SANS NewsBites

Volume IX - Issue #78

October 02, 2007

This morning Air Force General Bob Elder keynoted the DoD-DHS Software Assurance Forum. Gen. Elder led the establishment of the Cyberspace Command, and he explained what that new command was doing (it isn't just defense). One thing that was illuminating was his focus on the changing definition of defense in depth. He said they still invest heavily in building and continuously improving perimeter (and user) security to stop attacks, but it is now equally important to deploy a second deep layer of defense made up of tools and skilled technical people to find the attackers who have successfully evaded the perimeter defenses and are already inside stealing and changing information. He emphasized the need for improved detection of successful penetrations in the defense industrial base (defense contractors).

Best practices in tools and techniques for identifying the enemy inside are the target of a new SANS course (on continuous and intelligent log analysis) being built by Mike Poor, and will be a major topic for the optional evening sessions at the Cyber Defense Initiative conference in Washington in December.

Registration information at:



New Oregon Laws Toughen Data Security Measures
Evidence on Student's Computer Connects Dots Between Terrorist Plots
Security Top Reason for Using Open Source Software


FTC Reaches Settlement with ERG Ventures in Spyware Case
California Man Indicted for Alleged Botnet Attack
Judge Questions TJX Settlement Proposal, Maintains Court Date
MPAA Seeks to Shutter Alleged Pirated Movie Sites
iPhone Update Renders Modified Devices Inoperable
Hole in OpenSSL Not Wholly Fixed
Woman in Greece Arrested for Allegedly Stealing Hospital Data
Stolen Laptop Holds Gap Applicant Data
Student Won't be Expelled for Accessing Applicant Data
Ohio University Steps Up IT Security
Hospital Server Room Overheats, Destroys Equipment

*********** Sponsored By SPI Dynamics ***********

ALERT: "How A Hacker Launches A XPATH Injection Attack Step-by-Step"- White Paper:
One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data. XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which methods of recourse to take to prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!


Where can you find the top rated training in Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other courses?

- - Washington DC (12/13-12/18):
- - New Orleans (1/12-1/17):
- - London (11/26 - 12/1):
- - Chicago (11/2-11/7):
- - Tokyo (11/5-11/10):

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
***WhatWorks in Mobile Encryption Summit



New Oregon Laws Toughen Data Security Measures (October 1, 2007)

As of October 1 Oregon businesses are required to inform customers when their personal data have been compromised in a way that poses a risk of identity fraud. Residents will be allowed to request freezes on their credit files. The freeze can be requested at no charge if the individual's personal information has been compromised; a US $10 charge will apply in other cases. In addition, businesses may no longer print Social Security Numbers (SSNs) on cards or other documents, nor may SSNs be publicly displayed.
[Editor's Note (Schultz): This legislation is significant in that it provides protection to victims of data security breaches that until now no state legislation has provided. ]

Evidence on Student's Computer Connects Dots Between Terrorist Plots (October 1, 2007)

Robert Mueller, director of the FBI, said that evidence gathered from the computer of a London student drew connections between three seemingly separate terrorist plots, underscoring the fact that the Internet is a valuable method of communication for terrorists. Mueller used the case to support his contention that legislation needs to be created and changed to meet the challenges of evolving technology.
[Editor's Note (Northcutt): Hold the fort! Younes Tsouli was arrested in 2005 and has been taught, for over a year, as a case study of current low end information warfare in the Management 512 Security Leadership Essentials class I author and teach. Tsouli's claim to fame is that he was one of the people who developed the methodology for beheading videos. You may recall the impact that had on Japan when one of their citizens was beheaded. ]

Security Top Reason for Using Open Source Software (September 28, 2007)

According to a survey of companies in India, Australia, China and Korea, security is the number one reason for using open source software. Budget concerns and availability of management tools and utilities rank second and third, respectively. More small and medium sized businesses than large businesses are using open source software; companies in China and India are more likely to use open source software than are companies in Australia and Korea. The results of the study also indicate that companies use open source software because it can "fulfill their requirements for specific functionalities."
[Editor's Note (Boeckman): A report was released by MITRE back in 2003 on the use of Free and Open Source Software within the DoD, and security was also cited as one of the reasons it is being adopted. ]

************************* Sponsored Links: ***************************

1) More than 2 million URLs world-wide distributed malicious downloads to site visitors. New report provides the latest stats.

2) Find out what Seagate knows about secure storage. It could improve your company's security.

3) Is your MPLS network secure? Watch the FREE webinar "Securing MPLS Networks" and learn how to utilize NetFlow to harden and securely operate your MPLS.




FTC Reaches Settlement with ERG Ventures in Spyware Case (October 1, 2007)

ERG Ventures LLC has agreed to pay US $330,000 to settle a Federal Trade Commission (FTC) complaint that it bundled a program called Media Motor with other software, such as screensavers and video files, that was offered at no cost to consumers. Once installed, Media Motor downloaded other software that changed users' home pages, kept tabs on their surfing habits and disabled antivirus and antispyware programs. The malware installed through Media Motor has proven difficult or impossible to remove once it has installed itself. Under the terms of the settlement, ERG may not distribute software that alters settings or disables installed programs. The complaint also charged that ERG used deceptive end-user license agreements (EULAs) that installed malware whether or not users agreed to download their software.

[Editor's Note (Liston): Having dealt with Media Motor in a "Follow the Bouncing Malware" article I wrote back in 2004, I can tell you firsthand that "difficult or impossible to remove" is a very accurate assessment. Compared to the amount of money ERG Ventures made and the damage they caused, $300K is nothing. Until we start handing out fines and jail time in proportion to the true damage these pondscum inflict, the deterrent effect of cases like this will be nil. ]

California Man Indicted for Alleged Botnet Attack (October 1, 2007)

A California man has been arrested for allegedly using a botnet to attack computer servers. The FBI arrested Greg King after an extensive investigation. King was charged with four counts of electronic transmission of codes to cause damage to protected computers. Court documents suggest King's botnet allegedly comprised more than 7,000 infected computers. If convicted on all charges, King could face 10 years in prison.
[Editor's Note (Northcutt): He had an older IRC command and control botnet and used it to attack Castlecops in February this year. I sometimes have concerns about Castlecops, but surely he realized attacking them could lead to his demise. This will probably be a colorful court case; the indictment is here:

Judge Questions TJX Settlement Proposal, Maintains Court Date (September 28, 2007)

A federal judge has "a lot of questions and concerns" about TJX Companies' class action lawsuit settlement proposal. TJX has proposed giving individuals affected by the data security breach US $30 vouchers in addition to offers of credit monitoring and other identity fraud amelioration and prevention. The judge in the case wants members represented by the class action suit to have the option of receiving cash in the place of the vouchers. He has also refused requests from both sides to remove the trial from the court calendar. The judge instead ordered the trial date be maintained and has set an additional hearing date for later this month.
[Editor's Note (Northcutt): Journalist Evan Schuman has more on the settlement here:
And according to blogger Meg Marco, TJX does not intend to give much of a settlement to anyone:

(Liston): Funny thing: we have a new department store near my home and they're giving out $20 vouchers for their grand opening to anyone with a pulse. TJX treats your credit info like a Paris Hilton sex tape, and they cough up ten bucks more? Seems fair to me... ]


MPAA Seeks to Shutter Alleged Pirated Movie Sites (September 28, 2007)

A lawsuit filed against two websites seeks to shut them down because they allegedly allow their users to view pirated movies. The Motion Picture Association of America (MPAA) filed the lawsuit on behalf of major US movie studios. One site's servers are apparently located in Malaysia and the other's in Arizona.


iPhone Update Renders Modified Devices Inoperable (September 28 & October 1 & 2, 2007)

Apple has released a security update for its iPhone to address 10 flaws. The vulnerabilities could be exploited to execute arbitrary code, cause denial-of-service conditions, or gain access to private data. The security update also has the effect of making modified iPhones useless. There are reports that the update causes problems with unmodified phones as well. Apple also released updates for iWork productivity applications, iTunes for Windows and iWeb.
[Editor's Note (Liston): I think this is just the universe's way of normalizing karma after four months of iPhone users smugly sliding, tilting and zooming their little chunks of glossy user interface in front of the rest of us. And no, I'm not bitter about not having an iPhone.... not anymore :-) ]

Hole in OpenSSL Not Wholly Fixed (September 28, 2007)

A fix for a security flaw in OpenSSL that was released last year evidently did not go far enough. The update addressed a critical buffer overflow flaw in OpenSSL versions 0.9.7k and 0.9.8c; it limited the extent of the overflow but did not completely close the hole. The flaw could still be exploited in versions 0.9.7m and 0.9.8e to execute arbitrary code. The date on which updated versions of OpenSSL will be released is uncertain.
[Editor's Note (Ullrich): The OpenSSL library is widely used and probably one of the better reviewed pieces of open source software. This problem just shows how incredibly hard it is to identify and fix bugs late in the development process. ]


Woman in Greece Arrested for Allegedly Stealing Hospital Data (September 29, 2007)

Greek authorities arrested a woman for allegedly sending files from her job at a hospital to her home computer. The woman had recently submitted her letter of resignation at that hospital and was reportedly working for a rival institution. The files she sent to her home computer included client information and financial reports. Investigators found two hard disks containing similar data at the woman's home.
[Editor's Note (Honan): This case is by no means unique and highlights why good communication between HR and information security is so important. Having a process in place to review and determine whether a staff member retains their access rights to confidential information after they resign and are still serving their notice will help mitigate this type of data loss. ]
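The review process Honan describes can be mechanised as a join between the HR leaver list and the access grants held in directories and file-share ACLs. The following is an added illustration, not code from SANS or from the hospital in the story; the record shapes, user names and share paths are constructed for the example. Staff still serving notice get their confidential grants flagged for review, staff whose last day has passed get a revoke, and grants with no matching HR record are flagged as orphans with no accountable owner.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Record shapes are assumptions for this example; in practice HR status comes
# from the HR system and grants from directory / file-share ACL exports.

@dataclass(frozen=True)
class HrRecord:
    user: str
    resignation_date: Optional[date]  # None when the person has not resigned
    last_day: Optional[date]          # last working day (end of notice)

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    sensitivity: str                  # "confidential" or "internal"

def classify_user(rec: HrRecord, today: date) -> str:
    """active / in_notice / left, derived purely from the HR record."""
    if rec.resignation_date is None or today < rec.resignation_date:
        return "active"
    if rec.last_day is not None and today > rec.last_day:
        return "left"
    return "in_notice"

def access_review(hr: List[HrRecord], grants: List[Grant], today: date) -> List[Dict[str, str]]:
    """Join HR status onto access grants; return one finding per grant needing action.

    - left         -> revoke: the notice period is over, no access should remain
    - in_notice    -> review: confidential grants are decided case by case
    - no HR record -> investigate_orphan: access with no accountable owner
    Active staff and internal-only grants produce no finding.
    """
    status = {rec.user: classify_user(rec, today) for rec in hr}
    findings: List[Dict[str, str]] = []
    for g in grants:
        st = status.get(g.user, "unknown")
        if st == "unknown":
            action = "investigate_orphan"
        elif st == "left":
            action = "revoke"
        elif st == "in_notice" and g.sensitivity == "confidential":
            action = "review"
        else:
            continue
        findings.append({"user": g.user, "resource": g.resource, "action": action, "status": st})
    return findings

# Constructed sample data (not from any real organisation).
REVIEW_DATE = date(2007, 10, 2)
SAMPLE_HR = [
    HrRecord("alice", date(2007, 9, 20), date(2007, 10, 20)),  # serving notice
    HrRecord("bob", None, None),                               # active
    HrRecord("carol", date(2007, 8, 1), date(2007, 8, 31)),    # already left
]
SAMPLE_GRANTS = [
    Grant("alice", "fileshare:/finance/reports", "confidential"),
    Grant("alice", "fileshare:/hr/handbook", "internal"),
    Grant("bob", "fileshare:/finance/reports", "confidential"),
    Grant("carol", "fileshare:/patients/records", "confidential"),
    Grant("dave", "fileshare:/patients/records", "confidential"),  # no HR record
]

def run_sample_review() -> List[Dict[str, str]]:
    return access_review(SAMPLE_HR, SAMPLE_GRANTS, REVIEW_DATE)

if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f['action']:<20} {f['user']:<8} {f['resource']}  [{f['status']}]")
```

Running it on the sample produces a review for alice's finance share, a revoke for carol, and an orphan finding for dave; the design point is that the decision on in-notice staff is made by a person, but the list of what to decide on is produced mechanically every day, so nothing depends on HR remembering to tell security.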

Stolen Laptop Holds Gap Applicant Data (September 28, 2007)

A laptop computer stolen from a third-party vendor's office holds unencrypted, personally identifiable information of approximately 800,000 people who applied for jobs with The Gap between July 2006 and July 2007. The breach affects residents of the US, Puerto Rico and Canada who applied for jobs with the clothing retailer online or by phone. The unidentified vendor had been hired specifically to handle the applicant data.


Student Won't be Expelled for Accessing Applicant Data (September 30, 2007)

A Western Oregon University student who discovered that sensitive student data were accessible on a school computer network will not be expelled. The student, Blair W. Loving, also works as a copy editor at the student newspaper; in early June, he came across and opened a file holding the names and SSNs of approximately 100 applicants to the university's College of Education. Loving made a copy of the file and informed the paper's editor who in turn notified the faculty advisor. Loving was accused of violating the school's computer use policy. The Student Conduct Committee decided that he would be allowed to stay at the school but would be required to write a proposal describing how to help students understand their responsibilities in using the computer system. He will also be required to write a piece for the newspaper about the importance of reading university policies.

Ohio University Steps Up IT Security (September 28, 2007)

Ohio University (OU), which in the last few years experienced several data security breaches, has taken steps to improve its IT security. OU's data center is now protected by six new firewalls, and other computers that hold sensitive data will have their own firewalls installed. In addition, the school's office of information technology (OIT) has stopped using SSNs as unique student identifiers; students received new identification cards, as the old ones contained unencrypted SSNs. OU has also acquired software to detect file sharing activity and identify those responsible for the illegal activity.
[Editor's Note (Schultz): What is happening at Ohio University once again proves the point that nothing leads to improvement of security practices more than a serious security breach. ]

Hospital Server Room Overheats, Destroys Equipment (September 27, 2007)

Internal auditors are conducting an investigation at St. James Hospital in Leeds to discover the reasons a server room overheated, permanently damaging GBP 1 million (US $2.04 million) worth of equipment. The system in the room was designed to store patient x-rays but had not yet gone live, so patient care was not affected by the incident.
[Editor's Note (Grefer): Whenever feasible, build in redundancy in your A/C setup. Operating a single A/C unit at full power reduces its life expectancy and creates a single point of failure. In case such a setup is not feasible, at least invest in heat sensors and a system that allows for automatic shutdown of non-critical systems early on as well as automatic shutdown of critical systems at the last minute. ]
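Grefer's fallback, heat sensors feeding a staged shutdown, is a small control loop: a warning tier that takes down non-critical hosts early and a critical tier that takes down everything at the last minute. The following is an added illustration and not code from SANS or from the hospital in the story; the hosts, thresholds and sensor trace are constructed. It also handles the failure mode a single-A/C room is most exposed to, a sensor that stops reporting, by failing towards the warning tier rather than towards doing nothing.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Host:
    name: str
    critical: bool   # critical hosts are shut down only at the last-minute tier

@dataclass(frozen=True)
class ThermalPolicy:
    warn_c: float = 30.0      # tier 1: shut down non-critical hosts
    critical_c: float = 40.0  # tier 2: shut down everything

class ThermalController:
    """Two-tier automatic shutdown driven by the hottest valid sensor."""

    def __init__(self, hosts: List[Host], policy: ThermalPolicy) -> None:
        self.hosts = hosts
        self.policy = policy
        self.down: set = set()
        self.actions: List[str] = []

    def _shutdown(self, host: Host, reason: str) -> None:
        if host.name not in self.down:     # idempotent: one shutdown per host
            self.down.add(host.name)
            self.actions.append(f"shutdown {host.name}: {reason}")

    def step(self, readings: List[Optional[float]]) -> List[str]:
        """Process one round of readings (None = sensor fault); return this round's actions."""
        before = len(self.actions)
        valid = [r for r in readings if r is not None]
        if valid:
            temp, note = max(valid), f"max sensor {max(valid):.1f} C"
        else:
            # With no valid sensor the room cannot be shown to be safe;
            # fail towards the warning tier rather than towards doing nothing.
            temp, note = self.policy.warn_c, "all sensors failed"
        if temp >= self.policy.critical_c:
            for h in self.hosts:
                self._shutdown(h, f"critical tier, {note}")
        elif temp >= self.policy.warn_c:
            for h in self.hosts:
                if not h.critical:
                    self._shutdown(h, f"warning tier, {note}")
        return self.actions[before:]

# Constructed sample: three hosts and four rounds of readings from two sensors.
SAMPLE_HOSTS = [Host("build01", False), Host("test-db", False), Host("xray-store", True)]
SAMPLE_READINGS = [
    [24.0, 25.0],    # normal
    [29.0, 31.0],    # one sensor crosses the warning tier
    [35.0, None],    # one sensor fails; the other is still in the warning tier
    [41.0, 39.0],    # hottest sensor crosses the critical tier
]

def simulate(hosts: List[Host], readings_over_time: List[List[Optional[float]]],
             policy: ThermalPolicy = ThermalPolicy()) -> List[str]:
    ctl = ThermalController(hosts, policy)
    for readings in readings_over_time:
        ctl.step(readings)
    return ctl.actions

def simulate_sample() -> List[str]:
    return simulate(SAMPLE_HOSTS, SAMPLE_READINGS)

if __name__ == "__main__":
    for action in simulate_sample():
        print(action)
```

On the sample trace the two non-critical hosts go down in round two and the critical store only in round four; the hottest sensor wins so that one healthy sensor cannot be masked by a cooler one, and a host is shut down at most once however many rounds stay above threshold.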


Ask the Expert: Payment Card Data Law: The Changing Landscape
WHEN: Wednesday, October 3, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Ben Wright and Tracey Mustacchio
Sponsored By: TraceSecurity

2007 is shaping up to be a landmark in the law on merchant liability for loss of credit and debit card data. A flurry of lawsuits are pending against TJX for the break-in it announced in January. Minnesota enacted pioneering legislation imposing new liability on merchants, and as of mid-September California was on the verge of doing something similar.

Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Core Security

This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.

Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
Sponsored By: Securent

In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.

Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics

Join this webcast to learn:
What to consider when evaluating log management solutions
How to use log management to address compliance audits
How to get better security intelligence from existing data
Tips for streamlining log management operations

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit