SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #51

June 27, 2008

Three interesting events - each for a special subset of the security community:
+ European critical infrastructure owners (utilities and oil & gas mainly) and government experts will share what works in protecting control systems and SCADA in Amsterdam September 8-9
http://www.sans.org/euscada08_summit/agenda.php
+ The smartest people in virtual security will share what doesn't work (and what does) at a gathering in Washington DC August 7-8
http://www.sans.org/virtualization08_summit/
+ Nearly all the people who know how to find the Chinese infections - like the ones that hit DoD and the one that got into Congress recently- plus how to respond when the FBI or Secret Service tell your bosses a lot of your systems have been compromised, are getting together in Las Vegas in October to share the most useful tools and techniques in forensics.
http://www.sans.org/forensics08_summit/
Alan

---

TOP OF THE NEWS

UK Information Commissioner Will Serve Enforcement Notices on HMRC and MoD
Senate Subcommittee Hearing Focuses on CBP Seizure of Electronic Devices
Privacy Officers and Marketing Depts Have Different Ideas About Data Security

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Former Employee Allegedly Deleted Organ Bank Data
SPYWARE, SPAM & PHISHING
Charter Communications Suspends NebuAd Pilot
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Two IE Flaws Discovered
Adobe Fixes JavaScript Flaw in Acrobat and Reader
Microsoft Issues List of Tools to Help Protect Sites from SQL Attacks
Ruby Patches Five Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Marshall Islands Cut Off From Incoming eMail by DDoS Attack
STATISTICS, STUDIES & SURVEYS
Ten Networks Account for Nearly Half of All Malicious Sites
MISCELLANEOUS
Dutch Government Wants to Halt Publication of Mifare Flaw Paper

---

*************************************************************************

TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

UK Information Commissioner Will Serve Enforcement Notices on HMRC and MoD (June 25, 2008)

Following the release of a verdict from the Independent Police Complaints Commission, a report from Pricewaterhouse Coopers chairman Kieran Poynter regarding the HMRC data loss incident, and a report from Sir Edward Burton regarding the incidents at MoD, UK Information Commissioner Richard Thomas says his office will serve enforcement notices on HM Revenue & Customs (HMRC) and the Ministry of Defence (MoD) for "deplorable failures" at both departments that led to violations of the Data Protection Act. Last year, HMRC acknowledged the loss of computer disks containing personally identifiable information of 25 million families; MoD acknowledged that it lost a number of laptops, one of which contained sensitive data of 600,000 recruits. Compliance with the enforcement notices will include implementing all recommendations made. The departments will be required to submit annual progress reports for the next three years.
-http://news.zdnet.co.uk/security/0,1000000189,39439030,00.htm
-http://www.vnunet.com/computing/news/2220012/hmrc-mod-guilty-deplorable
-http://www.heise-online.co.uk/security/Information-Commissioner-to-sanction-HMRC
-and-MOD-for-data-loss--/news/111004
-http://www.scmagazineuk.com/Poynter-Review-IPCC-severely-criticise-HMRC-over-dat
a-breach/article/111698/
-http://www.theregister.co.uk/2008/06/25/hmrc_data_loss_reports/print.html
[Editor's Note (Honan): The Poynter report is available at
-http://www.hm-treasury.gov.uk/media/0/1/poynter_review250608.pdf
It is a very good read including nearly 20 pages of recommendations and I would recommend you read it to see if any of them could be applicable to your organisation. ]

Senate Subcommittee Hearing Focuses on CBP Seizure of Electronic Devices (June 24 & 25, 2008)

The US Senate Judiciary Committee's Subcommittee of the Constitution, Civil Rights and Property Rights heard testimony regarding the US Customs and Border Protection (CBP) search policies that have allowed the search and seizure of personal and work laptops and other electronic devices at US borders. While some maintain that laptops are no different from luggage, others contend that the practice is unlawful, as the devices have been seized without probable cause. Earlier this year, the 9th Circuit Court of Appeals ruled that CBP does not need reasonable suspicion to conduct the searches. Electronic Frontier Foundation Lee Tien senior staff attorney said his organization "does not dispute that the Fourth Amendment works differently at the border, but 'differently' does not mean 'not at all.'"
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyId=15&articleId=9103338&intsrc=hm_topic
-http://www.nextgov.com/nextgov/ng_20080624_3037.php
[Editor's Note (Northcutt): So much for the land of the free. Let's take a look at some real people stories and remember, this could be you, just takes one customs agent that wants to jerk you around and you are jerked:
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.
html
-http://blogs.ittoolbox.com/security/dmorrill/archives/search-and-seizure-of-your
-laptop-at-the-border-approved-23927
-http://www.usnews.com/articles/news/national/2008/06/24/seizing-laptops-and-came
ras-without-cause.html
-http://www.freep.com/apps/pbcs.dll/article?AID=/20080626/NEWS07/806260435/1009

-http://www.truthout.org/article/us-border-agents-copying-contents-travelers-lapt
ops

(Honan): An interesting side effect of the CBP search policies is that many companies are now rethinking how best to protect sensitive data for mobile users. It is ironic though that it is the threat of a US government agency accessing a company's sensitive data that is driving this corporate rethink and not the threat of criminals getting their hands on the same information. ]

Privacy Officers and Marketing Depts Have Different Ideas About Data Security (June 23, 2008)

A study from the Ponemon Institute reveals a disconnect between what privacy and security officers believe about the level of protection afforded customer data and what the marketing department is actually doing with the data. Eighty percent of respondents from marketing departments said their companies share customer email addresses with third parties, while just 47 percent of security and privacy officers said they shared email addresses. Twenty-nine percent of marketing respondents said they believe their companies share Social Security numbers, while just seven percent of privacy professionals said their companies shared that information. There is no reason to believe that conflicting responses came from within the same company, but the general trend is worrisome. The study was funded by Strongmail.
-http://www.forbes.com/2008/06/21/privacy-security-marketing-tech-security-cx_ag_
0623privacy_print.html
[Editor's Note (Schultz): The results of this study are fascinating. It is easy to be lulled into believing that data protection is far better than it actually is. The solution is systematic and thorough compliance enforcement, something that is for the most part missing or deficient in many organizations. ]

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Former Employee Allegedly Deleted Organ Bank Data (June 26, 2008)

Danielle Duann has been indicted for allegedly breaking into the computer system at an organ bank and deleting patient data. Duann allegedly accessed the LifeGift Organ Donation Center database shortly after she was fired from her position as technology director at the Houston, TX organ bank, despite the fact that her administrative rights and passwords were revoked upon her termination. She then allegedly deleted database records and accounting invoice files. The lost data were restored from backups. If she is convicted, Duann could face up to 10 years in prison and a US $250,000 fine.
-http://news.cnet.com/8301-10789_3-9978151-57.html?part=rss&subj=news&tag
=2547-1_3-0-20
-http://houston.fbi.gov/dojpressrel/pressrel08/ho06242008.htm
More detail:
-http://www.chron.com/disp/story.mpl/headline/metro/5854484.html
[Editor's Note (Northcutt): Revoking administrative rights only works if the administrator can't create another login with administrative rights without being detected. While not perfect, this is a good read for the problem of terminating someone that had insider access. I would love to hear your insights on what organization's should do (stephen@sans.edu):
-http://searchsecurity.techtarget.com.au/contents/17984-How-to-create-and-enforce
-employee-termination-procedures]

SPYWARE, SPAM & PHISHING

Charter Communications Suspends NebuAd Pilot (June 25 & 26, 2008)

Charter Communications says it has suspended its planned pilot of the NebuAd online behavioral advertising system. NebuAd has come under increased scrutiny and criticism for unauthorized deep packet modification and other questionable means of tracking consumer behavior. Charter said that if it uses NebuAd in the future "it should be on the basis that NebuAd will not intercept customers' data and plant false code in it."
-http://www.heise-online.co.uk/security/US-ISP-backs-off-from-NebuAd--/news/11099
7
-http://www.internetnews.com/ec-news/article.php/3755631/NebuAd+The+Third+Rail+fo
r+ISPs.htm
[Editor's Comment (Northcutt): we wrote a short course once at SANS, titled Staying Invisible on the Internet. No one ever signed up for it. People even asked, "why would I take the course unless I had something to hide". For the life of me, I do not understand why people tolerate total invasion of personal privacy, but they do. That means NebuAd did not succeed with this one ISP, but mark my words, unless we educate people and explain why privacy is a good thing, they will. The Wikipedia article has a list of ISPs using or considering deploying NebuAd in case you think Charter is the only one:
-http://en.wikipedia.org/wiki/NebuAd
-http://www.nebuad.com/company/press_releases/press_01_28_08.php]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Two IE Flaws Discovered (June 26, 2008)

Two flaws in Internet Explorer (IE) have been discovered. The first is a cross-site scripting flaw in IE6 in the form of a validation error when the browser handles the "location" or "location.href" property of a window object. Until a fix is available, users should disable scripting in IE6 or upgrade to IE7. The other flaw affects IE7 and is a spoofing vulnerability.
-http://www.eweek.com/c/a/Security/Researchers-Reveal-Security-Holes-in-Internet-
Explorer/

Adobe Fixes JavaScript Flaw in Acrobat and Reader (June 25, 2008)

Adobe has released updated versions of its Acrobat and Adobe Reader to address a critical JavaScript input validation vulnerability that could be exploited to allow remote code execution. The flaw is being actively exploited. It affects versions 8.1.2 and earlier of both products. Users are urged to update to the newest versions of Reader and Acrobat as soon as possible.
-http://www.scmagazineuk.com/Vulnerability-in-Adobe-Acrobat-leads-to-public-explo
it/article/111674/
-http://www.heise-online.co.uk/security/New-danger-from-PDF-files--/news/110996
-http://www.adobe.com/support/security/bulletins/apsb08-15.html

Microsoft Issues List of Tools to Help Protect Sites from SQL Attacks (June 24 & 26, 2008)

Microsoft has issued a security advisory regarding the recent escalation of SQL injection attacks. The "attacks do not exploit a specific software vulnerability, but instead target web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database." The advisory includes a list of suggested tools to help administrators protect their sites.
-http://www.eweek.com/c/a/Security/Microsoft-Responds-To-The-SQL-Injection-Proble
m/
-http://www.heise-online.co.uk/security/Microsoft-warns-of-SQL-injection-attacks-
-/news/110998
-http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/print.h
tml
-http://www.microsoft.com/technet/security/advisory/954462.mspx

Ruby Patches Five Flaws (June 23, 24, 2008)

The Ruby Project has fixed five serious security flaws in versions 1.8 and 1.9 of the open-source programming language. The flaws, which would be trivial to exploit, could allow remote code execution or a denial-of-service attack. Users are urged to upgrade to the newest versions, available on the Ruby website.
-http://www.theregister.co.uk/2008/06/23/group_patches_ruby/print.html
-http://www.techworld.com/security/news/index.cfm?newsID=101993
-http://www.securityfocus.com/brief/761

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Marshall Islands Cut Off From Incoming eMail by DDoS Attack (June 25 & 26, 2008)

A distributed denial-of-service (DDoS) attack on the Marshall Islands' only Internet service provider (ISP) left the tiny country without the capability to receive incoming email. While messages can be sent between National Telecommunications Authority (NTA) customers, mail from other ISPs is still not making its way to NTA customers. NTA general manager Anthony Muller servers would be added to help prevent a recurrence. The attack began on Tuesday and it could be days before the system is back to normal.
-http://www.smh.com.au/news/security/marshall-islands-hit-by-zombie-attack/2008/0
6/25/1214073315525.html
-http://www.scmagazineuk.com/Pacific-island-knocked-off-internet-by-DDoS-attack/a
rticle/111744/
-http://www.theregister.co.uk/2008/06/25/email_ddos/

STATISTICS, STUDIES & SURVEYS

Ten Networks Account for Nearly Half of All Malicious Sites (June 25, 2008)

Analysis of more than 213,000 sites hosting malware found that more than half are running under Chinese IP addresses. The analysis was conducted by Stopbadware.org, which acknowledged that it couldn't say how many of the sites are deliberately serving malware and how many are legitimate sites that were infected. The total number of malware-infected sites detected is up 300 percent over last year. Stopbadware.org manager Maxim Weinstein says that the increase could be attributed in part of increased efforts to find malicious sites, but that other statistics cited by other groups recently indicate the likelihood that malware infection is on the rise, likely because of SQL attacks. The US network spreading the most malware is Google, which is a Stopbadware.org sponsor and the source of the analyzed data. In addition, just 10 networks hosted nearly half of the sites. They acknowledge that Google bots searching for malware are concentrating on Chinese servers, which could also explain the results.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9103378&source=rss_topic17
-http://www.theregister.co.uk/2008/06/24/stopbadware_report/print.html
[Editor's Note (Ranum): According to Chinese Government announcements, the internet population of China is about the same as that of the US, or higher. And, because unlicensed copies of Windows are prevalent, and patches are not available, we predict that the number of vulnerable systems and websites in China is probably the highest in the world. Thus, simple demographics argues that a majority of jump-off points for mal-hosting and attacks will originate in China. What is less clear is whether the people behind the systems and sites are in China, or not.
(Cole): The key lesson is that if you block a small subset of sites that your organization does not need, you can go a long way to block malicious content from coming into your site. You should also check Incident Storm Center (incidents.org) on a regular basis to update your IP block list. ]

MISCELLANEOUS

Dutch Government Wants to Halt Publication of Mifare Flaw Paper (June 25, 2008)

Dutch government officials have called on researchers at Radboud University to not publish a paper detailing security flaws in the Mifare RFID chip used in the UK's Oyster prepaid public transportation smartcard. The chip was also being used in a Dutch travel system card; that project has been postponed. One of the researchers said that the content of the paper is not attack code, but acknowledged that other groups may have begun developing exploit code. "Killing the messenger does not solve the problem," said researcher Bart Jacobs. "This paper serves the interest of our society."
-http://www.theregister.co.uk/2008/06/25/publication_chip_flaws_under_threat/prin
t.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/