
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #93

November 26, 2007

Interesting career opportunity for security professionals:

A substantially growing area in security is defending attacks against vulnerable web applications. More than a quarter of all home-grown (or outsourced) web applications have important vulnerabilities, and real damage can be done by exploiting those holes. Attackers have taken notice. Shifting attack patterns create huge job growth for web application penetration testers, an essential job in every organization with web applications. One large US company found that 75% of all the important vulnerabilities in their 600 web applications were found by penetration testers; only 25% by using web app testing tools. Sadly most network and system penetration testers do not have the application testing knowledge to do this job well - creating big opportunities for newcomers. Ed Skoudis and the team at Intelguardians have developed an important and exciting new course to prepare these people: Advanced Web Application Penetration Testing. The first opportunity to take this four day course is in New Orleans, January 14-17.


eVoting Vendor Faces Lawsuits Over Allegedly Uncertified Devices
UK Info Commissioner May Have Authority to Conduct Data Security Spot Checks
French Digital Content Pirates Could Lose Internet Service


Swedish Man Guilty of University Intrusions Suspected in Cisco Source Code Theft
More Details Emerge in HMRC Data Loss Case
Targeted Attacks Spoof Dept. of Justice & Better Business Bureau
MPAA Asks Universities to Install Monitoring Software
Chinese Online Service Internet Cafe Sued for Movie Piracy
QuickTime Exploit Code Released
Old Apple Mail Flaw Reappears in Leopard
Mozilla Will Release Security Update for Firefox 2
Sensitive Canadian Patient Data Exposed
Facebook Users Give Beacon a Thumbs Down
New Data Storage Firm Chosen Following Student Data Loss

********************* Sponsored By Sunbelt Software *********************

How Many Machines on Your Network are Infected with Malware? Imagine a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology. It's available with Sunbelt Counterspy Enterprise.

Find out how many machines on your network are infected now! Download the free trial now!


Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - and in 100 other cities and online any time: www.sans.org



eVoting Vendor Faces Lawsuits Over Allegedly Uncertified Devices (November 21 & 23, 2007)

Election Systems & Software (ES&S) is facing two lawsuits over its electronic voting devices. The lawsuits, brought by California's Secretary of State and by the City of San Francisco, allege the machines delivered by ES&S were uncertified. The San Francisco suit alleges that ES&S supplied voting machines that had not been recertified despite a change in the company's manufacturing procedure; as a result, ES&S allegedly acted fraudulently and breached its contract with San Francisco. The suit from the Secretary of State makes similar allegations and seeks a US $5 million refund to the counties affected, damages of US $10,000 per machine, and additional fines. ES&S has issued a statement disputing the claims made in the lawsuits.

[Editor's Note (Schultz): I predict that events such as these will occur increasingly in the future. Given all the e-Voting security concerns that have surfaced to date and given the problems that these concerns have caused, it should be little surprise that lawsuits against e-Voting vendors will be initiated. (Kreitner): If this is the beginning of a trend where purchasers demand higher levels of particularly software quality from IT system vendors, I'm all for it. ]

UK Info Commissioner May Have Authority to Conduct Data Security Spot Checks (November 21 & 22, 2007)

In the wake of the widely-publicized HMRC data loss, UK Prime Minister Gordon Brown said that the Information Commissioner's Office will be given the authority to conduct unannounced audits and inspections of government departments to check for compliance with data protection laws. Information Commissioner Richard Thomas would like to have that authority expanded to include private businesses, but it is unclear if that will happen.

[Editor's Note (Honan): It is a pity that despite numerous data losses in the past it takes a cataclysmic mishandling of personal information to bring this sea change in attitude, rather similar to the lifeboat regulations introduced after the sinking of the Titanic. ]

French Digital Content Pirates Could Lose Internet Service (November 23 & 24, 2007)

A new anti-piracy enforcement body would have the authority to cut off Internet service to people who do not comply with requests to stop engaging in copyright violating behavior. The "three strikes" plan would allow people two warnings before their service is rescinded. French Prime Minister Nicolas Sarkozy has endorsed the move, calling it "a decisive moment for the future of a civilized Internet."


************************* Sponsored Links: ***************************

1) ALERT: "How a Hacker Launches an XPath Injection Attack!"- SPI Dynamics White Paper http://www.sans.org/info/19982

2) Link here to take the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card. http://www.sans.org/info/19987

3) Complimentary Aberdeen research report that addresses the challenges of deploying encryption and key management. http://www.sans.org/info/19992




Swedish Man Guilty of University Intrusions Suspected in Cisco Source Code Theft (November 21 & 23, 2007)

A 19-year-old Swedish man has been found guilty on seven counts of unauthorized access for breaking into computer systems at three universities. He was ordered to pay damages to the universities. He plans to appeal the verdict, which itself overturned a previous acquittal. The unnamed man is also suspected of breaking into Cisco Systems' computer network and stealing source code; the FBI has made a formal request to Swedish police to investigate, but no extradition request has been made.

[Editor's Note (Cole): These cases always make me nervous since there are numerous cases of attackers breaking into critical servers with source code like Cisco and Microsoft, but reports say they only access the code. If they could access it, couldn't they also change it? Even though your company might not have access to the source code for key routing devices or servers, you should perform thorough validation and testing before deploying these systems. ]


More Details Emerge in HMRC Data Loss Case (November 23, 2007)

New information about the HM Revenue & Customs (HMRC) data loss indicates that data were routinely stored in password-protected zip-files. In addition, although the National Audit Office (NAO) wanted only the names, National Insurance numbers and Child Benefit numbers, HMRC left the rest of the data in because of cost concerns. It is also apparent that numerous people were aware of the unfiltered data transfer, eliminating the scenario of one junior staff member making an independent yet ill-advised decision.

[Editor's Note (Honan): As more details emerge it is becoming more and more evident that despite the sensitive nature of the information in the care of HMRC, information security awareness is not engrained into the culture of the organisation. It is estimated the cost of not securing this information will now be in the region of GBP500m or US $1 billion. When costs become an issue in ensuring the secure transfer of sensitive information then either take the cost hit or do not transfer that information. It also appears that, despite the publicity surrounding this issue, the HMRC has not learnt from its mistakes as more CDs containing personal information have gone missing. ]


Targeted Attacks Spoof Dept. of Justice & Better Business Bureau (November 19 & 21, 2007)

There are reports that targeted email messages with malicious attachments are spreading; these messages appear to come from the US Department of Justice (DOJ) and the Better Business Bureau (BBB) and address the recipients by name. The bodies of the messages refer to complaints made against the recipients and/or their companies. The attachments accompanying the messages contain malware hidden in screensaver files.

[Editor's Note (Skoudis): This attack vector is quite significant, and I expect to see it a lot more, especially associated with those areas where the federal government interacts with its citizens the most and involves money, such as the IRS and Social Security Administration. Please educate your user base about this vector in awareness initiatives, telling them to be very leery of e-mail that appears to come from the government. Also, some of the eGovernment funds being spent by government agencies should be directed at educating the public about this issue, or else trust in eGovernment initiatives could collapse.
(Paller): The specific user rules that must be embedded in users (through inoculation, not lecture) are, if you receive an unexpected or unsolicited email, no matter who seemed to have sent it, (1) never click on a URL embedded in it and never open an attachment. Write a note back to the sender to ask why you got it.
(Northcutt): At some point, with the personal data they can collect by bots installed on users' machines, the spoofers are going to get so good that even security savvy people are going to be fooled. The fax machine may see an uptick in demand as a business tool.
(Cole): To protect against spear phishing attacks that use legitimate recipients and content there are two key things you should do. First, filter incoming emails from the Internet. Second, train users not to send attachments via email for internal corporate business, they should post them to the file server instead. Now if no one is sending attachments, yet you receive a spear phishing attack with an attachment, the chances of you clicking on it will be sharply reduced. ]
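The two controls the editors describe above (treat mail that only appears to come from the government with suspicion, and treat inbound external mail carrying an attachment as anomalous) can be expressed as a mail-gateway check. The following is an added example, not code from SANS or from any of the editors; the message it inspects is constructed to resemble the DOJ/BBB lure described in the item (personalised body, official-looking display name, screensaver attachment), and the INTERNAL_DOMAINS set and the executable-extension list are assumptions a deploying organisation would replace with its own.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing mail) modelled on the lure
# described in the item: personalised body, spoofed official display name,
# and a screensaver (.scr) attachment. The attachment payload is plain text.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
From: "U.S. Department of Justice" <complaints@usdoj.gov>
To: "Jane Doe" <jane.doe@corp.example>
Subject: Complaint filed against Example Corp
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear Jane Doe, a complaint has been filed against your company.
Please review the attached case file.
--XYZ
Content-Type: application/octet-stream; name="case_file.scr"
Content-Disposition: attachment; filename="case_file.scr"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--XYZ--
"""

# Assumption: the defending organisation's own mail domains. Per Cole's note,
# internal business does not travel as attachments, so an attachment from
# outside these domains is by itself worth flagging.
INTERNAL_DOMAINS = {"corp.example"}

# Extensions Windows will execute directly; .scr (screensaver) is the one the item names.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def attachment_names(msg):
    """File names of every attachment part (empty for a non-multipart message)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess(raw):
    """Return a list of human-readable findings for one inbound message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    names = attachment_names(msg)

    # Rule 1 (Cole): external sender plus any attachment is anomalous.
    if from_dom not in INTERNAL_DOMAINS and names:
        findings.append("external sender with attachment")

    # Rule 2 (Paller): the visible From is not proof of origin; compare it with
    # the envelope sender the relay actually accepted the mail from.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope domain {envelope_dom}")

    # Rule 3: directly executable attachment types, e.g. the screensaver files in the item.
    for name in names:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RAW):
        print("FLAG:", finding)
```

The envelope check is deliberately weak evidence on its own (mailing lists and forwarding legitimately rewrite Return-Path), which is why it is reported alongside the other two findings rather than used to block by itself; the external-sender-with-attachment rule only works if the organisation has actually moved internal file exchange off email, as Cole's note suggests.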


MPAA Asks Universities to Install Monitoring Software (November 23, 2007)

The Motion Picture Association of America (MPAA) has sent letters to 25 US universities it has identified as having the greatest number of downloads of pirated movies over their networks asking them to install an MPAA-supplied custom toolkit to help "illustrate the level of filesharing on [their schools'] networks." The reports generated would be "strictly internal and ... confidential." A closer look at the toolkit raises serious privacy and security flags. The toolkit is set up to call back to MPAA servers immediately upon being deployed to check for updates, so the MPAA would have the IP address of the computer running the toolkit. The toolkit also sets up an Apache web server on the machine, which is likely to be visible to the Internet. Administrators could set up usernames and passwords for access to the server, but they are never prompted to.

[Editor's Note (Northcutt): This story by Brian Krebs is, as usual, well balanced and meticulously researched. Looks like the MPAA's main mistake was to forget the Mondavi "no wine before its time" rule that also applies to software, as we see clearly from this story. An improved version of this toolkit may become a useful capability for schools that want to manage their content a bit better without incurring high software expense outlays. ]

Chinese Online Service Internet Cafe Sued for Movie Piracy (November 22 & 23, 2007)

Five Hollywood movie studios have joined forces to sue Chinese online movie and television provider Jeboo.com and an Internet cafe in Shanghai for making 13 movies available for download and viewing in violation of copyright laws. Jeboo.com allegedly created the software used by the cafe to download the pirated films. The studios are seeking 3.2 million yuan (US $432,500) collectively for legal costs and damages. A statement on the Jeboo.com website maintains all content is "legally obtained."


QuickTime Exploit Code Released (November 25, 2007)

Exploit code for an unpatched vulnerability in Apple QuickTime on Windows XP SP2 and Windows Vista has been released on the Internet. The flaw is known to affect QuickTime 7.2 and 7.3, although earlier versions may be vulnerable as well. The flaw lies in the way QuickTime handles the Real Time Streaming Protocol (RTSP). It can be exploited by manipulating users into visiting maliciously crafted websites or opening malicious email attachments. Once a system is infected, the attackers can download additional malware onto the computer or search for valuable data.


Old Apple Mail Flaw Reappears in Leopard (November 23, 2007)

The newest version of Mac OS X, known as Leopard, contains an Apple mail vulnerability that was fixed in Tiger in March 2006. The flaw could be exploited by hiding malicious code in what appear to be trusted files; Apple Mail would then run the code without any warning to the user.


[Editor's Note (Skoudis): There is an important lesson here for all software development shops. While working on a new version of your software, make sure any security flaws you fix in your old version are also corrected in your new software. Microsoft got zapped by a similar issue when the Land denial of service flaw from 1997 resurfaced in a set of 2005 patches for Windows XP and 2003. To get more Leopard-specific, the new Mail.App is very buggy, with all kinds of problems. In particular, Mail.App's lack of integration with PGP and GnuPG is a big security problem as well, forcing some users either to abandon encryption until the integration is done, or to use cumbersome work-arounds, saving e-mails as files and then decrypting them. Apple needs to support and encourage PGP and the GnuPG folks to fix this ASAP. ]

Mozilla Will Release Security Update for Firefox 2 (November 21 & 22, 2007)

Mozilla plans to release a new security update for Firefox 2 sometime this week to address a Java Archive handling flaw. The cross-site scripting vulnerability could be exploited by tricking users into opening malicious .zip files. Firefox will also address a .jar/.zip file-related flaw "that has been demonstrated to work against Gmail as a way to access ... stored contacts." The update is currently in testing.


Sensitive Canadian Patient Data Exposed (November 24, 2007)

Sensitive Newfoundland and Labrador (Canada) patient data were reportedly exposed over the Internet. A consultant took home a government computer containing the patient data and connected it to the Internet. Someone later contacted the consultant with the information that the data were accessible. The government has launched an investigation. The data include the names, health numbers and lab test results for infectious diseases of an unspecified number of people.


Facebook Users Give Beacon a Thumbs Down (November 21 & 22, 2007)

Facebook users are protesting a new feature called Beacon that informs Facebook friends about their recent online purchases. Following purchases at participating online retailers, users are alerted to the imminent sharing of the purchase information with Facebook by a small box that appears in the corner of a screen for less than half a minute. If they don't click "no thanks" in the box within the allotted time, their consent to share the information is assumed. The next time they log on to Facebook, they are notified that the information is going to be shared with friends, but that alert is apparently easy to miss as well. Privacy rights advocates say the program violates user privacy because it is not an opt-in system.

[Editor's Note (Pescatore): It would be nice to see Facebook users "vote" with their clicks against these kinds of practices because it is only going to get worse - these social networking sites have to justify their enormous valuations with something besides banner ads. ]

New Data Storage Firm Chosen Following Student Data Loss (November 21, 2007)

The Louisiana Student Financial Assistance Commission has approved a contract with a new data storage firm following the loss of backup data by Iron Mountain, the company that formerly held the contract. The lost data include Social Security numbers (SSNs) and bank account information of thousands of current and former students and parents of students who had applied for college loans or financial aid within the last 10 years. The data were lost during a truck delivery in Louisiana and the FBI is investigating the incident. The Commission is considering filing a lawsuit against Iron Mountain.


SANS Custom Webcast: Stealing.info with Mike Poor
WHEN: Tuesday, November 27, 2007 at 1:00 PM EST (1800 UTC/GMT)

Sponsored By: Core Security

Information theft for the 21st Century. In this webcast we will be looking at some of the largest thefts of data, along with pointing out some of the most common methods that cyber criminals are employing in their craft.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007
FEATURED SPEAKER: Johannes Ullrich

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Core Security

Please join Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology, for a free webcast: "Pinpointing and Proving Web Application Vulnerabilities"

Dr. Cole will present new penetration testing technology that lets you see your web applications from an attacker's perspective.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/