SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume IX - Issue #101

December 28, 2007


FBI Compiling Huge International Biometric Database
US Military Starting to Integrate Macs Into Systems
eBay Helps Address Cyber Fraud in Romania


Alleged Source Code Thief Arrested
NIST Releases Final Draft of Security Controls Assessment Guide
Disk Containing UK Police Data Found at Recycling Center
List Identifies Dubious Music Download Sites
Storm Worm Continues to Morph
Apple Issues Fix for Problematic Safari Patch
Cross-Site Scripting Flaws in Flash Applets
Missing NY State Worker Data Tapes Found in Missouri
Identity Thief Targets Municipal Court Website
Captured Terrorist Leader Suspect Managed Computer Security Training

**************************** Sponsored By SANS **************************

How is my control system vulnerable? How are attackers penetrating my defenses? How can I mitigate this threat? These are some of the topics of the Process Control and SCADA Summit. Learn what commercial and governmental solutions are available and how others have used them. January 16-17 - New Orleans.


Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17):
- - San Jose (2/2-2/8):
- - Phoenix (2/11-2/18):
- - Prague (2/18-2/23):
- - and in 100 other cities and online, any time:



FBI Compiling Huge International Biometric Database (December 22, 2007)

The FBI's Next Generation Identification system will gather biometric data of individuals around the world into the single largest database of such information. The goal of the US $1 billion system is to allow law enforcement authorities worldwide to identify suspected criminals. The FBI has already begun compiling facial, fingerprint, and palm information. In addition, at employers' requests, the FBI will retain fingerprint information of employees who have undergone criminal background checks.

[Editor's Note (Schultz): The motivation for implementing this database is very understandable, but there are many significant concerns, among which safeguarding privacy, prevention of false alarms, and implementing sufficient access control mechanisms are some of the most significant, that the FBI appears to be glossing over. ]

US Military Starting to Integrate Macs Into Systems (December 21, 2007)

The US military is quietly starting to integrate Mac computers into its systems because they have a reputation for being targeted less often than Windows machines in cyber attacks. Increasing diversity of computer systems also makes them more stable. One problem with using Macs in the past is that they have not been compatible with the Common Access Card (CAC) system, which is widely used in the military. Software is being developed that should allow Macs to use CAC as soon as February 2008. Detractors point to the fact that Apple patched almost five times as many flaws in its software over the last year as did Microsoft for Windows, but others say that the number of fixes is an indication of attention to security.


[Editor's Note (Skoudis): Being a Macintosh user myself, I may be a bit biased here. Still, with that in the open, I'm happy to see a major organization recognize that there are security benefits to having some diversity among computing platforms. But, there are downsides as well. I hope the US Military is paying attention to patching their new fleet of Macs. There are fewer centralized enterprise patching solutions for Macs than for Windows, and most orgs aren't geared up for proper Mac patching, putting the burden on Mac-toting users themselves, a dangerous plan.
(Schultz): It is true that there is less virus- and spyware-related risk in Macs. As I have said before, however, the black hat community is increasingly targeting Macs. Additionally, as mentioned in this news item, the number of security-related flaws in Macs has been comparatively large. Thinking that simply using Macs translates to good security is thus extremely naive.
(Northcutt): I hope they are not depending on security by obscurity as Pravda online and other sites are picking up the story:

eBay Helps Address Cyber Fraud in Romania (December 26, 2007)

eBay has sent a team of professionals and equipment to help authorities in Romania fight Internet auction fraud. Romanian police estimate that cyber crime gangs in their country do a multi-million dollar business in online fraud. eBay does not even operate in Romania, but acknowledges that the country is the top location for professional fraudulent activity. In the 1980s, Romanian dictator Nicolae Ceausescu refused to buy Soviet computers, instead pushing Romania to build its own machines, which it did by painstakingly reverse-engineering other countries' products. The practice has created a culture of high computer literacy in the country as well as a sophisticated level of computer crime. (Please note this site requires free registration)

[Editor's Note (Northcutt): Great story, well researched. Scambusters and other sites point out that the scammers target your ebay "name" on Gmail, Yahoo, Hotmail etc. So the security awareness tip of the day is to make sure your ebay name is different from your gmail name. Tip two is the age old truth, if it sounds too good to be true, it ain't true:

************************* Sponsored Links: ***************************

1) Listen to industry leaders discuss issues and solutions - Penetration Testing and Ethical Hacking Summit March 17-18.
2) Hear what major government labs have implemented for Control Systems security at the Process Control and SCADA Summit January 16-17.




Alleged Source Code Thief Arrested (December 27 & 28, 2007)

A woman has been arrested and is being held on charges that she allegedly stole US $12 million worth of sensitive data from her former employer, Hinjewadi (India) based 3DPLM Software, just days before leaving her job there. Anjali Sharma allegedly used her work computer to send source code to her husband. Sharma's alleged actions violate a non-disclosure agreement she signed when she began work at 3DPLM.


NIST Releases Final Draft of Security Controls Assessment Guide (December 27, 2007)

The National Institute of Standards and Technology (NIST) has released the final public draft of SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems." The document is aimed at helping federal agencies develop security assessments required by the Federal Information Security Management Act (FISMA). Comments will be accepted through January 31, 2008; the final version of the document is expected in March.
[Editor's Note (Northcutt): Draft means you have a chance to submit your comments. I have read this, there is some good stuff in it. However, it looks like one of the major effects of the document will be to create a cottage industry to help Federal Agencies develop massive Audit and Accountability Policies. In fact, I just blew up to godaddy to register AuditAccountability.Com]

Disk Containing UK Police Data Found at Recycling Center (December 26, 2007)

An obsolete computer that had been sent out to be recycled was found to contain personally identifiable information of an unspecified number of employees, including police officers, of Devon and Cornwall (UK) Police. Assistant Chief Constable Bob Pennington has issued an apology and says the incident is under investigation. Normally, disks are wiped clean before computers are sent to be recycled. The disk containing the information was found by a man looking for parts at a recycling center.
[Editor's Note (Honan): In the rush to secure data on hard drives, other technologies such as floppy disks, CDs and tapes often get overlooked. Ensure you have means to securely destroy such technologies or at least ensure data on them is encrypted.]


List Identifies Dubious Music Download Sites (December 27, 2007)

The Center for Democracy and Technology (CDT) has released a list of 34 websites it says are misleading users by implying that mainstream music can be downloaded from them. The sites charge subscription fees, which users may assume are used to pay royalty costs, but the listed websites have not obtained the necessary licensing agreements to distribute the music. Instead, users are provided peer-to-peer file sharing software, which is often available at no cost elsewhere, and given instructions on using filesharing networks.


Storm Worm Continues to Morph (December 25 & 26, 2007)

Continuing its path of evolution and adaptability, the Storm worm is now spreading in the guise of holiday-related messages. Storm has been spreading for nearly a year. At first, Storm's method was to release numerous variants almost simultaneously so as to hinder efforts of anti-virus companies to detect every one. It then progressed to using spam networks to seek out vulnerable machines, and more recently developed a method of striking back at analysts trying to find sources of infection. A variant with a rootkit designed to cloak the malicious code has also been detected.

[Editor's Note (Skoudis): Storm gets a rootkit... it was inevitable. Storm represents a massive distributed computing platform from which bad guys harvest money. They reinvest some of that profit in making it even more sinister.
(Liston): This is something that we've been predicting for some time now. Malware is now a business, and the storm worm's creator has developed a business plan for using his little creation to earn a living. Like any successful business plan, adaptability to market pressures is a primary goal. We will continue to see an increasing number of highly adaptive malware strains in the future. ]

Apple Issues Fix for Problematic Safari Patch (December 24, 2007)

Apple has had to release a fix for a Mac OS X security update issued in mid-December. The original security update addressed 31 vulnerabilities, including a cross-site scripting hole in Apple's Safari web browser both for Mac OS X and Windows. The correction was released because the original patch caused Safari to stop working when users visited certain web pages.

Cross-Site Scripting Flaws in Flash Applets (December 21 & 23, 2007)

A number of serious flaws in Adobe Flash applets could be exploited to steal personal information of users visiting vulnerable websites. There are presently no patches available for the cross-site scripting flaws in the applets, also known as SWF files. More than half a million of the problematic applets have been detected on numerous sites, including those of some government agencies and financial institutions. Adobe says fixes should be available some time in the next few weeks. Meanwhile, users would be well-advised to use some sort of script-blocking technology. The fix Adobe recently released for vulnerabilities in Flash does not address this problem.


Missing NY State Worker Data Tapes Found in Missouri (December 27, 2007)

Missing computer backup tapes containing New York State Dormitory Authority data have been located at a UPS warehouse for lost items in Missouri. The tapes were originally sent overnight from Albany to Manhattan on December 17 and were sent to the warehouse after they became separated from their packaging in a Manhattan sorting facility. A Dormitory Authority spokesperson says it appears the tapes have not been tampered with; they contain personally identifiable data of 909 current and former employees.


Identity Thief Targets Municipal Court Website (December 22, 2007)

An identity thief apparently entered random Social Security numbers (SSNs) into the Franklin County (Ohio) Municipal Court website, hoping to find a match. According to police, the thief stole personally identifiable information, such as names, ages and addresses of hundreds of people, and used the information to open bank accounts and credit cards. The site contains information about people convicted of misdemeanors; the data theft affects people from Ohio, Kentucky, South Carolina, Texas, and Wyoming.

[Editor's Note (Liston): Was anyone looking at the logs for this site? ]
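The attack described above is plain enumeration: one client feeding a lookup form many candidate values and keeping the ones that return a record. That pattern is visible in ordinary web server access logs without any application instrumentation, which is the point of the question about logs. The script below is an added example, not code from the newsletter or from the court's website. It assumes a hypothetical lookup endpoint GET /records/search?ssn=NNNNNNNNN, assumes the application answers 200 on a match and 404 on no match, and runs over constructed Apache/nginx combined-format log lines (the SSNs are in the never-issued 9xx range). It scores each client IP on three things a guessing script does and a human rarely does: many lookups, almost all of them distinct values, and almost all of them misses.

```python
"""Spot a client enumerating a record-lookup form from web server access logs.

Added example, not part of the newsletter. Assumptions (all hypothetical):
  - the lookup form is GET /records/search?ssn=NNNNNNNNN;
  - the application answers 200 when a record matches and 404 when it does not;
  - logs are in Apache/nginx "combined" format.
The log lines generated below are constructed; the SSNs use the never-issued 9xx range.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format, matched up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOOKUP_PATH = "/records/search"   # hypothetical endpoint
LOOKUP_PARAM = "ssn"              # hypothetical parameter name


def build_sample_log():
    """Constructed traffic: one normal user and one client walking through SSNs."""
    lines = [
        # A legitimate user re-checks the same two records; the lookups are hits.
        '198.51.100.4 - - [20/Dec/2007:09:01:10 -0500] "GET /records/search?ssn=900000101 HTTP/1.1" 200 2311',
        '198.51.100.4 - - [20/Dec/2007:09:02:44 -0500] "GET /records/search?ssn=900000102 HTTP/1.1" 200 2290',
        '198.51.100.4 - - [20/Dec/2007:09:03:02 -0500] "GET /records/search?ssn=900000101 HTTP/1.1" 200 2311',
        '198.51.100.4 - - [20/Dec/2007:09:03:30 -0500] "GET /index.html HTTP/1.1" 200 5120',
    ]
    # An enumerating client: 30 distinct values inside one minute, almost all misses.
    for i in range(30):
        ssn = 900001000 + i
        status = 200 if i in (7, 19) else 404
        size = 2300 if status == 200 else 1204
        lines.append(
            f'203.0.113.7 - - [20/Dec/2007:09:10:{i:02d} -0500] '
            f'"GET /records/search?ssn={ssn} HTTP/1.1" {status} {size}'
        )
    return lines


def parse_lookup(line):
    """Return (ip, ssn, status) for a lookup request, or None for any other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != LOOKUP_PATH:
        return None
    values = parse_qs(url.query).get(LOOKUP_PARAM)
    if not values:
        return None
    return m.group("ip"), values[0], int(m.group("status"))


def flag_enumerators(lines, min_lookups=20, min_distinct_ratio=0.9, min_miss_ratio=0.8):
    """Per client IP: count lookups, distinct values tried, and 'no match' answers.

    A person re-checks a few records and mostly gets hits; a guessing script tries
    many distinct values and mostly misses. Returns the clients that cross every
    threshold. Raw SSNs are never stored: distinct values are counted via a digest
    (a 9-digit value hashes trivially, so this is report hygiene, not secrecy).
    """
    stats = defaultdict(lambda: {"lookups": 0, "distinct": set(), "misses": 0})
    for line in lines:
        parsed = parse_lookup(line)
        if parsed is None:
            continue
        ip, ssn, status = parsed
        s = stats[ip]
        s["lookups"] += 1
        s["distinct"].add(hashlib.sha256(ssn.encode()).hexdigest())
        if status == 404:
            s["misses"] += 1

    flagged = {}
    for ip, s in stats.items():
        n = s["lookups"]
        if n < min_lookups:
            continue
        distinct_ratio = len(s["distinct"]) / n
        miss_ratio = s["misses"] / n
        if distinct_ratio >= min_distinct_ratio and miss_ratio >= min_miss_ratio:
            flagged[ip] = {"lookups": n, "distinct": len(s["distinct"]),
                           "miss_ratio": round(miss_ratio, 2)}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_enumerators(build_sample_log()).items():
        print(f"{ip}: {info['lookups']} lookups, {info['distinct']} distinct values, "
              f"{info['miss_ratio']:.0%} no-match responses")
```

Two caveats a practitioner would add. First, the fact that the detection works at all because the SSN appears in the GET query string is itself a finding: a lookup value this sensitive belongs in a POST body, and the log will otherwise retain it indefinitely. Second, logging is the backstop, not the fix; a public lookup form should rate-limit per client and avoid making "match" and "no match" cheap to tell apart, so enumeration is slow and noisy before anyone reads a log.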


Captured Terrorist Leader Suspect Managed Computer Security Training (December 11, 2007)

Coalition forces in Iraq have captured a suspected Special Groups leader near Baghdad. The individual is believed to be involved in coordinating explosive devices as well as operational security and computer security training. Ten other suspects have been detained as well.

[Editor's Note (Northcutt): there is a bit more information here, hopefully more will be forthcoming:


Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Tool Talk Webcast: NAC - After the Honeymoon
WHEN: Tuesday, January 15, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alok Agrawal, Jimmy Ray Purser, and Robb Boyd
Sponsored By: Cisco Systems

It's fair to say that NAC, or Network Admission Control, has certainly enjoyed its day in the sun. Despite being a very real technology solving very real problems, NAC has now moved out of the spotlight of center stage and is firmly entrenched as a set of technologies that every enterprise has some kind of an opinion on. Whether you have deployed some type of NAC solution today, have plans for it in the future, or perhaps are truly wondering what the heck we are talking about, this conversation is for you. The problems can be pretty easy to understand but the devil is in the details - we promise to sort through the details in this interactive conversation. Please join Robb Boyd from Cisco's TechWiseTV as he welcomes his panel of experts, Jimmy Ray Purser, Chief Geek for Cisco's TechWiseTV, and Alok Agrawal, Manager of Technical Marketing from Cisco's NAC Business Unit.

SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
Sponsored By: eIQnetworks

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.


Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and John Weinschenk
Sponsored By: Cenzic

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top 20 2005 and the Top 20 quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit