SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #76

September 26, 2008

Registration just opened for the largest Washington DC security training program featuring DoD 8570 courses required for security certification and the new penetration testing courses that have won rave reviews. In all 16 six-day courses plus a dozen one- and two-day courses including the new "Secure Coding in .NET" course. December 10-16, 2008 http://www.sans.org/cdi08

---

TOP OF THE NEWS

ISPs Promise Not to Use Targeted Advertising Without Obtaining Explicit Consent from Users
Judge Grants New Trial in Jammie Thomas Music Sharing Case
Researchers Find Users Often Click Through Dialog Windows Without Reading

THE REST OF THE WEEK'S NEWS

COURT CASES & LEGAL ISSUES
No Charges in Palin eMail Hacking Case
ARRESTS, CHARGES & CONVICTIONS
Another Guilty Plea in TJX Case
Man Charged in Maserati Customer Database Hack (September 22 & 23, 2008)
SPAM, PHISHING & ONLINE SCAMS
Timberland and Partner to Pay Us $7 Million to Settle SMS Spam Case
UPDATES AND PATCHES
Cisco Issues a Dozen Security Advisories
Mozilla Updates Firefox
STUDIES AND STATISTICS
Study: Most Distributed Denial-of-Service Attacks Originate in US
MISCELLANEOUS
Upstream Provider Steps in to Save Intercage
Cyber War Games - You Are Invited

---

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

ISPs Promise Not to Use Targeted Advertising Without Obtaining Explicit Consent from Users (September 25, 2008)

Representatives from three of the four largest US Internet service providers (ISPs), Verizon, AT&T and Time Warner Cable, told the Senate Committee on Commerce, Science and Transportation that if they ever decide to use targeted advertising systems, they will provide details of their plans to their customers and require their explicit permission to participate in the programs. They also told the members of the panel that they want a chance to develop and establish best practices for targeted advertising systems and customer data collection before privacy legislation is considered. Thomas J. Tauke, executive VP of public affairs, policy and communications at Verizon added that a simple click-to-opt-in approach does not take the issue seriously enough. Many users are prone to clicking to agree with the measures without reading the details. Tauke said the process should be more comprehensive, making the details of the program clear, and also give them the option of withdrawing themselves from the program at a later date.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/09/25/AR2008092504135_
pf.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115612&source=rss_topic17
[Editor's Note (Pescatore): Taking the opt-in approach is definitely the way to go, with a few "are you sure?" clicks thrown in for good measure. Equally important, however, is how well the carriers will protect their storage of the customer data. ]

Judge Grants New Trial in Jammie Thomas Music Sharing Case (September 25, 2008)

A US federal judge in Minnesota has granted a new trial for Jammie Thomas, who was convicted last year of copyright infringement and fined US $220,000. US District Judge Michael Davis ruled that he had erred in his jury instructions in such a way as to have "substantially prejudiced" Thomas's rights. In his ruling, Judge Davis also urged US legislators to change copyright laws so people could not be fined excessively in similar cases. The issue is whether the plaintiffs have to prove that people downloaded the music Thomas had made available or if merely making the files available in and of itself constitutes copyright infringement. Davis said an earlier ruling set a precedent for having to prove downloading actually took place; he had told the jury that the need for proof was not necessary.
-http://news.smh.com.au/technology/judge-grants-new-trial-in-music-downloading-ca
se-20080925-4nle.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115621&source=rss_topic17

Researchers Find Users Often Click Through Dialog Windows Without Reading (September 23 & 25, 2008)

An experiment conducted by psychologists at North Carolina State University found that computer users often fail to distinguish fake Windows dialog boxes from legitimate ones. Sixty-three percent of the 42 students participating in the experiment clicked OK whenever a pop-up window appeared, ignoring anomalies that should have clued them in to the potential for malicious activity. The subjects appeared to view pop-up windows as hindering their intended activity; clicking the OK button is the virtual equivalent of brushing away flies.
-http://www.networkworld.com/news/2008/092508-computer-users-overeager-to-click.h
tml?hpg1=bn
-http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.ht
ml
[Editor's Note (Schultz): This research confirms the obvious, but it nevertheless significant in that it provides controlled, experimental data that shed some light on the magnitude of the problem of users clicking OK just to get rid of security related dialog boxes that pop up. ]

---

************************** Sponsored Links: ***************************

1) 2-Day Training Class Hosted by the FISMA Center FISMA 101: Certification & Accreditation Concepts November 13-14, 2008 Columbia, Maryland http://www.sans.org/info/33553
2) ALERT: Forrester Webcast: How Hackers Launch Web 2.0 Browser Exploits and Methods for Protecting your Users http://www.sans.org/info/33563

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

COURT CASES & LEGAL ISSUES

No Charges in Palin eMail Hacking Case (September 23 & 24, 2008)

A grand jury has failed to return charges against a Tennessee college student who has been implicated in the case of hacking Governor Sarah Palin's Yahoo! email account. It is unclear what prevented the jury from returning charges. It is possible that certain key evidence is not yet ready, or it could be a point of law, as the intruder looked at email that had already been opened.
-http://www.theregister.co.uk/2008/09/24/palin_hack_no_charges_yet/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=cybercrime_and_hacking&articleId=9115371&taxonomyId=82&ints
rc=kc_top

ARRESTS, CHARGES & CONVICTIONS

Another Guilty Plea in TJX Case (September 23 & 24, 2008)

A second man has pleaded guilty to charges stemming from the TJX data security breach case. Christopher Scott has pleaded guilty to computer hacking, access device fraud and identity theft charges. Under the terms of his plea bargain deal, Scott could face up to 22 years in prison and a fine of up to US $ 1 million. A statement from the US Attorney's office in Boston indicates that Scott specialized in breaking into wireless networks. Another man charged in the case, Damon Patrick Toey, pleaded guilty to four felony counts last week. The alleged mastermind of the scheme, Albert Gonzalez, could face life in prison if he is convicted; he has pleaded not guilty. Eight other suspects in the case have yet to enter their pleas.
-http://www.theregister.co.uk/2008/09/23/tjx_hack_suspect_guilty_plea/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115458&source=rss_topic17

Man Charged in Maserati Customer Database Hack (September 22 & 23, 2008)

A California man has been arraigned on a variety of charges, including extortion and illegally accessing a protected computer, for allegedly breaking into a Maserati North America website earlier this year, stealing customer data and threatening to divulge the security problems he exploited unless he received payment. Bruce Mengler has pleaded not guilty to the charges. Mengler allegedly used a program that guessed customer PINs; when the program was successful, he would allegedly log in to the site as that customer and obtain the associated information, most often a name and address.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115385&source=rss_topic17
-http://www.signonsandiego.com/news/northcounty/20080922-1725-bn22indict.html
[Editor's Note (Veltsos): In its privacy policy, Maserati North America claims "privacy to be of utmost importance and takes its responsibilities regarding the security of your personal information seriously." Yet, it decided that the best way to provide this assurance was through a weak authentication mechanism consisting solely of customer last name and PIN.
"You are required to have a unique PIN and a valid Last Name to access information (on) this Web site..."
-http://www.maseratiamerica.com/LegalNotice.aspx]


[Editor's Note (Veltsos): This story highlights how important the automatic lockout of an account after x number of failed attempts is.]

SPAM, PHISHING & ONLINE SCAMS

Timberland and Partner to Pay Us $7 Million to Settle SMS Spam Case (September 21 & 23, 2008)

Timberland, the outdoor gear company, and its partner GSI Commerce Inc. will pay US $7 million to settle a lawsuit brought on behalf of people who received unsolicited text messages advertising Timberland products. Unsolicited commercial text messages are illegal in the US under the Telephone Consumer Protection Act. The money will go into a fund to reimburse people who received the messages; in addition, US $200,000 will be given to a local charity. Timberland and GSI both maintain they are not at fault in the situation; a third party company was responsible for obtaining the consent of the people who received the message.
-http://news.idg.no/cw/art.cfm?id=7D463458-17A4-0F78-317F29F8A7231B04
-http://www.masshightech.com/stories/2008/09/22/daily19-Timberland-laces-up-7M-te
xt-spam-settlement.html
-http://www.theregister.co.uk/2008/09/23/timberland_sms_lawsuit_payout/

UPDATES AND PATCHES

Cisco Issues a Dozen Security Advisories (September 24 & 25, 2008)

Cisco has released a dozen security advisories to address flaws in its IOS software and Cisco Unified Communications Manager. The flaws could be exploited to gain access to sensitive data, gain control of vulnerable devices, interrupt voice services, crash systems, or create denial-of-service conditions, in most cases without the need for login credentials.
-http://www.theregister.co.uk/2008/09/25/cisco_patch_batch/print.html
-http://www.heise-online.co.uk/security/Cisco-cleans-up-Numerous-DoS-vulnerabilit
ies-in-IOS-resolved--/news/111604
-http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5078

Mozilla Updates Firefox (September 24, 2008)

Mozilla has released Firefox updates to address a dozen security flaws. All of the vulnerabilities affect Firefox 2.x; users are urged to upgrade to version 2.0.017 or manually upgrade to version 3. About half of the vulnerabilities affect Firefox 3.x; users should upgrade to version 3.0.2. The fixes will be automatically pushed to current users and will be apparent the next time the browser is restarted. Mozilla has rated four of the vulnerabilities as critical; they could be exploited to cause crashes with memory corruption, allow privilege escalation and arbitrary code execution.
-http://news.cnet.com/8301-1009_3-10049925-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Pescatore): Comment on the Cisco (the previous story) and Mozilla vulnerabilities, along with the ones Microsoft and Apple announced earlier this month: A lot of critical vulnerabilities exposed this month and a lot of "malformed input" vulnerabilities starting to show up, including ones in complex documents and audio streams. Looks like it is time for the software vendors to ratchet up the security focus in development life cycles to address these more complex vulnerabilities before products ship.
(Ullrich): Firefox 3.0.2 has a known issue if you store passwords with international characters in Firefox. If you use this feature, please wait until version 3.0.3 is released. It should be out shortly (maybe by the time you read this?). ]
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5081
-http://isc.sans.org/diary.html?storyid=5074

STUDIES AND STATISTICS

Study: Most Distributed Denial-of-Service Attacks Originate in US (September 22, 23 & 24, 2008)

According to statistics gathered by SecureWorks, the United States tops the list of the source of distributed denial-of-service attacks. The information is culled from data about attacks on Secure Works' customers so far this year. The figures indicate that 20.6 million attacks originated in the US; China follows with 7.7 million attacks. A SecureWorks researcher says the numbers demonstrate that the US and China have large numbers of compromised PCs that are being manipulated as part of botnets and observes that by not ensuring their PCs are secure, people are putting others at risk as well as themselves.
-http://www.gcn.com/online/vol1_no1/47200-1.html?topic=security
-http://www.theregister.co.uk/2008/09/23/us_based_cyber_attacks/
-http://www.securityfocus.com/brief/827

MISCELLANEOUS

Upstream Provider Steps in to Save Intercage (September 23 & 24, 2008)

Just days after the ISP Intercage lost its last upstream provider, another provider has stepped in to allow the controversial network provider to continue operations. Intercage has received considerable press about the amount of malware hosted on its network, causing its upstream suppliers to sever their business relationships with the company. Provider UnitedLayer has agreed to provide service to Intercage after the company severed ties with Esthost, a webhost believed to be responsible for much of the malware on Intercage's network. Intercage also plans to establish a system that allows users to submit complaints about malicious sites on its network. Pacific Internet Exchange (PIE), the last company that had been providing service to Intercage, dropped the company as a customer after Spamhaus placed blocks on of 1,000 of its IP addresses.
-http://www.theregister.co.uk/2008/09/24/intercage_back_online/
-http://www.pcworld.com/businesscenter/article/151437/controversial_isp_intercage
_now_back_online.html
[Editor's Note (Ullrich): It appears that Intercage is without upstream again as of this morning. ]

Cyber War Games - You Are Invited

Come see this year's Integrated Cyber Exercise II (ICE II) October 1-3 at SANS Network Security 2008 ICE II will feature Paul and Larry of pauldotcom.com in a Hacker throw-down to see who is the best network attacker and defender. Paul and Larry will each have a major network to defend while they also attack each other. The event is open to all SANS Las Vegas attendees. Players can pick a side, defend their own network, attack at will or view and snipe from a distance. This year's event will feature more hardware including VoIP and SCADA. Enhanced scoring visualization and 3D graphics and even a complete traffic generator to hide the attackers. Come hang out in the spectator room and be eligible for random prize drawings sponsored by ThinkGeek, AirScanner, Syngress, CACE Technologies and Lone Pine Embroidery. Watch as phones, servers, cameras and even our own power grid are attacked and defended across three nights of fun, education and mayhem. Fortinet will be providing complete IDS monitoring and reporting while Core Security and Immunity will be demonstrating in the Red Cell room.

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/