SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #89
November 09, 2007
Help with a SANS research project: SANS is preparing a report on the most important federal initiatives that can be proven to have significantly reduced national vulnerability to cyber attacks, prevented those attacks, and/or minimized the damage from those attacks. If you know of any initiatives that meet those criteria, send us your recommendation (email@example.com) and we'll include you in this project so you can review the others that have been recommended. Your name will not be disclosed unless you ask. Deadline, Tuesday, Nov. 13.
Reserve your place today for the December 17 eDiscovery evening mini-course in Washington at http://www.sans.org/ediscovery07/
The top two eDiscovery folks in the country will provide a two hour briefing on the key elements of e-Discovery that every security practitioner needs in order to protect his or her organization. This session is free for everyone attending courses at SANS CDI 2007 (ten phenomenal hands-on, immersion security courses - see http://www.sans.org/info/14231). We have about 40 open places for others who cannot attend CDI but want to attend the eDiscovery mini-course.
TOP OF THE NEWS
White House Requests US $154 Million for Cyber Security Spending
Yahoo! Execs Rebuked for Role in Revealing User Info to China
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Seventeen Indicted in Card Fraud Scheme
Former DuPont Scientist Sentenced for Theft of Trade Secrets
Arrest in Italian Spying and Wiretapping Case
Guilty Plea in P2P ID Theft Case
Former DOD Employee Pleads Guilty to Wire Fraud
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
American Movie Studios Aim to Fight Piracy in China
Microsoft Partners with Chinese PC Maker to Fight Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's Patch Tuesday Will Offer Two Updates
Exploit Code Published for Unpatched Oracle Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Salesforce.com Customers at Risk of Phishing Attacks
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By Sunbelt Software ******************
How Many Machines on Your Network are Infected with Malware? Imagine a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology. It's available with Sunbelt Counterspy Enterprise.
Find out how many machines on your network are infected now! Download the free trial now!
Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
TOP OF THE NEWS
White House Requests US $154 Million for Cyber Security Spending (November 6, 2007)
The Bush administration has requested US $154 million in funding for new cyber security programs. The bulk of that money, US $115 million, would be put toward enhancing the deployment of the Einstein program through the US Computer Emergency Readiness Team. The Einstein program "monitors about 13 participating agencies' network gateways for traffic patterns that indicate the presence of" malware. US $39 million would go to the Department of Justice "to help the FBI investigate incursions into federal networks, increase intelligence analysis and provide technical tools for investigations and analysis."
Yahoo! Execs Rebuked for Role in Revealing User Info to China (November 6 & 7, 2007)
Members of the House Foreign Affairs Committee harshly criticized Yahoo! executives for omitting information about providing user data to Chinese officials. Journalist Shi Tao was put in jail after information provided by Yahoo! helped authorities in China identify him. Yahoo! executive VP and general counsel Michael Callahan initially told the House panel that he did not know why Chinese authorities wanted the information. Later it became clear that there were documents in Yahoo!'s possession indicating that the identifying information was sought because of "suspected illegal provision of state secrets." The panel said that Yahoo! had been "inexcusably negligent" and "deceptive."
************************* Sponsored Links: ***************************
1) Complimentary Aberdeen research report that addresses the challenges of deploying encryption and key management.
2) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
3) Over 450 security professional participated in the 2007 Web Security Leadership Survey. Get the results at http://www.sans.org/info/19196
THE REST OF THE WEEK'S NEWS
Seventeen Indicted in Card Fraud Scheme (November 8, 2007)
Seventeen people have been indicted for allegedly participating in a credit card fraud and identity theft scheme. Details of more than 95,000 cards were advertised for sale on various websites; the loss incurred by banks is estimated to be US $4 million. Among those indicted is a married couple already serving prison time for other financial fraud.
Former DuPont Scientist Sentenced for Theft of Trade Secrets (November 8, 2007)
One year ago, former DuPont scientist Gary Min pleaded guilty to theft of trade secrets. A US District Court judge has now sentenced Min to 18 months in prison and ordered him to pay US $14,500 in restitution and a US $30,000 fine. DuPont became suspicious of Min's motives when they realized that he was the second most active user of the company's database. In the second half of 2005, Min accessed approximately 38,000 documents and scientific abstracts with the intent of giving the information to a DuPont rival where he was going to work. Min apparently also uploaded some DuPont documents to the laptop provided to him by his new employer.
[Editor's Note (Paller) Data leakage protection (DLP) tools have matured to the point where 84% of large organizations are using them, or plan to deploy them in the next eight months, to try to stop this type of attack. Many of the pioneering users of data leakage protection are coming together in Orlando in early December to share the lessons they have learned about which products to deploy and how to manage them. More at
(Cole): As attacks become more damaging, organizations need to focus on preventive rather than reactive security measures. Instead of just detecting that Mr. Min was the second most active user, why did they not block or stop the access to information he did not need to perform his job? If Mr. Min had been less aggressive with the amount of information he was taking, so that he was not in the top 5 downloaders, he probably would not have been caught. Two promising practices for dealing with this problem are data classification and least privilege through role-based access control. Unless organizations control and stop the downloading of documents, this problem will continue to grow. ]
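The two controls discussed in the note above, volume-based detection of a bulk downloader and a preventive need-to-know check backed by role-based access control, are shown together in the following added example. This is illustrative code written for this issue, not DuPont's or any vendor's tooling; the log line format, the role names, the classification labels and the ROLE_ALLOWED policy are all assumptions, and the access log is constructed inline rather than taken from a real system.

```python
"""Detecting and preventing bulk document theft by an insider (added example).

Assumptions (not from the original story): document-access logs are one line
per event in the form
  <ISO timestamp> user=<id> role=<role> doc=<id> class=<classification> action=<verb>
and an RBAC policy maps each role to the classifications it may read.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed RBAC policy: role -> document classifications the role may read.
ROLE_ALLOWED = {
    "chemist-polymers": {"polymers", "general"},
    "chemist-coatings": {"coatings", "general"},
    "patent-counsel": {"polymers", "coatings", "electronics", "general"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"doc=(?P<doc>\S+) class=(?P<cls>\S+) action=(?P<action>\S+)$"
)


def build_sample_log(insider_downloads=40):
    """Constructed access log: three users working inside their roles plus one
    insider ("min") who pulls documents from every classification."""
    lines = []

    def add(user, role, n, classes):
        for i in range(n):
            cls = classes[i % len(classes)]
            lines.append(
                f"2005-09-0{1 + i % 9}T{8 + i % 10:02d}:00:00 user={user} "
                f"role={role} doc=D-{1000 + i} class={cls} action=download"
            )

    add("alice", "chemist-polymers", 5, ["polymers", "general"])
    add("bob", "chemist-coatings", 4, ["coatings", "general"])
    add("carol", "patent-counsel", 6, ["polymers", "electronics", "general"])
    add("min", "chemist-polymers", insider_downloads,
        ["polymers", "coatings", "electronics", "general"])
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped here, but a real
    pipeline should count and alert on them as well."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is not None:
            records.append(m.groupdict())
    return records


def is_authorized(role, cls):
    """Preventive control: deny unless the role explicitly covers the class.
    Unknown roles get no access at all (deny by default)."""
    return cls in ROLE_ALLOWED.get(role, set())


def need_to_know_violations(records):
    """Per-user count of accesses that the RBAC policy would have blocked."""
    out = defaultdict(int)
    for r in records:
        if not is_authorized(r["role"], r["cls"]):
            out[r["user"]] += 1
    return dict(out)


def volume_outliers(records, factor=3.0, floor=15):
    """Detective control: users whose download count exceeds both an absolute
    floor and `factor` times the median across all users."""
    counts = Counter(r["user"] for r in records if r["action"] == "download")
    if not counts:
        return {}
    threshold = max(floor, factor * median(counts.values()))
    return {u: n for u, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for n in (40, 8):
        recs = parse_log(build_sample_log(insider_downloads=n))
        print(f"insider pulled {n} docs: volume outliers={volume_outliers(recs)} "
              f"need-to-know violations={need_to_know_violations(recs)}")
```

With 40 downloads the insider is caught by the volume check (40 against a peer median of 5.5), which is roughly the "second most active user" signal in the story. Rerun with insider_downloads=8 and the volume detector stays silent, while need_to_know_violations still reports every access outside the role: that is the gap the note describes, and the point of making is_authorized a gate in the document repository rather than a report run after the fact.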
Arrest in Italian Spying and Wiretapping Case (November 6 & 8, 2007)
Police in Milan, Italy have arrested Roberto Preatoni, one of the founders of WabiSabiLabi and Zone-h, in connection with a spying case involving Telecom Italia. He has been charged with unauthorized access to computer systems and wiretapping. Preatoni is one of several security consultants who, when hired to conduct penetration testing for Telecom Italia, allegedly used malware and wiretapping methods to spy on the chief executive of Brasil Telecom, the investigation agency Kroll, and several journalists.
[Editor's Note (Skoudis): Every organization that utilizes penetration testing services, either those offered by outside consultants or inside employees, must clearly spell out the rules of engagement in advance. These rules should indicate whether any tools can be installed on target systems (such as sniffers or backdoors). They should also rule out the installation of rootkits for the vast majority of tests.
(Schultz): This incident highlights the need to do a much more thorough background check of third-parties hired to conduct penetration testing (as well as third parties hired to do other information security-related tasks) than is typically currently done. ]
Guilty Plea in P2P ID Theft Case (November 6, 2007)
A Washington state man who used P2P networks to steal personal information has pleaded guilty to mail fraud, aggravated identity theft, and another charge. Gregory Kopiloff admitted he used file-sharing programs to search other people's computers for information that could be used to commit identity fraud. He used the data to open credit lines; he bought and then resold more than US $73,000 of goods. This is believed to be the first case in which someone has been tried for using P2P networks to commit data theft with the intent of committing identity fraud.
Former DOD Employee Pleads Guilty to Wire Fraud (November 6, 2007)
A former US Department of Defense (DOD) civilian employee could face up to 20 years in prison for manipulating a pay-processing computer system to defraud the government of US $700,000. Lilia Delgadillo and co-conspirator Granados devised a scheme to enter phony pay adjustments that caused funds to be wired into Delgadillo's bank account. Delgadillo has pleaded guilty to wire fraud; Granados already pleaded guilty to wire fraud in September. Delgadillo could also face a fine of up to US $250,000. In June, a California Army National Guard member pleaded guilty to one count of wire fraud and one count of conspiracy in a separate but similar case.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
American Movie Studios Aim to Fight Piracy in China (November 8, 2007)
Warner Bros., Paramount Pictures, and Dreamworks, a Paramount affiliate, have reached an agreement that will allow Paramount and Dreamworks to sell DVDs through Warner's established outlets in China. The move is aimed at combating movie piracy in China, where illegal copies of new release movies are often available for less than a dollar just days after their American theatrical releases. The three studios plan to have legitimate copies of movies in the China stores two months after their release; they will be priced at US $3. Chinese authorities have increased the penalties for piracy and are stepping up enforcement.
Microsoft Partners with Chinese PC Maker to Fight Piracy (November 7, 2007)
Microsoft has signed an agreement with Chinese computer maker Founder Technology Group Corp. that will have Windows pre-installed on the company's PCs. The move is an effort to fight software piracy, which is rampant in China (as is movie piracy, as the previous story shows). An estimated 82 percent of software used in China last year was pirated; the average for the Asian region is 55 percent. Other Microsoft products will be available for sale in Founder stores throughout China. Microsoft reached a similar agreement with Lenovo, the number one Chinese PC maker, last March.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's Patch Tuesday Will Offer Two Updates (November 8, 2007)
According to the Microsoft Security Bulletin Advance Notification for November 2007, Microsoft will release two security bulletins on Tuesday, November 13. One of the bulletins has a severity rating of critical; the other has been given the next highest rating of important. The critical bulletin, which addresses a remote code execution flaw, affects Windows XP and Server 2003. The important bulletin affects Windows 2000 and Server 2003.
[Editor's Note (Ullrich): Nice to have a "light" patch-Tuesday. This will give us a bit extra time for our reboot-Wednesday webcast. I hope to cover some IPv6 security this time around. No cost:
Exploit Code Published for Unpatched Oracle Flaw (November 8, 2007)
Exploit code is already circulating for a recently disclosed vulnerability in Oracle Database 10gR2. The vulnerability may also affect earlier versions of the product. To exploit the flaw, attackers would need authentication to the database; once they have that, the vulnerability can be used to execute code remotely. Oracle says it has addressed the flaw in code for Database 10g, but the company does not plan to issue a patch until January 15, 2008, its next scheduled quarterly Critical Patch Update. No workarounds are available.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Salesforce.com Customers at Risk of Phishing Attacks (November 6 & 7, 2007)
Salesforce.com customers are at risk of receiving phishing and other ill-intentioned email after a salesforce.com employee was tricked by a phishing scam into revealing a company password that allowed the attacker access to the customer database. Customers have reported receiving phony Salesforce.com invoices. Salesforce.com counts several banks among its customers.
[Editor's Note (Honan): The increasing uptake of Software As A Service solutions is not going unnoticed by criminal elements. Criminals recognize that SaaS companies are very attractive targets due to the nature of the sensitive data they store on behalf of their customers. If your company decides to implement SaaS solutions make sure your SLA covers items such as breach notification, contact details for the provider's security personnel and joint incident response processes.
(Ullrich): Finally they are revealing the real problem. This drama is dragging on much longer than it had to; makes you wonder whether proper incident handling procedures were followed. Sometimes it's too easy to accept the "convenient answer" only to find out that the right answer will be much less convenient the longer it remains covered up. ]
LIST OF UPCOMING FREE SANS WEBCASTS
Tool Talk Webcast: Be a Perfect 10: Nail the PCI Requirement
WHEN: Tuesday, November 13, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Anderson
Sponsored By: ArcSight
Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?
Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and Mike Yaffe
Sponsored By: Core Security Technologies
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics
Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Eric Cole
Sponsored By: Core Security
Please join Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology, for a free webcast: "Pinpointing and Proving Web Application Vulnerabilities"
Dr. Cole will present new penetration testing technology that lets you see your web applications from an attacker's perspective.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/