SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #81

October 14, 2008

If you use *any* tools to help with compliance with PCI, FISMA, SOX, FDCC or other laws/regulations, check out the last story of this issue about "What Works in Compliance Tools."
Early results from the new 2008 security professional salary survey seem to be illuminating the coming changes in valuation of various cyber security jobs. The only way to get access to the information is to participate in the survey. This is not your typical salary survey. In addition to measuring and comparing salaries, we are taking a deeper look at the value of education and certification as well as geographic location, industry, and years of experience. Try to complete it today (takes 15 minutes or less) at http://survey.sans.org/survey"
Alan

---

TOP OF THE NEWS

New Anti-Piracy Law Imposes Stronger Penalties
World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year
Allegations of Wiretapping Improprieties at NSA Facility
Bugged Chip-and-Pin Machines Stealing Payment Card Data

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Man Behind CastleCops DDoS Attack Draws Two-Year Sentence
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
TIGTA Report Finds Lack of Management Control on Some Computer Systems
SPAM, PHISHING & ONLINE SCAMS
Malware-Laden Spam Pretends to be Windows Security Update
ACTIVE EXPLOITS, WORMS & VIRUSES
Proof-of-Concept Code Released for Windows Privilege Elevation Flaw
DATA LOSS & EXPOSURE
Stolen Laptop Holds Pension Data
STUDIES AND STATISTICS
NRI Secure Technologies (Japan) Web Application Security Assessment Trend Analysis Report
Consumer Reports Online Security Guide
MISCELLANEOUS
Microsoft to Introduce Two Security Enhancements on October 14
What Works In Security Compliance Tools?

---

************************* Sponsored By CA *******************************

How can your organization utilize identity management technologies to cost-effectively manage and control user identities and demonstrate security compliance? Information provided in this IDC whitepaper can be used to guide your efforts on how to optimize and improve identity management deployments to make them more efficient. Learn more at http://www.sans.org/info/34203">http://www.sans.org/info/34203

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

New Anti-Piracy Law Imposes Stronger Penalties (October 13, 2008)

US President George W. Bush has signed into law the Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP), which imposes more stringent penalties on people convicted of music and movie piracy. The bill creates an executive-level position, Intellectual Property Enforcement Coordinator, who will advise the White House on protecting both domestic and international IP. The law has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) as well as of the US Chamber of Commerce. The US Justice Department opposed the creation of the IP czar, saying such a position would undermine its authority.
-http://uk.reuters.com/article/technologyNews/idUKTRE49C7EI20081013
-http://news.cnet.com/8301-13578_3-10064527-38.html
-http://www.pcmag.com/article2/0,2817,2332432,00.asp

World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year (October 10 & 12, 2008)

The World Bank Group's computer network has reportedly come under attack at least half a dozen times since the middle of 2007. At least 18 servers were compromised. A World Bank spokesperson said "that at no point in time was any sensitive information accessed." However, it is nearly impossible to determine whether data were stolen, and attackers are known to install malware that collects sensitive information and seeks out other vulnerable computers on the network. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5161
-http://www.foxnews.com/story/0,2933,435681,00.html
-http://news.cnet.com/8301-1009_3-10063522-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116933&source=rss_topic17
-http://www.usatoday.com/money/industries/banking/2008-10-12-world-bank-hackers_N
.htm?csp=34
The World Bank says the problem is not as great as press reports imply:
-http://www.theregister.co.uk/2008/10/13/world_bank_hack_attack/
-http://www.vnunet.com/vnunet/news/2228040/hackers-aim-world-bank
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=211100222

Allegations of Wiretapping Improprieties at NSA Facility (October 10, 2008)

Three former workers at the National Security Agency (NSA)'s wiretapping facility at Fort Gordon, Georgia between 2001 and 2007 have alleged that US spies listened to personal conversations of Americans living abroad and on occasion, shared the conversations they heard with each other. The employees say there was scant supervision and conflicting instructions regarding expectations. Senate intelligence committee Senator John D. Rockefeller IV (D-W.Va.) says his staff is gathering more information about the allegations and may hold hearings.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/10/09/AR2008100902953_
pf.html
-http://blog.wired.com/27bstroke6/2008/10/kinne.html
[Editor's Note (Pescatore): This type of thing always goes in cycles. The abuses of the McCarthy and Nixon eras in the US lead to privacy laws and clear limitation of the intelligence agencies' domestic charter in the 1970s. As a 21 year old new hire at NSA in 1978, I got called on the carpet and reprimanded for tuning a lab receiver across domestic mobile phone frequencies to test a piece of gear - there was strong supervision and very clear instructions. The pressure swung too far in that direction and lead to intelligence failures that enabled events like the terrorist attacks of 2001. Now things have swung too far the other way and it is time to correct again.]

Bugged Chip-and-Pin Machines Stealing Payment Card Data (October 10 & 11, 2008)

Crime syndicates with members in China and Pakistan have managed to place devices in chip-and-pin machines that steal payment card data. The devices were planted in the machines before they were sent from China to stores in England, Ireland, Denmark, Belgium and the Netherlands. The stolen information was sent over mobile phone networks to people in Pakistan who then used the cards to make fraudulent purchases and withdrawals. The simplest way of determining if a given machine has data stealing capabilities is to weigh it; the devices add several ounces to each of the machines. The attack has been going on for nine months; losses are estimated to be between US $50 million and US $100 million, but could ultimately be higher.
-http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and
-pin-scam-has-netted-millions-from-British-shoppers.html

-http://online.wsj.com/article/SB122366999999723871.html

[Editor's Note (Veltsos): The FBI has also been investigating instances of counterfeit networking and computer gear having been sold to the Department of Defense. The threat posed by outsourced electronic parts is real.
-http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm
-http://www.businessweek.com/magazine/content/08_41/b4103038201037.htm]

---

************************* SPONSORED LINK ******************************

1) Cisco IT Security Forum Learn about data leakage, PCI compliance, identity theft, botnets, crimeware, security trends, and more. Register Today http://www.sans.org/info/34208

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Man Behind CastleCops DDoS Attack Draws Two-Year Sentence (October 8 & 13, 2008)

Gregory King has been sentenced to two years in prison and ordered to pay more than US $69,000 in restitution for launching distributed denial-of-service (DDoS) attacks against the CastleCops and KillaNet technologies websites. The attacks took place in early 2007 and caused an estimated US $70,000 in damage. King admitted to the attacks in June. He had faced a maximum sentence of 20 years in prison and a fine of half-a-million dollars, but prosecutors agreed to a reduced sentence in exchange for guilty pleas to two felony counts of transmitting code to cause damage to protected computers.
-http://www.theregister.co.uk/2008/10/13/castlecops_attacker_sentenced/
-http://www.centralvalleybusinesstimes.com/stories/001/?ID=10031
[Editor's Note (Northcutt): Curiously, I was trying to access
-http://www.castlecops.com/CLSID.html
several times today and timed out each time, wonder if there is any correlation between the two events. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

TIGTA Report Finds Lack of Management Control on Some Computer Systems (October 9, 2008)

According to a report from the Treasury Inspector General for Tax Administration (TIGTA), three computer systems at the US Internal Revenue Service (IRS) Office of Research, Analysis and Statistics lack adequate access management controls. The IRS's security policies were found to be adequate, but enforcement needs improvement. The report found there to be insufficient guidance and compliance oversight of IRS security policies; in addition, no vulnerability scanning software had been deployed. Eleven percent of employees on the systems reviewed were permitted access without required authorization from managers; systems were not configured to disable inactive accounts.
-http://www.nextgov.com/nextgov/ng_20081009_3974.php
-http://www.treas.gov/tigta/auditreports/2008reports/200820176fr.pdf

SPAM, PHISHING & ONLINE SCAMS

Malware-Laden Spam Pretends to be Windows Security Update (October 11, 2008)

New spam messages are spreading, purporting to contain "an experimental private version of an update for all Microsoft Windows OS users." While there is nothing new about malware spreading in the guise of security updates, the fact that these messages are arriving just as Microsoft is scheduled to release its October update makes it more likely that the attackers will have a greater level of success. The executable file attached to the message infects users' computers with malware. The spam offers several clues that it is not legitimate; the grammar is dodgy and the message claims that the update addresses versions of Windows that are no longer supported and for which patches would not therefore be issued. Microsoft never sends security updates as email attachments.
-http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch
[Editor's Note (Ullrich): An interesting feature of this e-mail is the use of a fake PGP signature. The signature block is actually just random data, but it is supposed to provide the e-mail with more credibility. (Skoudis): It's also interesting that the bad guys continue to have massive grammar problems in their phishing schemes. Some of their prose is almost comical. Perhaps someday we'll see organized cyber crime rings employing in-house grammarians to clean up their wording before they foist it on unsuspecting users.
(Pescatore): this is another data point why "private patches" (patches that come from other than the software vendor) are a very bad idea. ]

ACTIVE EXPLOITS, WORMS & VIRUSES

Proof-of-Concept Code Released for Windows Privilege Elevation Flaw (October 10, 2008)

Proof-of-concept exploit code for a privilege elevation vulnerability in Windows XP, Vista, Server 2003 and Server 2008 has been published. The person who disclosed the flaw earlier this year has now published the exploit code because he feels that six months is long enough to have had time to create a fix for the problem. The flaw was first noted back in March, when Microsoft initially dismissed it as a "design flaw." The company later agreed that it was a bona fide security problem. It is not known if the flaw will be addressed in this month's Microsoft security update, which is scheduled to be released on Tuesday, October 14.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116924&source=rss_topic17
-http://www.microsoft.com/technet/security/advisory/951306.mspx

DATA LOSS & EXPOSURE

Stolen Laptop Holds Pension Data (October 10 & 13, 2008)

Deloitte has acknowledged that a laptop stolen from an employee's bag contains personally identifiable information of more than 150,000 pension holders. The data include names, National insurance numbers and salaries, but not bank data or addresses. A notice from Deloitte says that the security measures implemented on the laptop include encryption.
-http://www.theregister.co.uk/2008/10/13/deloitte_data_loss_vodafone/
-http://news.bbc.co.uk/2/hi/uk_news/7664274.stm

STUDIES AND STATISTICS

NRI Secure Technologies (Japan) Web Application Security Assessment Trend Analysis Report

A security assessment survey of 169 websites conducted by Japan's leading cyber security consulting organization, NRI Secure Technologies, Ltd., during the 2007 fiscal year found that 41 percent of the sites had critical security flaws that could allow access to sensitive information. An additional 30 percent of the sites were found to have vulnerabilities that could lead to information leaks. The majority of vulnerabilities in websites were found to be due to "incomplete measures," in which security measures have been applied to some extent, but not broadly enough to prevent access to sensitive data.
-http://www.nri-secure.co.jp/news/2008/1010_report.html
[Editor's Note (Skoudis): This report offers great insights into the problems we face with web security. In particular, it makes it clear that, from a defensive perspective, we aren't getting any better. And, as the bad guys ramp up their attack skills and techniques, we are in fact falling behind, relatively speaking (i.e., with a constant level of vulnerabilities and steadily increasing threat, our relative risk rises). The remaining prevalence of XSS attacks is particularly disheartening, as this vector offers attackers major opportunities for controlling victim's browsers to undermine applications.
(Pescatore): This is a fairly optimistic view, probably because the survey was skewed towards financial companies and overall security in Japan tends to be higher in general. Most similar studies show more like 75% of sites have critical security flaws. One factoid they did state, which mirrors what I see a lot, is that web sites that have never had a vulnerability assessment are four times more likely to have a critical flaw than those that had assessments. Seems simple but I'm always surprised to find how many businesses do not regularly check their web sites for vulnerabilities - even if you are sure you locked the doors, rattling the door knobs to be sure is a very good idea. ]

Consumer Reports Online Security Guide

This consumer education guide to making online experiences safe includes information about auction scams, spam, viruses, spyware, phishing, ID theft and a special section regarding keeping children safe online. There are also ratings for security suites and antiphishing toolbars, an interactive phishing quiz, and videos about cell phone spam, phishing and methods CR uses to test the security suites.
-http://www.consumerreports.org/cro/electronics-computers/resource-center/cyber-i
nsecurity/cyber-insecurity-hub.htm
[Editors' Note (Veltsos and Paller): Year after year, Consumer Reports is one of the best all-in-one resources for home users and end users; it provides clear and simple advice and remains vendor neutral. ]

MISCELLANEOUS

Microsoft to Introduce Two Security Enhancements on October 14 (October 9 & 13, 2008)

Along with its anticipated 11 security bulletins, Microsoft will introduce a new feature and a new program on Tuesday, October 14. The "Exploitability Index" is a three-step scale that will accompany each flaw addressed; the added information is intended to help users and administrators prioritize the patches. The scale's levels are Consistent Exploit Code Likely; Inconsistent Exploit Code Likely; and Functioning Exploit Code Unlikely. Microsoft will also launch the Microsoft Active Protections Program (MAPP) which will allow vendors advance knowledge of flaws that will be patched each month.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9117018&source=rss_topic17
-http://www.networkworld.com/news/2008/100908-11-microsoft-security-updates-due.h
tml?hpg1=bn
-http://blogs.technet.com/msrc/archive/2008/10/09/october-2008-advanced-notificat
ion.aspx
[Editor's Note (Skoudis): This additional information from Microsoft looks very promising. Sure, bad guys may use it to determine where to focus their efforts in creating exploits. However, the bad guys can figure that out on their own pretty well now anyway. On balance, I believe this information will be more useful to organizations in prioritizing fixes than it will be to bad guys in prioritizing their exploit writing. ]

What Works In Security Compliance Tools? (October 14, 2008)

Twenty five leading software vendors jointly developed a list of which laws, regulations, standards are driving the sales of their products. In order from most to least important, they are: (1) PCI-DSS, (2 tie) FISMA and SOX, (4 tie) HIPAA and GLBA, (6) NERC, (7 tie) ISO 17799 and FDCC (OMB06-16). The next big step is to ask readers to look at this from the user side: If you have ever bought a tool to help with compliance, please take a moment and answer three quick questions: 1. Which of the laws/regulations/standards drove the purchase of the tool? 2. Which tool did you buy (and rate it from 1 great to 3 poor in its effectiveness to help you make compliance easier. 3. In what way did the tool improve your organization's actual security (beyond compliance). Remember John Pescatore's sage guidance: First secure your systems, then worry about compliance." Send answers to apaller@sans.org with subject "compliance tools"

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/