SANS NewsBites - Volume: X, Issue: 11


The nation state threat, both military and commercial, has leaked out in small ways since September 2005, has now been fully confirmed by the US Director of National Intelligence. I've included the summary at the end of the news stories. Sobering. He would not make it public if the threat were not becoming critical. If you needed a reason to upgrade your defenses, this is it.
Alan

*************************************************************************
SANS NewsBites                     February 08, 2008                    Volume: X, Issue: 11
*************************************************************************
TOP OF THE NEWS

   Higher Education Funding Bill Tied to Anti-Piracy Efforts
   Lawsuit Will Seek Clarification on Electronic Device Searches
   Spammer Fined US $2.5 Million

THE REST OF THE WEEK'S NEWS

  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Taiwanese Piracy Gang Gets Jail Time
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Microsoft Will Issue 12 Security Bulletins on Tuesday
   Mozilla Releases Firefox Update
   Skype Fixes Cross-Zone Scripting Hole in VoIP Client Software
   Lack of Documentation Accompanying Adobe Reader Update Raises Questions
   ActiveX Flaws in Yahoo! Jukebox is Being Actively Exploited
   US-CERT Recommends Disabling All ActiveX Controls
  MISCELLANEOUS
   Undersea Cables Repairs are Underway
   Eli Lilly Confidential Document Accidentally Leaked
  DNI CYBER THREAT SUMMARY
  LIST OF UPCOMING FREE SANS WEBCASTS


************** Sponsored By RSA, The Security Division of EMC ***********

Download 3 new White Papers on Best Practices for Comprehensive Security and Event Management. Download these today and use them as a guide when reviewing your compliance and security operations requirements - and when developing best practices to maximize the success of compliance and security initiatives.

http://www.sans.org/info/23843

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Las Vegas (3/17 - 3/18) Penetration Testing Summit:
(an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) In Orlando SANS' biggest program with myriad bonus sessions: http://www.sans.org/sans2008
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

TOP OF THE NEWS

Higher Education Funding Bill Tied to Anti-Piracy Efforts (February 7, 2008)
A provision of the College Opportunity and Affordability Act, which was approved this week by the US House of Representatives, requires colleges and universities that participate in federal financial aid programs to develop and implement plans to enforce antipiracy rules, either through subscription services or "technology-based deterrents to prevent" piracy. The bill will have to be reconciled with a different Senate higher education funding bill before a final version is drafted for the president's signature.
-http://www.news.com/8301-10784_3-9867146-7.html?part=rss&subj=news&tag=2
547-1_3-0-20

-http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.04137:
[Editor's Note (Schultz): To have college funding tied to anti-piracy enforcement is an intriguing approach. Many other anti-piracy approaches in colleges and universities that have been tried have failed. I suspect, however, that this particular approach has a high chance of succeeding given the great need for funding in higher education. ]

[Editor's Note (Ullrich): It's not clear why universities are singled out like this. Universities are already exposed to a huge workload in responding to copyright requests and should be allowed to decide if the problem is large enough to require a technical solution. ]


Lawsuit Will Seek Clarification on Electronic Device Searches (February 7, 2008)
The Electronic Frontier Foundation (EFF) and the Asia Law Caucus plan to file a lawsuit this week that would force the US government to reveal its border search policies, including policy regarding copying electronic content from devices and seizing such devices. The lawsuit was prompted by a number of cases in which travelers' laptop computers, cell phones, MP3 players and other electronic devices were searched. The searches carried out on the devices go beyond looking at items being transported; according to an Asian Law Caucus attorney, "the government is going well beyond its traditional role of looking for contraband and really is looking into the content of people's thoughts and ideas and their lawful political activities." If the searches were conducted within the country, they would require warrants and probable cause. Some companies have changed their policies to require travelers not to have company information on laptop computers. Instead, these people must access company data over the Internet.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_
pf.html

[Editor's Note (Ullrich): Various countries have laws that prohibit certain data or software from being imported and exported. I kind of like the note at the end that some companies no longer allow travelers to carry any company data in and out of the country. This policy will protect users from lost laptops as well as from searches by non-US customs services. However, it does require a safe way to access the data remotely. ]


Spammer Fined US $2.5 Million (February 4 & 6, 2008)
% The Federal Trade Commission (FTC) has announced that a US judge has ordered Sili Neutraceuticals and its owner Brian McDaid to pay more than US $2.5 million for violations of the FTC Act and the CAN-SPAM Act. The company and McDaid were ordered to cease sending spam, and to cease misrepresenting the products advertised in the email. The company sent unsolicited email messages advertising weight loss and age reversing products with unsubstantiated claims and misleading subject fields, no opt-out mechanism, and no physical postal address.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=11323
-http://www.scmagazine.com/uk/news/article/782050/judge-orders-weight-loss-spamme
r-pay-25-million/

-http://www.ftc.gov/opa/2008/02/sili.shtm



*************************** Sponsored Link: ***************************

1) Learn about testing network security and encryption technology. Complimentary Tested with Spirent Security Testing Seminar.
http://www.sans.org/info/23848

*************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


Taiwanese Piracy Gang Gets Jail Time (February 4, 2008)
Members of a software piracy group in Taiwan have been sentenced to prison. Maximus Technology is believed to be responsible for selling counterfeit software worth approximately US $900 million. Maximus owner Huang Jer-Sheng received a four-year prison sentence; three co-defendants received sentences ranging from 18 months to three years. Counterfeit copies of more than 20 different Microsoft software products in seven languages were produced and sold.
-http://www.channelregister.co.uk/2008/02/04/microsoft_counterfeiters_do_taiwan_j
ailtime/print.html



WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Microsoft Will Issue 12 Security Bulletins on Tuesday (February 7, 2008)
According to Microsoft Security Bulletin Advance Notification, the company will release 12 security bulletins on Tuesday, February 12. Seven of those have a maximum severity rating of critical, and of those, four address code execution flaws in Microsoft Office. Also in the mix is a cumulative update for Internet Explorer that addresses flaws that could allow drive-by malware attacks. Other products receiving critical fixes are Windows, VBScript, and JScript.
-http://www.eweek.com/index2.php?option=content&task=view&id=46242&po
p=1&hide_ads=1&page=0&hide_js=1

[Editor's Note (Ullrich): With all the focus on Microsoft patches, don't forget that several other popular software packages had security updates last week. ]


Mozilla Releases Firefox Update (February 7, 2008)
Mozilla has released Firefox 2.0.0.12, an update for the open source browser that addresses a number of flaws, three rated critical, one rated high, and three rated moderate. The flaws addressed could be exploited to conduct cross-site scripting attacks, execute code, and steal information that could be used to commit identity fraud. The update fixes a disclosed directory traversal vulnerability that affected the browser if it had add-ons with flat packaging.
-http://www.eweek.com/index2.php?option=content&task=view&id=46262&po
p=1&hide_ads=1&page=0&hide_js=1

-http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0
.12



Skype Fixes Cross-Zone Scripting Hole in VoIP Client Software (February 5, 6 & 7, 2008)
Skype has fixed a cross-zone scripting vulnerability in its VoIP client that has been responsible for several problems in the last few weeks. The problem lies in the fact that "Skype uses Internet Explorer (IE) web controls to render internal and external HTML pages," running them in a Local Zone, and "accessing HTML pages in an unlocked Local Zone." Skype has addressed the symptoms of each bug as it arose, but the most recent update "addresses the underlying architectural weakness ... by setting IE security control context to Internet Zone." Users are urged to update to Skype for Windows version 3.6.*.248 or later.
-http://www.theregister.co.uk/2008/02/06/skype_cross_zone_scripting_fix/print.htm
l

-http://www.heise-online.co.uk/security/Skype-closes-scripting-holes-in-Windows-c
lient--/news/110066

-http://www.skype.com/security/skype-sb-2008-001-update2.html


Lack of Documentation Accompanying Adobe Reader Update Raises Questions (February 6, 2008)
Adobe has issued an update for Adobe Reader 8 (Specifically 8.1.2), but there was no accompanying public documentation on the severity of the flaws addressed. The summary in Adobe's security advisory says "the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable." An Adobe spokesperson said the company "plan
[s ]
to share further information on the topic within a few days ..., at which point the company has completed the process of responsible disclosure with third-party stakeholders." The statement suggests that at least one of the vulnerabilities involves third-party software licensed by Adobe. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3955
-http://www.eweek.com/c/a/Security/Adobe-Ships-Silent-Fix-for-Critical-PDF-Reader
-Flaw/

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9061299&source=rss_topic17

-http://www.adobe.com/support/security/advisories/apsa08-01.html
[Guest Editor's Note (Raul Siles, Internet Storm Center ): It is a serious flaw that may cause remote code execution, and proof-of-concept (PoC) code is already available from a commercial pen-testing tool vendor. ]


ActiveX Flaws in Yahoo! Jukebox is Being Actively Exploited (February 4, 5 & 6, 2008)
Attackers have begun exploiting recently disclosed ActiveX flaws in Yahoo! Music Jukebox. Two ActiveX controls in the media player are vulnerable to buffer overflow attacks. The malware places backdoors on vulnerable machine; there is no fix available at this time. ActiveX vulnerabilities in other products have also been disclosed recently. Yahoo! has announced that it plans to switch its customers over to RealNetwork's Rhapsody service.
-http://www.theregister.co.uk/2008/02/05/yahoo_jukebox_vuln/print.html
-http://www.heise-online.co.uk/security/Holes-in-numerous-ActiveX-controls--/news
/103006

-http://www.scmagazineus.com/ActiveX-control-flaws-found-in-Yahoo-Music-Jukebox-F
rSIRT/article/104937/

-http://www.scmagazine.com/uk/news/article/782053/yahoo-switches-jukebox-users-rh
apsody-exploit-activex-control-flaw-appears-wild/



US-CERT Recommends Disabling All ActiveX Controls (February 5, 2008)
The recent spate of ActiveX vulnerabilities has led the US Computer Emergency Readiness Team (US-CERT) to recommend that users disable all ActiveX controls. Vulnerabilities have been disclosed in ActiveX controls in the Facebook and MySpace social network sites and Yahoo! Messenger, Instant Messenger and Music Jukebox media player. Internet Explorer users can disable ActiveX controls by setting the browser's security level to "high."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9061101&source=NLT_PM&nlid=8

-http://www.zdnetasia.com/news/security/0,39044215,62037417,00.htm
-http://www.zdnetasia.com/news/security/0,39044215,62037415,00.htm
[Editor's Note (Ullrich): Internet Storm Center handler Tom Liston wrote a little GUI tool which will allow you to disable these ActiveX controls. See
-http://isc.sans.org/diary.html?storyid=3931]



MISCELLANEOUS


Undersea Cables Repairs are Underway (February 5 & 7, 2008)
Three undersea cables that were cut last week are expected to be repaired by the end of this weekend. The damaged cables, two off the coast of Egypt and one between Dubai and Oman, caused Internet slowdowns in the Middle East and India. There will also be a new line that follows a different route and will be "fully resilient" against the type of damage that severed the other cables, according to cable network operator FLAG Telecom.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206106041
-http://www.pcworld.com/businesscenter/article/142238/middle_east_cables_will_be_
repaired_soon.html

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9061465&intsrc=hm_list

-http://news.bbc.co.uk/2/hi/technology/7228315.stm


Eli Lilly Confidential Document Accidentally Leaked (February 5 & 7, 2008)
An outside lawyer working for Eli Lilly & Co. on a confidential settlement with the US government over "marketing improprieties" accidentally sent confidential information to a New York Times reporter instead of a colleague with the same surname. It appears the pharmaceutical company was in negotiations with the government regarding a settlement for improperly marketing the drug Zyprexa; the company could pay a fine of as much as US $1 billion.
-http://www.portfolio.com/news-markets/top-5/2008/02/05/Eli-Lilly-E-Mail-to-New-Y
ork-Times

-http://news.cnet.co.uk/software/0,39029694,49295453,00.htm
-http://www.nytimes.com/2008/01/31/business/31drug.html?_r=1&oref=slogin
[Editor's Comment (Northcutt): Now, that outside law firm, Pepper Hamilton, is going to have to hire another law firm to defend itself from Eli Lilly; there may be an economic downturn for many of us, but not for lawyers. I have my doubts sometimes that email actually increases productivity, Eli Lilly should consider restricting the use of email for its employees and contractors to a minimum. Billion here, hundred million there, eventually you are talking real money. You may recall the famous Prozac reminder email:
-http://www.ftc.gov/os/2002/05/elilillycmp.htm]


DNI CYBER THREAT SUMMARY
DNI has just released a new unclassified threat assessment. Below is a summary of the assessment; the whole document can be found at:
-http://www.dni.gov/testimonies/20080205_testimony.pdf

THE CYBER THREAT

The US information infrastructure-including telecommunications and computer networks and systems, and the data that reside on them-is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

STATE AND NON-STATE CYBER CAPABILITIES Our information infrastructure-including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries- increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.

We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups-including al-Qa'ida, HAMAS, and Hizballah-have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay.

Each of these actors has different levels of skill and different intentions; therefore, we must develop flexible capabilities to counter each. It is no longer sufficient for the US Government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

At the President's direction, an interagency group reviewed the cyber threat to the US and identified options regarding how best to integrate US Government defensive cyber capabilities; how best to optimize, coordinate and de-conflict cyber activities; and how to better employ cyber resources to maximize performance. This tasking was fulfilled with the January 2008 issuance of NSPD-54/HSPD-23, which directs a comprehensive national cybersecurity initiative. These actions will help to deter hostile action in cyber space by making it harder to penetrate our networks.

LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
-http://www.sans.org/info/22939

Sponsored By: Sourcefire

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.

Ask the Expert: You've Collected the Logs, Now What? Reducing Risk through Integrated Log Management, Database Monitoring and Real-time Event Management
WHEN: Thursday, February 14, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-http://www.sans.org/info/23528

Sponsored By: netForensics

So you've collected event logs from security devices and other critical systems and stored them away - great. Check the compliance box. Now what?

Logs are important... but only if you are doing something with them.

They provide valuable, credible, accurate information about what is going on in your inter-connected environment. But if your logs are not being analyzed regularly and in real-time, how can you tell if data isn't seeping out of your databases and other critical applications? Manually glancing through logs may be enough to "check the box" for compliance purposes, but it is definitely not enough to detect data theft or other malicious activity.

SANS Special Webcast: Beyond Security Basics: Emerging Defensive Strategies You Shouldn't Miss
WHEN: Tuesday, February 19, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: John Strand
-http://www.sans.org/info/22954

Sponsored By: Core Security

Still think that locking down root access to operating systems is the cornerstone of security, or that your perimeter can't be tunneled under?

Please join John Strand, certified SANS instructor and security consultant with Argotek, for this free webcast.

Ask the Expert: Security Needs a New Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/22959

Sponsored By: Prism MicroSystems

In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964

Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
-http://www.sans.org/info/22984

Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin.

Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/