SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #56
July 18, 2008
Fascinating news stories in this issue. Plus.. +For everyone, registration is now open for the annual Network Security Conference in Las Vegas. http://www.sans.org/info/29439 +And for DC area folks, there's a briefing next Thursday on the inside data of how the Chinese attacks work.
See http://www.sans.org/washington_troy/
Alan
TOP OF THE NEWS
Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours)Romanian Police Arrest 24 Cybercrime Suspects
More Privacy Offices Proposed Under New Bill
European Court to Hear Case on Swedish Surveillance Law
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSSpammer Gets 30 Months for Inundating AOL
Charges Against New Zealand Botmaster Dropped
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Information Assurance Certification Guidelines Issued by The DoD
POLICY & LEGISLATION
EU Commission Wants UK Government To Probe Targeted Advertising
U.K.'s ICO Fears Communications Database is "A Step Too Far"
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
PDF Vulnerability in Blackberry Enterprise Server.
Mozilla Patches Two Critical Firefox Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Rogue Employee Locks San Francisco's Network
Facebook Bug Exposes Members' Data
STATISTICS, STUDIES & SURVEYS
Structure of Cybercrime Gangs Revealed
Researchers Find Partially Encrypted Disks Leak Data
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFire 2008) http://www.sans.org/sansfire08
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours) (July 14, 2008)
Researchers at the Internet Storm Center estimate that it takes about four minutes for an unpatched Windows PC to be compromised once it connects to the Internet (if unprotected by a well-configured firewall). The survival time has consistently dropped over the past years due to the increasing number of worms and viruses and hackers using more and more automated attacking tools. However, a researcher with the German Honeypot Project claims the survival time is much higher than 4 minutes and in fact is nearer 16 hours. Either way, both researchers agree that systems that are not set up with a secure configuration, fully patched, and protected appropriately should not be connected to the Internet.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9109938&source=rss_topic17
-http://www.theregister.co.uk/2008/07/15/unpatched_pc_survival_drops/
[Editor' Note (Paller): Compromised PCs enable malicious access through VPNs to critical systems. This is why the secure configurations under the Federal Desktop Core Configuration are so valuable. Companies around the world are beginning to use them, because they make computers far harder to compromise and because it saves money and keeps you more secure through Microsoft testing patches for you. The patches can be installed immediately on all conforming systems without wasted patch testing time and cost. ]
Romanian Police Arrest 24 Cybercrime Suspects (July 16, 2008)
In a joint operation between the FBI and Romanian law enforcement, Romanian police conducted a number of raids in the cities of Bucharest, Ramnicu Valcea, Sibiu, Alexandria, Dragasani, and Hundeoara and arrested 24 people suspected of belonging to a cybercrime gang. The gang is believed to be involved in a number of online scams such as identity theft, credit card and auction fraud scams that netted approximately EUR 400,000 or (US $634,000). It is believed the gang targeted their victims on websites such as eBay, craigslist.com and Equine.com. The alleged leader of the gang, Romeo Chita, was arrested in a property owned by Romanian politician Dumitru Puzdrea, who denies all knowledge of the criminal activity.-http://www.pcworld.com/businesscenter/article/148519/romainian_authorities_arres
t_cybercrime_suspects.html?tk=rl_noinform
-http://www.theregister.co.uk/2008/07/17/romania_cybercrime_arrests/
-http://www.mediafax.ro/engleza/alleged-internet-fraud-network-leader-found-in-ro
manian-lawmaker-s-home.html?6966;2782723
More Privacy Ofices Proposed Under New Bill (July 15, 2008)
Privacy officers for each of the Homeland Security Department's components will be a requirement under a bill, H.R. 5170, which is currently under consideration in the House of Representatives. "The presence of a full-time Component Privacy Officer would ensure that privacy considerations are integrated into the decision-making process at all of the DHS Components," the measure's authors wrote. Of the nine components within the DHS, four of them have full-time privacy officers.-http://www.fcw.com/online/news/153141-1.html?topic=privacy
European Court to Hear Case on Swedish Surveillance Law (July 15, 2008)
The Swedish government will have to defend its introduction of a recent telecommunications surveillance law. An independent group, the Centrum for Rattvisa (CFR) or Justice Center, claims the bill violates Articles 8 and 13 of the European Convention on Human Rights. Article 8 guarantees European citizens the right to privacy, while Article 13 gives them the right to hold authorities accountable for violations of the human rights convention. The controversial law was narrowly voted in last month and allows Swedish security services to eavesdrop on all international calls into and out of Sweden. In response to the new law TeliaSonera, the Finnish-Swedish telecoms operator, has moved its servers from Sweden to Finland and Google is also considering a similar course of action.-http://www.thelocal.se/13052/20080715/
-http://www.theregister.co.uk/2008/07/17/echr_swedish_wiretap_law_review/
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Spammer Gets 30 Months for Inundating AOL (July 16, 2008)
A 27 year old New Yorker, Adam Vitale, has been sentenced to 30 months imprisonment after being convicted of sending spam to 1.2 million AOL members. Vitale was also ordered to pay compensation of $180,000 to AOL. Vitale and his accomplice, Todd Moeller, used open relay proxies and falsified email headers to bypass the AOL spam filters. Vitale and Moeller were arrested after they tried to sell their spam distribution list to a government informant.-http://www.cio.com/article/437918/Spammer_Gets_Months_for_Inundating_AOL
-http://www.theregister.co.uk/2008/07/16/aol_spam_sentencing/
Charges Against New Zealand Botmaster Dropped (July 15, 2008)
A judge in New Zealand dismissed charges against an 18 year old man, Owen Thor Walker , who had pleaded guilty for his part in an international cyber-crime network that stole over $20.4m from private bank accounts. Walker, who went by the online moniker of "Akill," was accused of writing a sophisticated Trojan which employed encryption techniques enabling it to bypass anti-virus software. New Zealand investigators claimed it was one of the "most advanced" programs they had seen. After both the prosecution and defense counsels pleaded for leniency so that Walker could work with the police in the future, Judge Judith Potter dismissed the charges against Walker. She did so as she believed a conviction could jeopardise a bright career and that Walker was a man with a potentially outstanding future in law enforcement.-http://www.theregister.co.uk/2008/07/15/nz_botmaster_escapes_conviction/
-http://www.vnunet.com/vnunet/news/2221717/kiwi-hacker-walks-free-court
-http://news.bbc.co.uk/2/hi/asia-pacific/7509052.stm
[Editor's Note (Skoudis): I'm deeply troubled by the logic of this decision. I personally think it opens the doors for more of this kind of crime. If we want to curb cyber attacks, we have to go in the opposite direction -- to make people realize that there are serious penalties for engaging in this behavior. Love letters from judges and prosecutors extolling the advanced technical skills and promising future of someone who abetted cyber crime don't help at all. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Information Assurance Certification Guidelines Issued by The DoD (July 17, 2008)
The U.S Department of Defense's "Information Assurance Workforce Improvement Program" details the industry standard certifications that technical and management personnel must attain if they are responsible for running a governmental organization's Information Assurance program. Some people feel that this is an important development as these requirements will also become de-facto standards for the private sector.-http://www.networkworld.com/newsletters/sec/2008/071408sec2.html?nladname=071708
securitystrategiesal&code=nlsecstrat149147
-http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
[Editor's Note (Pescatore): While these requirements will definitely spill over to those who contract with the DoD, the way the DoD does Information Assurance is very different, and not always better, than the way private industry firms do Information Security.]
POLICY & LEGISLATION
EU Commission Wants UK Government To Probe Targeted Advertising (July 16, 2008)
Viviane Reding, the European Union commissioner for information society and media, has warned the UK government that it needs to take actions to safeguard consumer privacy in relation to behavioral ad targeting technology such as that provided by Phorm. Phorm's technology can be used by Internet Service Providers to track end user activity on the Internet and place advertisements based on their online activity. Phorm already has agreements in place with some of the U.K.'s top ISPs such as the BT Group PLC (BT), Carphone Warehouse's (CPW.LN) Talk Talk and Virgin Media. In a letter to the U.K. government Ms Reding said "It is very clear in E.U. directives that unless someone specifically gives authorization (to track consumer activity on the Web) then you don't have the right to do that,". She went on to say that if the U.K. government didn't resolve the issue, the commission could take it to the European Court of Justice.-http://www.easybourse.com/bourse-actualite/marches/eu-commission-wants-uk-govern
ment-to-probe-targeted-488767
-http://www.theregister.co.uk/2008/07/16/eu_warns_uk_over_phorm/
U.K.'s ICO Fears Communications Database is "A Step Too Far" (July 15, 2008)
As the U.K.'s Information Commissioner Richard Thomas published his office's annual report, he has raised concerns that a central database to hold records of all phone and internet communications of U.K. citizens would be "a step too far for the British way of life". Currently under EU Data Retention legislation each ISP and telecommunications company in the U.K. holds their own individual database. Police and other security agencies have to apply for separate search warrants to access each database. It is thought a centralized database would provide better efficiencies in the fight against serious crime and terrorism. Mr. Thomas said the proposals to implement such a database under the upcoming Communications Data Bill should not proceed without proper public and parliamentary debate.-http://news.bbc.co.uk/2/hi/uk_news/politics/7507627.stm
-http://www.vnunet.com/computing/news/2221699/communcations-database-step-far
-http://www.heise.de/english/newsticker/news/112905
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
PDF Vulnerability in Blackberry Enterprise Server (July 16, 2008)
RIM, the makers of the Blackberry handheld devices, has issued an advisory warning of a critical vulnerability in the PDF Distiller component of the attachment service for Blackberry Enterprise Server. This service is used to prepare PDF email attachments for display on Blackberry handhelds. The vulnerability can be used to inject and execute code on the server and affects versions BlackBerry Enterprise Server 4.1 Service Pack 3 (4.1.3) to 4.1 Service Pack 5 (4.1.5) and BlackBerry Unite! prior to 1.0 Service Pack 1 (1.0.1) Bundle 36. Until a patch is released RIM are advising users of the Blackberry Enterprise Server to disable PDF processing in the Attachment Service.-http://news.zdnet.co.uk/security/0,1000000189,39448050,00.htm
-http://www.heise.de/english/newsticker/news/112904
-http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_P
ublic&command=show&forward=nonthreadedKC&kcId=KB15766
[Editor's Note (Skoudis): This flaw indicates a very promising attack vector for the bad guys -- exploiting servers that render documents on behalf of clients. It's an interesting twist -- using an exploit that is very similar to the multitude of client-side exploits today, but targeting a server's document-rendering code. Look for more of these kinds of flaws in the future, and not just in RIM's products. The hunt is on for more of this kind of issue, to be sure.
(Pescatore): There was a similar BES Attachment Services vulnerability with PNG files several years ago. While there do not seem to be active exploits out yet, since you can allow attachment viewing in general while disabling PDF viewing in particular, that is the prudent path until they patch. I hope RIM is thoroughly testing Attachment Services for other malformed file vulnerabilities and not just reacting to each new one reported. ]
Mozilla Patches Two Critical Firefox Flaws (July 17, 2008)
Mozilla has released patches to address two critical flaws in the Firefox browser. Firefox 2.0.0.16 and Firefox 3.0.1 address the "carpet bomb" threat to Windows users who had both the Apple Safari and Firefox installed on the same system. The other vulnerability addressed is in Firefox's CSSValue array data structure which could be exploited to force a crash and to run malicious code. Users of Firefox 2.0 were also reminded by Mozilla that support for that version of the browser will end in December of this year in line with its policy of only supporting older versions of software for six months after a major release.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9110199&source=NLT_AM&nlid=1
-http://www.heise.de/english/newsticker/news/112947
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Rogue Employee Locks San Francisco's Network (July 15, 2008)
San Francisco city officials are unable to access the city's computer network after a disgruntled computer engineer, 43 year old Terry Childs, reset all network administrator passwords. The network affected is the city's Fibre WAN network which contains about 60% of all network traffic for city officials. It is believed Childs took the action after a security assessment discovered evidence of tampering with the network resulting in the police investigating the case. Police have arrested Childs and he has been charged with four counts of alleged computer tampering on the network. Childs was previously convicted in 1982 for aggravated burglary and served five years probation.-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9110176&source=NLT_SEC&nlid=38
-http://www.vnunet.com/vnunet/news/2221855/san-francisco-government-locked
-http://news.zdnet.co.uk/security/0,1000000189,39448038,00.htm
[Editor's Note (Veltsos): Security staff should be closely scrutinized before, during, and after employment. A strong password policy would have required that network device passwords be changed after the firing of any staff member with those access credentials.
(Schultz): This incident serves as yet another an ugly reminder of the damage and disruption that one strategically placed individual can do in the world of computing. Too often system and network administrators, both of whom "own the keys to the shop" in IT environments, can do virtually anything without sufficient scrutiny. ]
Facebook Bug Exposes Members' Data (July 16, 2008)
A beta version of the Facebook website enabled the birth date of members to be viewed even if they had requested the information to be kept confidential. The problem was discovered over the weekend and Facebook has now fixed the problem. In a statement the company said "For a brief period of time, a small number of users were able to access a private beta of Facebook's new site design meant only for developers. During that time, some of those users had their birthdays revealed due to a bug."-http://www.vnunet.com/vnunet/news/2221777/facebook-exposes-members
-http://www.metro.co.uk/news/article.html?in_article_id=221076&in_page_id=34
-http://www.heise-online.co.uk/security/Facebook-fixes-data-leak--/news/111117
STATISTICS, STUDIES & SURVEYS
Structure of Cybercrime Gangs Revealed (July 17, 2008\)
In its recent Malicious Code Research Center (MCRC) report, Finjan Inc. provided details on how the world of cybercrime is changing. According to the report the days of individual groups of hackers dealing in stolen credit card details are over and are now being replaced by an organizational structure similar to that found in the business world. The report also highlights a sharp drop in the price for compromised financial details due to an overabundance of supply. Prices for bank account details with PIN numbers have dropped from $100 each to $10 or $20. The report notes that criminals are now moving to other types of stolen data such as medical records, business information and personnel files, which may prove to be more lucrative.-http://www.networkworld.com/news/2008/071508-researchers-trace-structure-of-cybe
rcrime.html?page=1
-http://www.scmagazineuk.com/Business-booms-for-organised-cybercriminals/article/
112499/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209100133
Researchers Find Partially Encrypted Disks Leak Data (July 15, 2008)
A joint research team consisting of members from the University of Washington and British Telecom, and which included Bruce Schneier, have discovered that applications such as Microsoft Word and Google Desktop can leave data exposed even when it is stored on a partially encrypted drive. Users employing full disk encryption do not face the same issue. The problem appears to be in the way certain applications temporarily stores files in non-encrypted parts of the disk making that data available for recovery with forensic tools. The problems were discovered when examining TrueCrypt's implementation of the 'Deniable File System' (DFS). The data leakage was discovered in version 5.1a of TrueCrypt and appears to be addressed in TrueCrypt 6.0.-http://www.cio.com/article/print/437919
-http://news.zdnet.co.uk/security/0,1000000189,39448526,00.htm
-http://www.heise-online.co.uk/security/Vista-Word-and-Google-Desktop-circumvent-
TrueCrypt-function--/news/111118
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/