SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #60

August 01, 2008

TOP OF THE NEWS

Collaborative Blacklisting Significantly Improves Results
US Government Slow to Adopt Encryption on Mobile Devices
Nearly 4,000 Laptops Lost or Stolen in European Airports Every Week
IBM's Internet Security Systems X-Force Report

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
McKinnon Extradition Appeal Denied
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IRS Employee Pleads Guilty to Accessing Celebrity Files
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
MPAA Lawsuits Target Movie Streaming Sites
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
FBI Warns of "FBI vs. Facebook" Spam Spreading Storm Worm
Oracle Issues Out-of-Cycle Alert, Says it Will Issue Patch
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Attack May Have Compromised Univ. of Texas at Dallas Data
DNS Attack Affects BreakingPoint Server
MISCELLANEOUS
Olympic Journalists May Not Have Unfettered Internet Access in Beijing
PRC Offers Guide to Credit Monitoring Services

---

******** A Challenge/Gift for People Who have CEH Certifications *******

The new GPEN (GIAC Penetration Tester) Certification measures mastery of tools that are so up to date and measures pen testing skills so effectively that people who buy penetration testing have begun asking for it in potential pen testers. As a gift to the CEH community, SANS is offering free testing to 50 active CEH holders who want to demonstrate that their skills cover the most up to date set of tools and effective pen testing procedures, as well. The first 50 CEH's who ask will be allowed to take the exam at no cost. If you want to take the exam, email me (apaller@sans.org).

*************************************************************************

TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Collaborative Blacklisting Significantly Improves Effectiveness (July 31, 2008)

At the USENIX Security Conference this week in San Jose, researchers from SRI and the Internet Storm Center released the results of a test implementation of a new service, called Highly Predictive Blacklisting. Rather than relying on general shared lists or highly specific and personalized ones, HPB uses a link analysis algorithm similar to Google's PageRank to rank attackers based on an estimation of how dangerous the site is and how closely it is associated with other sites being attacked by the same attackers. Together the algorithm does a pretty good job of estimating the probability that the attacker will target a user's network in the future. Details of the new service are outlined in a paper that won Best Paper at the USENIX Security conference.
-http://www.securityfocus.com/brief/780
-http://www.usenix.org/events/sec08/tech/zhang.html
[Editor's Note (Ullrich): DShield will allow you to generate these blacklists. All submitters are able to retrieve "HPB" s for their account. (
-http://isc.sans.org/howto.html).
dShield participation is a free service of the SANS Institute.
(Paller): For more than a decade, governments have been searching for a way to get companies to share cyber security data. The project described in this paper may provide the first good answer to that question, because no organization can gain the benefit of improved blacklisting unless they share the attack data their site is experiencing. Thousands of sites are already participating in the collaborative data project at the Internet Storm Center resulting in some of the best data available anywhere (see the "Top 10 Rising Ports" and "World Map" of the sources of attacks at
-http://isc.sans.org),
but this new project could make Storm Center data even more useful and the participants much better protected than those who do not participate. ]

US Government Slow to Adopt Encryption on Mobile Devices (July 29, 2008)

According to a report from the Government Accountability Office (GAO), just 30 percent of mobile devices at 24 federal agencies are encrypted. The GAO's report recommends that the Office of Management and Budget (OMB) "clarify governmentwide encryption policy," particularly what types of data need to be encrypted. There is no federal law that specifically requires encryption to protect data, but has OMB recommended that agencies use it and required that computers and other devices containing sensitive data be encrypted.
-http://www.gcn.com/online/vol1_no1/46758-1.html?topic=security&CMP=OTC-RSS
-http://www.gcn.com/newspics/GAOencrypt_06-27-2008.pdf
-http://www.fcw.com/online/news/153305-1.html?topic=security
-http://www.securityfocus.com/brief/784
-http://www.pcworld.com/businesscenter/article/149080/most_sensitive_data_on_gove
rnment_laptops_unencrypted.html

Nearly 4,000 Laptops Lost or Stolen in European Airports Every Week (July 29, 30 & 31, 2008)

Research conducted by the Ponemon Institute on behalf of Dell found that nearly 4,000 laptop computers are lost or stolen every week in major European airports. The airports reporting the largest number of missing laptops are London Heathrow, Amsterdam Schiphol, and Paris Charles De Gaulle. The study gathered information about airports in the entire EMEA (Europe, Middle East, Africa) region. Nearly 60 percent of machines missing in the EMEA region's eight largest airports are never reclaimed. Forty-two percent of business travelers in the EMEA region say they have not backed up company data on their laptops, and 55 percent have not safeguarded the data from access by unauthorized users should their devices get lost or stolen. A similar study of business travelers in US airports found that 12,000 laptops a week are lost or stolen in US airports.
-http://www.siliconrepublic.com/news/article/11124/cio/missing-4-000-laptops-a-we
ek-in-european-airports
-http://www.vnunet.com/vnunet/news/2223012/eu-travellers-losing-laptops-airports
-http://www.finfacts.com/irishfinancenews/article_1014326.shtml
[Editor's Note (Schultz): These are truly dismal, although entirely believable findings. At a minimum, organizations need to beef up their information security awareness efforts to help employees become more aware of risks associated with lost or stolen laptops and what to do to help prevent laptops from being lost or stolen. ]

IBM's Internet Security Systems X-Force Report (July 29, 30 & 31, 2008)

Cyber attackers are closing the lag time between vulnerability disclosures and actively exploiting the flaws - less than 24 hours in many cases. This means that fewer people will even be aware of the vulnerability, let alone have taken action to mitigate the risk of exploit. Attack code was available for 94 percent of disclosed flaws in web browsers less than 24 hours after their disclosure. The figure for PC vulnerability exploits released within 24 hours of disclosure is 80 percent. The statistics come from IBM Corp.'s Internet Security Systems X-Force report, which examined cyber attack events during the first half of 2008. The report states that attackers are less often searching for vulnerabilities on their own, and more often are using automated tools to exploit disclosed vulnerabilities, so the work is in essence being done for them. The report takes researchers to task for releasing information about vulnerabilities in a way that makes it easier for attackers to exploit them.
-http://news.smh.com.au/technology/online-threats-materializing-faster-study-show
s-20080729-3mhx.html
-http://www.theregister.co.uk/2008/07/29/x_force_threat_report/print.html
-http://www.vnunet.com/vnunet/news/2222896/security-researchers-aiding-crooks
-http://www.zdnetasia.com/news/security/0,39044215,62044358,00.htm
[Editor's Note (Northcutt): The report is worth reading! The biggest eye opener for me is the increase in medium level vulnerabilities:
-http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-repor
t-2008.pdf
(Honan): This report highlights that you can no longer depend on your patching processes to keep you secure. You need to look at other areas such as enhancing permitter security, security awareness training and ensuring you are monitoring logs for suspicious activity. It should also serve to remind you to review your incident response plan as the likelihood of your systems being compromised is higher given the speed at which exploit code is being published combined with the automated tools attackers are using. ]

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

McKinnon Extradition Appeal Denied (July 30 & 31, 2008)

The UK Law Lords have voted to allow Gary McKinnon's extradition to the US to face hacking charges. McKinnon admits to having infiltrated computer systems at NASA, The Pentagon and other US government agencies, but maintains he was searching for information on UFOs; the US government says McKinnon caused hundreds of thousands of dollars worth of damage. McKinnon rejected initial plea deals from US authorities, which would have had him serving most of his sentence in the UK. McKinnon's lawyers are opposed to the extradition because they say he could be treated like a terrorist and that he could face up to 60 years in prison. Having lost the appeal to the Law Lords, McKinnon's attorney says the case will be taken to the European Court of Human Rights.
-http://www.guardian.co.uk/technology/2008/jul/30/gary.mckinnon?gusrc=rss&fee
d=networkfront
-http://www.out-law.com/page-9311
-http://news.bbc.co.uk/2/hi/uk_news/7532713.stm
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073000758_
pf.html
-http://www.heise.de/english/newsticker/news/113593
-http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

IRS Employee Pleads Guilty to Accessing Celebrity Files (July 28, 2008)

US Internal Revenue Service (IRS) employee John Snyder has pleaded guilty to snooping into tax files of celebrities. Snyder is believed to have accessed the accounts of nearly 200 well-known individuals since 2003. Snyder worked with business accounts and was not supposed to access individuals' files. He faces up to one year in jail and a fine of US $250,000 when he is sentenced on August 20.
-http://www.upi.com/Top_News/2008/07/28/Man_pleads_to_snooping_in_tax_records/UPI
-62491217290237/
[Editor's Note (Northcutt): The IRS is to be commended. They have researched over 4k potential snooping events. This is going to improve deterrence. By the way, Mr. Snyder is a well known author on baseball and has published 17 books. Is it just me, or does he bear a resemblance to Saddam H? Here is a related story below with a photo:
-http://news.cincinnati.com/apps/pbcs.dll/article?AID=/20080729/NEWS0103/80729035
0/0/NEWS0103]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

MPAA Lawsuits Target Movie Streaming Sites (July 29 & 30, 2008)

The Motion Picture Association of America (MPAA) has sued two websites for allegedly streaming movies free-of-charge, including some new releases, such as the new Batman movie, The Dark Knight. One of the sites, FOMDB.com, was no longer available as of Wednesday, but the other, MovieRumor.com, was still showing pirated films. The MPAA's lawsuits allege the sites violated movie studios' copyrights; they seek damages and ask that the court order the sites to shut down.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209900532
-http://news.cnet.com/8301-1023_3-10001721-93.html
[Editor's Note (Northcutt): As part of my research for NewsBites I went to MovieRumor to determine whether it was still possible to download Dark Knight. The web page says "this account has been suspended" ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

FBI Warns of "FBI vs. Facebook" Spam Spreading Storm Worm (July 30, 2008)

The FBI and the Internet Crime Complaint Center (IC3) have both issued warnings about a new batch of spam emails that are trying to spread the Storm worm. The emails have "FBI vs. Facebook" in the subject line and ask recipients to click on a link that purports to be a story about the FBI and Facebook, but which actually downloads malware onto their computers and makes them part of the Storm worm botnet.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9111094&source=NLT_PM&nlid=8
-http://news.cnet.com/8301-1009_3-10002760-83.html
-http://www.stripes.com/article.asp?section=104&article=56497
-http://www.fbi.gov/pressrel/pressrel08/stormworm073008.htm

Oracle Issues Out-of-Cycle Alert, Says it Will Issue Patch (July 29 & 30, 2008)

Oracle has released an out-of-cycle security alert for a buffer overflow flaw in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server, which used to be known as BEA WebLogic server. The vulnerability could be exploited remotely without authentication. A fix is not yet available, but Oracle offers two workarounds users can employ to protect vulnerable machines until a patch is available. Attack code for the vulnerability was released just days after Oracle's scheduled quarterly security release in mid-July.
-http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209900007
-http://www.theregister.co.uk/2008/07/29/oracle_unpatched_weblogic_flaw/print.htm
l
-http://www.gcn.com/online/vol1_no1/46764-1.html?topic=security&CMP=OTC-RSS

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Attack May Have Compromised Univ. of Texas at Dallas Data (July 31, 2008)

A cyber attack on the computer network at the University of Texas at Dallas may have compromised personally identifiable information of as many as 9,100 people. The attack was discovered in mid-July. The potentially compromised data include Social Security numbers (SSNs), names, addresses and email addresses. The campus is notifying those affected by the breach: 8,298 former students or graduates and 804 faculty and staff members.
-http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/080108dnmetUTD
.1f0bd372.html
[Editor's Note (Veltsos): While many universities across the US have stopped using Social Security Numbers (SSNs) as identifiers, SSNs can still be found in many instances of databases and spreadsheets stored by various departments and business units. Academic institutions should engage in broad information security assessments to locate and either secure or destroy what non-IT staff often refer to as "shadow databases. ]

DNS Attack Affects BreakingPoint Server (July 30 & 31, 2008)

A server at BreakingPointSystems was redirecting users to phony websites because of a DNS cache-poisoning attack on a local Internet service provider (ISP). BreakingPoint researcher HD Moore's Metasploit Project was the first to release an exploit for the widely publicized Kaminksy DNS flaw. The attack caused BreakingPoint employees' machines to be redirected from Google.com to a phony Google page running advertisements. Moore pointed out that it was the ISP, not the company, that suffered the attack and that no systems or data were compromised.
-http://www.vnunet.com/vnunet/news/2222925/dns-exploit-comes-back
[Editor's Comment (Ullrich): This attack shows how we depend on infrastructure we do not control.
(Northcutt): Several blogs/web articles claim that HD Moore himself was a victim of the DNS exploit; I do not believe it. I do believe this illustrates the danger of talking with reporters, Infoworld URL was still active at the time I posted this:
-http://www.infoworld.com/article/08/07/30/DNS_attack_writer_a_victim_of_his_own_
creation_1.html
-http://valleywag.com/5031005/dns-hack-author-gets-dns-hacked
-http://www.genwi.com/read/6913656]

MISCELLANEOUS

Olympic Journalists May Not Have Unfettered Internet Access in Beijing (July 30 & 31, 2008)

The International Olympic Committee (IOC) has acknowledged that it accepted a deal with Chinese officials that will have foreign journalists unable to access certain Internet sites during the summer games in August. Earlier, China had promised to allow journalists to "report freely" while they are in Beijing. However, when the Olympic Village press center opened last week, reporters have found they are unable to access "Web sites carrying content that the Chinese propaganda authorities deemed harmful to national security and social stability." The Internet restrictions are similar to those imposed on Chinese citizens. In an apparent show of good faith, the Chinese language BBC website has been unblocked in China, although some are concerned that it will be blocked again once the Olympic Games are over. China unblocked the English language BBC website in March.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9111159&source=rss_topic17
-http://www.nytimes.com/2008/07/31/sports/olympics/31china.html?hp=&pagewante
d=print
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073000747_
pf.html
-http://news.bbc.co.uk/2/hi/asia-pacific/7535280.stm

PRC Offers Guide to Credit Monitoring Services (July 28, 2008)

In the interest of the growing industry offering credit monitoring and protection, The Privacy Rights Clearinghouse (PRC) has published an online guide called "Straight Talk About Identity Theft Monitoring Services." The various services offered on the open market "vary tremendously," and many of the services offered by the companies can be had at little or no cost to savvy consumers. The guide describes what types of identity theft are and are not covered by monitoring services and lists steps consumers can take on their own to protect their identities and credit. It also offers a list of what to look for in a credit monitoring service.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9111019
-http://www.privacyrights.org/fs/fs33-CreditMonitoring.htm

---

*************************************

The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).



John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.



Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.



Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.



Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.



Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.



Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.



Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.



Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.



Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.



Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.



Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.



Alan Paller is director of research at the SANS Institute



Clint Kreitner is the founding President and CEO of The Center for Internet Security.



Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.



Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.



Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.



Brian Honan is an independent security consultant based in Dublin, Ireland.



Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.



Roland Grefer is an independent consultant based in Clearwater, Florida.



Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/