SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Volume X - Issue #100

December 23, 2008

Three interesting and important stories in Top of the News this week: a window into banking cyber crime, RIAA changing tactics, and the World Bank banning (for nine years) a vendor that made millions writing applications for the Bank that were later found to enable data breaches. Software buyers' patience has run out. Any company that develops code for a living is flirting with economic disaster if it fails to (1) test the software using a suite of the most effective source code and black box testing tools, and (2) ensure that each developer who touches the code has mastered secure coding skills (GSSP assessment is the most common method of proving that).

Organizations that develop applications using .NET languages can now use GSSP assessments to help their programmers find the gaps in their secure coding knowledge. GSSP tests for Java and C/C++ are already being widely used, but the .NET tests were just released. The first 50 medium and large organizations that reach out can get up to 100 developers through the assessment for free. Email for access to any of them.


P.S. Tomorrow is the last day for early registration savings for SANS Security West 2009 (Jan 24-Feb 1). Early registration is still open (save $350) on SANS' biggest program, SANS 2009 Orlando (March 1-9).


Trojan and Keystroke Logger Dropzone Study
RIAA Changes Tactics
World Bank Vendor Barred for Eight Years


MIT Students Will Work With MBTA to Improve Payment System Security
Judge Will Not Divulge Location of Computers Used to Alter Wikipedia Pages
Spammer Fined in New Zealand; Still Faces Charges in US
New Law in Ireland Increases Fines for Spammers
Ohio College Servers Compromised
Phone Hacker Sticks Computer Company with CA $52,000 Bill
Repair Mission Underway on Damaged Mediterranean Undersea Cables
Why Did Microsoft Developers Miss the Internet Explorer Flaw?



Trojan and Keystroke Logger Dropzone Study (December 18, 2008)

A research team assembled by Thorsten Holz from the University of Mannheim (Germany) examined banking Trojans, keystroke loggers and dropzones for both types of malware.  Their study found more than 33 GB of log files in the dropzones of 70 separate pieces of malware. The files contain personal information of more than 170,000 individuals; the collected data include passwords, PINs, user names and other crucial information for committing fraud.  The study also examined the resale value of stolen data; a bank account goes for between US $10 and US $1,000, while credit card account data are sold for as little as US $0.40 per account.  Email passwords were being sold for between US $4 and US $30.

RIAA Changes Tactics (December 19, 2008)

The Recording Industry Association of America (RIAA) said it will stop filing numerous lawsuits against suspected copyright violators. Instead, the RIAA will work with Internet service providers (ISPs) to target people it believes are violating copyright laws and convince them to change their ways.  Under the new plan the RIAA will notify ISPs of suspected violators and the ISPs will either notify the suspected offenders themselves or forward the messages from the RIAA. Repeat offenders would be subject to increasing sanctions, including network speed throttling and termination of Internet service.  The RIAA has not entirely ruled out the possibility of lawsuits; people who appear to be committing gross violations of copyright law could still find themselves being sued by the RIAA.

RIAA Letter to ISPs:

[Editor's Note (Schultz): RIAA's approach in pursuing those who engage in music swapping has been incredibly unsuccessful. A change in strategy has been long overdue, and apparently it is now forthcoming. ]

World Bank Vendor Barred for Eight Years (December 22, 2008)

The World Bank has acknowledged that it imposed strict sanctions against an India-based computer software service provider that has been linked to data breaches and financial malfeasance at the international institution.  For months, the World Bank had been denying FOX News reports regarding these issues, but now it has been confirmed that Satyam Computer Services has been barred from working with the World Bank for eight years.  Satyam was employed by the World Bank from 2003 through 2008 to write and maintain all of the bank's software; Satyam was paid hundreds of millions of dollars for its services.

[Editor's Note (Pescatore): There are a lot of sourcing decisions that are made without having security as a highly rated evaluation criterion. Also, a lot of outsourcing contracts are so large that they really deserve high level governance and oversight by boards of directors, just like mergers and acquisitions. (Schmidt): I see this as a very effective way to convince business partners and the supply chain to do security better.  Nothing gets a business's attention quicker than losing the ability to do business with a major client.]

MIT Students Will Work With MBTA to Improve Payment System Security (December 22, 2008)

The three Massachusetts Institute of Technology (MIT) students who earlier this year faced legal action from the Massachusetts Bay Transit Authority (MBTA) are now working with the MBTA to improve the security of its electronic fare system.  Zack Anderson, RJ Ryan and Alessandro Chiesa had planned to present their findings about weaknesses in the MBTA's Charlie Card system at a conference last summer.  The MBTA obtained a gag order preventing them from making their presentation, but a judge threw out the order several days later, and the case was settled in early October.

[Editor's Note (Skoudis): Maybe I'm just growing into an old softie, but I view this as a happy hacker holiday story.  Although a difficult and ugly process, this story seems to have ended pretty well, in my estimation.]

Judge Will Not Divulge Location of Computers Used to Alter Wikipedia Pages (December 19, 2008)

A judge in Arkansas has ruled that the locations of computers used to make changes to the Wikipedia pages of former Governor Mike Huckabee, current Governor Mike Beebe and other state officials will not be disclosed.  The information was being sought by journalists under the state's Freedom of Information Act, but the judge, siding with the state's attorneys, said that divulging the information would threaten the security of the state's computer network.  The reporters had uncovered several IP (Internet Protocol) addresses that had been used to make the changes and wanted to know at which agencies the particular computers were located.

[Editor's Note (Skoudis): According to this article, the judge's logic rests on the argument that "...public disclosure (of the agency associated with the IP addresses) could open 'vast holes' in network security for hackers".  If that's the case, they've got _huge_ architecture problems.  Plus, a single client-side exploit followed by some clever pivoting would likely let a real bad guy map their internal network anyway.  Perhaps there is a lot more to this story than these news articles reveal, but the argument as presented is cause for significant concern. (Weatherford): "Transparency in government is essential to good order and discipline, but publicly revealing even minor technical details that could be used against you by those who would do you harm is simply not a good idea.  While the public sector is obviously required to be more open about issues due to Freedom of Information laws and Public Records Acts, turn the question around and ask how a private company would respond to a request like this.  While IPs aren't the keys to the kingdom, they are a vector that gives insight into the network environment.  The judge made the right decision."]

Spammer Fined in New Zealand; Still Faces Charges in US (December 22, 2008)

Lance Atkinson has agreed to pay fines of NZ $110,000 (US $62,842) for his role in an international spam operation.  Atkinson is also facing charges in the US; his assets there have been frozen.  The spam operation is believed to be responsible for more than 2 million unsolicited messages sent to computers in New Zealand over a four-month period in late 2007.

New Law in Ireland Increases Fines for Spammers (December 21 & 22, 2008)

Irish Communications Minister Eamon Ryan has signed legislation that increases fines for spammers.  Companies convicted of sending unsolicited commercial email or text messages could be required to pay fines of up to 250,000 Euros (US $349,000) or 10 percent of their turnover, whichever is greater.  Previously, spammers could be prosecuted only in the District Court, with a maximum fine of 3,000 Euros (US $4,191).  Offenders can now be prosecuted in the Circuit or High Court.

Ohio College Servers Compromised (December 20, 2008)

An attacker broke into two Lorain County (Ohio) Community College servers in November, compromising the security of the data they hold, which include the records and Social Security numbers (SSNs) of approximately 22,000 students, employees, and community users. College vice-president of strategic and institutional development Marcia Ballinger said the attacker appeared to be looking for available storage space rather than data; nonetheless, forensics experts and the FBI are conducting investigations.  The college notified those affected by the breach through letters sent last week.

Phone Hacker Sticks Computer Company with CA $52,000 Bill (December 19, 2008)

Manitoba (Canada) Telecom Services is insisting that a Winnipeg-based company is responsible for the cost of phone calls a hacker made to Bulgaria through its phone system.  Someone broke into the HUB Computer Solutions system in late November and over a period of two-and-a-half weeks made calls totaling CA $52,360 (US $43,023).  MTS said it should have been contacted as soon as the volume of outbound international calls began to exceed normal levels.

[Editor's Note (Schultz): A potential downstream liability lawsuit exists here. These types of cases are not commonplace in the information security arena, yet the likelihood that they will result in huge financial losses and reputational damage is enormous. (Pescatore): Gee, back to the future with PBX hacking. We'll see more of this as more and more IP PBXs get into use by smaller businesses. While most of the VoIP security hype has been around eavesdropping, I think theft of service will be the first wave. (Schmidt): This definitely sounds like the classic war dialing and phreaking that has been used against PBX systems since the early days of their existence.  This is another example that some insecurities just never go away.  After the coverage that was given to the FEMA event a few months ago, you would think every PBX owner would do a security assessment of their systems.]

Repair Mission Underway on Damaged Mediterranean Undersea Cables (December 19, 21 & 22, 2008)

A pair of undersea telecommunications cables in the Mediterranean was damaged late last week, causing serious disruptions in connectivity to users in the Middle East and Asia.  Egypt and India were especially hard hit, with the countries experiencing 70 percent and 60 percent of web services disrupted, respectively.  The damage may have been caused by a trawler net.  Repair work on the cables has begun, but it is not known when it will be complete.  A submarine robot has been deployed to find the ends of the severed cables.

[Editor's Note (Pescatore): There will be a lot of speculation about whether this was sabotage or just an accident, but the effect is way more important than the cause. A lot of data centers boast dual fiber optic feeds (on different sides of the building) from multiple carriers, but then you find they both go through a common choke point. Redundant connections help when a local backhoe takes out a cable, but what is really needed is redundant bandwidth: either have SLAs that cover this type of outage or require hosters/outsourcers to demonstrate reliable bandwidth, not just connectivity.]


Why Did Microsoft Developers Miss the Internet Explorer Flaw? (December 22, 2008)

In a posting to Microsoft's Security Development Lifecycle blog, Microsoft principal security manager Michael Howard said the Internet Explorer (IE) flaw for which the company released an out-of-cycle fix last week went undetected because programmers had not been trained to look for such problems.  The flaw in question was a memory-related time-of-check-time-of-use bug.  Microsoft developer training will be updated to take into account this sort of flaw in the future.

[Editor's Note (Skoudis): This is a fascinating read.  It also illustrates that there are many classes of vulnerabilities beyond the traditional buffer overflow exploit.  We'll be busy for many, many years (and perhaps for the rest of our lifetimes) stomping out all of these different classes of security bugs.  Frustrating?  Yes.  Job security? Yes, that too. (Northcutt): This was a tricky one, but I do not see it so much as a life cycle bug as Michael's blog claims. Somehow, someone found the bug, possibly with an advanced fuzzer. 6000 sites were doctored; check the following site to see whether you were infected and what to do about it.

The crafted web pages put a cookie on the client computer. You can see the cookie and its decoded representation here:
By the way, whenever you want to view the contents of an encoded cookie, one free tool you can use on Windows is CookieView, available here (it is a good Saturday afternoon play toy and worth having in your toolset):
The ISC posting shows it is SQL injection pointing the browser to a malicious script (hint: downloading the script is not highly recommended). The source information for the Computerworld article is here:
And I feel the original blog is worth reading even if you do not understand everything; you will be able to see why the bug was so hard to spot. The important thing is that Microsoft is making process corrections to keep this from happening again.]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit