SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #53
July 08, 2008
Free briefing on how the Chinese attacks work: "Is Troy Burning?" Thursday, July 24, at SANSFIRE 2008 in Washington DC. See item after the third story.
Folks involved in IT and process control in utilities, pipelines and other critical infrastructures should plan for a trip to Amsterdam in early September for the SCADA Security Summit. Most major European nations helped plan the program; it is really good. Registration just opened:
http://www.sans.org/euscada08_summit/
Early registration savings (up to $350) for SANS Virginia Beach ends at midnight (EDT) on Wednesday night July 9.
http://www.sans.org/vabeach08/
TOP OF THE NEWS
New Bavarian Law Allows Police to Physically Install Spyware
Texas Law Requires Computer Technicians to Have PI Licenses
Viacom Seeks YouTube Viewing Database
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Stolen Backup Tapes Recovered, Three People Arrested
Lawyer Gets Two Year Suspension for Breaking Into eMail Accounts
ACLU and EFF Sue US Justice Dept. for Cellphone Tracking Information
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Virgin Media Filesharing Warning Letters are Part of Education Campaign
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Issue Four Security Bulletins in July
Mozilla Updates Firefox 2.0, Announces End of Support for 2.x in December
Coreflood Trojan Exploits Admin Tool to Spread
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Targeted Citibank ATMs in 7-Eleven Stores
Freedom Credit Union Issues New Debit Cards After Breach
NHS Manager Suspended After Laptop Stolen From Car
STATISTICS, STUDIES & SURVEYS
McAfee Releases Results of Global SPAM Experiment
MISCELLANEOUS
Google Caches Retain Stolen Data
************ Sponsored By the Virtualization Security Summit ************
What are the economic and flexibility payoffs from going virtual? How can they be quantified? Which of the four leading virtual platforms provides the most security today? Attend the Virtualization Security Summit August 7-8 and learn the answers to these and other key Virtualization security questions.
http://www.sans.org/info/30618
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFire 2008) http://www.sans.org/sansfire08
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
New Bavarian Law Allows Police to Physically Install Spyware (July 7, 2008)
Legislators in the German state of Bavaria have approved a law that would allow police to place spyware on the computers of individuals suspected of being terrorists or posing other serious criminal threats. The measure goes beyond federal laws, which allow authorities to place spyware on suspects' computers remotely. The Bavarian law allows authorities to enter suspects' homes and physically place the spyware on the computer if remote installations do not work. Judicial warrants would not be required. Authorities would also be permitted to conduct searches of the homes. Opponents of the measure say it is unconstitutional.
-http://www.theregister.co.uk/2008/07/07/bavaria_police_spyware_plan/print.html
[Editor's Note (Pescatore): Every society has to achieve a balance between privacy and law enforcement. In many modern societies, the need to obtain a court-ordered warrant has been the mechanism to assure that in each individual case law enforcement needs outweigh privacy rights. While this approach is certainly not perfect, serious abuses have occurred almost without exception every time the warrant requirement has been removed from the process. Worse, when such abuses are detected they often lead to over-reaching privacy legislation that hampers law enforcement and intelligence abilities for years to come. Maintaining that balance is good for both sides.
(Veltsos): Allowing law enforcement to install spyware without a warrant is a slippery slope from both privacy and legal standpoints. Imagine that spyware is installed at the home of an American businessman living in Bavaria. How would his employer respond? How would the US government respond? ]
Texas Law Requires Computer Technicians to Have PI Licenses (June 26, 2008)
The Institute for Justice has filed a lawsuit against the Texas Private Security Board because of a 2007 law that requires computer repair technicians to obtain government-issued private investigators' (PI) licenses. Technicians could face both civil and criminal penalties if they take "any action that the government deems to be an 'investigation.'" The definition of investigation is broad and includes many commonly performed repairs. To obtain a license, computer repair shop owners would have to obtain a criminal justice degree or complete a three-year apprenticeship with a licensed PI. Consumers who knowingly use an unlicensed operation to conduct an "investigation" would also be subject to penalties.
-http://www.ij.org/first_amendment/tx_computer_repair/6_26_08pr.html
[Editor's Note (Guest Editor, Rob Lee): Part of this suit began when Best Buy's Geek Squad was served a cease and desist letter for stating to customers that they can perform "computer forensics" to aid clients in discovering how they were compromised. Does this PI license requirement make sense to anyone? ]
(Northcutt): The State of Texas is putting the Geek Squad tag line to test, "There's nothing we haven't seen. Go ahead. Use us." This legislation goes beyond dumb. The Geek Squad's "forensics" would be to help the end users understand the errors they made that caused their systems to become compromised. One would think this is something government would want to support. I would be surprised if Best Buy doesn't hand Texas its hat.
(Schultz): Hopefully, reason will prevail, and this nonsensical law will be repealed. Requiring a PI license to perform a computer repair just does not make sense. ]
Viacom Seeks YouTube Viewing Database (July 3 & 4, 2008)
YouTube has been ordered to turn over its logging database of users' viewing habits. The order stems from a lawsuit brought by Viacom against Google, which owns YouTube. The lawsuit alleges that YouTube users are encouraged to upload pirated content from Viacom-owned networks, including MTV, VH1 and Nickelodeon. The suit aims to demonstrate that the pirated clips are viewed more frequently than are clips of amateur content uploaded to YouTube. The database includes viewers' usernames and IP addresses. YouTube has asked permission to remove the usernames and IP addresses before submitting the information. Viacom General Counsel Michael Fricklas says the company is not pursuing individual viewers, but instead wants the information to prove its contention that the pirated content is more popular than non-pirated content. Privacy advocates are concerned that even with user names and IP addresses removed, other data could be used to identify individual users. The judge did refuse to grant Viacom's request for access to the Google search engine source code.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/03/AR2008070302359_pf.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9106518&intsrc=hm_list
-http://www.cnn.com/2008/TECH/biztech/07/03/youtubelawsuit.ap/index.html
-http://www.msnbc.msn.com/id/25522070/
-http://www.latimes.com/business/la-fi-youtube4-2008jul04,0,7881532.story
************ How The Chinese Attacks Work: "Is Troy Burning?" ***********
Free briefing on how the Chinese attacks work: "Is Troy Burning?" Thursday July 24, at SANSFire 2008 in Washington DC. Limited to SANS alumni, their bosses, and DoD employees. If you have been wondering exactly how the Chinese attacks are executed, you and/or your bosses may attend a private briefing at SANSFire by Internet Storm Center handler Maarten Van Horenbeeck. (You do not need to be registered for SANSFire to attend; but you must be on the invited list - see below)
Maarten has led investigations of these targeted attacks since 2002. He forged relationships with various NGOs (non-governmental organizations) who shared information about these targeted attacks with him. He has been able to connect these attacks against various NGOs to a small number of attackers, and determined that the attacks originate from PRC nationals. During his research, he found that the same groups attack US government contractors and US government agencies. The talk will cover the methods used to launch the malware and infect targets, how the malware is controlled, how certain waves of attacks relate to current political events (e.g., Falun Gong, Tibet) and more. You'll need to be on the invited list. Email info@sans.org with subject "Is Troy Burning?" with the name(s), title(s) and organization of proposed attendees. If you are accepted, we'll send the exact time and place by return mail. SANSFire attendees will have a second, separate briefing by Maarten.
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Stolen Backup Tapes Recovered, Three People Arrested (June 3, 2008)
Three people have been arrested in connection with the theft of tapes containing personal information of 1.5 million University of Utah Hospital patients. More than 950,000 of the records include Social Security numbers (SSNs). The tapes have been recovered. The FBI is conducting an investigation to see if it can determine whether or not the data were accessed; both local law enforcement and hospital representatives believe it is unlikely. Nonetheless, many patients have expressed concern that their medical information could be disclosed or their driver's license numbers misused, and have joined two potential class-action lawsuits. The tapes were stolen from the car of a courier for Perpetual Storage, a company hired by the hospital. The courier violated company policy by leaving the tapes in his car.
-http://www.sltrib.com/news/ci_9765160
[Editor's Note (Ullrich): Interesting to see proof that backup tapes are actually targeted for theft, and don't just get lost in the mail. The reaction of the hospital is the by-now-predictable "oh... it's not that bad" dance. ]
Lawyer Gets Two Year Suspension for Breaking Into eMail Accounts (July 3, 2008)
Charleston, West Virginia attorney Michael P. Markins has been suspended from the state bar for two years for breaking into the email accounts of nine attorneys at another law firm. Markins, whose wife worked at the other firm, suspected she was having an affair with one of her clients. He accessed other attorneys' accounts out of curiosity. When he resumes his practice, Markins must be supervised for one year. He must also complete 12 hours of legal ethics education, and pay court costs of more than US $1,500.
-http://sundaygazettemail.com/News/200807020721
[Editor's Note (Ullrich): Is it just me, or does the punishment sound like a weak "slap on the wrist"?
(Northcutt): It is worth noting that Offutt, Fisher and Nord systematically used the attorneys' last names as their password. According to this story, Mrs. Markins got pregnant during this period and had twins, so I hope they can get their marriage back on track:
-http://www.herald-dispatch.com/homepage/x1985634761]
ACLU and EFF Sue US Justice Dept. for Cellphone Tracking Information (July 2, 2008)
The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have filed a lawsuit against the US Department of Justice under the Freedom of Information Act (FOIA) seeking records about the US government's use of cellphones as tracking devices. The ACLU and the EFF want to find out how frequently cellphones were used to track people's locations without first establishing probable cause. The ACLU filed a FOIA request with the Department of Justice in November 2007 seeking the information, but received an incomplete response. The ACLU's original request was prompted by a Washington Post article that revealed that federal agents were "asking courts to order cellphone companies to furnish real-time tracking data on individuals and that courts sometimes have ordered the data released without first requiring a showing of probable cause."
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/01/AR2008070102884_pf.html
-http://www.eweek.com/c/a/Security/DOJ-Sued-Over-Cell-Phone-Tracking-Practices/
-http://www.aclu.org/images/asset_upload_file864_35873.pdf
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Virgin Media Filesharing Warning Letters are Part of Education Campaign (July 3, 2008)
Virgin Media has sent letters to approximately 800 customers warning them against illegal content downloading. The letters are part of a cooperative campaign between Virgin and the BPI (British Phonographic Industry), the body that represents the British recorded music business. The BPI is pushing all UK ISPs to implement a three-strikes policy regarding illegal downloads. Users would receive two warnings and then have their Internet service disconnected if they continue to download pirated content. Virgin is the only ISP to respond positively to the suggestion and is adamant that the letters are part of an education campaign and do not constitute implementation of a three-strikes policy. Other ISPs have pointedly refused to cooperate. The BPI is considering taking ISPs that do not cooperate to court. Presently, the BPI monitors filesharing networks and identifies downloaders by their IP addresses. The BPI then notifies ISPs of the suspected illegal activity. There is no distinction made between individuals who download one file and those who download thousands.
-http://news.bbc.co.uk/2/hi/technology/7486743.stm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Issue Four Security Bulletins in July (July 3 & 4, 2008)
According to its Advance Notification website, Microsoft will release four security bulletins on Tuesday, July 8; all four have been given severity ratings of important. Two of the flaws could allow elevation of privilege, one could allow remote code execution, and the fourth could allow spoofing. Affected products include Microsoft Windows, Microsoft SQL Server and Microsoft Exchange Server. One of the updates affects Windows Vista. Some of the updates will require restarts.
-http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
-http://www.vnunet.com/vnunet/news/2220734/low-key-patch-tuesday-planned
-http://www.channelregister.co.uk/2008/07/04/ms_july_patch_tuesday_pre_alert/print.html
-http://www.pcpro.co.uk/news/210534/nothing-on-the-critical-list-for-patch-tuesday.html
[Editor's Note (Ullrich): Microsoft released an important bulletin yesterday (Monday 7-7). While not a patch, it is yet another ActiveX control users should enable via a killbit.
-http://www.microsoft.com/TechNet/security/advisory/955179.mspx
-http://isc1.sans.org/diary.html?storyid=4672]
Mozilla Updates Firefox 2.0, Announces End of Support for 2.x in December (July 2, 2008)
Mozilla has issued an update for Firefox 2.0 to address 13 security flaws. Five of the vulnerabilities fixed in Firefox 2.0.0.15 are rated critical. Of those, three can be exploited to execute malicious code; the other two could allow "crashes with evidence of memory corruption" and could lead to remote code execution exploits. Mozilla also noted that it will discontinue support for Firefox 2.x in mid-December 2008. Users are encouraged to upgrade to Firefox 3.0.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9106278&source=NLT_PM&nlid=8
Coreflood Trojan Exploits Admin Tool to Spread (July 2 & June 30, 2008)
The Coreflood Trojan horse program uses Microsoft's PsExec administration tool to spread through computer networks. The malware has infected hundreds of thousands of computers. Coreflood, also known as AFcore, steals sensitive information, including banking and brokerage account usernames and passwords; it has amassed a 50GB database of stolen information. This marks a change for Coreflood; previous versions were used to launch denial-of-service attacks.
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/02/Trojan_lurks_waiting_to_steal_admin_passwords_1.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Targeted Citibank ATMs in 7-Eleven Stores (July 3, 2008)
According to court documents from a banking computer system security breach case, attackers focused on the computers that approve ATM withdrawals to steal PIN numbers. The ATM machines in question are Citibank-branded and in 7-Eleven convenience stores, but belong to a company called Cardtronics, which also operates some of them; a company called Fiserv operates the others. While industry standards require that PINs and other sensitive financial information be protected with strong encryption, not all ATM operators have implemented that measure. The attacks targeted data in real-time transactions. There are approximately 5,700 Citibank-branded ATMs in 7-Eleven stores. Three people have been arrested in the case and have been charged with conspiracy and fraud. The attackers allegedly stole more than US $2 million.
-http://www.foxnews.com/story/0,2933,375484,00.html
-http://business.timesonline.co.uk/tol/business/money/consumer_affairs/article4259009.ece
Freedom Credit Union Issues New Debit Cards After Breach (July 2, 2008)
Freedom Credit Union in Springfield, Massachusetts has issued new debit cards and PINs to its customers following a data security breach. The card information may have been captured and used to commit fraud. The number of affected customers has not been disclosed.
-http://www.masslive.com/news/index.ssf/2008/07/freedom_credit_union_warns_cus.html?category=Business+category=Chicopee+category=Crime+category=Franklin%20County+category=Northampton+category=Springfield
NHS Manager Suspended After Laptop Stolen From Car (June 30, 2008)
A National Health Service hospital manager has been suspended following the theft of a work laptop computer from his car on June 18 in Edinburgh, Scotland. The computer holds unencrypted data belonging to more than 20,000 patients and includes names and medical information. The manager faces disciplinary action. Affected patients have been notified. An investigation is underway but no arrests have been made.
-http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php
[Editor's Note (Pescatore): There are a lot of things wrong here. It sounds good to say "Leaving unprotected personal information on laptop computers is against NHS guidelines," and it is easy to say "you shouldn't leave your laptop in a car." However, why give out laptops if people are not going to carry them around to get work done? If you do give employees laptops, you *know* they *are* going to download sensitive information and the laptops *are* going to be lost or stolen. If you pretend that is not true, please change the policy to say "We have provided you with laptops but leave them at work and don't use them."
(Veltsos): While NHS had a policy against storing unencrypted information on laptops, it obviously had not deployed encryption on all of its laptops. ]
STATISTICS, STUDIES & SURVEYS
McAfee Releases Results of Global SPAM Experiment (July 1 & 2, 2008)
McAfee has released findings from its Global SPAM Experiment (SPAM stands for Spammed Persistently All Month). The 50 participants from 10 different countries were each given a PC and an email account and expected to surf the web unprotected for one month to see what effect the activity would have on the level of spam each received. The volunteers were expected to respond to every spam email and click on all pop-ups. Volunteers received an average of 70 spam messages every day. US participants received the most spam - 23,233 messages in one month. The next highest rate was found in Brazil, where volunteers received a total of 15,856 messages in one month. Volunteers from France and Germany received fewer than 3,000 messages during the month.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=management&articleId=9106258&taxonomyId=14&intsrc=kc_feat
-http://news.bbc.co.uk/2/hi/technology/7482991.stm
-http://www.mcafee.com/us/about/press/corporate/2008/20080701_181015_c.html
MISCELLANEOUS
Google Caches Retain Stolen Data (July 7, 2008)
Stolen sensitive personal data, including financial account information, have been found to linger in Google caches for months even after the server holding the stolen information has been disabled. Cyber criminals collect information through keystroke loggers and store the data on servers. When the servers are discovered, they are taken down, but the Google pages are not unless specific requests are made. A Google spokesperson said that in general, the company does not remove cached information, but that it eventually disappears on its own after the original source is no longer accessible.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/07/BUHR11CK6Q.DTL&type=printable
[Editor's Note (Pescatore): Google does provide a lot of tools (assuming you have a Googlemail account) to remove content from their site, but the real issue is that the sensitive information was somewhere it shouldn't be - Google just found it. Google could surely do more proactive things like voluntarily "redacting" certain formatted information (like a Social Security Number or Tax ID number or credit card number) but that's a very slippery slope. Probably Google's best move would be to facilitate a process by which responsible parties (law enforcement, government, card companies) can facilitate getting the content flushed before a Googlebot would normally get back and see an error 404. ]
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/