SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #1

January 06, 2009

A fascinating article: Kevin Poulson's Wired Magazine article tells the
story of Max Butler who tried to corner the black market on stolen
credit card numbers.
http://www.wired.com/techbiz/people/magazine/17-01/ff_max_butler?currentPage=1

We now know have ratings that show the top seven security courses for
people who have to upgrade defenses in light of the new nation-state
attacks:
1. Network penetration Testing
2. Web Application Penetration Testing
3. Hacker Techniques and Exploits
4. Wireless Ethical Hacking, Penetration Testing and Defenses
5. Auditing Networks, Perimeters, and Systems
6. Computer Forensics, Investigation & Response
7. Intrusion Detection In Depth
Best place to take them with the highest rated instructors is SANS2009
in Orlando in early March, where you can also do Security Essentials and
prepare for the CISSP exam. Full course matrix at
http://www.sans.org/sans2009/event.php
Alan

---

TOP OF THE NEWS

MD5 Hash Algorithm Flaw Allows Fraudulent Certificates
Twitter Hit by Phishing Attack and Account Hijacking
RIAA Switches Companies for Evidence Gathering

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Government Denies Plans to Expand Remote Warrantless PC Surveillance
Proposed UK Communications Database Could be Managed by Private Company
RFP for Report on China's Cyber Warfare Posture
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Chinese Court Sentences 11 to Prison for Software Piracy
VULNERABILITIES
Microsoft Says Windows Media Player Problem is a Reliability Issue
ATTACKS
Pro-Hamas Attackers Gained Access to Israeli Domain Registration Server
MISCELLANEOUS
Some Banks Want to Know Travel Plans
Japanese Fingerprint Immigration Control System Thwarted by Special Tape
Attack Can Block SMS and MMS Messages to Nokia Phones

---

************************* Sponsored By CA *******************************

Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more https://www.sans.org/info/36793

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

MD5 Hash Algorithm Flaw Allows Fraudulent Certificates (December 30 & 31, 2008 & January 5, 2009)

A vulnerability in the MD5 hash algorithm used to generate digital certificates could allow cyber criminals to generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be legitimate. The problem was the subject of a presentation at the chaos Communications Conference in Berlin last month. Certificate authorities that use MD5 hashes should change to SHA1 hashes to protect their certificates' integrity. A number of certificate authorities are still are using MD5, and some estimates say that 14 percent of all websites are using certificates generated with MD5.
-http://isc.sans.org/diary.html?storyid=5590&rss
-http://gcn.com/Articles/2008/12/31/SSL-certs-busted.aspx?p=1
-http://www.securityfocus.com/news/11541
-http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate-
-/news/112327
-http://www.securityfocus.com/brief/880
[Editor's Note (Honan): This attack should not come as a major surprise as weaknesses in the MD5 hash algorithm have been known since 2004. The SANS Internet Storm Center has a good write up of the issue with a list of vendor statements regarding the status of their certificates at
-http://isc.sans.org/diary.html?storyid=5590.
You can also use this site
-http://www.networking4all.com/nl/helpdesk/tools/site+check/
to check what SSL certificates are being used by a site you are visiting. ]

Twitter Hit by Phishing Attack and Account Hijacking (January 5, 2009)

Twitter users are the latest targets of phishing attacks. Some users have reported receiving messages that direct them to phony login pages. Once the login credentials have been harvested, the accounts are used to send more phishing messages. Users are advised to login to Twitter on Twitter.com instead of sites to which they have been directed. In what Twitter says is an unrelated attack, bogus messages have been sent from several compromised high profile Twitter accounts. The attacker apparently hacked into Twitter support team tools that have been taken off line until the problem can be addressed.
-http://voices.washingtonpost.com/securityfix/2009/01/phishers_now_twittering_the
ir.html?wprss=securityfix
-http://news.cnet.com/8301-17939_109-10130566-2.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.pcmag.com/article2/0,2817,2337833,00.asp
-http://blog.wired.com/27bstroke6/2009/01/twits-get-phish.html
-http://www.heise-online.co.uk/security/Major-security-problem-for-Twitter--/news
/112357
[Editor's Note (Honan): Phishing in Twitter via tweets or direct messages is easier than in emails as most URLs are converted to the tinyurl format thus hiding the original URL from the recipient. If in doubt about a tinyurl link you can preview it by using tinyurl.com's preview feature at
-http://tinyurl.com/preview.php.]

RIAA Switches Companies for Evidence Gathering (January 4 & 5, 2009)

The Recording Industry Association of America (RIAA) has ended its business relationship with MediaSentry, the company it employed to gather information used to establish copyright violation cases. MediaSentry has faced criticism that their methods are invasive and excessive. The RIAA now plans to work with DtecNet Software ApS, a Danish company. The RIAA's legal tactics were dealt a blow last year when a judge ruled that making files available for download did not constitute copyright infringement. The RIAA also recently announced that it will stop filing lawsuits against suspected copyright violators; instead, the organization has reached agreements with several Internet service providers (ISPs) to warn chronic filesharers about their illegal behavior and throttle bandwidth of those who continue to make copyrighted files available for downloading.
-http://news.cnet.com/8301-1023_3-10130785-93.html
-http://weblog.infoworld.com/robertxcringely/archives/2009/01/is_the_riaa_adm.htm
l
[Editor's Note (Paller): The type of language used in the Infoworld article is counterproductive. I mention this because I have seen too many highly capable security people use hyper-critical and disdainful language in botched attempts to appear superior. The actual impact of that language is to make them appear childish and churlish and not worthy of deference. The net result: their good security ideas do not get implemented. ]

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

UK Government Denies Plans to Expand Remote Warrantless PC Surveillance (January 4 & 5, 2009)

The UK Home Office has denied reports in two papers that the government plans to expand its authority to search citizens' PCs remotely without a warrant. The Computer Misuse Act of 1990 already allows remote searches of computers, and the practice is regulated under the Regulations of Investigatory Powers Act (RIPA). The searches can be conducted through Trojans sent in emails, WiFi eavesdropping or through physically installed keystroke loggers. The European Union's Council of Ministers has decided to adopt a plan that would allow member states to expand the potential scope of remote warrantless surveillance of PCs; it would also allow other member nations to request such surveillance from UK police.
-http://www.heise-online.co.uk/security/Government-backs-more-remote-searching-of
-private-PCs--/news/112350
-http://www.theregister.co.uk/2009/01/05/police_remote_snoop/
-http://www.timesonline.co.uk/tol/news/politics/article5439604.ece
-http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/4109031/Governme
nt-plans-to-extend-powers-to-spy-on-personal-computers.html
[Editor's Note (Schultz): I do not believe the UK Home Office's denial in the least bit. Whether we like it or not, the ever growing seriousness of terrorist and other threats makes extensive government-conducted surveillance, including at-will remote access to privately owned PCs, an inevitability. ]

Proposed UK Communications Database Could be Managed by Private Company (December 31, 2008 & January 3 & 5, 2009)

In an effort to save money, the UK government plans to use a private company to manage a proposed database of all phone calls, text messages, emails and web surfing details. The database would contain information about when and where the communications took place, but no content would be retained; there would be stringent penalties for misusing the information. The database, which is aimed at helping with criminal investigations, has met with resistance from privacy advocates.
-http://www.vnunet.com/vnunet/news/2233212/uk-government-outsource
-http://news.bbc.co.uk/2/hi/uk_news/politics/7805610.stm
[Editor's Note (Ranum): The problem with outsourcing such a project is that the outsourcers can bid "sure, we can do that!" to virtually any ridiculous objective, then either fail outright or string the project along indefinitely. ]

RFP for Report on China's Cyber Warfare Posture (December 29, 2008)

The US-China Economic and Security Review Commission has issued a request for proposals to create an unclassified report that analyzes Chinese cyber warfare capabilities. Submissions are due on or before January 21, 2008. The Commission was established in 2000; its mission is "to monitor, investigate, and submit to Congress an annual report of the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action."
-http://fcw.com/Articles/2008/12/29/Commission-to-fund-research-on-Chinas-cyberwa
rfare-capabilities.aspx
-http://www.uscc.gov/about/overview.php

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Chinese Court Sentences 11 to Prison for Software Piracy (December 31, 2008 & January 1, 2009)

Eleven people in China have been sentenced for their roles in a piracy scheme that was responsible for manufacturing and distributing more than US $ 2 billion worth of counterfeit Microsoft software. The sentences of between 18 and 78 months are the longest to be handed down for piracy in China. The investigation leading to the convictions involved China's Public Security Bureau, the US FBI and hundreds of customers and partners.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9124624&source=rss_topic17
-http://www.washingtonpost.com/wp-dyn/content/article/2008/12/31/AR2008123103061.
html

[ ]

VULNERABILITIES

Microsoft Says Windows Media Player Problem is a Reliability Issue (December 29 & 30, 2008)

Microsoft has played down reports of a security flaw in Windows Media Player, saying the problem is a "reliability issue with no security risk to customers." Researchers maintain the integer overflow vulnerability could be exploited to inject malicious code, and have published proof-of-concept code to demonstrate the attack. In a Microsoft blog post, the company expressed its disappointment with the researcher's decision to publicize his assertions without first contacting the company.
-http://www.csoonline.com/article/473114/Microsoft_Downplays_Windows_Media_Player
_Bug?source=nlt_csonewswatch
-http://www.theregister.co.uk/2008/12/30/wmp_bug_spat/
-http://news.cnet.com/8301-1009_3-10129682-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://blogs.technet.com/msrc/archive/2008/12/29/questions-about-vulnerability-c
laim-in-windows-media-player.aspx

ATTACKS

Pro-Hamas Attackers Gained Access to Israeli Domain Registration Server (January 2 & 5, 2009)

Pro-Hamas hackers based in Morocco managed to break into DomainTheNet, an Israeli domain registration server. For several hours, Internet users attempting to visit the Ynet English and Bank Discount websites were instead directed to a server in Japan that was hosting a site filled with propaganda. DomainTheNet Technologies CEO Yoav Keren said the attackers obtained the passwords necessary to access the domain management system through the online customer service system.
-http://www.scmagazineuk.com/Israeli-websites-hit-by-pro-Hamas-hackers/article/12
3490/
-http://www.ynetnews.com/articles/0,7340,L-3649281,00.html
[Editor's Note (Northcutt): A sign of things to come and things of the past, The Nanking Massacre, Estonia, Georgia, the Muhammad cartoons and now this. Eleven years ago, I remember there were some brief discussions between Russia and the US about some form of information warfare dtente. At the time I thought the term information warfare arms race was a bit sci fi, but now I wonder what the next couple of years will bring.
-http://news.bbc.co.uk/1/hi/world/asia-pacific/618520.stm
-http://blog.wired.com/defense/2007/06/cyberwar_panic_.html
-http://www.jamestown.org/single/?no_cache=1&tx_ttnews

[tt_news ]
=34178
-http://www.nydailynews.com/news/us_world/2007/10/09/2007-10-09_muhammad_cartoon_
in_swedish_paper_spurs_.html]

MISCELLANEOUS

Some Banks Want to Know Travel Plans (January 2, 2009)

Some banks in the UK are requiring their credit and debit card customers to notify them of their travel plans to avoid fraudulent transactions abroad. Customers have found their accounts frozen when they attempt to conduct transactions while traveling outside the country. Computerized systems used by the banks analyze behavior and may trigger account freezes if the transaction appears to be out of the ordinary. More than 40 percent of UK payment card fraud incidents took place overseas; the transactions totaled GBP 301 million (US $439.3 million). Banks particularly want to know if customers plan to travel outside the European Union or to Eastern Europe.
-http://www.timesonline.co.uk/tol/news/uk/crime/article5429773.ece

Japanese Fingerprint Immigration Control System Thwarted by Special Tape (January 1, 3 & 6, 2009)

A South Korean woman thwarted a biometric immigration control system when she entered Japan in April 2008 with a phony passport and special tape on her fingers. The woman had been deported from Japan in 2007 for overstaying her visa and was prohibited from re-entering the country for five years. The biometric system was installed in 30 airports in 2007; it aims to prevent terrorists from entering the country. The government plans to review the system.
-http://www.yomiuri.co.jp/dy/national/20090101TDY01303.htm
-http://www.yomiuri.co.jp/dy/national/20090106TDY04303.htm
-http://search.japantimes.co.jp/cgi-bin/nn20090103a3.html
-http://www.google.com/hostednews/afp/article/ALeqM5jwMl9y-RtlCG0LXfKIF5yX0uxgzg
[Editor's Note (Ranum): Problems with biometric systems have made them a laughingstock for decades and are well-understood and widely documented. It's sad that the government has to "review the system" now that it's been installed; the time for system review is prior to deciding to buy it. ]

Attack Can Block SMS and MMS Messages to Nokia Phones (December 31, 2008)

A proof-of-concept attack has demonstrated that a single maliciously crafted text message can prevent Nokia phones from receiving future SMS and MMS messages. Certain versions of the phones' software will stop receiving the messages after just one bad message is received; other versions fail after receiving 11 such messages. Still other versions merely warn of memory problems after receiving bad messages. At least one anti-virus company has released a fix for the problem.
-http://www.csoonline.com/article/473270/Security_Vendors_Ready_Fix_for_Curse_of_
Silence_SMS_Attack?source=nlt_csonewswatch

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescactore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/