SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #99

December 19, 2008

Hacking the Hill: One of the very best cyber security stories of the year was published this morning in the National Journal with details about the hacking of Congress. National Journal is the authoritative publication read by most executive and legislative branch leaders in the US government, but it is expensive and rarely posted and usually the rest of us don't get to see what it contains. This time, for SANS alumni and NewswBites readers, they made an exception. Written by Shane Harris, it is at http://www.nationaljournal.com/njmagazine/cs_20081220_6787.php
Alan

P.S. Five days left for early registration savings for SANS Security West 2009 (Jan 24-Feb 1) http://www.sans.org/securitywest09 And early registration is still open (save $350) on SANS biggest program SANS 2009 Orlando (March 1-9) http://www.sans.org/sans2009

---

TOP OF THE NEWS

EU and US Agree on Personal Data Sharing Principles
Research Finds Inadequate Intellectual Property Protection at UK Firms
Cyber Security Inquiry Simulation Exercise Opens Eyes

THE REST OF THE WEEK'S NEWS

ATTACKS
CheckFree Attack Used Variety of Methods
VULNERABILITIES
Malicious ActiveX Controls in Word Docs Exploit Critical IE Flaw
Cross-Site Scripting Flaw on American Express Website
UPDATES AND PATCHES
Microsoft Issues out-of-Cycle Patch for Critical IE Vulnerability
Adobe Releases Updates for Flash Player for Linux
Mozilla Firefox Updates Include (Next-to-)Last Version of Firefox 2
Apple Issues Mac OS X Update
MISCELLANEOUS
Yahoo! to Limit Data Retention to 90 Days in Most Cases

---

**************************** Sponsored By SANS **************************

The Log Management Summit April 6-7 is a user-to-user, non-commercial conference on what works in log management. It is the only place where you can learn about the strengths and weaknesses of competing technologies, where users will share the lessons they learned about what to log and what to keep and what to report. https://www.sans.org/info/36658

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early march - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

EU and US Agree on Personal Data Sharing Principles (December 17, 2008)

The European Union and the US have agreed upon a set of common principles for data sharing practices and data protection. The impetus for the Statement on Information Sharing and Personal Data Protection grew out of the agreement on the handling of EU/US passenger name record (PNR) data. This agreement establishes protections from punishment for private companies and other countries that cooperate with data-gathering projects aimed at fighting terrorism.
-http://www.fcw.com/online/news/154709-1.html?topic=privacy
-http://www.dhs.gov/xlibrary/assets/usa_statement_data_privacy_protection_eu_1212
2008.pdf
[Editor's Note (Schultz): The huge discrepancies between personal data sharing requirements in the US and EU countries have caused almost insurmountable hurdles to data sharing agreements. The fact that now the two parties have reached an in principle agreement is thus an extremely significant development.
(Northcutt): this is pretty impressive if it proves to work out. Europe tends to be more privacy focused, the US more security focused and it is good to see the potential for additional cross border cooperation. ]

Research Finds Inadequate Intellectual Property Protection at UK Firms (December 17, 2008)

The results of research commissioned by the UK's Intellectual Property Office's IP Crime Group indicates that while companies are aware of the importance of protecting intellectual property (IP), they are by and large not doing enough to protect their own IP or that of others. Forty percent of the more than 1,000 people interviewed did not have any practical measures, such as trademark registration or employee training, in place. More than 25 percent of respondents said employees are not warned against illegal downloading at work.
-http://www.theregister.co.uk/2008/12/17/ip_crime_uk_firms/
-http://nds.coi.gov.uk/content/Detail.asp?ReleaseID=387749&NewsAreaID=2
-http://www.ipo.gov.uk/report-workplaceresearch.pdf

Cyber Security Inquiry Simulation Exercise Opens Eyes (December 18, 2008)

The Cyber Strategy Inquiry held this week in Washington DC involved 230 people from government, industry and civil society. The simulation exercise was designed to demonstrate the cyber security challenges the forthcoming administration and Congress will face. Participants learned that "there were interdependencies that (they) didn't quite understand or appreciate before." Some of the issues that became evident during the exercise included regulation vs. incentives for cyber security and risk management vs. resilience. Challenges that arose included how to establish rules of engagement for a cyber attack and managing global aspects of cyber security.
-http://www.fcw.com/online/news/154725-1.html?type=pf

---

THE REST OF THE WEEK'S NEWS

ATTACKS

CheckFree Attack Used Variety of Methods (December 16, 2008)

The security breach of the CheckFree online bill paying website was conducted with a blended attack, using a variety of techniques including phishing, pharming and drive-by malware downloads. Visitors to the CheckFree website were redirected to a server located in the Ukraine that downloaded software onto their computers. However, it has not yet been determined what the software does if downloaded.
-http://www.internetnews.com/security/article.php/3791341/Several+Attacks+Behind+
CheckFree+Data+Breach.htm
[Editor's Note (Pescatore): Hmm, just a guess: the software coming from the server in Ukraine is probably up to no good. I'd like to see web sites that are found to have easy to avoid vulnerabilities treated like restaurants that have cockroach infestations: not allow them to do business for a day or two and have them post a big notice while closed: "Closed due to unsanitary business practices. Your business is important to us, though - have a nice day." ]

VULNERABILITIES

Malicious ActiveX Controls in Word Docs Exploit Critical IE Flaw (December 18, 2008)

The Internet Explorer (IE) vulnerability for which Microsoft has just released an out-of-cycle fix (see story below) is being exploited in another way; attackers are seeding Microsoft Word documents with malicious ActiveX controls. The embedded controls contain lines of code that cause the host on which the controls have been downloaded to visit a site that hosts malware. Users receive the infected Word documents as email attachments or through maliciously manipulated websites.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123898&source=rss_topic17

Cross-Site Scripting Flaw on American Express Website (December 16, 2008)

A cross-site scripting vulnerability on the American Express website could allow attackers to steal users' authentication cookies. The flaw has been present on the site for more than two weeks; its presence is a violation of the Payment Card Industry Data Security Standards. The person who disclosed the flaw did so after two fruitless weeks of trying to get someone in the company to fix the problem. Shortly after the story was posted to the Internet, American Express fixed the vulnerability.
-http://www.theregister.co.uk/2008/12/16/american_express_website_bug/
[Editor's Note (SChultz): I wonder what happened to the Amex employee who discovered and then posted the vulnerability. In the past employees who have engaged in such actions have been treated quite punitively by their employers. ]

UPDATES AND PATCHES

Microsoft Issues out-of-Cycle Patch for Critical IE Vulnerability (December 17 & 18, 2008)

Microsoft pushed out an out-of-cycle patch (MS08-078) for a critical remote code execution vulnerability in IE's data binding function. At least seven separate exploits for the flaw have been detected in the wild. Malicious JavaScript code exploiting the vulnerability has been detected on an increasing number of legitimate websites, prompting Microsoft's decision to patch the problem in the middle of the month. Most attacks are aimed at stealing gaming passwords, but more malicious exploits could target more sensitive data. The flaw affects IE versions 5,6, 7 and 8, although the attacks have been aimed at IE 7. This is the second out-of-cycle patch for Microsoft in the last three months.
-http://www.theregister.co.uk/2008/12/17/emergency_microsoft_patch/
-http://www.smh.com.au/news/technology/security/microsoft-releases-emergency-patc
h-for-ie/2008/12/18/1229189775451.html
-http://news.bbc.co.uk/2/hi/technology/7788687.stm
-http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Adobe Releases Updates for Flash Player for Linux (December 17, 2008)

Adobe has made available updated versions of Adobe Flash Player for Linux to address a critical security flaw that could be exploited to take control of vulnerable systems. The vulnerability can be exploited through a specially crafted SWF file. The vulnerability affects Adobe Flash Player versions 10.0.12.36 and earlier and 9.0.151.0 and earlier; users are urged to update Adobe Flash Player on their systems to version 10.0.15.3. Users who for technical reasons are unable to upgrade to 10.0.15.3 can update to version 9.0.152.0. The process requires manual download and installation. The flaw does not affect Adobe for Windows or Mac OS X.
-http://www.heise-online.co.uk/security/Critical-hole-in-Linux-Flash-Player--/new
s/112282
-http://www.adobe.com/support/security/bulletins/apsb08-24.html

Mozilla Firefox Updates Include (Next-to-)Last Version of Firefox 2 (December 17, 2008)

Mozilla has released updates for versions 2 and 3 of its Firefox web browser. Firefox 3.0.5 addresses three critical vulnerabilities, while Firefox 2.0.0.19 fixes four critical flaws. The flaws could be exploited to execute arbitrary code and install software without user interaction. Firefox users who have not done so already are urged to upgrade to version 3 because this is supposed to be the last planned update for Firefox 2. However, a "clerical error" has necessitated the release of Firefox 2.0.0.20, because 2.0.0.19 did not contain one of the necessary fixes. Mozilla expects to issue Firefox 2.0.0.20 by Monday, December 22.
-http://www.theregister.co.uk/2008/12/17/mozilla_3_0_5_and_2_0_0_1_9_updates/
-http://voices.washingtonpost.com/securityfix/2008/12/firefox_2_users_will_get_no
_mo.html?nav=rss_blog

Apple Issues Mac OS X Update (December 16, 2008)

Apple has released an update for its Mac OS X operating system to address more than a score of security flaws. The 21 vulnerabilities lie in a variety of components, including the Mac OS X kernel, core services and the Adobe Flash Player plug-in. Some of the flaws could be exploited to allow remote code execution, information disclosure and application crashes. Users are urged to upgrade to Mac OS X version 10.5.6, which addresses a number of stability issues in addition to the security flaws.
-http://www.securityfocus.com/brief/872
-http://www.vnunet.com/vnunet/news/2232667/gets-update
[Editor's Note (Pescatore): December was one of the busiest months for patches in a long time, between all the scheduled and unscheduled Windows vulnerabilities, these from Apple and others from Adobe and the like. Scarier yet, I think there have been 20 or so security patches for VMware this year - the layering of vulnerabilities in virtualized data centers is getting really complicated. ]

MISCELLANEOUS

Yahoo! to Limit Data Retention to 90 Days in Most Cases (December 17 & 18, 2008)

Yahoo! has said it will anonymize user data within 90 days. Previously, Yahoo! held user search data for 13 months. The policy applies to page views, page clicks, ad views, ad clicks and search log data. Some data may be retained beyond 90 days for security or legal reasons, such as fraud investigations. The European Union (EU) has (declared) that data should be anonymized within six months. Microsoft currently retains data for 18 months but says it could change its data retention practices to abide by EU guidelines; Google retains user information for nine months.
-http://www.vnunet.com/vnunet/news/2232805/yahoo-cuts-retention-times
-http://news.bbc.co.uk/2/hi/technology/7787846.stm
-http://www.theregister.co.uk/2008/12/17/yahoo_anonymization_explained/
-http://www.nytimes.com/2008/12/18/technology/internet/18yahoo.html?_r=1&part
ner=rss&emc=rss&pagewanted=print
-http://www.eweek.com/c/a/Search-Engines/Microsoft-Zero-Data-Retention-Not-Possib
le-to-Keep-Search-Engines-Viable/

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/