
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #84

October 24, 2008


FLASH: Microsoft's out-of-band announcement requires immediate attention. As you will read in the first story, at least one NewsBites editor believes the worms (one has already been released in the wild) that exploit the newly announced Microsoft vulnerability may have Blaster-worm-level impact.
Also, unless you use Safari, when you get a chance, uninstall it. The editors point out the risks in the long editorial note after the story about Google Chrome (in the UPDATES AND PATCHES section).
Five more days to the cost-saving deadline for the big security training program in Washington DC: http://www.sans.org/cdi08
Alan

TOP OF THE NEWS

Microsoft Issues Out-of-Cycle Patch
Dutch Judge Orders Google to Reveal IP Addresses Associated with Suspect Gmail Account

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Virtual Crime = Real Punishment I: Trouble in Maple Story
Virtual Crime = Real Punishment II: RuneScape Thefts
UPenn Student Sentenced for Role in DDoS Attack
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Australia Goes After Resellers Offering Pirated Software
DATA PROTECTION & PRIVACY
Continuing Coverage of Rumored UK Mobile Phone Registry Database
UPDATES AND PATCHES
Opera Update Fixes Three Flaws
Google Takes Another Step Toward Fixing Carpet-Bombing Flaw in Chrome Browser
DATA LOSS & EXPOSURE
Computer Stolen From Risk Management Firm Holds Fresno, CA City Employee Data
MISCELLANEOUS
Russian Hacker Takes Credit for Attacks on Georgia Parliament
Chinese Users Unhappy With Windows Genuine Advantage Tactics
Researchers Read Electromagnetic Emanations From Wired Keyboards


************************ Sponsored By IBM (ISS) *************************

An important upcoming webcast - The Intelligent Network: Protecting the Evolving Network and Securing Virtual Environments featuring Stephen Northcutt.
Sponsored by IBM/ISS, this webcast will cover the evolution of network components into intelligent convergence equipment, able to deliver Unified Threat Management from a single, consolidated device. Learn how these trends can impact your organization's IT security resources. http://www.sans.org/info/34534

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org

*************************************************************************

TOP OF THE NEWS

Microsoft Issues Out-of-Cycle Patch (October 22 & 23, 2008)

Microsoft has released an out-of-cycle patch for a critical remote code execution vulnerability today, October 23, 2008. The flaw could be exploited to allow a worm to spread without any user interaction. The flaw affects Windows 2000, XP, Server 2003, Server 2008 and Vista. The "privately reported" vulnerability in the Server service "could allow remote code execution if an affected system received a specially crafted RPC (remote procedure call) request."
-http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html?nav=rss_blog
-http://www.securityfocus.com/brief/844
-http://www.theregister.co.uk/2008/10/23/windows_emergency_update/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117878&source=rss_topic17
-http://news.cnet.com/8301-1009_3-10074072-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.us-cert.gov/cas/techalerts/TA08-297A.html
-http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
[Editor's Note (Skoudis): This is big, guys... really big. Enterprise folks should get the patch, test it quickly to make sure it doesn't blow up your environment, and then push it to their production systems. Kudos to Microsoft for having the guts to go out of cycle when it's really important to do so. Thankfully, they don't have to do this very often. But, now is the time. Patch early and patch often.
(Honan): The first worm to exploit this vulnerability, GIMMIV.A, has already been discovered in the wild:
-http://www.sophos.com/security/analyses/viruses-and-spyware/trojgimmiva.html?_log_from=rss
This vulnerability affects the RPC service, which could lead to a worm similar to MSBlaster. US-CERT have issued guidelines on how to mitigate the risk until you test and roll out the patch:
-http://www.us-cert.gov/cas/techalerts/TA08-297A.html
(Schultz): The fact that Microsoft has alerted special customers of this vulnerability indicates that this vulnerability is extremely serious. The potential urgency will, however, present Microsoft customers with a tough dilemma--whether to install the patch without the opportunity to sufficiently test it, or to "bite the bullet" and install the patch anyway. ]

Dutch Judge Orders Google to Reveal IP Addresses Associated with Suspect Gmail Account (October 20, 2008)

A judge in the Netherlands has ordered Google to turn over IP addresses associated with a Gmail account that was used in a case of alleged industrial espionage. Google had refused to comply with the initial request from the company, iMerge, because "disclosing the user's identity violated rulings on the balance between freedom of expression and a person's right to his reputation." The suspect had been chief technology officer at iMerge. He allegedly installed a backdoor server in the hosting center configured to forward messages from a corporate director's mailbox to the Gmail account in question.
-http://www.theregister.co.uk/2008/10/20/dutch_court_orders_google_to_reveal_gmail_user/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=211201988


************************* SPONSORED LINK ******************************

1) Please sign up for SANS' Analyst Webcast and Whitepaper- Log Management in the Cloud: A Comparison of Do-it-yourself Versus Cloud Services sponsored by AlertLogic Thursday, October 30, 2008 at 1 PM EDT http://www.sans.org/info/34539

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Virtual Crime = Real Punishment I: Trouble in Maple Story (October 23, 2008)

A Japanese woman has been jailed for allegedly killing the virtual persona of her online husband in the Maple Story interactive online game. The woman apparently became angry when the online character that her online character was married to in the virtual world divorced her suddenly. She allegedly used the person's password and ID to access his account and "kill" the character. The woman has not yet been formally charged, but it is likely she will face charges of illegally accessing a computer and manipulating electronic data. She could receive a prison sentence of up to five years and a fine of US $5,000.
-http://www.usatoday.com/tech/news/2008-10-23-avatar-murder_N.htm?loc=interstitialskip
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article5002721.ece

Virtual Crime = Real Punishment II: RuneScape Thefts (October 22, 2008)

Two Dutch teens have been sentenced to community service for coercing another teen into transferring virtual items from his RuneScape account into theirs. The two allegedly physically threatened the victim, but the court focused on whether or not the theft of virtual items constituted actual theft. The court determined that "these virtual goods are goods, so this is theft."
-http://www.nzherald.co.nz/games/news/article.cfm?c_id=38&objectid=10538822
-http://www.theregister.co.uk/2008/10/22/teens_sentenced_for_runescape_item_theft/
-http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/10/22/dltheft122.xml
-http://www.radionetherlands.nl/currentaffairs/region/netherlands/081022-virtual-theft-is-real

[Editor's Note (Skoudis): The application of real-world laws in virtual worlds is going to be a fascinating trend over the next few years, providing lots of opportunities for savvy lawyers. Also, the jurisdictional issues are going to get mighty complicated, given the cross-border nature of these virtual worlds. ]

UPenn Student Sentenced for Role in DDoS Attack (October 22 & 23, 2008)

University of Pennsylvania student Ryan Goldstein has been sentenced to three months in prison, three months in a halfway house, three months of home confinement and five years on probation, for his role in a distributed denial-of-service (DDoS) attack that targeted a University of Pennsylvania server. Goldstein was arrested as part of Operation Bot Roast II, an FBI initiative. He will also pay a US $30,000 fine and US $6,100 in restitution. Goldstein could have faced much harsher penalties because child pornography was found on his computer, but he was not charged with those offenses in return for his cooperation with authorities. Goldstein had convinced New Zealand teenager Owen Walker to launch the attack. Walker was charged in New Zealand; he pleaded guilty and was fined, but received no prison time.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117811&source=rss_topic17
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539102
-http://www.philly.com/inquirer/local/pa/20081022_Penn_student_jailed_90_days_in_hacking_case.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Microsoft Australia Goes After Resellers Offering Pirated Software (October 21, 2008)

Microsoft's director of intellectual property in Australia, Vanessa Hutley, said that the company will never be able to prevent all instances of piracy; if people are intent on getting unlicensed copies of software, they will find a way to do it. Instead, Microsoft will focus its energies on resellers who offer pirated copies of the company's software that appear to customers to be legitimate. Similar efforts are taking place in 49 countries around the world. According to statistics from the Business Software Alliance, 28 percent of software used in Australia is pirated. Brick-and-mortar enterprises have already been targeted; Microsoft is now seeking out resellers who operate over the Internet.
-http://www.smh.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2008/10/21/1224351224128.html

DATA PROTECTION & PRIVACY

Continuing Coverage of Rumored UK Mobile Phone Registry Database (October 20, 2008)

There are reports that GBP 1 billion has been earmarked to establish a program wherein people purchasing mobile phones in the UK will be required to provide positive identification in the form of a passport or other government-issued ID. That information will reportedly be entered into a national database in an effort to identify the estimated 40 million people who purchase pay-as-you-go plans, which previously required no identification. The government has neither confirmed nor denied the rumors. A spokesperson for the Information Commissioner's office said that "With regards to the database that could contain details of all mobile users, ... we would expect that this information would be included in the database proposed in the draft Communications Data bill." Vodafone has denied that buyers would be required to provide identification.
-http://www.money.co.uk/article/1001726-latest-big-brother-proposal-no-new-mobile-phone-without-a-passport.htm
-http://www.computeractive.co.uk/computeractive/news/2228645/vodafone-denies-plans-ask-pay

UPDATES AND PATCHES

Opera Update Fixes Three Flaws (October 22, 2008)

Opera has released an updated version of its eponymous browser to address a trio of security vulnerabilities. The first flaw could be exploited to gain access to users' browsing histories. The second flaw is a cross-site scripting vulnerability in the Fast Forward feature, and the third involves a problem with news feed subscriptions. Users are urged to upgrade to Opera version 9.61.
-http://www.heise-online.co.uk/news/Security-update-for-Opera--/111769
-http://www.opera.com/docs/changelogs/windows/961/

Google Takes Another Step Toward Fixing Carpet-Bombing Flaw in Chrome Browser (October 22, 2008)

Google has released a partial security fix for its Chrome browser to address the carpet-bombing vulnerability that affects an array of other browsers. The blended threat was disclosed earlier this year; the problem arises when Apple's Safari browser is installed on computers along with other browsers. The Chrome fix is not being pushed out as an automatic update; instead, it is available only through the developer version of the browser.
-http://www.theregister.co.uk/2008/10/22/chrome_carpet_bombing/
[Editor's Note (Northcutt, with Skoudis): This is a bit complicated. There is increasing evidence that having more than one browser on a system increases risk:
-http://www.theregister.co.uk/2008/04/17/alt_browser_updates/
One browser that has had some security problems in 2008 is Safari. They have all had vulnerabilities, of course, but apparently Safari downloaded resources from a web server if the server told the browser to do so, and did not prompt the user. Also, the default location to download is the Desktop. It turns out some browsers, like Internet Explorer, can be directed to take action by files on the desktop, and this is called carpet bombing:
-http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/
-http://www.theregister.co.uk/2008/06/10/apple_safari_carpet_bombing_demo/
Back in May, Apple added Safari to the updater software for iTunes. This caused the number of Windows systems with Safari to be tripled virtually overnight, increasing the number of systems at risk because they have multiple browsers installed:
-http://www.theregister.co.uk/2008/05/02/safari_share_triples/
In addition, people who got Safari through iTunes probably still have the June 2008 patch. Apple released a fix for Safari in June 2008, but once again, if there are multiple browsers installed on a system, the fix might fix Safari, but not protect the user who has multiple browsers installed:
-http://www.channelregister.co.uk/2008/06/23/safari_security/
For this latest Chrome bug, Google used Apple WebKit in coding Chrome, and the code in Chrome still has the older, non-patched carpet bomb vulnerability:
-http://www.theregister.co.uk/2008/09/03/google_chrome_vuln/
I think I am going to uninstall Safari. I have been waiting to install Chrome and think I will keep waiting, perhaps a very long time. I primarily use Firefox and hope and pray NoScript will save me somehow from this dangerous web world:
-http://noscript.net/ ]

DATA LOSS & EXPOSURE

Computer Stolen From Risk Management Firm Holds Fresno, CA City Employee Data (October 22 & 23, 2008)

On October 13, 2008, thieves stole more than two dozen computers from the Fresno, California office of KRM Risk Management. One of the computers contains personally identifiable information of more than 5,000 Fresno city employees who had filed worker's comp claims as far back as 1973. KRM was hired by the city to manage its compensation claims. Police are offering a US $5,000 reward for information leading to the arrest of those responsible for the theft. Law enforcement agents are analyzing video from a neighboring business for clues.
-http://abclocal.go.com/kfsn/story?section=news/local&id=6462368
-http://abclocal.go.com/kfsn/story?section=news/local&id=6465115
-http://www.cbs47.tv/news/local/story.aspx?content_id=853f41c4-1055-44a8-b78c-05df4a7c80af

MISCELLANEOUS

Russian Hacker Takes Credit for Attacks on Georgia Parliament (October 23, 2008)

Leonid "R0id" Stroikov claims he is responsible for attacks on the Georgia parliament. Reported in the latest edition of Xakep ("Hacker") magazine, Stroikov describes his attack and why he decided to do it.
-http://blog.wired.com/defense/2008/10/government-and.html
[Editor's Note (Paller): Stroikov may be falsely boasting after the fact, but that's not likely. His thought process is interesting nonetheless. ]

Chinese Users Unhappy With Windows Genuine Advantage Tactics (October 22, 2008)

Chinese computer users are expressing their displeasure with Microsoft's Windows Genuine Advantage (WGA) program. WGA checks to make sure that users have valid licenses for the Microsoft software on their computers; if pirated software is detected, the computer's screen turns black. There is some concern that Microsoft's actions could "cause serious functional damage to users' computers."
-http://www.msnbc.msn.com/id/27321572/

Researchers Read Electromagnetic Emanations From Wired Keyboards (October 20 & 22, 2008)

Swiss researchers have demonstrated that keystrokes from wired keyboards can be read remotely from distances of up to 20 meters. The keyboards emit electromagnetic waves. The researchers at Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne have described four different methods of eavesdropping on keystrokes on wired keyboards.
-http://news.cnet.com/8301-1009_3-10072967-83.html?tag=mncol;title
-http://www.theregister.co.uk/2008/10/20/keyboard_sniffing_attack/


*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/