MacBook Air, Dell XPS 13, or $600 Off with SANS Online Training for a limited time!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #5

January 16, 2007

Over the next several weeks, you'll begin to hear about US military services standardizing on secure configurations of common operating systems (VISTA and XP to start) (1) so they can avoid costs and errors of tens of thousands of sites doing their own hardening, (2) so they can get the operating system vendors to test patches on the standard configurations before releasing them - so patches can be installed much more quickly, and (3) so they can ensure application vendors deliver software that doesn't force configuration changes that conflict with their standard configuration. That's big news. Civilian US government agencies will quickly take advantage of the work done by DoD, as will other governments and many large companies. DoD's success was the direct result of community-wide consensus led by NSA and the Center for Internet Security (CIS). The SANS community has been helping CIS expand the products for which consensus secure configurations are available ( and ). If you would like to help, the last item in this issue offers ways you can participate.



Australian Banks Lobby For Consumer Liability for Online Bank Fraud


NJ Teens Charged in Grade Altering Scheme
Chinese Court Cracking Down on Copyright Violators
MI5 Takes Steps to Improve Security Alert eMail System
EU Officials Accept US Data Collection Program; Privacy Groups Don't
Exploits Target Java Flaws
Windows VML Flaw Exploit Code Released
MoneyGram Acknowledges Cyber Intrusion
Missing Laptop Chronicles
-- North Carolina Department of Revenue
-- University of Idaho Advancement Services Office
-- Arrest Made in Towers Perrin Laptop Theft
Study: 30 Percent of Large UK Companies Still Sending Spam
Finjan Report: Attackers Using Dynamic Code Obfuscation
Google Malware Warning Page Generates Complaints from Web Site Operators
It's Not So Easy to Opt Out of UK NHS Database
Invitation To Help With Secure Configuration Projects

************************* Sponsored By ArcSight, Inc. *******************

Free Whitepaper: Extracting Value From Log Data. Discover how to extract the value in your event log data. Learn how to capture log data across your enterprise, reduce long-term retention costs and simplify access to historical data with this free whitepaper. Brought to you by ArcSight, the SIM leader that turns operational data into action.



Australian Banks Lobby For Consumer Liability for Online Bank Fraud (15 January 2007)

Australian banking officials, stung by Internet fraud losses in excess of $25 million a year, are lobbying the Australian Securities & Investments Commission for permission to make theor customers pay for losses in so-called email "phishing" attacks, or from mistakes made during online transactions. Today the banks reimburse their depositers. Consumer groups argue against the change. One says: "It's now almost an entire occupation in itself to try and keep up with the new problems that you face in an online environment and to expect that average consumers are going to be able to do that when industry itself is struggling with it, I think is a bit rich."
[Editor's Note (Paller): US banks are experiencing proportionally more cyber fraud losses and often, but not always, reimburse depositors for losses. US bank CEOs, facing 500% increases in 2006 over 2005, are asking "how much longer can we be expected to take on these losses?" However, so far, banks still see cost of strong authentication as greater than the cost of paying for the losses. The tipping point is less that two years way, and the trends will force banks to step up to stronger authentication earlier than that.
(Pescatore): If a bank allows online transactions with weak authentication on both ends (user enters password, bank uses nothing other than today's meaningless SSL server certificates), who is acting irresponsibly when a phishing attack succeeds?
(Kreitner): The banks might want to think twice about this policy. It could backfire by diminishing the public's interest in online banking.
(Dhamankar): Banks should not be allowed to wash their hands of this matter so easily. At the least, they should be made to invest in a "Phish Resistance Training" program for all their online users. Only users who pass such tests should be allowed online. This is similar to the "Defensive Driving" programs required for automobile drivers' licenses. ]

************************* Sponsored Link: *****************************

1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered security solution.



NJ Teens Charged in Grade Altering Scheme (11 January 2007)

Two Cherry Hill, New Jersey teenagers have been charged with breaking into a high school computer system and altering grades. One of the two is 18 and could face up to 10 years in prison if he is convicted. The other is a juvenile and could be detained until he is 21. The problem was discovered during a routine audit of grade reports and school transcripts.
[Editor's Note (Liston): Allegedly, the two used stolen passwords to change grades for four other students for pay at a highly competitive New Jersey high school. I think that fellow NewsBites editor (and New Jersey resident) Ed Skoudis really needs to step forward and explain how he financed his swimming pool.
(Shpantzer): Movies like "Wargames," "Ferris Bueller's Day Off" and their modern incarnations should come with a warning label: "Hacking the school attendance/grade system may be easy but you will get caught and expelled and/or go to prison." ]

Chinese Court Cracking Down on Copyright Violators (11 January 2007)

Luo Zhiguo admitted in a Shanghai court that he profited from illegally operating an on-line game at prices considerably below those of the legitimate version. Luo and two accomplices allegedly copied Mir 3 and made it available for 300 yuan (US$38.50) for permanent access. Authorized accounts could cost players that much in just one month, depending on the amount of time they play. "Luo said he was not aware that they were committing a crime because a lot of other people were also doing the same." One of Luo's accomplices, You Tangcun, was arrested in May and sentenced to three years house arrest. The other accomplice, Ye Weilong, turned himself in last spring "but fled while on bail." The scheme was discovered when an investigation was launched in response to complaints from the game's authorized operator that they were losing millions of yuan every month because of the illegal activity.


MI5 Takes Steps to Improve Security Alert eMail System (15 January 2007)

MI5's recently launched email alert service to keep people informed of changes in the national security threat level has come under fire in recent days for information privacy concerns. The service was apparently sending unencrypted registration information to a US contractor. The service is no longer using the US company; now information is sent to servers in the UK over SSL links. The information being sent to the US raised concerns that it would be subject to government inspection.
[Editor's Note (Shpantzer): Let's all take a deep breath here, OK? Please visit the homepage and look at the subscription application: Name and email. You can use JackD Ripper as your name and any email address you want. So some US contractor knows that you ( JackDRipper@freeemailservice.kom) are subscribed to a British government email service that alerts you to terror warnings. AND??? I'm more concerned about the security of the service's infrastructure being compromised to send out fake terror alerts than a subscriber list with no meaningful data being compromised.]

EU Officials Accept US Data Collection Program; Privacy Groups Don't (12 January 2007)

Although EU officials say they are satisfied that the US Department of Homeland Security's Automated Targeting System is in accord with an agreement reached between the EU and the US in October 2006, privacy rights groups say the program violates that agreement. The agreement allows for up to 34 specific pieces of information to be collected on each traveler; there are restrictions on sharing and using data. The American Civil Liberties Union (ACLU) and Privacy International have written a letter to privacy officials of 27 EU countries saying the Automated Targeting System allows collected data to be stored for up to 40 years and makes no provisions for passengers "to see, modify or correct the information."


Exploits Target Java Flaws (12 January 2007)

Users are encouraged to install patches for remote code execution flaws in Sun Microsystems' Java Runtime Environment (JRE) and Java Software Development Kit (SDK) as exploit code for the vulnerabilities has been released. Patches for the flaws were released in December. The flaws exist in JRE 1.3.x, 1.4.x and 1.5.x and in SDK versions 1.3.x and 1.4.x; Java Development Kit version 1.5.x is also affected.
[Editor's Note (Liston): The issues are caused by buffer/stack overflows in the platform specific native code implementation of Java. The two exploitable flaws center around image parsing (which, in general, has a time-honored tradition of overflow issues) and an array bounds overflow. ]

Windows VML Flaw Exploit Code Released (11 January 2007)

The need to install a recently issued patch for Windows has intensified due to the release of an exploit. The critical flaw in the Vector Markup Language (VML) implementation in Windows could allow attackers to take control of vulnerable PCs. The exploit was made available just hours after the patch, described in the MS07-004 bulletin, was released. A note in the advisory indicates the flaw was being exploited in zero-day attacks prior to the patch's release.
[Editor's Note (Honan): The news that this flaw was exploited within hours of the patch being released highlights the need for organisations to think beyond patching as being their core defence in vulnerability management. By the time a patch is downloaded, tested, authorised through change management and then deployed could be too late. Other strategies including virus updates, IDS systems, firewall rules, file type filtering at the network perimeter and regular reviews of incident response plans should be part of an overall defensive posture. Of course having securely designed and written software in the first place is the best defence.


MoneyGram Acknowledges Cyber Intrusion (12 January 2007)

Global payment services provider MoneyGram has acknowledged that an intruder breached the security of a company server in December 2006. The server holds personally identifiable information of approximately 79,000 customers. The company plans to notify those affected by the breach.

Missing Laptop Chronicles

North Carolina Department of Revenue (13 January 2007)

The North Carolina Department of Revenue has sent letters to 30,000 taxpayers notifying them that their personal information was held on a laptop computer stolen from a NC Dept. of Revenue employee's car. The data include Social Security numbers (SSNs); law enforcement officials are investigating the theft.

University of Idaho Advancement Services Office (11 January 2007)

Three laptop computers missing from the University of Idaho's Advancement Services Office hold personally identifiable information of more than 331,000 alumni, students, employees and donors. The apparent theft took place over the Thanksgiving weekend.

Arrest Made in Towers Perrin Laptop Theft (10 January 2007)

Towers Perrin has issued a statement saying that "a junior level administrative employee" has been arrested in connection with the theft of laptop computers from the New York City-based pension company. The computers hold personally identifiable information belonging to current and retired United Technologies Corporation (UTC) employees and current and former Altria employees. UTC is based in Hartford, CT; Altria is the parent company of Philip Morris USA.


Study: 30 Percent of Large UK Companies Still Sending Spam (12 January 2007)

A study of EU Directive on Privacy and Electronic Communications compliance among large UK companies found that 31 percent of those companies do not provide "non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry." The survey notes a three percentage point improvement over the 2005 survey. The directive has been in place since the end of 2003.

Finjan Report: Attackers Using Dynamic Code Obfuscation (12 & 8 January 2007)

Malware purveyors are turning to dynamic code obfuscation to evade signature-based anti-virus systems, according to Finjan's quarterly web security trends report. Attackers are using utilities that allow them to give different code to each visitor to a malicious web site, rendering virus signatures useless. The report also noted recent attacks that exploit "Web 2.0 technologies to embed malicious code in .. web sites."
[Editor's Note (Liston): I've been predicting this privately for a couple of years now, and I've even played around with some code to actually create random executable images on the fly. This is too effective and too easy for the bad guys to pass up. ]


Google Malware Warning Page Generates Complaints from Web Site Operators (11 January 2007)

Organizations whose web sites have been identified by Google as possibly containing malware have expressed frustration with the process for appeal. If Google believes malware resides on a given web site, an "interstitial" page will pop up, warning the user that visiting the site could potentially harm the computer. Users are not blocked from visiting the labeled sites, but they must type in the address if they wish to continue. The warning page provides a link to, which will examine sites if users submit queries; Google will remove the warning page if it is determined that the site is free of malware. Web site operators have expressed frustration that the process can take up to 10 business days. According to, some site owners may be unaware that their sites have been infected with malware.

[Editor's Note (Pescatore): With the new IE7 and Firefox 2 browsers including malicious web site warnings, as well as Google and other search engines doing the same, users are going to get a lot of pop-ups warning them that the site they are about to visit might be dangerous. When smoke detectors first became required in buildings, industry, insurance agencies and government agencies learned they needed to do campaigns to tell people what to do if the detector went off and to remind them to change the batteries periodically. The IT industry needs to do something similar around malware sites - Microsoft, Mozilla, Google et al need to invest in a public service campaign around increasing online consumer safety.
(Liston): At the Internet Storm Center, we're constantly faced with the challenge of trying to contact the owners of compromised sites that are hosting malware. Google's warning page is a great stop-gap measure when it is difficult or impossible to get site owners to wake up and do something. If their site is so important that a 10 business day wait is unacceptable, then perhaps they should be paying a bit more attention to securing it.
(Kreitner) This is the sort of inconvenience we need to get used to; it is part of the price we pay for better protection. A metaphor is a police roadblock in a neighborhood where a criminal suspect is on the loose -- an inconvenience for those stopped, but better protection for the neighborhood by increasing the chances the suspect will be caught. However, this sort of mechanism should be executed efficiently to minimize inconvenience. I hope Google's process for determining that a suspected site is free of malicious software, and removal of the warning, are expeditious and accurate.
(Grefer): Similar heads-up warnings are available for free with McAfee SiteAdvisor, which is available for Internet Explorer and Firefox

It's Not So Easy to Opt Out of UK NHS Database

In December, we ran a story that said UK citizens could opt out of having their health care information incorporated into the National Healthcare System database, affectionately known as The Spine. We have since learned that the situation is not so simple. While individuals may opt out of having certain components of their records put on the national database by demonstrating that it would cause "substantial mental distress," other components, including current general practitioner (doctor) and hospital records, will be uploaded to regional hosting centers without any provisions for opting out. There are plans to implement "sealed envelopes" that would allow individuals to seal portions of their health care records. However, the information would still be stored at the regional hosting center and doctors and NHS employees could break the seal in an emergency. Citizens are urged to write their GPs and demand their data not be uploaded. `


An Invitation To Participate In the SCORE Configuration Standards

Periodically I will be posting opportunities to contribute to SCORE and CIS projects. We are currently looking for contributors and authors in the following technical areas:

- -MySQL
- -SQL Server 2005
- -Check Point Firewall
- -Juniper JunOS
- -PostgreSQL
- -Microsoft Vista
- -Microsoft Office
- -Virtual Machines
- -Debian Linux

- -We have the following additional opportunities:
-Participate on the team cross-referencing the CIS benchmarks with the NIST 800-53 Recommended Security Controls for the Federal Information Systems standard.
-Participate on the team cross-referencing the CIS benchmarks with the Payment Card Data Security Industry (PCIDSS) standard.
-Participate in CIS scoring tool testing. (This is a chance to evaluate some of these tools before they are publicly available)

Some of these areas are more technical (the checklist creation and the CIS benchmarks), others are not as technical. If you are a subject matter expert or aspiring to be one, are interested in becoming more involved in the security community (specifically SANS/CIS) and would like to have the opportunity to benefit from contributing to projects of this type, please read on and..

EMAIL ME: with the following information:

- ------------------------------------------------------------------------
Area(s) of expertise:
Contact information:
- ------------------------------------------------------------------------

While I haven't been asked this question, I personally would be asking "What's in it for me?" The following is a list describing some of the benefits for those that contribute to SCORE/CIS:

*Helping to increase security awareness.
*Having your name credited as an author (or contributor) when you are a team member on one of the projects.
*Networking. This is a great way to meet other security experts and share information.
*CPE's for CISSP credits.
*Recognition within the security community.
*Becoming more involved with two great organizations SANS and CIS!

To see some examples of popular SCORE checklists, checkout the following:
The SCORE Oracle Checklist (V3.1)
The SCORE OSX Checklist
The SCORE Windows 2000/XP DSS Auditing Checklist
The SCORE Linux Checklist
The SCORE Handhelds Checklist (V1.0)
** This list is popular, but could use updating. If you are a subject matter expert in this area, please let me know!

Below is a quick summary of the relationship between SANS "SCORE"
(Security Consensus Operational Readiness Evaluation) and CIS
(Center for Internet Security):

"SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large."

I look forward to hearing from you! Please email me the information requested above and I will put you in contact with other team members, the team leader or the SANS/CIS contact you will be working with. Do not hesitate to email me with questions or suggestions.

"Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit