Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #72

September 11, 2007


(1) What are the most important things effective application developers do to make sure their programs are as secure as possible? If you are involved in application security, please consider helping with a new community project to build a on consensus secure coding/development guidelines. Your participation will be confidential or we'll give you full credit - at your option. To participate, just share your organization's secure coding guidelines. Send to apaller@sans.org. We'll weave your input in with the secure coding blueprints from the GSSP common body of knowledge and information from CERT/CC and OWASP and, possibly, Gary McGraw and then circulate it back to participants until we can publish a consensus policy document that organizations can adapt for their use.

(2) Just going live: December 3-4 in Orlando:
WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/
"This was my first SANS Summit, and I definitely will attend more. Now I can go back with better knowledge of data security, vendors (key) and what to do when looking for the correct tool to use to protect confidential/business data."- El Dimayuvga, Honda R&D

Alan

TOP OF THE NEWS

Other Countries' Government Systems Attacked, Too
DHS Scraps Data-Mining Program
Worm Spreading Through Skype

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Four Plead Guilty in US $20 Million Pump-and-Dump Scheme
Texas A&M Alum Faces Charges for Alleged Computer Intrusion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware-Infested Computers With Spoofed Pfizer Addresses Implicated in Spam Attack
Patch Tuesday to Comprise Four Security Bulletins
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Attackers Target UK eBay Accounts
Patient Data on Stolen Computers
STANDARDS & BEST PRACTICES
NIST Issues Draft of Active Content Guide Draft and Final Version of CVSS
MISCELLANEOUS
Ericsson Hellas Fined in Olympic Wiretap Case
LIST OF UPCOMING FREE SANS WEBCASTS


********************* Sponsored By ArcSight, Inc. ***********************

Free Whitepaper: Selecting a SIM Solution for Compliance

The right SIM technology offers great benefits to easing compliance requirements. Discover the best practices - based on actual customer experiences - that should be an integral part of your evaluation process when assessing a SIM. Brought to you by, ArcSight, a leading provider of security and compliance management solutions.
http://www.sans.org/info/15831

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits and SANS other top-rated courses?
Las Vegas (9/23-9-28): http://www.sans.org/ns2007/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

*************************************************************************

TOP OF THE NEWS

Other Countries' Government Systems Attacked, Too (September 10, 2007)

In the wake of a recent report alleging that China's People's Liberation Army was behind a June attack on US Department of Defense computer systems, other countries have begun stepping forward, saying their governments' systems have been targeted by foreign hackers. In New Zealand, attackers breached official websites, stole information, and installed spyware. In France, websites "concerned
[with ]
the services of the state" were breached. In the weeks prior to the story about the attack on Pentagon computers, Germany reported that its government systems had been infiltrated.
-http://www.bangkokpost.com/breaking_news/breakingnews.php?id=121510
-http://computerworld.co.nz/news.nsf/scrt/337662022F9A53F5CC25734F000A573B?opendo
cument&utm_source=

-http://www.australianit.news.com.au/story/0,25197,22391592-15306,00.html
[Editor's Note (Skoudis): A few months ago, I remarked in NewsBites that we might see a shift in our dominant threat vector toward nation-state cyber attack activity, just as we had seen our threat change from hobbyists to organized crime in the 2003 timeframe. Now, some organizations must consider how they can deal with determined, long-term, well-funded, nation-state adversaries. As an exercise, consider what this changed threat might imply for changes to your defenses. It's good that some of this discussion has (finally!) begun happening in the open over the last couple of weeks. At least some leaders are publicly admitting that there is an issue here, and not merely sweeping it under the rug as they have before.
(Ullrich): The short summary: Everybody is attacking everybody. Its just so easy! You will find these accusations in news releases periodically when they are politically convenient, like before larger international meetings. But the fact that you are reading about these intrusions now is not related to their being new or currently particularly bad. ]

DHS Scraps Data-Mining Program (August 5 & 6, 2007)

The Department of Homeland Security's (DHS) ADVISE data-mining program has been scrapped. ADVISE, which stands for Analysis, Dissemination, Visualization, Insight and Semantic Enhancement, "was capable of analyzing one billion pieces per hour of structured information, such as databases, and one million pieces per hour of unstructured information, such as intelligence reports, emails or new articles." The program was put on hold last spring after a report indicated the DHS had failed to assess the privacy impact of their system tests in which they used real, personally identifiable data. A June report from the DHS Office of the Inspector General found fault with the program as well. A DHS spokesperson has said that "ADVISE is not expected to be restarted."
-http://www.theregister.co.uk/2007/09/06/advise_cancelled_data_mining/print.html
-http://www.msnbc.msn.com/id/20604775/
-http://news.com.com/8301-10784_3-9773243-7.html?tag=head&tag=nl.e757
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_07-56_Jun07.pdf

Worm Spreading Through Skype (September 10, 2007)

A worm spreading through Skype's instant messenger "injects code into the Explorer.exe process to force it to run the actual malware;" it also puts phony entries in the Windows hosts file to prevent security software from getting updates. A number of anti-virus companies "have already updated their signature definitions to detect and delete the new malware." The worm spreads by sending itself to contacts from infected machines. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3363
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9035198&source=rss_topic17

-http://blogs.zdnet.com/security/?p=502
[Guest Editor's Note (Frantzen): The malware spreads through the chat function of Skype, and there is a strong link to Lithuania due to the language choices in the interface of the malware (Lithuanian and English). ]


************************* Sponsored Links: ***************************

1) ALERT: Hacking Web 2.0- Ajax Security Dangers- White Paper How Hackers are attacking Ajax Web Apps. Download this SPI Dynamics white paper.
http://www.sans.org/info/15836

2) 63% of malware distributed by US hosted web sites. New ID Theft and Fraud Report provides the latest stats.
http://www.sans.org/info/15841

3) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/15846

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Four Plead Guilty in US $20 Million Pump-and-Dump Scheme (September 10, 2007)

Four men have pleaded guilty to fraud charges stemming from a pump-and-dump scheme that netted the group US $20 million. The group obtained shares of stocks from small corporations and then sent phony emails touting those same companies. They sold the stocks after trading activity generated by the emails had artificially inflated their value. Each of the four faces five years in prison on each fraud charge. Three other people involved in the scheme were sentenced earlier this year.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9035158&source=rss_topic17

Texas A&M Alum Faces Charges for Alleged Computer Intrusion (September 6, 2007)

A Texas A&M University alumnus has been charged with felony reckless damage to a protected computer for allegedly breaking into the university's network and accessing personally identifiable information of students, faculty and staff without authorization. A breach in the server that holds logins and passwords of the network users was detected earlier this year. Luis Castillo, who received a degree in computer science from the school in December, could face up to five years in prison.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/09/06/AR2007090602336_
pf.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Malware-Infested Computers With Spoofed Pfizer Addresses Implicated in Spam Attack (September 6, 7 & 9, 2007)

Computers at Pfizer appear to be sending out spam advertising a variety of products. One report says that nearly 140 IP addresses associated with Pfizer have been linked to the spam. However, the spam does not appear to come from Pfizer itself. The IP addresses used to send the messages are associated with the company, but the "From" addresses have been spoofed. In recent months, Pfizer has acknowledged three security breaches exposing employee data. There has been no connection made between the data security breaches and the spam.
-http://www.heise-security.co.uk/news/95645
-http://www.zdnet.co.uk/misc/print/0,1000000169,39289155-39001093c,00.htm
-http://www.wired.com/politics/security/news/2007/09/pfizerspam
[Editor's Note (Ullrich): It has been pointed out a number of times that large corporations, government departments and military installations are frequently hit by the same spam-sending worms that hit home users. In some cases, compromised web sites from these large organizations have even been used to house the advertised websites. ]

Patch Tuesday to Comprise Four Security Bulletins (September 7, 2007)

Microsoft plans to release four security bulletins on Tuesday, September 11. Just one of the bulletins has a maximum security rating of critical; it addresses a remote code execution flaw in Windows Server 2000 Service Pack 4. The other three bulletins have maximum severity ratings of important. Other Microsoft products getting patches include Messenger, Windows Services for UNIX, and developer tools. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3357
-http://www.theregister.co.uk/2007/09/07/microsoft_announces_5_patches_for_septem
ber/print.html

-http://www.heise-security.co.uk/news/95635
-http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
[Editor's Note (Ullrich): The regular monthly web cast helping you understand the highlights of Microsoft's Patch Tuesday is scheduled for Wednesday, Sept. 8 at 1 PM EDT.
-http://www.sans.org/webcasts/show.php?webcastid=90816]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Attackers Target UK eBay Accounts (September 10, 2007)

A botnet is targeting eBay customers, particularly those in the UK, to try to steal account information and change users' settings so that items are sent to the wrong people. The botnet is composed of computers that became infected with a Trojan horse program when they visited seeded websites. In addition, the attackers have set up phishing websites to try to gain access to more eBay accounts.
-http://www.theregister.co.uk/2007/09/10/ebay_botnet_attack/print.html

Patient Data on Stolen Computers (September 10, 2007)

Two computers stolen from the offices of McKesson healthcare services company hold personally identifiable information of an undetermined number of patients. McKesson "helps pharmaceutical manufacturers set up assistance programs for patients in need." The company has sent letters to the patients whose data they believe may have been compromised by the theft.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201804872

STANDARDS & BEST PRACTICES

NIST Issues Draft of Active Content Guide Draft and Final Version of CVSS (September 6, 2007)

The National Institute of Standards and Technology (NIST) has released Special Publication 800-28 Revision 2, "Guidelines on Active Content and Mobile Code." The guide is designed to help organizations manage active content and deal with the attendant security concerns. Public comment on the draft document will be accepted through October 12, 2007. NIST has also released the final version of the Common Vulnerability Scoring System (CVSS).
-http://www.gcn.com/online/vol1_no1/44972-1.html
-http://csrc.nist.gov/publications/drafts/sp800-28-rev2/Draft-SP800-28v2.pdf
-http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf

MISCELLANEOUS

Ericsson Hellas Fined in Olympic Wiretap Case (September 6, 2007)

The Hellenic Authority for Information and Communication Security and Privacy (ADAE) has fined Ericsson Hellas 7.36 million Euros (US $10.15 million) in connection with widespread wiretapping of Greek officials' and others' mobile phones during the time of the 2004 Athens Olympics. ADAE has not released any details about the wiretapping case, apart from having indicated that the company's equipment was used to tap the phones. Ericsson Hellas plans to appeal the fine. The Greek unit of Vodafone is also appealing a 76 million Euro (US $104.9 million) fine imposed by ADAE in December 2006. It is not known who placed the wiretaps or for what reasons the phones were tapped.
-http://www.reuters.com/article/technology-media-telco-SP/idUSL0682035520070906?p
ageNumber=1&sp=true

LIST OF UPCOMING FREE SANS WEBCASTS

Internet Storm Center: Threat Update
WHEN: Wednesday, September 12, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Mike Yaffe
-http://www.sans.org/info/15586

Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark
-http://www.sans.org/info/15596

Sponsored By: Seagate Technology

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing SeagateR DriveTrustT against a software-based approach.

Ask the Expert Webcast: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
-http://www.sans.org/info/15601

Sponsored By: Secure Computing

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Ask the Expert Webcast: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/15606

Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/