SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #40

May 20, 2008

Virtualization and security: Tom Liston compiled a very cool list of important security issues faced by people using virtual systems (VMware's GSX Server and ESX Server, Microsoft's Virtual Server, or others). I was surprised by several of them. I will send you the list if you don't mind helping us prioritize these issues (and telling us about any you think Tom missed). Please email apaller@sans.org with subject "virtual security."
Alan

---

TOP OF THE NEWS

Legal Experts Say MySpace Terms of Agreement Violation Charge is Problematic
Tennessee Law Would Require Paper Ballots
Google Takes a Drubbing for Providing Orkut User Info to Indian Authorities

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
38 Charged in Phishing Scheme
Japanese Student Draws Suspended Sentence For Spreading Malware
Alleged Australian Government Hacker Denied Bail
American Arrested in Korea for Alleged Cyber Extortion
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IRS Employees Charged with Illegal File Access
POLICY & LEGISLATION
Missouri Legislators Approve Measure to Make Cyber Stalking a Crime
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Paypal Patches Cross-Site Scripting Flaw in EV-SSL Page
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Card Skimming Scheme Nets One Million Euro From Irish Bank Accounts
STATISTICS, STUDIES & SURVEYS
Orphaned Accounts Still a Security Problem
LIST OF UPCOMING FREE SANS WEBCASTS

---

************** Sponsored By RSA, The Security Division of EMC ***********

Start estimating your storage requirements today and develop a cost effective storage strategy. Access our RSA enVision storage calculator tool and also download two free White Papers -- Storing More Intelligently and End-to-End Solutions to Enable Best Practices in Log Management.
http://www.sans.org/info/29093

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21) http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Legal Experts Say MySpace Terms of Agreement Violation Charge is Problematic (May 16, 2008)

The decision to charge Lori Drew, the woman accused of using a MySpace page obtained under a fictitious name to trick and torment a 13-year old neighbor, is causing concern among some legal experts. Investigators in Drew's home state of Missouri could find no statute under which to charge her, so federal prosecutors in Los Angeles charged her with conspiracy and hacking for violating MySpace's terms of service agreement. The concern lies not in prosecuting Drew, but in the vagueness of the indictment, which suggests that anyone who has used a pseudonym on the Internet could be charged with a federal crime. John Morris, general counsel for the Center for Democracy and Technology said, "There is nothing in the indictment that differentiates between what is a serious violation of the terms of service and a trivial violation of the terms of service."
-http://www.securityfocus.com/news/11519/1

Tennessee Law Would Require Paper Ballots (May 18, 2008)

The Tennessee State Senate has unanimously approved the Tennessee Voter Confidence Act. The law, which is expected to go before Governor Phil Bredesen this week, would require that voting systems purchased and deployed after January 1, 2009 use precinct based optical scanners. By 2010, all counties will be expected to use voting systems that produce paper records. In addition, the law would forbid the use of electronic voting systems that have wireless capabilities, and require that manufacturers disclose their source code, software, and firmware.
-http://www.votetrustusa.org/index.php?option=com_content&task=view&id=28
56&Itemid=113
-http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080516/NEWS0201/805160421
/1009/NEWS01

Google Takes a Drubbing for Providing Orkut User Info to Indian Authorities (May 19, 2008)

Google has been criticized for providing Indian law enforcement authorities with information that led to the arrest of an Orkut user who had uploaded derogatory comments about an Indian politician. Google, which is the parent company of Orkut, says it "supports the free expression of
[its ]
users," but also complies with local laws, which in this case meant divulging the man's IP address. Freedom of personal expression is a protected right in India.
-http://www.theregister.co.uk/2008/05/19/google_india_gandhi/print.html
-http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR2008051800657_
pf.html
-http://www.pcworld.com/businesscenter/article/146049/google_defends_helping_poli
ce_nab_defamer.html

---

********************** Sponsored Links: *******************************

1) Where Is Your Confidential Data and How Do You Protect It? A Customer Success Story
http://www.sans.org/info/29098

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

38 Charged in Phishing Scheme (May 19, 2008)

Two US federal indictments charge 38 people in the US and Romania in connection with a phishing scheme designed to steal credit and debit card numbers. The information was used to manufacture phony credit and debit cards, which were in turn used to withdraw funds from various accounts. The charges include conspiracy to violate the Racketeer Influenced and Corrupt Organizations (RICO) Act, conspiracy in connection with access devices, unauthorized access to a protected computer, bank fraud, and aggravated identity theft.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9086678&source=rss_topic17
-http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=
207801060
[Editor's Note (Cole): Phishing continues to be a problem, so be very careful of any emails you receive. One of the best preventive measures is to turn off HTML embedded email, which will stop many of the tricks that attackers try.
(Paller): Eric Cole's comment illustrates the reason SANS does not embed html in NewsBites. ]

Japanese Student Draws Suspended Sentence For Spreading Malware (May 16, 2008)

Japanese graduate student Masato Nakatsuji has been found guilty in Kyoto District Court of copyright infringement. Nakatsuji spread malware called Harada by hiding it in an animation image that he had copied in violation of copyright law. He claims to have created the malware to punish illegal downloaders. Nakatsuji received a two-year sentence suspended for three years. The case illustrates the lack of existing laws in Japan to prosecute certain computer crimes.
-http://news.smh.com.au/technology/japan-uses-copyright-conviction-to-crack-down-
on-student-who-allegedly-spread-computer-virus-20080516-2f0y.html
-http://www.govtech.com/gt/323943?topic=117671

Alleged Australian Government Hacker Denied Bail (May 16, 2008)

An IT contractor from Palmerston, Northern Territory (NT) who allegedly broke into the computer systems and shut down databases at the NT Health Department, the Royal Darwin Hospital, Berrimah Prison and the Supreme Court has been denied bail. David Anthony McIntosh allegedly deleted the user accounts of more than 10,000 government workers. Police contested McIntosh's bail application because they were concerned that he had made copies of the passwords and data he had accessed. Law enforcement authorities found a file of NT government passwords when they seized equipment tied to the attack; all Northern Territory public servants have been instructed to change their passwords. McIntosh allegedly accessed a virtual private network (VPN) to gain access to the government system. The alleged attacks on the government databases occurred on May 5. Estimates for repairing the damage run to the hundreds of thousands of dollars, and it could take months to fix the systems.
-http://www.ntnews.com.au/article/2008/05/16/4125_ntnews.html
[Editor's Note (Shpantzer): Several NewsBites editors have been saying for years that an improperly secured and authenticated VPN is merely an opaque pipe into your organization, rather than a protective measure. ]

American Arrested in Korea for Alleged Cyber Extortion (May 16, 2008)

Korean police have arrested an American man for allegedly breaking into a computer system of a Korean savings bank. The man, identified only by the initial "J," allegedly encrypted the customer database and then attempted to extort money from the bank to release the information. The man has been on a work visa in Korea since 2003.
-http://english.chosun.com/w21data/html/news/200805/200805160012.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

IRS Employees Charged with Illegal File Access (May 16, 2008)

Five US Internal Revenue Service (IRS) employees have been charged with accessing and inspecting the tax return information of individuals unlawfully and without authorization. The defendants' activity was caught by the IRS security system. It is not known at this time what relationship, if any, the employees had with the people whose information they accessed. One employee is accused of accessing one file, two are accused of accessing two files, and two of accessing four files.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9086238&source=rss_topic17
[Editor's Note (Schultz): These incidents once again illustrate that insider threats almost always constitute the greatest security risk to organizations. The possibility of a data security breach due to externally initiated attacks has motivated the IRS to invest a considerable amount of effort and resources over the years. I wonder, however, whether the IRS realized the seriousness of insider risk and acted accordingly.
(Kreitner): This episode serves as a helpful reminder about internal access control policies, one of those mundane but important areas of enterprise discipline. It's also a reminder that effective security is mostly about basic everyday blocking and tackling. The IRS deserves credit for discovering this internal illicit activity. ]

POLICY & LEGISLATION

Missouri Legislators Approve Measure to Make Cyber Stalking a Crime (May 19, 2008)

State legislators in Missouri have passed a bill that would add electronic communications, including computers and text messaging, to the state's harassment laws. It would also allow felony prosecution of stalking charges in some cases. Governor Matt Blunt is expected to sign the bill, which came about in part due to an Internet Harassment Task Force formed by Governor Blunt in reaction to the MySpace case.
-http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?ar
ticleID=207801021
-http://www.crn.com/networking/207800926

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Paypal Patches Cross-Site Scripting Flaw in EV-SSL Page (May 16 & 19, 2008)

Paypal has fixed a cross-site scripting vulnerability in Paypal that could be exploited to create spoofed pages that attempt to steal users' credentials. The flaw existed despite the fact that Paypal uses an Extended Validation-SSL (EV-SSL) certificate, which is supposed to offer increased web page security. Browsers that support EV-SSL certificates turn the address bar green when users are visiting an EV-SSL web page. Paypal said it does not believe that the flaw has been exploited in any attacks.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9086700&intsrc=hm_list
-http://www.heise-online.co.uk/security/Cross-site-scripting-hole-in-Paypal-casts
-doubt-on-EV-SSL--/news/110759
-http://www.theregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/print.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Card Skimming Scheme Nets One Million Euro From Irish Bank Accounts (May 18, 2008)

Fraudsters have stolen approximately one million euro (US $1.55 million) from 300 Irish bank accounts. The thieves apparently worked with store and restaurant employees in the Dublin area to skim credit cards and shoulder surf for their associated PINs. The information was then used to withdraw funds in various countries in mainland Europe.
-http://www.independent.ie/breaking-news/national-news/1-million-euro-stolen-in-b
ank-card-fraud-1379228.html

STATISTICS, STUDIES & SURVEYS

Orphaned Accounts Still a Security Problem (May 16, 2008)

A study of 850 IT, security, HR, and C-level executives found that 27 percent reported more than 20 "orphaned" accounts on their systems. More than 38 percent said they have no way of knowing if terminated employees have accessed systems through their orphaned accounts; 15 percent said they have experienced it at least once. About 30 percent of respondents said it takes more than three days to terminate an account after an employee leaves; 12 percent said it takes more than a month.
-http://www.eweek.com/c/a/Security/Old-User-Accounts-Pose-Current-Security-Risks-
for-Enterprises/
[Editor's Note (Weatherford) "Three days to a month to de-provision a user account? And these are the people with authority to make the changes. It's OUR job to make OUR organizations understand that this is unacceptable due to the significant liabilities it subjects us to."
(Shpantzer): Every account should be tied to a role which is tied back to a person. Person gone, all roles associated with the account are gone, all accounts are gone. Easier said than done in real life...
(Grefer): Virtually any server operating system and any decent backend database offers basic functionality to identify when an account was last used. As such, it is hard to fathom why these companies would not be able to track this information. ]

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast: Understanding and Selecting a Database Activity Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
-http://www.sans.org/info/27124

Sponsored by the Following:

Guardium
-http://www.guardium.com/
Imperva
-http://www.imperva.com/
Secerno
-http://www.secerno.com/
Sentrigo
-http://www.sentrigo.com/
Tizor
-http://www.tizor.com/


Thanks to increasing compliance requirements and growing security threats, enterprises must adopt new strategies and techniques to protect their databases. Security and database administrators are charged with protecting these essential corporate assets, but are challenged to improve security and auditing in the least intrusive way possible. Database Activity Monitoring is emerging as a powerful tool to ensure compliance while detecting, and sometimes preventing, database attacks and internal abuse. In this webcast independent consultant Rich Mogull will review the inner workings of Database Activity Monitoring, highlight key features, and present a three step selection process.

***
Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
-http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems

Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.

***
SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
-http://www.sans.org/info/27139
Sponsored By: Core Security
-http://www.coresecurity.com/


Ever want to pull a chair up to the SANS lunch table? Here's your chance to get some virtual face time with three of the "cool kids" from SANS as they discuss the latest topics on the information security threat horizon, including new attacks to look out for and what to do about them.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884

********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/