Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #86

October 30, 2007

A Heads Up for State and Local Government Agency Security Officers: In early December, a major national program will be announced enabling state and local government agencies to buy laptop encryption software for approximately $16 per copy in volume instead of the $160-$200 retail price. The program will be explained at the Mobile Encryption Summit December 3-4, in Washington DC:



New Commission To Look For Overhaul of US Cyber Security Policy
Payment Card Data System Needs Security Overhaul
NIST Issues Information Systems Risk Management Draft Document


Bot-Net Operator Draws One-Year Prison Sentence
House Committee Approves Global Online Freedom Act
Grocery Store Chain Nearly Loses Millions to Phishers
Six More Flaws in RealPlayer
Trojan Dupes Users Into Deciphering CAPTCHA Images
Trojan Exploits Adobe PDF Flaws, Installs Gozi Trojan
Higher Education Data Security
Unflattering Details Emerge in TJX Case
Microsoft Angles to Get Windows on XO Laptops
Graphics Processing Unit Cuts Password Cracking Time

**************************** Sponsored By SANS **************************

What is the extent of the data leakage problem? How can you use content monitoring and filtering tools to find information leakage and reduce data theft? Which products can scale for large organizations? How can you justify this protection? Find out at the Data Leakage and Insider Threat Summit December 3-4 - Orlando.


Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18):
- - New Orleans (1/12-1/17):
- - London (11/26 - 12/1):
- - Chicago (11/2-11/7):
- - Tokyo (11/5-11/10):



New Commission To Look For Overhaul of US Cyber Security Policy (October 30, 2007)

The US House Homeland Security Committee launched a new cybersecurity commission that will provide recommendations on how to improve the state security of public- and private-sector computers and networks, to the next president. In a rare show of bi-partisanship, both the Ranking Minority Member and the Chairman (McCaul or Texas and Langevin of Rhode Island) of the SubCommittee on Emerging Threats and Cyber Security agreed to personally chair the new commission. The members of the Commission are a who's who of cyber security expertise. Joining the Congressmen in managing the effort are Bobby Inman who served as Director of NSA and Deputy Director of the CIA and Scott Charney who served as chief of the US Department of Justice's Computer Crime and Intellectual Property Section and now leads Microsoft's efforts to improve the security of its products and to help law enforcement catch criminals. The Commission will be managed by the Center for Strategic and International Studies.

Payment Card Data System Needs Security Overhaul (October 29, 2007)

Gartner analyst Avivah Litan says that to focus solely on retailers' card data security is to take a narrow view of the situation; instead, efforts should be directed toward revamping the payment system's security as a whole. According to Litan, "the banks and the credit card companies could solve this
[data security issue ]
more easily" than the retailers could. Presently, merchants have to retain cardholder data to protect themselves against charge backs and to manage recurring charges and refunds. Banks already have stronger data security measures in place so perhaps they could store the data. Another option would be to require personal identification numbers (PINs) for each transaction; fraud from signature debit transactions is considerably higher than fraud from PIN debit transactions.
[Editor's Note (Ullrich): The focus on retailers seems to be wrong. While they have a part in the systems security, they didn't design it. At the very least, the payment card industry should at least assist retailers. PINs seem like a sensible improvement.
(Honan): While experience in the UK reinforces Ms. Litan's argument for the introduction of PIN authorised transactions in reducing certain types of fraud, it also demonstrates that criminals will adapt to changing situations. Since the introduction of Chip and Pin in the UK, card-not-present fraud is increasingly at an annual rate of 16% - see

NIST Issues Information Systems Risk Management Draft Document (October 26, 2007)

The National Institute of Standards and Technology (NIST) has issued SP-800-39, "Managing Risk from Information Systems: An Organizational Perspective." The draft report is intended to help US government agencies "apply the NIST Risk Management Framework to government IT systems" and is considered to be "the flagship document in the series of FISMA-related security standards and guidelines developed by NIST." NIST is accepting comments on the draft document until December 14, 2007.

[Editor's Comment (Northcutt): I am glad I am no longer a government worker. This is very high level, with no way to implement anything it does or does not say and tons of external references when it would have been much more effective to have incorporated the relevant sections of those documents inline so that someone can actually use the document. If your life is going to be impacted by this, it might help to download this and send NIST in your comments. ]

************************* Sponsored Links: ***************************

1) ALERT: "How A Hacker Launches A Cross-Site Scripting Attack"- White Paper from SPI Labs

2) Security professionals focus on fighting the most common data threats - - Encryption Summit, December 3-4.

3) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.




Bot-Net Operator Draws One-Year Prison Sentence (October 26 & 29, 2007)

Jason Michael Downey was sentenced to 12 months in prison for launching bot-net attacks that caused thousands of dollars in damages. Downey amassed a bot-net of approximately 6,000 computers that he used to launch distributed denial-of-service (DDoS) attacks on a variety of computer systems. He will also serve three years of suspended release, pay US $21,110 in restitution and perform 150 hours of community service.

[Editor's Note (Ullrich): At least when the operators are in the US, these arrests and convictions are becoming more routine. Prosecuting foreign actors is still hard and time consuming, if possible at all. ]


House Committee Approves Global Online Freedom Act (October 23, 24 & 25, 2007)

The US House Foreign Affairs Committee has approved the Global Online Freedom Act of 2007, which would impose criminal penalties on US Internet companies that provide customers' personal information "to governments that use the information to suppress political dissent." Companies found to be in violation could also face civil penalties of up to US $2 million. In addition, the bill would prohibit ISPs from blocking US government financed content. In two weeks, a House Foreign Affairs Committee panel will question Yahoo! about its role in the case of Chinese journalist Shi Tao, who was jailed after Yahoo! allegedly provided China's government with information that helped identify and locate him.



Grocery Store Chain Nearly Loses Millions to Phishers (October 29, 2007)

The Minnesota-based Supervalu grocery chain nearly lost millions to a pair of phishing attacks. Earlier this year, emails purporting to be from employees at two separate Supervalu suppliers requested that Supervalu send payments to new bank accounts. Over the course of the following week, Supervalu made transfers of more than US $10.3 million into the two accounts; several days later, the company realized it had been duped and contacted the FBI. Most of the money has been recovered.

[Editor's Note (Cole): The problem with phishing attacks is that they look like legitimate email. While user awareness is critical for employees to understand the threat, it must be coupled with technical measures. Many of these attacks use spoofed email addresses, so, an email gateway can be configured to block some of the phishing emails. Email sandboxing and content filtering can also help with this problem. ]


Six More Flaws in RealPlayer (October 29, 2007)

RealNetworks has acknowledged an additional half-dozen vulnerabilities in its RealPlayer media player. Just last week, RealNetworks issued RealPlayer updates to address a flaw that was being actively exploited to spread malware. The patched versions are not vulnerable to the newly disclosed bugs, but these new bugs provide even more incentive for users to update their versions. The six flaws involve issues with the way RealPlayer parses certain file formats. The flaws could be exploited to execute arbitrary code. Four of the six flaws affect Mac OS X and Linux systems as well as Windows systems.

[Editor's Note (Skoudis): I get a little uneasy when a vendor's prior patch retroactively fixes new flaws not yet disclosed. That is, when a new flaw comes to light (or, say six new flaws), the vendor says, "Oh yea... the version we released last week deals with those too!". So, when RealNetworks released their fix last week, their users didn't have an accurate accounting of the risk we faced by not patching or delaying the patch. The vendor may have figured that if they disclosed the other vulnerabilities, it would have given the bad guys a heads up about how to exploit new flaws. There is no good answer here, but I still feel uneasy.
(Cole): With zero day attacks on the rise, patching is not enough. Organizations need to uninstall programs and parts of programs that are not needed. With RealPlayer, for example, some of the components that are exploited are not used by the average person running the software. ]

Trojan Dupes Users Into Deciphering CAPTCHA Images (October 29, 2007)

A Trojan horse program exploits the CAPTCHA protection Yahoo! requires to create accounts. Users are encouraged to play a game wherein a model performs a striptease; each "move" requires the user to decode a different CAPTCHA image. It is unclear how the malware that allows the pop-ups gets onto users' computers, but it is likely to have come as an email attachment.
[Editor's Note (Skoudis): I've been waiting for this to happen. Harnessing the human power behind all of those bot-infected machines was inevitable, and leverages the bot-net in a very useful way for attackers. I wonder what other things the bad guys have up their sleeves to social engineer massive numbers of users into doing.
(Shpantzer): Offloading the CAPTCHA decoding process makes sense since the artificial intelligence programs that decode some CAPTCHAs are not as accurate or fast as humans. In 2002, NewsBites noted that the hackers sending decoding work to humans is good and proper evidence that CAPTCHAS are doing their job, since this roadblock for spammers "reduces automation significantly and introduces more expensive and labor intensive processes (humans completing captchas) into the loop." ]

Trojan Exploits Adobe PDF Flaws, Installs Gozi Trojan (October 26 & 29, 2007)

A new variant of the Gozi Trojan exploits unpatched versions of Adobe Acrobat and Adobe Reader to infect machines. The Trojan arrives via maliciously crafted PDF files; the infected files download Gozi onto compromised computers. Gozi is designed to capture data entered when users visit secure websites. Users are urged to update to the most recent versions of Adobe Acrobat and Adobe Reader to protect their computers. PDF files are ubiquitous enough that people cannot be expected to stop using them. At least two groups are known to be launching the attacks.
[Editor's Note (Ullrich): This exploit was very predictable after a recent vulnerability disclosure. PDF readers are yet another one of those pesky web components which are often overlooked in patching but which are also exposed to untrusted content. ]


Higher Education Data Security (October 29, 2007)

CDW Government, Inc.'s third annual Higher Education IT Security Report Card found that although IT directors and managers in higher education say that data security is a high priority, there has been little improvement in actual data protection on college and university campuses. Fifty-eight percent of the campuses responding to the survey experienced at least one security breach in the last year. Furthermore, theft of staff and student data has increased 10 percent since last year's study, an increase of 43 percent.
[Editor's Note (Honan): Sadly the findings in this report also reflect the reality in many non-educational organisations. While information security is high on the IT manager's priority list, it appears this same urgency is often not reflected in the minds of senior business people. Being able to translate data security risks into business risks is a key skill information security professionals need to develop in order to ensure they receive the resources they require.
(Paller): Brian Honan's comment is exactly right. Security programs fail when the security manager cannot gain management support. That is why the SANS Master of Science degree candidates all spend a significant amount of time learning to present security topics in forms and language that will generate the management action they desire. You cannot ask security people to "translate security risks into business risks" if you don't teach them how to do it. ]


Unflattering Details Emerge in TJX Case (October 28 & 29, 2007)

More details are surfacing about the TJX data security breach through documents filed in federal court. TJX was found to be non-compliant with the Payment Card Industry Data Security Standard, (PCI DSS), failing to meet nine of 12 requirements; a data thief managed to transfer more than 80 GB of TJX data without TJX noticing, and in May 2006, attackers placed a sniffer program on the TJX network that went undetected for seven months. In addition, Visa International has fined TJX's card processor, Fifth Third Bank, nearly US $900,000 for "egregious" security violations.

Microsoft Angles to Get Windows on XO Laptops (October 25, 2007)

Microsoft is spending a significant amount of money to adapt a version of Windows XP to make it compatible with the One Laptop per Child Foundation's inexpensive XO laptops. The laptops, which will cost less than US $200 each in developing countries, currently run on a Linux operating system.

Graphics Processing Unit Cuts Password Cracking Time (October 24, 2007)

Russian software company Elcomsoft has filed a US patent for a password cracking technique that uses easily obtainable computer graphics hardware. The technique employs a graphics processing unit (GPU) from nVidia that has "massively parallel processing" capabilities.


Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.

Tool Talk Webcast: NEW - Web Application Pen Testing with CORE IMPACT
WHEN: Tuesday, November 6, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Core Security Technologies

Core Security Technologies introduces new capabilities for web application penetration testing with CORE IMPACT v7.5. The new release allows security professionals to leverage the product's automated Rapid Penetration Test methodology to identify exposed web applications and interact with backend data - just as an attacker could.

Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deployments
WHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
Sponsored By: Secure Computing

In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.

Tool Talk Webcast: Be a Perfect 10: Nail the PCI Requirement
WHEN: Tuesday, November 13, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: ArcSight

Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?

Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and Mike Yaffe
Sponsored By: Core Security Technologies

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit