SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #9

February 01, 2008

If we as a community are ever going to improve software security, programmers are the key. They write the code; they will take the lead. More than 100 programmers have now taken the new secure coding skills exams (GSSP) and more than 70% passed. Here's my favorite response from one of the test takers (who passed):

"This exam helped me to enhance my Java coding skills. Now to code a line for my project, I am considering the security leaks and doing the coding to avoid possible leaks. (After passing it) my manager asked me to give a class for other programmers."

Government CIOs and large financial organization CIOs have begun telling their contractors and outsourcers that by the end of 2008, their programmers will need to have demonstrated mastery of the Essential Skills for Secure Programming. Your programmers can demonstrate mastery by taking the test (and providing feedback to help make it better) in five cities in the next 120 days (Phoenix, Washington, DC, Orlando, Las Vegas, and San Diego.) See http://www.sans.org/gssp for the schedule and the test blueprints.
Alan

---

TOP OF THE NEWS

Severed Cables Disrupt Service in Mediterranean and Asia
EU Court: ISPs Don't Have to Surrender Customer ID in Civil Cases

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
FTC Asks Court to Hold Alleged MySpace Hijackers in Contempt
DOD Pay System Fraudsters Sentenced
Acquittal for S5 Wireless Founder
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
U2 Manager Calls for ISPs to Help Fight Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
ActiveX Control Flaws Affect MySpace and Facebook Users
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Employee Literally Pulls Plug on Attempted Cyber Theft
Stolen Laptop Holds Info on 300,000 NJ HMO Members
More Stolen Laptops Hold Medical Data
Stolen Hard Drive Holds Georgetown Univ. Data
MISCELLANEOUS
Sarkozy Reportedly Angry He Wasn't Told About SocGen Situation Immediately

---

*************************** Sponsored By SANS ***************************
Fulfill a New Year's Resolution: learn how to better protect your organization's assets while becoming a more valuable employee. Join us for technical computer and network security training at SANS Phoenix 2008, Feb 11-16. Experience the Sonoran Desert with its warm weather and spectacular sunsets while you meet your training goals early in 2008!
http://www.sans.org/info/23409
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?

- - Las Vegas (3/17 - 3/18) Penetration Testing Summit: (an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) In Orlando SANS' biggest program with myriad bonus sessions: http://www.sans.org/sans2008
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Severed Cables Disrupt Service in Mediterranean and Asia (January 31, 2008)

Two undersea communications cables in the Mediterranean - one near Marseilles, France and the other near Alexandria, Egypt - were accidentally cut on Tuesday, January 29. Different groups operated the two cables, but the damage to both occurred within a matter of hours. Undersea cables can be damaged by movement along fault lines or by ships' anchors. Internet access was disrupted in most of Egypt and in India, and some Verizon customers experienced slow service. Most communications were rerouted through other cables.
-http://www.nytimes.com/2008/01/31/business/worldbusiness/31cable.html?ei=5088&am
p;en=95a9e51bf6c
-http://news.bbc.co.uk/2/hi/technology/7218008.stm
-http://news.smh.com.au/damaged-cables-cut-internet-in-mideast/20080131-1p5a.html
[Editor's Note (Schultz): Although it appears that this incident was completely accidental, it is hugely significant in that it provides a glimpse of what might happen when a massive denial of service attack designed to bring the entire Internet down occurs, something that I have predicted will happen this year.
(Honan): If your company outsources services to countries overseas have you reviewed your business continuity plans lately to determine how an outage like this would impact on your business and what to do in the event that it does? ]

EU Court: ISPs Don't Have to Surrender Customer ID in Civil Cases (January 29, 2008)

The European Court of Justice has ruled that Internet service providers (ISPs) do not have to disclose the identities of their customers who download copyrighted files in civil cases. ISPs could be required to disclose names in criminal cases. The ruling came in response to a complaint from Spanish record trade industry association Promusicae against Spanish ISP Telefonica to obtain the identities of its customers who traded files on KaZaA.
-http://euobserver.com/9/25559
-http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2
008-01-29

---

************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at
http://www.sans.org/info/23414

2) Learn about testing network security and encryption technology. Complimentary Tested with Spirent Security Testing Seminar.
http://www.sans.org/info/23419
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

FTC Asks Court to Hold Alleged MySpace Hijackers in Contempt (January 31, 2008)

The Federal Trade Commission (FTC) has asked a US district court to hold alleged MySpace hijackers in contempt for violating an earlier FTC order that bars them from unfair and deceptive practices. Walter Rines, Sanford Wallace and Rines's company Online Turbo Merchant allegedly used a variety of techniques to redirect MySpace users to other websites where they were inundated with ads, earning the accused commissions. Rines, who previously ran a company called Odysseus Marketing, was accused in October 2005 of offering users free software that came bundled with spyware that bombarded users with pop-ups, replaced legitimate search results with results that benefited the company, and stole information from users. In October 2006, the FTC obtained a permanent injunction that barred the defendants from redirecting users' computers, changing their browser default home pages and from altering functions of other applications.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9060482&source=rss_topic17
-http://www.ftc.gov/opa/2008/01/contempt.shtm

DOD Pay System Fraudsters Sentenced (January 28, 2008)

Two people have been sentenced for their roles in a scheme that defrauded the US government of approximately US $700,000 through a pay-processing computer system. Lilia Delgadillo and Saul Granados were civilian employees at the US Department of Defense (DOD) when they submitted phony pay adjustments into the system, causing wire transfers to be made into a bank account in Delgadillo's name. Delgadillo was sentenced to 33 months in prison followed by probation, as well as 100 hours of community service. Granados was sentenced to three years of probation and 150 hours of community service.
-http://elpaso.fbi.gov/dojpressrel/pressrel08/govtfraud012808.htm

Acquittal for S5 Wireless Founder (January 24, 2008)

William "Kurt" Dobson has been acquitted of all charges in a case involving alleged unauthorized email access. Dobson and two partners founded a company called S5 Wireless in 2003, but Dobson resigned from the company in late 2004 due to business disagreements with his co-founders. He faced allegations that after he left, he accessed a company computer that hosted its email, set up a new mailbox and instructed the server to send it copies of all messages sent to the mailboxes of the two executives remaining at S5. Dobson's attorney maintained that he was acting within his authority and that his interests were "of a fiduciary nature, not for commercial advantage, or any unlawful purpose."
-http://www.sltrib.com/ci_8066377

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

U2 Manager Calls for ISPs to Help Fight Piracy (January 30, 2008)

The manager of Irish rock bank U2 says that Internet Service Providers (ISPs) should cut off service to users who are downloading files illegally and that governments should make sure that they do. Paul McGuinness called on ISPs to "take responsibility for protecting the music they are distributing, and ..., by commercial agreements, sharing their enormous revenues with the content makers and owners."
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10489563
-http://www.smh.com.au/news/web/isps-have-snouts-in-the-the-trough/2008/01/30/120
1369193338.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

ActiveX Control Flaws Affect MySpace and Facebook Users (January 31, 2008)

Vulnerabilities in two ActiveX controls that Facebook and MySpace members use to upload images to their pages could be exploited to crash Internet Explorer (IE) and possibly allow remote code execution, which could in turn allow attackers to take control of the machine on which IE runs or steal data. The ActiveX controls in question are based on a commercial control known as Image Uploader.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9060483&source=rss_topic17

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Employee Literally Pulls Plug on Attempted Cyber Theft (January 31, 2008)

A scheme to steal money from a bank using remote access equipment was foiled when an attentive bank employee realized something was amiss with his computer and unplugged it. The thieves were attempting to transfer a large sum of money from the bank into an account that they would later presumably empty. Swedish police arrested seven people earlier this week in connection with the incident, which occurred last August.
-http://www.theregister.co.uk/2008/01/31/remote_access_bank_robbery_unplugged/pri
nt.html
-http://news.smh.com.au/swedish-bank-stops-digital-theft/20080131-1p53.html
-http://www.citynews.ca/news/news_19122.aspx
[Editor's Note (Ullrich): It's nice to see someone paying attention! However, before you start unplugging your systems, consider removing the network cable instead. In some cases, memory forensics can be important. I know some malware researchers who snapped off the little tap on their network cable to make them easier to pull, after accidentally setting off malware (not that I recommend doing so on production systems.
(Ullrich): Kudos to the employee for spotting this attack and reacting to it. Two takeaways from this story, does your security awareness program educate users on what they should do if they see suspicious activity on their system? How stringent are your background checks on the employees, contractors, cleaners and other people who have physical access to sensitive systems? ]

Stolen Laptop Holds Info on 300,000 NJ HMO Members (January 30 & 31, 2008)

A stolen laptop computer contains personally identifiable information of approximately 300,000 members of New Jersey-based Horizon Blue Cross/Blue Shield health insurance. The compromised data include names and Social Security numbers (SSNs), but not medical information. The laptop was not encrypted, but a security feature on the computer was programmed to delete the data on January 23. The computer was stolen from an employee on January 5. That employee was authorized to have the data on the computer, but taking it off premises without taking proper security precautions was a violation of company policy.
-http://www.njherald.com/345987573807788.php
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9060299&source=rss_topic17
-http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-9/1201671434279680.xml
&coll=1

More Stolen Laptops Hold Medical Data (January 29 & 30, 2008)

A laptop computer stolen from the Wake County (North Carolina) Emergency Medical Services holds personally identifiable information of approximately 850 patients served by ambulances in the county. The data, which include names, addresses, and SSNs, were not encrypted. In a separate story, a computer stolen from the Royal Bolton Hospital in Lancashire, UK holds personally identifiable information of approximately 200 cancer patients, including names, addresses, diagnoses, and treatment. Affected patients have been notified of the theft, which occurred in October.
-http://www.firefightingnews.com/article-US.cfm?articleID=44430
-http://www.theboltonnews.co.uk/misc/print.php?artid=2003952

Stolen Hard Drive Holds Georgetown Univ. Data (January 29, 2008)

An external hard drive stolen from the office of Student Affairs at Georgetown University contains personally identifiable information of approximately 40,000 of the school's students, alumni, faculty, and staff. The theft occurred on January 3. The drive was not encrypted. The theft affects students who were enrolled at the school between 1998 and 2006.
-http://www.thehoya.com/node/15151

MISCELLANEOUS

Sarkozy Reportedly Angry He wasn't Told About SocGen Situation Immediately (January 26, 28, & 29, 2008)

French president Nicolas Sarkozy was apparently not told about the massive losses incurred by Socit Gnrale (SocGen) for three days after the fraud was uncovered. SocGen futures trader Jerome Kerviel allegedly made fraudulent trades that lost the bank more than 5 billion Euros (US $7.4 billion). There is mounting evidence that SocGen had been warned several times in the last few months about unauthorized transactions. Comments from Sarkozy's advisors indicate that there is a healthy amount of skepticism that one person alone was responsible for the fiasco, and that other high-ranking officials may lose their jobs. Kerviel has gained a cult following of sorts.
-http://timescorrespondents.typepad.com/charles_bremner/2008/01/post-6.html
-http://www.businessweek.com/globalbiz/content/jan2008/gb20080128_400149.htm?camp
aign_id=rss_daily
[Editor's Note (Schultz): What is also so troubling about the Socit Gnrale fraud incident is that security for large financial transactions depended upon passwords. The perpetrator (allegedly Kerviel) was able to bypass the "two-man rule" for approval of these transactions by obtaining passwords of accounts belonging to colleagues who had transaction approval authority. ]

---

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies

How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit?
What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database?
These and other questions will be answered when, on Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.

We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

SANS Special Webcast: A Brief History of Hacking with Dave Shackleford
WHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
https://www.sans.org/webcasts/show.php?webcastid=91521
Sponsored By: Core Security

Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.

Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including: The early days of phone phreaks and bulletin boards The growth of hacker gangs and 2600: The Hacker Quarterly The 75-cent accounting error that led to an international crime investigation Bill Cheswick's evening with "Berferd" The first malware and Trojan horse programs At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!

WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
http://www.sans.org/info/22559
Sponsored By: Sourcefire

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.

********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at Harris Corporation
WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Ronda Henning
http://www.sans.org/info/21659
Sponsored By: Secure Computing

The company that handles information security for major broadcast networks and such government agencies as the FAA, needed a very robust, very secure and very flexible firewall platform that could be tailored and customized to address both new and ancient legacy protocols and applications. Denial of service was a significant concern for Harris Corp. clients so the company turned to a solution that provided a highly available and high performance firewall.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
http://www.sans.org/info/20062
Sponsored By: Cezic http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
http://www.sans.org/info/20057
Sponsored By: Core Security


The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

*************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.orgI