
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #85

October 26, 2007

TOP OF THE NEWS

Gov. Agency Data Security Incident Reports on the Rise
Number of Accounts Compromised in TJX Breach Off by Factor of Two
Austrian Police Want to Use Trojans as Surveillance Tools
ISPs Must Penalize Filesharers or Face Regulation

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Five Sentenced for Stealing Wireless Broadband Technology
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Police Shut Down OiNK Music Piracy Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Exploits PDF Flaw
Storm Worm Evolves, Launches Retaliatory Attack
Mozilla Will Issue Another Firefox Update to Fix Regression Bugs in Last Week's Release
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Alleged Data Thief's Personal Data Exposed
MISCELLANEOUS
IT Companies Form Secure Coding Group
LIST OF UPCOMING FREE SANS WEBCASTS


********************** Sponsored By Sunbelt Software ********************

Trap and Kill Image Spam with Ninja Email Security for Exchange Ninja integrates best-of-breed antispam, antivirus, disclaimers, & attachment filtering on your Exchange server. It has one of the industry's only dedicated image-spam detection engines designed to protect against emerging image spam threats.
Try the 30-day evaluation to see this policy-based email security product in action!
http://www.sans.org/info/18482

*************************************************************************

TRAINING UPDATE:
Where can you find Hacker Exploits and SANS other top-rated courses?
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

*************************************************************************

TOP OF THE NEWS

Gov. Agency Data Security Incident Reports on the Rise (October 23, 2007)

Speaking at a conference earlier this week, Office of Management and Budget (OMB) administrator of the Office of Electronic Government and Information Technology Karen Evans noted that the number of reported security breaches at federal agencies had doubled in the last several months. US government agencies are required to report incidents that expose personally identifiable information to the US Computer Emergency Readiness Team (US-CERT) within one hour of their occurrence. The average number of incidents per day in June 2007 was 14; just this week, the average number of incidents per day is 30. Evans believes the significant change is due to agencies "erring on the side of caution," and "isn't necessarily a bad thing [because it] reflects increased market awareness."
-http://www.govexec.com/story_page.cfm?articleid=38348
[Editor's Note (Pescatore): Well, any increase in incident reports is pretty much always a bad thing, since no matter which way you slice it either means more incidents, more noticing of incidents or less pretending incidents didn't happen. It's like quality assurance - more defects is always a bad thing, even if it means you just started actually looking for defects or stopped calling defects "features." The real key is root cause analysis - why are the defects/incidents occurring? On personal/customer information exposure, the biggest reason is decades of talking about data classification but never actually taking any tactical steps to do anything about it.
(Schultz): I agree with Karen Evans' assessment of the possible reason that more security incidents are being reported. Additionally, if technical staff have only a short period to investigate potential incidents because of the requirement to report within one hour of a possible incident's occurrence, more events that eventually turn out to be false alarms will almost certainly now be reported as incidents. As I have said before, to require a determination whether or not a potential incident is a bona fide incident within one hour is not very realistic. ]

Number of Accounts Compromised in TJX Breach Off by Factor of Two (October 24 & 25, 2007)

As more details emerge about the TJX data security breach, the Massachusetts-based company is coming under fire for understating the number of payment card accounts compromised. In March 2007, TJX acknowledged that information about approximately 45.7 million accounts was stolen over a period of a year-and-a-half. Court documents indicate that number appears to be more than 94 million. The notable change could cost the company significantly more to address the issues accompanying the massive breach. Last month, Canada's privacy commissioner issued a report criticizing TJX for storing more data than they needed and for not implementing adequate security measures to protect those data. The report suggests the attackers exploited vulnerable wireless systems to gain access to the company's network. TJX is fighting requests from attorneys that they make public reports compiled about its security problems.
-http://www.theregister.co.uk/2007/10/24/tjx_breach_estimate_grows/print.html
-http://www.boston.com/business/globe/articles/2007/10/24/court_filing_in_tjx_breach_doubles_toll?mode=PF
-http://www.eweek.com/article2/0,1759,2206680,00.asp
[Editor's Note (Ullrich): One of the lessons to take away here: Don't store more data than you need. If it's a company or a government agency, any data you store is a potential liability should it get lost.
(Schultz): TJX is fighting a losing battle in trying to keep information about its security deficiencies from being publicly revealed. In reality the public already knows quite a bit about these deficiencies through the information that the media has disseminated concerning TJX's security breaches. Additionally, TJX's interests would be better served if this company devoted the resources it is currently expending in trying to hide this information from the public to correcting its many security problems. ]

Austrian Police Want to Use Trojans as Surveillance Tools (October 26, 2007)

Police in Austria have indicated their intention to use Trojan horse programs as remote surveillance tools in certain investigations. The country's Minister of Justice and the Interior Minister "have drafted a proposal that will be amended by legal experts and the cabinet with the intention of allowing police to carry out such surveillance legally with a judge's warrant." Some in the security software industry are concerned that the tools developed by law enforcement agencies will fall into the hands of unscrupulous individuals and be used for harmful purposes. Another problem is how the tools will escape detection by antivirus programs. Police in Germany have faced legal challenges to the use of Trojans as surveillance tools.
-http://www.arnnet.com.au/index.php/id;661124581;fp;4194304;fpid;1

ISPs Must Penalize Filesharers or Face Regulation (October 24 & 25, 2007)

Representatives from UK ISP and music industry trade bodies have been having talks to hammer out an agreement about the treatment of ISP subscribers who violate copyright law by sharing files over the Internet. The Music Publishers Association would like the ISPs to kick illegal filesharers off the Internet; the ISPs reportedly would rather impose a fine. If the ISPs do not take some form of action against the filesharers, the government may impose regulations.
-http://www.theregister.co.uk/2007/10/25/triesman_isps_music/print.html
-http://news.bbc.co.uk/2/hi/technology/7059881.stm
[Editor's Note (Pescatore): In North America, many ISPs have terms of service agreements that prohibit customers from using file sharing services; yet whenever they actually try to enforce those terms, all kinds of furor results. This is one of many areas where laws don't move as fast as technologies. ISPs kicking off users means loss of revenue, whereas fines don't. When someone goes through a tollbooth without paying, you don't ban them from the tollway (loss of revenue.) You send them a ticket.
(Cole): These laws could easily impact corporations by imposing liability for allowing employees to share illegal content over the Internet. To find out if you may have that problem, run a sniffer such as snort on your gateway with keywords such as mp3, jpg, and intellectual property. Fixing the problem will not only reduce legal liability, but will also increase available bandwidth and potentially reduce cost. ]


************************* Sponsored Links: ***************************

1) SANS Encryption Summit, December 3-4 - concrete, actionable information you can deploy immediately.
http://www.sans.org/info/18487

2) IT Staff Survey Reveals: iPod, Portable Storage Device usage rates and potential impacts
http://www.sans.org/info/18492

3) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/18497

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Five Sentenced for Stealing Wireless Broadband Technology (October 22, 2007)

The Seoul Central District Court has sentenced five engineers (all employees of Posdata) for their roles in an intellectual property theft scheme. The researchers stole information about the WiBro third-generation global standard wireless broadband technology from Posdata and passed it to another company they had established in the US. Posdata has reportedly spent more than US $80 million to develop the WiBro platform.
-http://english.chosun.com/w21data/html/news/200710/200710220008.html
-http://www.cellular-news.com/story/26856.php

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Police Shut Down OiNK Music Piracy Site (October 23 & 24, 2007)

Law enforcement authorities in the UK and the Netherlands have shut down OiNK, an invitation-only music piracy website. OiNK is known for making albums available for downloading before they have been officially released, according to the International Federation of the Phonographic Industry. More than 60 albums have allegedly been shared through OiNK already this year. Police say they have seized OiNK servers. The site's operator has also been arrested.
-http://www.msnbc.msn.com/id/21439384/
-http://news.bbc.co.uk/2/hi/uk_news/england/tees/7057812.stm
-http://www.guardian.co.uk/technology/2007/oct/24/piracy.crime

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan Exploits PDF Flaw (October 24, 2007)

Malware that exploits a recently patched Adobe Acrobat/Adobe Reader vulnerability has been spreading through email. Trojan.Pidief.A arrives as an attachment; the email it accompanies generally targets specific organizations and carries subject lines that read "invoice," "statement," or "bill." The body of the email is empty. If a user opens the maliciously crafted PDF file, the malware lowers security settings on Windows-based machines and installs other malware.
-http://www.theregister.co.uk/2007/10/24/pdf_exploit_in_the_wild/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043940&source=rss_topic17

Storm Worm Evolves, Launches Retaliatory Attack (October 24 & 25, 2007)

The Storm worm (sometimes called Peacomm) has the capacity to launch targeted counterattacks against the systems of users trying to probe its command-and-control servers. Storm is able to detect the probes and retaliate by launching distributed denial-of-service (DDoS) attacks against the uninvited visitors. Researchers have been wary of publicizing the results of their efforts to understand the worm and stop its harmful behavior. Storm has the capability to interrupt applications, including security applications such as antivirus software, as they are booting up and either shut them down or render them inert so that they appear to be running but are in fact doing nothing.
-http://www.networkworld.com/news/2007/102407-storm-worm-security.html
-http://www.theregister.co.uk/2007/10/25/storm_worm_backlash/print.html
-http://www.enews20.com/news_The_Storm_Worms_Striking_Back_03307.html
[Editor's Note (Ullrich): The Storm worm goes out of its way to fight malware researchers. It has always used multiple anti-reverse engineering techniques. This retaliatory behavior was first seen a few months ago as malware researchers who downloaded the trojan multiple times started to be the target of these likely automated attacks. One attack works as follows: Whenever you port scan a storm-infected node, or if you download the malware several times, a subset of the storm network will launch a denial of service attack against you. Typically it is an ICMP flood that can last a day or so. ]

Mozilla Will Issue Another Firefox Update to Fix Regression Bugs in Last Week's Release (October 23, 2007)

Less than a week after releasing Firefox 2.0.0.8, which addressed 10 security flaws, Mozilla says it will release another update, Firefox 2.0.0.9, as soon as next week to fix five regression bugs that shipped with version 2.0.0.8. Three of the regression bugs affect only Windows, but two affect Mac OS X and Linux as well.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043820&source=NLT_AM&nlid=1
-http://developer.mozilla.org/devnews/index.php/2007/10/22/firefox-2008-update-to-be-updated/
[Editor's Note (Pescatore): Patches that require patches are always a bad thing and always mean the initial patches were pushed out without sufficient testing. This is why bragging about how quickly patches come out is a fool's game - it is like the airlines pushing back from the gates to claim on-time departures while the actual passengers sit on the plane for hours before the flight actually takes off.
(Cole): Do not interpret this as a reason to delay patching. It is lower risk to apply patches within 24 hours of their being released even if you have to patch again. Leaving a system like Mozilla unpatched for a week or two could easily allow an attacker to take advantage of the hole in the software.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Alleged Data Thief's Personal Data Exposed (October 24, 2007)

A man arrested for stealing a computer that holds personal information of 500 Missouri residents now knows what it feels like to have his own personal data exposed. A court document normally available online only to people involved with the case was accidentally made public through the Electronic Case Files System. The document contains Timothy Scott Short's birthdate and Social Security number (SSN). Short allegedly stole a Missouri Department of Revenue printer and a computer containing the residents' data. He was caught when he made phone calls to the printer manufacturer's support center.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044020&source=rss_topic17
[Editor's Note (Northcutt): The original story (about the printer bust) is helpful because we see why he had to call Digimark tech support to ask for the drivers for the drivers license printer/laminator. The PC that ran the printer was locked with a key, and Timothy Short was trying to get a different computer to drive the printer. IDG, the source for the story below, was also the group that found Short's social security number online. Score a point to Missouri for physical security on the PC and another to IDG for good investigative journalism:
-http://www.pcworld.com/article/id,138751-c,printers/article.html]

MISCELLANEOUS

IT Companies Form Secure Coding Group (October 23 & 24, 2007)

A group of IT companies has formed the Software Assurance Forum for Excellence in Code (SAFECode). The not-for-profit technical organization will share information and establish best practices in the IT industry to help promote the development of secure code.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=45286
-http://software.silicon.com/security/0,39024655,39168921,00.htm
-http://www.vnunet.com/vnunet/news/2201819/industry-bands-together

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Ansh Patnaik
-http://www.sans.org/info/16871
Sponsored By: ArcSight

Join this Webcast to learn:
How to evaluate and select the right log management solution for your environment
What big log management mistakes can be avoided, and how to avoid them
Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
-http://www.sans.org/info/16876
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.

Tool Talk Webcast: NEW - Web Application Pen Testing with CORE IMPACT
WHEN: Tuesday, November 6, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Anthony Alves
-https://www.sans.org/webcasts/show.php?webcastid=91461
Sponsored By: Core Security Technologies

Core Security Technologies introduces new capabilities for web application penetration testing with CORE IMPACT v7.5. The new release allows security professionals to leverage the product's automated Rapid Penetration Test methodology to identify exposed web applications and interact with backend data - just as an attacker could.

Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deployments
WHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
-https://www.sans.org/webcasts/show.php?webcastid=91186
Sponsored By: Secure Computing

In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.

Tool Talk Webcast: Be a Perfect 10: Nail the PCI Requirement
WHEN: Tuesday, November 13, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Anderson
-https://www2.sans.org/webcasts/show.php?webcastid=91071
Sponsored By: ArcSight

Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?

Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Mike Yaffe
-https://www.sans.org/webcasts/show.php?webcastid=90826

Sponsored By: Core Security Technologies

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-https://www.sans.org/webcasts/show.php?webcastid=91341
Sponsored By: netForensics

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/