units of software installed." However, because the PC market is growing quickly in countries with high rates of piracy, the overall rate of software piracy worldwide actually increased from 35 to 38 percent in 2007.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9085758&source=rss_topic17
-http://news.smh.com.au/technology/software-piracy-increases-in-asiapacific-indus
try-group-20080515-2een.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207800168
-http://news.bbc.co.uk/2/hi/technology/7400260.stm
[Editor's Note (Schultz): The proof is in the pudding, so to speak, and the fact that the music recording industry is taking such a beating with regard to profits appears to be that proof. ]

UPCOMING SANS WEBCAST SCHEDULE

WHEN: Tuesday, May 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rush Carskadden
-http://www.sans.org/info/27119

Sponsored By: Cisco Systems
-http://www.cisco.com/


Effective mitigation of application-layer threats requires defeating attempts to obfuscate malicious headers and payloads. However, active evasion protections can introduce misleading results in the testing of a network IPS. This session will present well-known and recent obfuscation techniques, methods for their mitigation and prevention, and guidelines for effective testing.

***
SANS Special Webcast: Understanding and Selecting a Database Activity Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
-http://www.sans.org/info/27124
Sponsored by the Following:

Guardium
-http://www.guardium.com/
Imperva
-http://www.imperva.com/
Secerno
-http://www.secerno.com/
Setrigo
-http://www.sentrigo.com/
Tizor
-http://www.tizor.com/


Thanks to increasing compliance requirements and growing security threats, enterprises must adopt new strategies and techniques to protect their databases. Security and database administrators are charged with protecting these essential corporate assets, but are challenged to improve security and auditing in the least intrusive way possible. Database Activity Monitoring is emerging as a powerful tool to ensure compliance while detecting, and sometimes preventing, database attacks and internal abuse. In this webcast independent consultant Rich Mogull will review the inner workings of Database Activity Monitoring, highlight key features, and present a three step selection process.

***
Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
-http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems

Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.

***
SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
-http://www.sans.org/info/27139
Sponsored By: Core Security
-http://www.coresecurity.com/


Ever want to pull a chair up to the SANS lunch table? Here's your chance to get some virtual face time with three of the "cool kids" from SANS as they discuss the latest topics on the information security threat horizon, including new attacks to look out for and what to do about them.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/