SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #62
August 08, 2008
TOP OF THE NEWS
Appeals Court to Re-Examine Definition of Interception in Valence Media email Case
Consumer Reports Publishes State of the Net 2008
Groups Offer Tools for Olympic Games Travelers to Circumvent Chinese Internet Censoring
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK Passport Chips Easily Cloned
TSA Vendor Laptop Reported Stolen, Then Found
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Pretends to be Flash Player Update
Microsoft to Issue a Dozen Security Bulletins on Tuesday
Kaminsky Speaks About DNS Flaw
Oracle Issues Patch for WebLogic Vulnerability
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Forces Irish Banks to Reissue Credit Cards
Eleven Charged in Connection with Multiple Data Heists
Cypriot Jailed for Hacking Webcams, Attempting Extortion; Florida Man Arrested in Webcam Voyeur Case
MISCELLANEOUS
Cybercrime Gang Used Coreflood to Gather Huge Amounts of Financial Data
Snooping on Medical Files of the Famous Continues to be a Problem
************************ Sponsored By PacketMotion **********************
The NEW ComputerWorld Report on Security Blind Spots is Available!
We all know blind spots are bad for drivers but are you aware of how potentially disastrous they can be for IT security professionals? Click here to download this complimentary report, which includes the perspective from government and industry thought leaders.
http://www.sans.org/info/31553
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Appeals Court to Re-Examine Definition of Interception in Valence Media email Case (August 6, 2008)
A federal appeals court in California will decide whether to overturn a lower court decision that determined Rob Anderson did not violate the Wiretap Act; Anderson configured his former business associate's server to forward copies of corporate emails to his Google mail account. He then passed the information gathered from filesharing company Valence Media on to the Motion Picture Association of America (MPAA), which paid him US $15,000. At issue is the judicial definition of interception regarding electronic communication. Judge Florence-Marie Cooper wrote in her August 2007 decision that "Anderson's actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word 'intercept,' Anderson's acquisitions of the emails did not violate the Wiretap Act." The Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) have filed amicus briefs on behalf of the defendant in the case.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080503421_pf.html
[Editor's Note (Schultz): Judge Florence-Marie Cooper's interpretation of "interception" in this case is incredibly different from how most information security professionals would interpret this concept. It will thus be quite interesting to see how the appeals court will rule in this matter.
(Northcutt): Here is a more sensational version of the story, including the MPAA saying "we don't care how you get it" and Anderson having "a change of heart":
-http://news.cnet.com/Torrentspy-names-alleged-MPAA-hacker---page-2/2100-1030_3-6087146-2.html]
Consumer Reports Publishes State of the Net 2008 (September 2008)
According to Consumer Reports' State of the Net 2008 report, the odds of becoming a victim of cybercrime have dropped over the last year from one in four to one in six. Of the 2,071 online households polled for the study, 19 percent do not have antivirus software on their computers, 36 percent do not have antispyware software on their computers, and 75 percent do not use anti-phishing toolbars. While the incidence of spam, spyware and serious viruses has declined, phishing is on the rise, and threats overall are becoming more insidious. Consumer Reports has also compiled a list of the top security blunders Internet users make, including accessing accounts through email links, downloading free software, and assuming security software is protecting the computer while letting antivirus and antispyware subscriptions expire.
-http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/protect-yourself-online/state-of-the-net-2008/protect-yourself-online-state-of-the-net.htm
-http://www.consumerreports.org/cro/cu-press-room/pressroom/archive/2008/09/0809-eng0809olb.htm
Groups Offer Tools for Olympic Games Travelers to Circumvent Chinese Internet Censoring (August 5 & 7, 2008)
The Chaos Computer Club is making available USB sticks with technology that will allow visitors to China for the Olympics to circumvent Chinese Internet censorship measures. The sticks contain copies of the TorBrowser and Torprojects software and will be available only for the duration of the Olympic Games. Chaos has also set up a website where people can download the software. Another group, FoeBuD, is selling similar devices. TOR is a network of servers around the world that allows anonymization of data sent over the Internet. The Global Internet Freedom Consortium is also offering a package of tools to help Beijing Olympic visitors evade Chinese censorship.
-http://www.theregister.co.uk/2008/08/07/torbrowser_olympics/print.html
-http://www.guardian.co.uk/technology/2008/aug/07/censorship.hacking
-http://www.vnunet.com/vnunet/news/2223248/chinese-offered-tools-crack-firewall
[Editor's Note (Grefer): The website of The TOR Project is
-http://www.torproject.org/]
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK Passport Chips Easily Cloned (August 6, 2008)
Tests conducted for The Times found that the UK's new microchipped passports can be cloned in just minutes. The forged passports were not detected as such by Golden Reader, the software recommended for use in international airports. The microchips were designed with the intent of protecting the country from terrorism and organized crime. The findings also raise concerns about 3,000 blank passports that were stolen last week; officials said they posed no danger because passports could not be forged. The tests were conducted by a security researcher at the University of Amsterdam.
-http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
[Editor's Note (Pescatore): There is an old adage of the rope swing designed by committee ending up with the swingee slamming into the trunk of the tree. The designs of both the new passports and electronic voting machines have definitely followed that same sorry path. Both efforts seemed to have focused more on technology for technology's sake than for any increase in security, or even in maintaining prior levels of security. ]
TSA Vendor Laptop Reported Stolen, Then Found (August 5, 2008)
Earlier this week, the Transportation Security Administration (TSA) reported that a laptop containing unencrypted personally identifiable information of more than 33,000 people enrolled in the registered traveler program was missing. When it learned the laptop was missing, the TSA suspended registration in the program. The laptop was thought to be stolen from an office at San Francisco International Airport; the computer was later found in that same office. The laptop belongs to Verified Identity Pass Inc., a vendor for the program. The TSA says that Verified Identity Pass was not in compliance with TSA encryption requirements. Verified Identity Pass has been told to notify all affected individuals and to stop using unencrypted computers. The company is investigating whether the computer was stolen or just misplaced, but some have observed that the underlying problem is that the data on the machines were not encrypted.
-http://www.fcw.com/online/news/153393-1.html
-http://www.theregister.co.uk/2008/08/05/missing_laptop/print.html
-http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1
[Editor's Note (Pescatore): Lost or found: 33,000 times $80/year is about $2.6M per year in revenue and an 8% profit margin is about $211,000. Looks like there was probably room to put a $50 encryption program on the laptops. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Pretends to be Flash Player Update (August 6 & 8, 2008)
Malware masquerading as a Flash Player update has been spreading in several guises recently. There are reports that spam messages claim to offer a link to CNN Top 10 news stories, and MySpace and FaceBook messages purporting to offer links to interesting video clips tell users that to view the content, they must download a new version of Flash. However, instead of Flash, users' computers become infected with malware.
-http://blogs.pcmag.com/securitywatch/2008/08/facebook_worm_spreads_rapidly.php
-http://securecomputing.net.au/News/119041,faked-cnn-spam-blitz-pushes-fake-flash.aspx
[Editor's Note (Northcutt): All in all a fairly decent fake; this should be part of your organization's next awareness briefing. ]
Microsoft to Issue a Dozen Security Bulletins on Tuesday (August 7, 2008)
Microsoft will issue twelve security bulletins next week, according to the advance notification website. The updates will address critical flaws in Windows, Office, Internet Explorer and the media player that comes bundled with Vista. Seven of the bulletins in the scheduled monthly release have been given severity ratings of critical, while the remaining five have severity ratings of important. Each of the seven critical flaws could be exploited remotely; at least one of the flaws has already been exploited.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111965&intsrc=hm_list
-http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
Kaminsky Speaks About DNS Flaw (August 6 & 7, 2008)
Earlier this week, Dan Kaminsky spoke publicly about his discovery of a DNS vulnerability that has garnered much attention in the last few weeks. Speaking at the Black Hat conference in Las Vegas on August 6, Kaminsky said that while patches have been available for some time, only half of the DNS servers worldwide had applied patches. The flaw Kaminsky discovered allows attackers to redirect Internet communications (web, email, ftp, spam filter, updates, etc.) to any server they wish by changing the critical mapping between domain names and IP addresses. A majority of vendors have released patches to fix this DNS vulnerability, and companies worldwide should move quickly to patch their DNS servers. "Everything breaks when DNS breaks," said Kaminsky.
-http://news.bbc.co.uk/2/hi/technology/7546557.stm
-http://voices.washingtonpost.com/securityfix/2008/08/kaminsky_details_dns_flaw_at_b.html?nav=rss_blog
-http://news.smh.com.au/technology/major-internet-security-flaw-also-affects-email-20080806-3qsx.html
-http://www.theregister.co.uk/2008/08/06/kaminsky_black_hat/print.html
Oracle Issues Patch for WebLogic Vulnerability (August 7, 2008)
Oracle has issued an out-of-cycle patch for a vulnerability in WebLogic Server and WebLogic Express. The buffer overflow flaw could be exploited to crash or even inject code into vulnerable systems. Oracle normally issues security updates quarterly; news of this flaw emerged shortly after Oracle's scheduled July release. Users should apply the patch as soon as possible, as active exploits have been detected.
-http://www.theregister.co.uk/2008/08/07/oracle_weblogic_patch/print.html
-https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
[Editor's Note (Veltsos): The idea of patch cycles is as outdated as the idea that firewalls alone will keep you safe. As the security community has previously reported, hackers are using the time between patches to attack with new and as-yet-undiscovered (therefore unpatched) exploits. A quarterly patch cycle gives attackers an 89-day window to develop and deploy exploits. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Forces Irish Banks to Reissue Credit Cards (August 8, 2008)
Major banks in Ireland were forced to cancel hundreds of credit cards following a data security breach at a leading retailer. The breach was discovered when the thieves began testing the stolen account numbers by making small purchases. Irish Payment Service Organisation (IPSO) head of card services Una Dillon says the breach likely occurred at an Internet-based retailer.
-http://www.irishexaminer.com/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=69351-qqqx=1.asp
Eleven Charged in Connection with Multiple Data Heists (August 5 & 6, 2008)
Eleven people have been indicted in connection with the massive data theft from numerous retailers, including TJX, BJ's Wholesale Club, Barnes & Noble, DSW, Sports Authority, OfficeMax, Forever 21, Dave & Busters, and Boston Market. According to US Attorney General Michael Mukasey, the group allegedly found vulnerable computer networks with scanners, broke into the networks and installed sniffers to harvest the information, then sold it and in some cases used it themselves to commit fraud. The alleged ringleader, a US citizen named Albert Gonzalez, was working as an informant for the Secret Service while the scheme was unfolding; he had been arrested in 2003 for access device fraud. Three of the people charged are US citizens; the other eight are foreign nationals living abroad.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080501859_pf.html
-http://www.nytimes.com/2008/08/06/business/06theft.html?_r=1&hp=&adxnnl=1&adxnnlx&oref=slogin
-http://www.securityfocus.com/news/11530?ref=rss
-http://www.theregister.co.uk/2008/08/06/retail_hacking_ring_analysis/print.html
-http://www.usdoj.gov/opa/pr/2008/August/08-ag-689.html
Cypriot Jailed for Hacking Webcams, Attempting Extortion; Florida Man Arrested in Webcam Voyeur Case (August 5, 2008)
In Cyprus, a 47-year-old man has been given a four-year jail sentence for breaking into webcams to spy on teenage girls. The computers became infected with a Trojan horse program when users opened infected attachments. The man used the Trojan to obtain control of the webcams, and in at least one instance, took a picture of one of his victims. The man tried to blackmail the girl with the picture; the girl contacted police instead. He was arrested in 2005. In a separate story, a Florida man has been arrested for allegedly placing a program called Webcam Spy Hacker on a woman's computer; she had brought the machine to him to fix. Craig Feigin allegedly used the webcam in her computer to take pictures of her and then sent them to a web server. Feigin also allegedly installed the same program on the computers of seven or eight other women.
-http://www.theregister.co.uk/2008/08/05/webcam_hacker_jailed/print.html
-http://www.groundreport.com/Media_and_Tech/Marisel-Garcia-Caught-in-Webcam-Spy-Hacker-Craig-F
[Editor's Note (Northcutt): May be a bigger problem than a lot of people realize. Look at the GHDB online device page:
-http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=18
And it has been going on for a long time:
-http://media.barometer.orst.edu/media/storage/paper854/news/2002/11/26/News/Student.Punished.For.Webcam.Misuse-2294791.shtml]
MISCELLANEOUS
Cybercrime Gang Used Coreflood to Gather Huge Amounts of Financial Data (August 5, 6 & 7, 2008)
According to information gathered by SecureWorks director of malware research Joe Stewart, Russian cybercriminals using the Coreflood Trojan managed to amass more than 500 GB of sensitive data, including financial account numbers, user names and passwords. The attackers took advantage of Microsoft's PsExec to spread Coreflood from one infected PC to all Windows systems on the same network. Coreflood has been operating in one form or another since 2002; the server from which Stewart obtained the information had been in operation since 2005. The server was shut down earlier this year.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111960&source=rss_topic17
-http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html?nav=rss_blog
-http://www.gcn.com/online/vol1_no1/46837-1.html
-http://www.nytimes.com/2008/08/06/technology/06hack.html?_r=2&oref=slogin&pagewanted=print
[Editor's Comment (Northcutt): For Microsoft's introduction to PsExec, a tool designed to execute processes on remote systems, see:
-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx]
Snooping on Medical Files of the Famous Continues to be a Problem (August 5 & 6, 2008)
An unspecified number of Sparrow Hospital employees were disciplined or fired for attempting to view the computerized medical files of Michigan Governor Jennifer Granholm. Gov. Granholm was admitted to the hospital for surgery in late April. The breach was detected during a routine audit; Gov. Granholm has been notified of the incident. In a separate story, the number of UCLA Medical Center employees who improperly accessed patient files of celebrities was higher than the initial estimate. Between January 2004 and June 2006, the number of employees believed to have accessed celebrity files is 127, nearly double the prior figure. State regulators have chastised the hospital for not taking adequate measures to protect patient privacy. Proposed state legislation to penalize those who improperly access patient files would impose fines of US $1,000 to US $250,000 for individual healthcare workers and US $25,000 to US $250,000 for healthcare facilities for violations.
-http://www.freep.com/apps/pbcs.dll/article?AID=/20080806/NEWS06/308060008/1008
-http://www.latimes.com/features/health/medicine/la-me-health5-2008aug05,0,7987606,print.story
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/