SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #87
November 04, 2008
We welcome Ron Dick to the NewsBites Editorial Board - Ron headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members. He has uncommon pragmatism, clarity of vision and a sense of humor, as you'll see in his Editor's Note on the UK Memory Stick story below.
Alan
TOP OF THE NEWS
Group Challenges Texas Law Requiring Computer Repair Technicians to Have Private Investigator Licenses
French Senate Approves Law That Would Cut Off Pirates' Internet Access
Test Finds Recertified Data Storage Tapes Expose Old Information
Memory Stick Containing Sensitive UK Government Passwords Found Outside Pub
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US Defense Department Takes Cyber Security Seriously
UPDATES AND PATCHES
Updates Available for Two Critical OpenOffice Flaws
DATA LOSS, THEFT & EXPOSURE
Bank of Ireland Acknowledges Missing USB Stick
Trojan Responsible for Theft of Half a Million Records of Financial Account Data
US State Department Warns of Passport Application Data Theft
ACTIVE EXPLOITS, WORMS & VIRUSES
In-the-Wild Worm Exploits Flaw Fixed by Microsoft Out-of-cycle patch
STUDIES AND STATISTICS
Microsoft Security Intelligence Report for First Half of 2008
MISCELLANEOUS
Orange Will Not Use Phorm
************************* Sponsored By ArcSight, Inc. ******************
Complimentary Whitepaper: Extracting Value from Enterprise Log Data Compliance, forensics, security and IT operations teams have long recognized the value that log data can deliver. An effective log management solution can help organizations cut costs and time, improve investigation efficiency, and adhere to SLAs. Despite these tangible benefits, organizations continue to struggle with even the basic steps of log management such as collection and analysis.
This whitepaper outlines the drivers for log management as well as their underlying challenges and drive towards a common set of requirements for evaluation of log management tools. http://www.sans.org/info/34894
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1- 12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Group Challenges Texas Law Requiring Computer Repair Technicians to Have Private Investigator Licenses (October 31, 2008)
The Texas Private Security Board has once again refused to approve a rule that would exempt computer repair technicians from licensing requirements. Presently, anyone in Texas who performs an action on a computer that is deemed an investigation must have a valid, government-issued private investigator's license. The Board tabled a proposal exempting repair technicians from the requirement earlier this year and did so again last week. The law also punishes consumers who have their computers repaired by unlicensed individuals. The law is being challenged under the Texas Constitution by the Institute for Justice Texas Chapter.
-http://www.ij.org/index.php?option=com_content&task=view&id=2438&Itemid=129
[Editor's Note (Pescatore): Uh oh, next dry cleaners will have to get PI licenses if they look in the pockets of garments to remove items before cleaning.
(Ranum): Generally, these kinds of regulations are more about cutting out an economic niche than anything else. Anyone who thinks the private investigators didn't instigate that requirement is naive. ]
French Senate Approves Law That Would Cut Off Pirates' Internet Access (October 31, 2008)
The French Senate has approved a "graduated response" law that would cut off Internet users who habitually download digital content in violation of copyright law. The law still needs to be approved by the lower house before it can be enacted. First time violators would receive an email warning. If they continue to download illegally, they will receive a letter in the mail, and continued infractions will result in Internet service being cut off for one year. If enacted, the law would be at odds with a European Parliament amendment that prohibits cutting off Internet service for illegal downloading.-http://euobserver.com/9/27026
Test Finds Recertified Data Storage Tapes Expose Old Information (October 30, 2008)
In a test of 100 erased and recertified data storage tapes conducted by storage media maker Imation, researchers were able to read sensitive bank and hospital information, as well as field research and Human Genome Project data. The test "confirms industry guidance that the only way to properly dispose of data is to destroy the media itself." Other companies that sell data storage technology have conducted similar studies that drew similar conclusions, but a company that sells recertified tapes says that "any data that remains on the tape is not usable/readable."
-http://www.darkreading.com/security/storage/showArticle.jhtml?articleID=211800370
[Editor's Note (Schultz): There appears to be no end in sight for ways that duplicated data can be compromised. The test reported in this news item has shown something that many of us (myself included) never suspected, namely that even erased tapes can contain data that was supposedly completely removed. ]
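The mechanism behind this story is worth seeing in code. A "quick erase" on many tape drives only writes an end-of-data marker at the front of the medium; a drive that honours the marker then reports the tape as empty, but the old records are still physically present and a raw scan past the marker recovers them. The model below is an added example written for this issue, not part of the Imation test or the article: the tape is a byte array, the marker and record format are constructed for the demonstration, and the three sample records are made up. It contrasts what a drive reads with what a carver reads after a quick erase, and shows that only a full overwrite leaves nothing to carve.

```python
"""Model of why a quick-erased tape still leaks data (added example; constructed format)."""

EOD = b"\x00EOD\x00"   # constructed end-of-data marker the drive honours
REC = b"\x01REC\x01"   # constructed record header: REC + 4-byte big-endian length + payload

# Constructed sample records standing in for the bank/hospital/research data in the test.
SAMPLE = [
    b"ACCT 0001 BALANCE 12500.00 HOLDER A. EXAMPLE",
    b"PATIENT 0042 ADMITTED 2008-10-01 WARD 3",
    b"GENOME SAMPLE 7 ATGCATGCTTAG",
]


def write_records(records):
    """Write records back to back and terminate the tape with an EOD marker."""
    tape = bytearray()
    for r in records:
        tape += REC + len(r).to_bytes(4, "big") + r
    tape += EOD
    return tape


def quick_erase(tape):
    """Quick erase: only the start of the medium gets an EOD marker; everything after it is untouched."""
    tape[0:len(EOD)] = EOD


def full_overwrite(tape):
    """Sanitizing erase: overwrite every byte of the medium (destruction is the stronger option)."""
    tape[:] = b"\xff" * len(tape)


def read_as_drive(tape):
    """Read the way a tape drive does: walk records from the start and stop at the first non-record (EOD)."""
    records, pos = [], 0
    while tape[pos:pos + len(REC)] == REC:
        start = pos + len(REC) + 4
        n = int.from_bytes(tape[pos + len(REC):start], "big")
        records.append(bytes(tape[start:start + n]))
        pos = start + n
    return records


def carve_raw(tape):
    """Ignore the EOD marker and scan the whole medium for record headers, as a recovery tool would."""
    data = bytes(tape)
    out, pos = [], 0
    while True:
        i = data.find(REC, pos)
        if i < 0:
            return out
        start = i + len(REC) + 4
        n = int.from_bytes(data[i + len(REC):start], "big")
        out.append(data[start:start + n])
        pos = start + n


def demo():
    """Return what the drive and a carver see after each kind of erase."""
    tape = write_records(SAMPLE)
    result = {"before": (read_as_drive(tape), carve_raw(tape))}
    quick_erase(tape)
    result["quick_erase"] = (read_as_drive(tape), carve_raw(tape))
    full_overwrite(tape)
    result["full_overwrite"] = (read_as_drive(tape), carve_raw(tape))
    return result


if __name__ == "__main__":
    for stage, (drive, carved) in demo().items():
        print(f"{stage:15s} drive sees {len(drive)} record(s), carver recovers {len(carved)}")
```

After the quick erase the drive returns nothing, which is exactly the state in which a vendor can say the data is "not usable/readable", while the carver still returns every record whose header the marker did not happen to overwrite. The practical check before releasing media is therefore a raw read of the whole medium, not a drive-level directory listing.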
Memory Stick Containing Sensitive UK Government Passwords Found Outside Pub (November 2 & 3, 2008)
The UK's Government Gateway website was shut down after a memory stick containing pass codes for the system was found in a pub parking lot. The Gateway site allows citizens to access services from 50 government departments, including managing parking tickets, pension entitlements and tax returns; someone with those pass codes could access personally identifiable information of the 12 million people who have registered on the site. The system was restored after it was found that the data on the stick were encrypted. The stick belongs to Atos Origin, the company that manages the website; an investigation is underway. Atos said the employee violated company policy by taking the memory stick off business premises. Prime Minister Gordon Brown has taken some heat for remarking that "It is important to recognize that we cannot promise that every single item of information will always be safe because mistakes are made by human beings."
-http://www.smh.com.au/news/technology/security/memory-stick-loss-sparks-government-system-shutdown/2008/11/03/1225560695249.html
-http://www.scmagazineuk.com/Government-website-briefly-closed-following-USB-loss/article/120275/
-http://www.scmagazineuk.com/Lib-Dems-call-for-ban-on-memory-sticks-to-carry-confidential-data/article/120277/
-http://www.timesonline.co.uk/tol/news/politics/article5064274.ece
-http://www.mailonsunday.co.uk/news/article-1082467/I-make-promises-keeping-personal-details-safe-admits-Brown-wake-latest-data-blunder.html
-http://www.scmagazineuk.com/Prime-Minister-criticised-over-data-loss-comment/article/120276/
[Editor's Note (New Editor Ron Dick): While probably not the most politically correct thing to say, Prime Minister Gordon Brown is right. People make mistakes that cause harm to others. The challenge is how we educate and reinforce in people to do what is correct. I have said for years there needs to be a law entitled U.S. Code Title 18 "Stupid". In my former life, I would have had a lot more convictions. However, I am not sure what the consequences should be for stupid.]
************************* SPONSORED LINKS ******************************
1) Click here to view Free SANS' Analyst Webcast and Whitepaper- Log Management in the Cloud: A Comparison of Do-it-yourself Versus Cloud Services sponsored by Alert Logic http://www.sans.org/info/34899
2) Hear what major government labs have implemented for Control Systems security at the SCADA & Process Control Security Summit February 2-3. http://www.sans.org/info/34904
*************************************************************************
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US Defense Department Takes Cyber Security Seriously (October 30, 2008)
Speaking at the National Homeland Defense Foundation's Cyber Threats Symposium, Rear Admiral Jan Hamby says that cyber security has become a priority in the US military ever since the 2005 Titan Rain attacks on military systems. The Defense Department's Joint Task Force Global Network Operations (JTF-GNO) has stepped forward as a model in cyber security best practices, including banning YouTube, MySpace and other such sites from military computers. JTF-GNO has also taken a hard line on patch management on military computer systems.
UPDATES AND PATCHES
Updates Available for Two Critical OpenOffice Flaws (October 31, 2008)
Two updates for OpenOffice address a pair of remote code execution flaws that affect all versions of OpenOffice prior to version 2.4.2. The flaws lie in the way OpenOffice handles WMF and EMF files; attackers could create malicious files that would cause overflow errors, allowing them to run code on the vulnerable computers. There is no known exploit for either of the flaws. Users are urged to update as soon as possible. The recently released OpenOffice 3.0 is not believed to be vulnerable to the flaws.-http://www.vnunet.com/vnunet/news/2229501/open-office-gets-security-fixes
DATA LOSS, THEFT & EXPOSURE
Bank of Ireland Acknowledges Missing USB Stick (November 3, 2008)
Bank of Ireland has confirmed that a USB memory device containing personally identifiable information of nearly 900 customers has been lost. The drive contains names, addresses and contact numbers but no financial account information. Bank of Ireland policies and procedures do not allow storage of customer data on unencrypted memory devices.-http://www.breakingnews.ie/ireland/mhideygbkfsn/
Trojan Responsible for Theft of Half a Million Records of Financial Account Data (October 31, 2008)
Researchers have uncovered a trove of financial account data stolen by a Trojan horse program known as Sinowal over the last several years. As many as half a million accounts have been compromised; more than 20 percent were stolen in the last six months alone. Sinowal, which is also known as Torpig and Mebroot, spreads through websites onto unpatched PCs without any user interaction. That the Trojan had been operating for nearly three years has been called "extraordinary." It lies in wait on infected PCs; when a user enters a banking URL, it offers up a phony site to collect the pertinent data and then sends the information back to a drop server.-http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/
-http://www.theregister.co.uk/2008/10/31/torpig_banking_trojan/
-http://news.bbc.co.uk/2/hi/technology/7701227.stm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118718&intsrc=hm_list
[Editor's Note (Ullrich): Note that this is only one specific trojan's "password dump" that was recovered. The total number of accounts lost is probably at least an order of magnitude larger. ]
US State Department Warns of Passport Application Data Theft (October 31, 2008)
The US State Department has notified 383 people that their personal information supplied when applying for a passport may have been compromised. A man arrested earlier this year was found to have credit cards in nearly 20 different names; several passport applications in his possession matched the names on some of the cards. The information from the applications was allegedly used to open the fraudulent credit card accounts. The suspect told authorities at the time that he had two accomplices, one at the State Department and the other at the US Postal Service.-http://www.msnbc.msn.com/id/27475651/
-http://www.washingtonpost.com/wp-dyn/content/article/2008/10/30/AR2008103004716_pf.html
[Editor's Note (Ranum): A classic example of the trust problem. ]
ACTIVE EXPLOITS, WORMS & VIRUSES
In-the-Wild Worm Exploits Flaw Fixed by Microsoft Out-of-cycle patch (November 3, 2008)
Malware that exploits the vulnerability for which Microsoft released an out-of-cycle patch less than two weeks ago has been detected. The worm, which has been named Wecorl and MS08-067.g, appears to have originated in China and targets Chinese language versions of Windows 2000. The worm is not the same malware that prompted the patch's unusual release date. It appears to install several components on machines it infects, including a Trojan downloader and rootkit code to help it evade detection. Once it has infected a PC, the worm attempts to infect all other machines on the same subnet. Users who have not yet applied the MS08-067 update should do so as soon as possible.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118885&source=rss_topic17
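Patching is the fix, but the behaviour described above, one infected host trying every other machine on its subnet over the Server service port, is also a detectable pattern in firewall or flow logs. The script below is an added example for this issue, not code from the article, Microsoft or any vendor: it parses a constructed log format (timestamp, src, dst, dport, proto), assumes "same subnet" means the source's /24, and flags any source that reaches an unusually large number of distinct neighbours on TCP 445 inside a sliding window. The sample log lines, the window length and the threshold are all constructed for the demonstration; tune the threshold to your own environment before deploying anything like this.

```python
"""Flag hosts sweeping their own /24 on TCP 445, as the MS08-067 worm does (added example; constructed log format)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for the example; real firewall/flow logs differ.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed sample: 10.1.2.15 hits twelve neighbours on 445 within 12 seconds (worm-like),
# 10.1.2.50 talks repeatedly to one file server (benign), plus lines the rule must ignore.
SAMPLE_LOG = [
    f"2008-11-03T10:00:{i:02d} src=10.1.2.15 dst=10.1.2.{20 + i} dport=445 proto=tcp" for i in range(12)
] + [
    "2008-11-03T10:00:05 src=10.1.2.50 dst=10.1.2.5 dport=445 proto=tcp",
    "2008-11-03T10:00:25 src=10.1.2.50 dst=10.1.2.5 dport=445 proto=tcp",
    "2008-11-03T10:00:30 src=10.1.2.15 dst=10.9.9.9 dport=445 proto=tcp",   # off-subnet: not counted
    "2008-11-03T10:00:31 src=10.1.2.15 dst=10.1.2.40 dport=80 proto=tcp",   # not SMB: not counted
    "malformed line that the parser skips",
]


def parse(line):
    """Return (timestamp, src, dst, dport, proto) or None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["proto"])


def same_subnet(src, dst, prefix=24):
    """Assumption for the example: 'same subnet' is the source's /24."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/{prefix}", strict=False)


def max_distinct_in_window(events, window_s):
    """Largest number of distinct destinations any window_s-second window contains (events sorted by time)."""
    best = 0
    for i, (t0, _) in enumerate(events):
        seen = set()
        for t, dst in events[i:]:
            if (t - t0).total_seconds() > window_s:
                break
            seen.add(dst)
        best = max(best, len(seen))
    return best


def find_subnet_scanners(lines, port=445, window_s=60, min_targets=10):
    """Map each source that reached >= min_targets distinct same-subnet hosts on TCP `port`
    within window_s seconds to the peak number of distinct targets seen."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if dport != port or proto != "tcp" or not same_subnet(src, dst):
            continue
        events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak = max_distinct_in_window(evs, window_s)
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in find_subnet_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible subnet sweep on 445: {src} reached {peak} distinct neighbours")
```

The rule keys on fan-out to distinct hosts rather than on connection volume, which is what separates a worm sweeping its subnet from a workstation hammering one file server. It says nothing about whether the exploit succeeded, so an alert should lead to a check of whether the source and its targets have MS08-067 applied.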
STUDIES AND STATISTICS
Microsoft Security Intelligence Report for First Half of 2008 (November 3, 2008)
According to Microsoft's most recent semi-annual Security Intelligence Report, while machines running Windows Vista are less likely to be infected with malware than their Windows XP counterparts, ActiveX browser plug-ins still pose a threat to the newer operating system. During the first six months of 2008, for each thousand times Microsoft's Malicious Software Removal Tool (MSRT) was executed, it scrubbed malware from three Vista SP1 machines, 10 Windows XP SP2 machines and eight Windows XP SP3 machines. Of the top 10 browser-based attacks against Vista during that same period, eight were ActiveX vulnerabilities. The report also found that 90 percent of disclosed vulnerabilities were in applications, while just six percent were in operating systems.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118879&source=rss_topic17
-http://news.cnet.com/8301-1009_3-10080428-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Pescatore): There are far more applications than there are operating systems, so that last bit is not very surprising. The most meaningful data in this report is the chart that shows what types of installed malware the MSRT found and removed. It shows that Trojans and "potentially unwanted software" are getting through desktop defenses pretty easily - the signature and patch-centric approach to protecting desktops isn't dealing with the new, targeted threats that aim at the user, not unpatched PCs. ]
MISCELLANEOUS
Orange Will Not Use Phorm (October 31, 2008)
UK mobile service and broadband provider Orange has announced that it will not use Phorm, the controversial targeted advertising technology. Orange said of the Phorm technology, "The way it was proposed, the privacy issue was too strong." It should be noted that Orange uses another targeted advertising service "to study anonymous usage trends on (its) own portal." An Orange representative went on to differentiate between the web-based data model and the telecoms data model for targeted behavioral advertising products.-http://news.zdnet.co.uk/security/0,1000000189,39536632,00.htm?r=2
-http://blog.wired.com/business/2008/10/british-isp-ora.html
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/