
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #23

March 20, 2007

FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.

The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.

PS. SANS hasn't issued a FLASH announcement in more than two years. In other words, this White House action matters.


Web Site Owner Suing Crawler
Anti-Spyware Bill Supporters Hope Third Time's the Charm
Most Junk Web Pages Traced to Just Two Hosting Companies
McAfee Maps Internet Safety
The Cost of Stolen Identities


Contract Employee Stole and Sold Printing Company Customer Data
DHS CIO's Increased Powers to Include IT Budget Approval, Hiring
UK MP's Plan to Offset Cost of National ID Database by Selling Verification Services
BSA Takes Action Against Software Pirates in US and Europe
Ohio School District Employees' Data on Stolen Computer
Advice for Thwarting Data Leaks
Go Daddy Investigating Last Week's DDoS Attack
Internet Auction Fraud Most Commonly Reported Online Crime
SANS Security Tip of the Day

*********************** Sponsored By Symantec ***************************

Take a 5 minute compliance test. How well do your security policies and practices hold up under regulatory mandates? Take a five minute test to get an overall "compliance score". Then learn how Symantec solutions can help you monitor and report on compliance through a single compliance architecture that enables you to manage multiple regulations.
SANS Expands Security Training Opportunities
SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand. *Complete schedule:
*SANS courses on site at your facility: http://www.sans.org/onsite/


Web Site Owner Suing Crawler (March 16, 2007)

A Colorado woman has sued web crawler Internet Archive "for conversion, civil theft, breach of contract and violations of the Racketeering Influence and Corrupt Organizations Act and the Colorado Organized Crime Act." Suzanne Shell's web site contains the warning "If you copy or distribute anything on this website, you are entering into a contract." The Uniform Electronic Transactions Act (UETA) allows that a "contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents' actions or the resulting terms and agreements." Last month, a court dismissed all the charges except for the breach of contract.
[Editor's Note: (Ullrich): Nice to see that a court dismissed most of the charges. If electronic agents are supposed to agree to contracts, then they better be written in a language they understand. Did she use a 'robots.txt' file to express her contract in a language understood by the internet archive's agent?
(Ranum): That's what "norobots.txt" is for. Every legitimate crawler that I've seen respects it. I do admit that, in the best of all possible worlds, crawlers would favor positive action - i.e.: not crawl your site unless there was a "crawlme.txt" or something like that. ]

Anti-Spyware Bill Supporters Hope Third Time's the Charm (March 18, 2007)

Anti-spyware legislation, which has twice been approved by the US House of Representatives, only to be struck down by the US Senate, is being heard again by the House Subcommittee on Commerce, Trade and Consumer Protection. The bill would ban software that takes control of computers, modifies registry keys or collects data "through misrepresentation." Any software that does collect data must first obtain the consent of the computer user. The bill would also give the Federal Trade Commission (FTC) more power to "pursue companies and individuals responsible for spyware." Opponents of the bill feel it is too restrictive and "could punish legitimate advertisers and marketing firms."
[Editor's Note (Ullrich): Spyware comes in two forms: either with shrinkwrap EULAs that ask the user to agree, or from sources that don't care about laws in the first place. Either way, this law doesn't look like it will make a difference.
(Schultz): It is not going to be easy to pass anti-spyware legislation because many Internet-based businesses depend on spyware, something of which many legislators are well-aware. The outcry against those who install spyware in systems is growing, however, and it is just a matter of time before some kind of US spyware legislation is passed and signed into law. ]

Most Junk Web Pages Traced to Just Two Hosting Companies (March 19, 2007)

Researchers from Microsoft and the University of California, Davis, have published a paper revealing the companies behind the growing number of web pages that exist merely to lure surfers to their advertisements. The study found that most of the pages emanate from two web hosting companies and more than two-thirds of the advertisements come from three advertising syndicators. Those behind the scheme often falsely inflate the pages' search engine rankings. For certain search terms, 30 percent of results led to advertisement-laden pages. Overall, 11 percent of the 1,000 search terms returned pages that were only advertisements. Please note this site requires free registration:


McAfee Maps Internet Safety (March 13 & 15, 2007)

McAfee has conducted a study to map the Internet in terms of safety. The study looked at 265 top-level country and generic domains and ranked the web pages within those domains using red, yellow and green ratings for the sites they visited. A red rating means the site tested positive for malware, spam or a close association with other poorly-ranked sites. A yellow rating denotes a site with annoyances, such as excessive pop-up advertisements. A green rating means the site does not pose a threat. The most risky domains among large countries are Romania (.ro) where 5.6 percent of sites generated warnings, and Russia (.ru) where 4.5 percent of sites generated warnings. Among generic domains, .info has the highest percentage of risky sites (7.5 percent) while .com had 5.5 percent of sites that generate warnings. Both domains rank high on the list of sites that host exploits or drive-by downloads. However, because .com is such a prevalent domain, its effect is magnified. The domain for the US government, .gov, had virtually no risky sites.

The Cost of Stolen Identities

Symantec's latest Internet Security Threat Report claims that online criminals are exchanging stolen full identities for between $14 and $18. A full identity includes the victim's Social Security number, bank account details including passwords, and other personal information such as date of birth and the victim's mother's maiden name. The main victims of online identity theft appear to be US citizens, with 86% of the credit and debit cards advertised for sale on the online underground issued by U.S.-based banks. Elsewhere in the report, Symantec claims to have seen an 11% rise in the use of bot networks, with China accounting for 26% of all bot networks. U.S. sites were also the victim of 52% of all DoS attacks.



************************** Sponsored Links: ***************************

1) Upcoming SANS Ask the Expert Webcast, "The State of Malware Today", March 21 at 1pm EDT.

2) Learn to select and implement the right tools at the Log Management Summit April 23-25.

3) Protect your company from phishing expeditions. New FREE report has the facts.



Contract Employee Stole and Sold Printing Company Customer Data (March 12, 2007)

A contract employee at Dai Nippon Printing Company in Japan allegedly stole approximately nine million pieces of customer data by copying the information onto a variety of recording media. Affected clients include the Toyota Motor Corp., American Home Assurance and Aeon Co. A spokesperson for Dai Nippon is in negotiations with customers regarding compensation. The data were stolen between May 2001 and March 2006. An investigation was triggered when the employee allegedly sold 150,000 pieces of data to a criminal group. The investigation led to the discovery that far more information was stolen than first believed. The individual was arrested on February 20 and indicted on charges of theft because the disk he used to copy the information did not belong to him. Japan's personal information protection law does not provide for penalties for stealing data. If the former contract worker had used his own disk to copy the information, authorities would have had a harder time filing any charges against him.
(In a lovely touch of irony, Dai Nippon Printing, along with Ivex, plans to release security software to guard against unauthorized access next month.)


DHS CIO's Increased Powers to Include IT Budget Approval, Hiring (March 15 & 16, 2007)

US Department of Homeland Security (DHS) chief Michael Chertoff issued a directive increasing the authority of DHS CIO Scott Charbo. Among the new powers Charbo will have are approval of the budgets of other CIOs in DHS, approval over their IT investment projects and performance evaluations of CIOs in component agencies.

UK MP's Plan to Offset Cost of National ID Database by Selling Verification Services (March 12, 2007)

In an effort to recoup some of the estimated GBP 540 million (US$1.049 billion) a year it will cost to run the UK's government ID database, Members of Parliament (MPs) want to charge companies to verify information with the database. Businesses would require citizens' consent to access their information in the database. Citizens have already expressed displeasure with the fact they have to pay GBP 93 (US$180) for the cards, which hold 49 separate pieces of personal data. MPs want to charge businesses 60p (US$1.16) for each ID check. The companies would submit data to the system and be given a "yes" or "no" answer for verification purposes.


BSA Takes Action Against Software Pirates in US and Europe (March 13, 2007)

The Business Software Alliance (BSA) is taking legal action against five alleged software pirates in the US, the UK, Germany and Austria. In each of the cases, BSA was made aware of the alleged piracy through consumer complaints. The BSA is making a concerted effort to fight piracy on a global level.


Ohio School District Employees' Data on Stolen Computer (March 16, 2007)

A laptop computer stolen from the vehicle of an Ohio state auditor's office employee holds personally identifiable information of approximately 2,000 current and former Springfield City Schools employees. The employees have been notified of the data breach by mail. The breach affects people who were considered permanent employees as of June 2004, June 2005 and February 2006 and who received paychecks on three different dates in 2003 and 2004. The employee has been reprimanded for violating office policy by leaving equipment unattended in a vehicle.

Advice for Thwarting Data Leaks (March 19, 2007)

Several recent cases of proprietary data theft by employees highlight the need for companies to exercise internal control over their data. Experts recommend taking a number of steps to mitigate the risk of data leaks, including monitoring network traffic, limiting user privileges, and controlling and monitoring devices that can be used to copy data.

Go Daddy Investigating Last Week's DDoS Attack (March 12 & 13, 2007)

The Go Daddy Group was hit with a "significant and sustained" distributed denial-of-service (DDoS) attack that made some customers' websites unavailable for several hours on March 11. Other services were affected by the attack as well. At its peak, the attack was sending 70,000 packets a second to Go Daddy systems. Go Daddy security and network teams contained the attack and implemented protective measures to guard against such an attack in the future. Go Daddy runs a major domain registrar and web hosting provider. The company is trying to determine the source and motive for the attack.





Internet Auction Fraud Most Commonly Reported Online Crime

According to the 2006 annual report released by the U.S. Federal Bureau of Investigation's Internet Crime Complaint Center (IC3), Internet auction fraud is the most commonly reported online crime. 45% of the 207,492 complaints received by the IC3 in 2006 related to auction fraud, down significantly from the 2005 figure of 65%. Overall, the number of complaints received by IC3 is down 10% from the 2005 figures, but the total dollar cost of these crimes is up to $198 million in 2006 from $183 million in 2005. The average sum per complaint was $724.

SANS Security Tip of the Day

Tip: People Forget, Computers Don't

In 2003, the British Government published a report on Iraq's security and intelligence organizations. Then a Cambridge University lecturer discovered that much of the document was copied from three different articles, one written by a graduate student. How did he know? The document contained a listing of the last 10 edits, even showing the names of the people who worked on the file. Hidden data can often be found within Microsoft Office documents, particularly Word. Whenever you exchange documents with clients, either convert them to PDF format (WYSIWYG) or else run them through Microsoft's Hidden Data Removal tool.

For more info, and to download Microsoft's Hidden Data Removal tool, see

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit