
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #90

November 13, 2007

Washington area people get early access to the new 2007 Top 20 Internet Security Attack Targets on December 14, 2007. As usual with the Top 20 announcement, there is no cost. We have seats for 120 people (plus the press). The first 120 folks who register can come. Because one of the two biggest developments in attack targets involves custom web applications, we have invited the top rated speakers from the Application Security Summit (from Cisco and Depository Trust) to share the lessons they learned in implementing advanced application security initiatives.
Register today.

And on a closely related topic, programmers in the Washington area will be able to demonstrate their mastery of the new "Essential Skills for Secure Programming" developed by the Secure Programming Council, at the exams on December 12. Starting in 2008, federal agencies will select contractors in part based on how well they do on the exams. Commercial companies will soon follow. One financial organization has already told all its 7,200 programmers that they will not be allowed to touch a line of code after August 15, 2008, unless they pass the GSSP tests. To register for the test:
Link to exam general info:



National Intelligence Office Moving Toward Dynamic FISMA Compliance
DOT Traffic Database Transmissions Not Encrypted
Law Enforcement Agents Obtain Unencrypted Hushmail Messages


Botnet Attacker Will Plead Guilty
Canadian Filesharing Site Shut Down
Windows 2000 Vulnerability Exposes Data
Cross-Site Scripting Flaw in Firefox
Member Information Stolen from Nonprofits
DoubleClick Taking Steps to Fight Ad-based Trojans
Russian Malware Site Disappears
More Revelations in TJX Breach Saga
NIST Competition to Develop New Algorithm for SHA-3

********************** Sponsored By SPI Dynamics ************************

ALERT: "How A Hacker Launches A XPATH Injection Attack Step-by-Step" - White Paper:

One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data. XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which methods of recourse to take to prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!


Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18):
- - New Orleans (1/12-1/17):
- - London (11/26 - 12/1):



National Intelligence Office Moving Toward Dynamic FISMA Compliance (November 12, 2007)

The Office of the Director of National Intelligence (ODNI) is taking tangible steps toward making compliance with the Federal Information Security Management Act (FISMA) a dynamic process. FISMA implementation has met with growing criticism for being an exercise in paperwork instead of an effective means of ensuring government computer systems are secured from cyber attacks and other dangers. "ODNI officials are focused on real-time vulnerability assessments, changing business processes, seeking additional tools to secure their networks and providing better education and training for systems developers, administrators and program managers." The Justice Department and the Environmental Protection Agency have both developed tools to automate FISMA's certification and accreditation process, which they have shared with other agencies through the Office of Management and Budget's Information Systems Security Line of Business Initiative.
[Editor's Note (Schultz): This is a potentially very significant development. Making FISMA compliance more in line with dealing with real-world security risks would be a major step forward. (Paller): ODNI's leadership is extremely important. Automating FISMA compliance, at Justice and EPA, is just a smart survival strategy for CISOs dealing with a badly flawed FISMA compliance process. ODNI, on the other hand, is moving to fix the entire process so that it actually measures what matters. If OMB and NIST actively support ODNI's efforts, they can quickly and radically improve federal information security. On the other hand, NIST managers could grasp defeat from the jaws of victory if they say something like, "We support what ODNI is doing, but we feel every control we put in 800-53 is also important, so we believe agencies should do what ODNI is doing and all the rest we make them do now," in other words, waste another $500 million of scarce security funds writing reports that will never be read. ]

DOT Traffic Database Transmissions Not Encrypted (November 12, 2007)

A report from the Department of Transportation inspector general (DOT IG) says that the department does not have adequate safeguards in place to protect information in the National Driver Register database. The data include the names and dates of birth of drivers across the United States who have been convicted of driving-related offenses. While the database records themselves are encrypted, transmissions of the data over external networks are not encrypted. "DOT officials are reviewing a draft 'interconnection security agreement' requiring the organization that owns the network to encrypt data."

Law Enforcement Agents Obtain Unencrypted Hushmail Messages (November 7 & 8, 2007)

Although Hushmail advertises that not even its own staff can access the communications sent via its service, US law enforcement agents were able to procure plaintext copies of emails for use as evidence in a drug-trafficking case. Hush Communications said it would only provide such information to comply with a court order, and would only provide the information from specifically identified accounts. The plaintext emails were obtainable due to a new Hush Communications product that is slightly less secure.

************************* Sponsored Links: ***************************

1) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.

2) How are you utilizing NetFlow to improve network security and performance? Register for a FREE webinar "Cisco IOS NetFlow for Network Security and Traffic Analysis"

3) Online Fraud and ID Theft Report Identifies more than 3 Million Unique Malware Attacks in Q3 of 2007, download your FREE Report.




Botnet Attacker Will Plead Guilty (November 9 & 12, 2007)

John Kenneth Schiefer admitted he used botnets to install malware on more than 250,000 computers and steal online banking credentials. Schiefer, who was employed as a security professional, will plead guilty to four counts of fraud and wiretap charges; he could face up to 60 years in prison and a fine of US $1.75 million if he is convicted of all charges against him. The plea is the culmination of an investigation started in 2005; several co-conspirators were named in court documents. Schiefer has agreed to pay more than US $19,000 in restitution; he made that amount from a Dutch company that believed he was installing their adware on computers with users' consent. He instead uploaded the software to the computers that make up his botnet. He will be arraigned on December 3.

[Editor's Note (Cole): Most bot herders are not getting caught. Botnets use up bandwidth and could cause downstream liability for an organization if they cause harm to others. The best bet to finding them is to put a sniffer on key segments and look for unusual outbound traffic, and to have a robust outbound rule for filtering traffic. ]
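Cole's note above recommends watching outbound traffic on key segments and enforcing an outbound filtering rule; the following is an added example (not part of the newsletter) that applies both ideas to constructed flow records, assuming a 10.0.0.0/8 internal range and an allow-list of egress ports.

```python
"""Added outbound-traffic triage example (not from the newsletter): an egress
allow-list check plus a look for unusual outbound traffic over constructed flow
records, as Cole's note suggests. Prefix, ports and flows are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ALLOWED_DST_PORTS = {53, 80, 443}     # assumed egress policy for client subnets
# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port)
FLOWS = [
    (1000, "10.0.0.5", "198.51.100.10", 6667),  # regular IRC-port check-ins
    (1030, "10.0.0.5", "198.51.100.10", 6667),
    (1061, "10.0.0.5", "198.51.100.10", 6667),
    (1090, "10.0.0.5", "198.51.100.10", 6667),
    (1120, "10.0.0.5", "198.51.100.10", 6667),
    (1005, "10.0.0.7", "203.0.113.20", 443),    # ordinary web browsing
    (1012, "10.0.0.7", "203.0.113.21", 80),
    (1002, "10.0.0.9", "192.0.2.1", 25),        # direct-to-MX burst (spam bot)
    (1003, "10.0.0.9", "192.0.2.2", 25),
    (1003, "10.0.0.9", "192.0.2.3", 25),
    (1004, "10.0.0.9", "192.0.2.4", 25),
    (1010, "10.0.0.9", "10.0.0.2", 445),        # internal-only, ignored
]

def outbound(flows):
    """Yield only the flows that leave the internal network."""
    for t, src, dst, port in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            yield t, src, dst, port

def egress_violations(flows):
    """Outbound flows to destination ports the egress policy forbids."""
    return [f for f in outbound(flows) if f[3] not in ALLOWED_DST_PORTS]

def fan_out(flows):
    """Number of distinct external hosts each internal host contacted."""
    dests = defaultdict(set)
    for _, src, dst, _ in outbound(flows):
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def beacons(flows, min_flows=4, max_jitter=5.0):
    """(src, dst) pairs contacted at near-constant intervals: a check-in pattern."""
    times = defaultdict(list)
    for t, src, dst, _ in outbound(flows):
        times[(src, dst)].append(t)
    found = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_flows and pstdev(gaps) <= max_jitter:
            found.append(pair)
    return found
```

On the constructed records, 10.0.0.5 shows up both as an egress violation and as a beacon, while 10.0.0.9 shows up through its violations and its unusually high fan-out.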


Canadian Filesharing Site Shut Down (November 9, 2007)

BitTorrent site Demonoid is no longer available online. The Canadian Recording Industry Association (CRIA) threatened the company renting the servers to Demonoid. Officials have shut down other content sharing sites in recent weeks, including Polish pre-release music site HPN and OiNK in the UK.


Windows 2000 Vulnerability Exposes Data (November 12, 2007)

A security flaw in Windows 2000 exposes virtually all information sent from a computer running the operating system, even in communications sent before the breach occurs. The flaw lies in the Windows random number generator, which plays an integral part in email encryption and the Internet browser SSL encryption protocol. The researchers developed a way to determine the encryption keys the computer has generated in the past and will generate in the future. Only Windows 2000 has been tested for the vulnerability, but it is possible that newer versions of the operating system are susceptible to the attack as well.
[Editor's Note (Ullrich): Windows 2000 is no longer supported, and has outlived its usefulness. The article suggests that newer versions of Windows may be vulnerable as well but does not offer any evidence. ]

Cross-Site Scripting Flaw in Firefox (November 9 & 12, 2007)

A cross-site scripting vulnerability in Firefox could be exploited to obtain users' login credentials for websites. The problem lies in the implementation of the jar protocol. While there is not a patch currently available for the flaw, there are several workarounds, including blocking URIs that contain "jar:". "The jar: protocol is used to extract and render content from ZIP compressed files."
[Editor's Note (Ullrich): The Firefox "noscript" plugin will mitigate this and many other issues. It is a 'must have' for Firefox users. ]


Member Information Stolen from Nonprofits (November 12, 2007)

Cyber thieves broke into computer systems at Convio, a marketing company for nonprofit organizations, and stole email addresses and member passwords from 92 organizations, including the American Museum of Natural History and CARE. The attacks took place during the last week of October. Convio discovered the intrusion on November 1, preventing the attackers from stealing information from 62 other clients. No credit card information was compromised in the intrusion.

DoubleClick Taking Steps to Fight Ad-based Trojans (November 7 & 12, 2007)

DoubleClick says it has deployed a monitoring system to detect and disable malware that was sneaking into its online advertisements and urging users to allow phony security scans to be conducted on their computers. The malware made its way into ads on a large number of sites, including CNN and The Economist. The ads persist until the users agree to pay for a bogus security program. In a separate story, malware-infected banner ads are causing pop-ups encouraging users to purchase phony security software; the malware tries to install backdoors on users' systems and steals the credit card data they enter when they buy the phony program.

Russian Malware Site Disappears (November 9 & 13, 2007)

The Russian Business Network (RBN), widely known for hosting malware development suites, has suddenly disappeared from the Internet. Its absence suggests that "their upstream providers put them on a black list." An October Washington Post article detailed RBN's activities, which may have prompted that move. RBN reportedly moved its operations to China and Taiwan, but those sites have "gone dark" as well.
WP article:

[Editor's Note (Ullrich): For a few days, domains hosted by RBN did show up via ISPs in Hong Kong, China and other countries. But they are very much on the run changing ISPs quickly. It's a nice success for the community to have made it very hard for the malicious customers of RBN to maintain network connectivity.]


More Revelations in TJX Breach Saga (November 2, 2007)

Court documents indicate that Visa was aware of TJX's failure to comply with the Payment Card Industry Data Security Standard guidelines back in 2005 and had agreed to give the company an extension until December 31, 2008. In a stroke of irony, the letter allowing the extension arrived months after the system breaches began.

NIST Competition to Develop New Algorithm for SHA-3 (November 12, 2007)

The National Institute of Standards and Technology (NIST) is holding a competition for what will become the Secure Hash Algorithm-3 (SHA-3). "Recent advances in the analysis of hash algorithms" have prompted NIST to "augment the hash algorithms currently specified in the Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard." Federal civilian computer systems are required to use the FIPS standards; many private organizations use the standards as well. Entries must be received by October 31, 2008.


Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and Mike Yaffe
Sponsored By: Core Security Technologies

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Core Security

Please join Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology, for a free webcast: "Pinpointing and Proving Web Application Vulnerabilities"

Dr. Cole will present new penetration testing technology that lets you see your web applications from an attacker's perspective.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit