SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #90

November 14, 2008

If you are thinking of coming to this winter's big national security training program (SANS Security West, Jan 24-Feb 1, Las Vegas, http://www.sans.org/securitywest09),">http://www.sans.org/securitywest09), a few of the following may prove useful. They'll help your bosses know that SANS training is worth far more to your organization than any other training, because SANS provides up-to-the-minute defensive information you can put to work immediately upon returning to the office:
"I have taken dozens of training courses, and this is the best training I have ever received." (William Okula, Suffolk County Police Department) "If you have any managerial responsibilities in the field of cyber security, you must take this course to be effective and successful." (William J. Riegger, IRS)
"SANS courses bring the best of the best to one place to share cutting edge information. (Jeremy Baca, Sandia National Labs) "SANS provides the best education you will ever find. (Mike Gauthier, Heartland Business Systems)
"SANS training is like a catalyst. It not only boosts your knowledge but also inspires you to learn more. (Tan Koon Yaw, IDA) "I have attended courses by several of SANS rivals, and SANS blew them away." (Alton Thompson, US Marines)
"SANS has the highest quality instructors and the most relevant, current information of any training I have attended." (Melodee McHone, Hallmark) "Never before has so much useful information been compiled into a single source that is both accessible and understandable." (Wayne Slocum, PEO C4I PMW 160)
"This is the only training I've ever attended at which I learned techniques and found tools I could apply immediately." (Dwight Leo, DLA) Several thousand students have provided similar written comments. More information on SANS Security West at http://www.sans.org/securitywest09
Alan

---

TOP OF THE NEWS

Spam Levels Drop After Hosting Company Disconnected
Report Finds ISPs Devoting More Resources to DDoS Defense
Group Published Guidelines for Anti-Malware Testing

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
NebuAd Sued for Invasion of Privacy
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Student Charged with eMail Hacking
Former Network Admin Pleads Guilty to Multiple Offenses
NASA, DOE Hacker Gets Suspended Sentence in Romania, May Face Extradition
UPDATES AND PATCHES
Mozilla Releases Firefox 3.0.4
Microsoft Patch Tuesday Includes Fix for Seven-Year-Old Flaw
ATTACKS
Express Scripts Offers Reward in Cyber Extortion Case
Computer Security Breach at U of Florida College of Dentistry Affects More Than 300,000
MISCELLANEOUS
ICANN Will Revoke EstDomains Registrar Credentials

---

******************** Sponsored By Norwich University ********************

Norwich University
The Master of Science in Information Assurance program provides you with the skills to manage and lead an organization-wide information security program. Graduates will be prepared to assume professional management responsibilities such as those of CSO's, CISO's and Enterprise Risk Managers. The NSA and Department of Homeland Security have designated Norwich University as a Center of Academic Excellence in Information Assurance.
http://www.sans.org/info/35304

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Spam Levels Drop After Hosting Company Disconnected (November 12, 2008)

The amount of spam being sent worldwide dropped noticeably after McColo, a northern California-based hosting provider identified as hosting spamming organizations, was cut off by its Internet providers. It is estimated that McColo hosted the machines responsible for 75 percent of spam sent worldwide. McColo's upstream service was severed on Tuesday, November 11; that same afternoon, organizations tracking spam noted a sharp decrease in the volume being sent. The relief is likely to be temporary, as operations that send the unsolicited commercial email seek out other avenues to help them spread their wares.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.
html?nav=rss_technology
-http://www.theregister.co.uk/2008/11/12/mccolo_goes_silent/
-http://news.bbc.co.uk/2/hi/technology/7725492.stm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9119963&source=rss_topic17
-http://hostexploit.com/downloads/Hostexploit%20Cyber%20Crime%20USA%20v%202.0%201
108.pdf
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5333
[Editor's Note (Ullrich): This story, as well as the story about EstDomains below, is showing a trend of increased self-policing of network service providers. Due to the impact these bad players have to their business, and the attention paid to them by the media, it has become harder to hide. Compare this to residents of an area shining bright lights at drug dealers and prostitutes to drive them away.]

Report Finds ISPs Devoting More Resources to DDoS Defense (November 11 & 12, 2008)

The 2008 Worldwide Infrastructure Security Report from Arbor Networks covers a 12-month period from August 2007 through July 2008. Among the report's most significant findings are that Internet service providers (ISPs) spend the majority of their security resources defending their systems against distributed denial-of-service (DDoS) attacks and that the largest DDoS attacks now exceed 40 gigabits-per-second. ISPs also noted that application-level attacks have resulted in prolonged outages of Internet services. In addition, more than half of the responding ISPs are concerned about the possibility of new security threats accompanying IPv6.
-http://asert.arbornetworks.com/2008/11/2008-worldwide-infrastructure-security-re
port/
-http://news.zdnet.co.uk/security/0,1000000189,39549409,00.htm
-http://www.vnunet.com/vnunet/news/2230250/isps-fear-ipv6-security-threats
[Editor's Note (Schultz): One study after another has shown that denial of service attacks have been the most frequent type of attack over the years. Because the state of the art in defending against denial of service attacks is currently not all that advanced, this trend is likely to continue well into the future. ]

Group Published Guidelines for Anti-Malware Testing (November 11, 2008)

The Anti-Malware Testing Standard Organization (AMTSO) has published a pair of documents aimed at standardizing the way antivirus scanners and malware defense tools are tested. The "Fundamental Principles of Testing" include "testing must not endanger the public; testing should be reasonably open and transparent; and testing methodology must be consistent with the testing purpose." "Best Practices for Dynamic Testing" addresses issues such as reproducibility, product and sample selection, testing environment, and logging and auditing. AMTSO was founded amid rising concern about "inconsistent test regimes" and the questionable ethics of certain testing schemata.
-http://www.securityfocus.com/brief/852
-http://www.amtso.org/documents/cat_view/13-amtso-principles-and-guidelines.html
[Editor's Note (Ullrich): I like the focus of the "Dynamic Testing" document on fresh and relevant malware. Current anti-malware has significant issues with current relevant threats. The "Fundamental Principles of Testing" document, while it doesn't say anything wrong, misses this focus. We have to move away from testing anti-malware using stale (older then 24hrs) and static malware zoos. ]

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

NebuAd Sued for Invasion of Privacy (November 13, 2008)

More than a dozen Internet service subscribers have filed a lawsuit against NebuAd and six Internet service providers (ISPs) claiming that NebuAd's web surfing habit tracking technology and the companies that used it without customers' knowledge violated anti-wiretapping statutes. The plaintiffs are asking for more than US $5 million in damages and are seeking class action status for the lawsuit. All of the ISPs named in the lawsuit stopped using NebuAd technology after just a few months. NebuAd has paid the ISPs to allow it to install monitoring equipment on their networks, which examined user habits and delivered targeted advertising based on their perceived interests.
-http://www.mercurynews.com/portal/breakingnews/ci_10976851?_loopback=1
-http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
[Editor's Note (Northcutt): A copy of the suit is shown below, I would say this looks bad for NebuAd:
-http://www.docstoc.com/docs/document-preview.aspx?doc_id=2497992
There are several of these companies including Phorm and FrontPorch:
-http://www.phorm.com/
-http://www.frontporch.com/html/index.html
You may recall there was a hullabaloo in the UK in 2006 when it was announced that Phorm and BT were secretly tracking BT customers:
-http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/
There is an interesting paper referenced in the suit by Professor Paul Olm where he asserts, "Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP). He goes on to say ISPs have the means and the motive to snoop on their customers:
-http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1261344#]

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Former Student Charged with eMail Hacking (November 13, 2008)

Former University of Maine student James Wieland has been charged with aggravated criminal invasion of privacy, a felony offense, for allegedly breaking into hundreds of university email accounts. Wieland allegedly installed keystroke logging programs on the victims' computers; authorities do not know his motives. Wieland's surreptitious activity began to unravel after a student received an email message from a friend while that friend did not have computer access.
-http://www.wcsh6.com/news/breaking/story.aspx?storyid=95880&catid=112
-http://www.bangornews.com/detail/93201.html

Former Network Admin Pleads Guilty to Multiple Offenses (November 10 & 12, 2008)

Andrew Madrid has pleaded guilty to charges of hacking, identity theft, burglary and drug possession in Santa Clara County (California) Superior Court. Madrid destroyed data on a former employer's computer system hoping that they would hire him back to fix the problem he had created. He also placed spyware on computer systems to steal passwords. Madrid used a neighbor's wireless network to disguise his digital tracks. Dressed as a security guard, Madrid strolled through various companies stealing computer equipment. He faces up to 12 years in prison when he is sentenced.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9119940&source=rss_topic17
-http://www.mercurynews.com/business/ci_10949785
-http://www.sccgov.org/portal/site/da/agencyarticle?path=%252Fv7%252FDistrict%252
0Attorney%252C%2520Office%2520of%2520the%2520%2528DEP%2529&contentId=ae30638
3d969d110VgnVCM10000048dc4a92____&cpsextcurrchannel=1

NASA, DOE Hacker Gets Suspended Sentence in Romania, May Face Extradition (November 11, 2008)

A Romanian man received a 16-month suspended prison sentence in his home country for breaking into computer systems at the US Navy, NASA and Department of Energy, but still could face extradition to the US. In 2006, Victor Faur was indicted in the US on nine counts of computer intrusion and one count of conspiracy. Faur's defense included arguments that his actions were intended to help the US by demonstrating vulnerabilities in its government and military computer systems; he was also fined the equivalent of US $238,000.
-http://www.theregister.co.uk/2008/11/11/us_navy_hack_sentencing/
-http://ap.google.com/article/ALeqM5hfpRlmAltvPNjKBY6nCLqoRg-26AD94C54SG1
-http://oig.nasa.gov/press/pr2007-C.pdf

UPDATES AND PATCHES

Mozilla Releases Firefox 3.0.4 (November 13, 2008)

Mozilla has released Firefox version 3.0.4 to address a dozen security flaws, several of which could be exploited to execute code on vulnerable machines. Six of the flaws have been rated critical; one of these involved privilege escalation following a session restore. Others could be exploited to crash vulnerable computers.
-http://www.heise-online.co.uk/security/Firefox-3-0-4-closes-nine-security-holes-
-/news/111952
-http://news.cnet.com/8301-17939_109-10096399-2.html
Apple also released Safari 3.2 addressing 11 vulnerabilities in the browser.
-http://news.zdnet.co.uk/security/0,1000000189,39551914,00.htm

Microsoft Patch Tuesday Includes Fix for Seven-Year-Old Flaw (November 12 & 13, 2008)

Microsoft has issued two security bulletins to address vulnerabilities in Windows 2000, XP, Server 2003, Vista, Server 2008 and Office 2003 and later versions. MS08-069, which has a critical rating, addresses remote code execution issues in Windows XML Core Services versions 3.0, 4.0 and 6.0. MS08-068 has been given a rating of important by Microsoft; it involves a vulnerability in Microsoft Server Message Block that could be exploited to allow remote code execution as well. This particular flaw has been known since March 2001. A security program manager in the Microsoft Security Response Center wrote in a blog post that the issue has not been addressed until now because it would have "render(ed) many ... customers' network-based applications then inoperable."
-http://www.heise-online.co.uk/security/Microsoft-closes-critical-hole-in-Windows
--/news/111941
-http://www.gcn.com/online/vol1_no1/47547-1.html?topic=security
-http://www.theregister.co.uk/2008/11/12/ms_patch_tuesday_november/
-http://news.cnet.com/8301-1009_3-10096611-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-https://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx
-http://isc.sans.org/diary.html?storyid=5330
There is some concern that the patch does not fully address the issue
-http://news.zdnet.co.uk/security/0,1000000189,39550710,00.htm

ATTACKS

Express Scripts Offers Reward in Cyber Extortion Case (November 13, 2008)

Express Scripts, the prescription benefits provider that was targeted by data extortionists, has offered US $1 million reward fund for information leading to the capture and prosecution of those responsible for a series of attack and extortion threats. In October, Express Scripts received a letter saying that the senders had breached the company's computer system and stolen customer information; the letter included personal details of 75 customers and a demand for money or they would expose millions of additional records. When the company did not respond to their demands, the extortionists sent threatening letters to some of the Express Scripts's clients, prompting the announcement of the reward fund. Express Scripts is cooperating with the FBI's investigation.
-http://www.securityfocus.com/brief/854
-http://www.theregister.co.uk/2008/11/13/express_scripts_extortion/
-http://phx.corporate-ir.net/phoenix.zhtml?c=69641&p=irol-newsArticle&ID=
1225263&highlight=
[Editor's Note (Honan): Express Scripts should be applauded for the way they are handling this incident and we could all do well to learn from them on how to proactively deal with an extortion type breach. ]

Computer Security Breach at U of Florida College of Dentistry Affects More Than 300,000 (November 12 & 13, 2008)

More than 300,000 current and former patients at the University of Florida College of Dentistry have been notified that their personal information may have been compromised. IT department staff members found evidence of a breach on October 3, 2008; at that time, they discovered remotely installed software and cut off the infected server so the attackers could no longer access it. It has since been put back online with stronger protection. The patients affected by the data breach were notified within the 45-day time frame required by Florida law.
-http://www.networkworld.com/news/2008/111208-ufla.html?hpg1=bn
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9120188&source=rss_topic17

MISCELLANEOUS

ICANN Will Revoke EstDomains Registrar Credentials (November 13, 2008)

The Internet Corporation for Assigned Names and Numbers (ICANN) has decided to revoke the registrar credentials of Estonia-based EstDomains, which has been the home to domain names associated with malicious activity. ICANN had intended to revoke the credentials earlier this month, but allowed for a stay in its decision pending review of appeal information made by the company. ICANN based its decision in part of the conviction of EstDomains President Vladimir Tsastsin on charges of credit card fraud, money laundering and document forgery. After reviewing the material, ICANN issued a notice that the credentials will be revoked as of November 24, 2008.
-http://www.theregister.co.uk/2008/11/13/estdomains_loses_icann_appeal/
The overview at ICANN:
-http://www.icann.org/en/announcements/announcement-12nov08-en.htm
The ICANN letter to EstDomain:
-http://www.icann.org/correspondence/burnette-to-poltev-07nov08-en.pdf

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/