SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #16

February 26, 2008

Note for people planning to attend security training this spring: The deadline for savings on SANS08 in Orlando is next Wednesday, March 5. More information:


Pakistan's Attempt to Block YouTube Cast Wider-Than-Expected Net
FCC Ready to Take Steps to Enforce Net Neutrality


Woman Indicted on HIPAA Violation
Internet Stalker Gets Prison Time
OMB: Agencies Need to be More Aggressive About Data Protection
Spammers Defeat Gmail Captcha System
Image Uploader Flaw is Being Actively Exploited
Stolen Laptop Contained Psychiatric Patient Data
ICO: Financial Services Firm Violated Data Protection Act
Workers Often Peek at Customer Data
Informant Allegedly Sold Bank Account Data to Tax Authorities
Counterfeit Computer Parts Seized
PGP Responds to Cold Boot Attack Paper

********************* Sponsored By PacketMotion *************************

How do you safeguard intellectual property, sensitive information and compliance-relevant data without hampering employee and contractor productivity? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions and information assets. Download the FREE, must-read whitepaper "TRUST BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical Information" now.


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products:
- - Washington DC (Tyson's) 3/24-3/31
- - San Diego (5/9-5/16)
- - Toronto (5/10-5/16)
- - and in 100 other cities and online any time:



Pakistan's Attempt to Block YouTube Cast Wider-Than-Expected Net (February 24 & 25, 2008)

An attempt by Pakistan to have YouTube blocked within its own borders is believed to be responsible for a two-hour outage of the site worldwide on Sunday, February 24. The incident draws attention to a weakness in how autonomous systems announce routes. Autonomous systems (AS), which are the network providers, effectively serve as postal codes or ZIP codes for IP address requests. In the incident this past weekend, the AS made a false broadcast to the whole Internet, not just to requests from Pakistan, so traffic for YouTube everywhere was routed toward Pakistan.

[Editor's Note (Skoudis): Although this is a short-term risk with copycat attacks, I think it's really good news for the long term. Having YouTube knocked off line gets Google's attention. Having it knocked off line by Pakistan gets a lot of countries' attention. Thus, we've managed to have this big problem illustrated with only minor inconvenience. I'm hopeful that with these big forces now interested in the problem, we'll likely see a move to address the situation in the near future.
(Schultz): This incident once again shows (at least on a small scale) just how potentially vulnerable the Internet is to disruption, denial of service attacks very much included. Mechanisms such as authenticated updates would have in this case solved a good part of the problem, but such mechanisms would cause substantial slowdowns.
(Guest Editor Frantzen): This incident boils down to a dangerous setup by the ISP. It allowed BGP announcements (BGP4 is the routing protocol used between ASes) to be constructed (in part) from internal routing information. ]
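Frantzen's point about the ISP's setup, as an added example that is not from the newsletter or from any ISP or vendor: an outbound prefix filter of the kind the ISP lacked, beside the check a route monitor runs to spot a watched prefix, or a more-specific of it, originated by the wrong AS. All AS numbers and prefixes are constructed placeholders and the function names are hypothetical.

```python
# Added example (not from the newsletter or from any ISP's configuration).
#  1. egress_filter(): the announcement filter an AS should apply before it
#     passes routes to its BGP peers, so that a prefix it only ever meant to
#     null-route internally never reaches the global table.
#  2. find_hijacks(): what a prefix-monitoring service looks for: a watched
#     prefix, or a more-specific of it, originated by an AS other than the
#     registered owner.  More-specifics matter most, because longest-prefix
#     match makes them win over the legitimate route on every router.
# Every AS number and prefix below is a constructed placeholder.
from ipaddress import ip_network

# Constructed: the address space the local AS (AS64500) is allowed to
# originate.  A real deployment would build this from its RIR allocations.
LOCAL_AS = 64500
ALLOWED_ORIGIN = [ip_network("203.0.113.0/24")]


def egress_filter(announcements, allowed=ALLOWED_ORIGIN):
    """Split candidate outbound announcements into (accepted, rejected).

    Each announcement is (prefix, origin_as).  A prefix passes only if it is
    originated locally AND lies inside our allocated space.  Anything else,
    including a null-route for someone else's prefix that leaked in from
    internal routing, is dropped before it can reach a peer."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        net = ip_network(prefix)
        ok = origin == LOCAL_AS and any(net.subnet_of(a) for a in allowed)
        (accepted if ok else rejected).append((prefix, origin))
    return accepted, rejected


# Constructed: prefixes a monitor watches, each with its legitimate origin AS.
WATCHED = {ip_network("198.51.100.0/22"): 64496}


def find_hijacks(global_table, watched=WATCHED):
    """Return announcements that look like hijacks of a watched prefix:
    the prefix itself or a more-specific of it, from an unexpected origin."""
    alerts = []
    for prefix, origin in global_table:
        net = ip_network(prefix)
        for parent, owner in watched.items():
            if net.subnet_of(parent) and origin != owner:
                kind = ("more-specific" if net.prefixlen > parent.prefixlen
                        else "exact")
                alerts.append({"prefix": prefix, "origin": origin,
                               "parent": str(parent), "kind": kind})
    return alerts


if __name__ == "__main__":
    # Constructed: our own /24 plus an internal null-route for a /24 carved
    # out of someone else's /22, which must never leave the AS.
    outbound = [("203.0.113.0/24", LOCAL_AS), ("198.51.100.0/24", LOCAL_AS)]
    ok, dropped = egress_filter(outbound)
    print("accepted:", ok)
    print("rejected:", dropped)
    # Constructed global table: the legitimate /22 and a leaked /24.
    table = [("198.51.100.0/22", 64496), ("198.51.100.0/24", LOCAL_AS)]
    for alert in find_hijacks(table):
        print("ALERT", alert)
```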

FCC Ready to Take Steps to Enforce Net Neutrality (February 25, 2008)

At a hearing on Monday, February 25, the US Federal Communications Commission (FCC) said it might soon take action against Internet service providers (ISPs) that discriminate against traffic from content providers. At issue is finding the line between discrimination and legitimate network traffic management. The FCC is also looking at rules that would force ISPs to be more transparent in their policies about when traffic might be slowed. The issue gained press recently when Comcast admitted to throttling traffic from BitTorrent.


[Editor's Note (Pescatore): The ISPs certainly have the right to enforce their Terms of Service agreements, but blocking bulk content is going beyond that. If the ISPs would focus on getting their customers to sign up (opt-in) for "in the cloud" filtering of spam and viruses *and* to clean up the bot clients on so many consumer machines, the ISPs would be able to gain back probably 30% of their bandwidth while the customers were gaining back 30% of their home PCs' CPU cycles.
(Northcutt): This is a very complex issue that might be best left for the market to sort out. If a significant number of Comcast users want bit torrents and they can go to other providers, Comcast will probably change their policy. I don't expect this issue to go away. One possibility: The "type of service" field in the IP header just might get used for its original intended purpose yet! Policy-based routing could happen because one way or another the biggest uses of bandwidth have to be paid for:

************************** Sponsored Links: ***************************

1) Sponsored By RSA, The Security Division of EMC - Download 3 new White Papers on Best Practices for Comprehensive Security and Event Management.

2) More than 50% of latest online scams are hosted on compromised web sites. New report has the details.




Woman Indicted on HIPAA Violation (February 23, 2008)

An Oklahoma woman has been indicted on charges of violating the Health Insurance Portability and Accountability Act (HIPAA). The federal indictment alleges that Leslie A. Howell provided patient information from an unnamed counseling center to two individuals, knowing that they intended to use the information to commit "access device fraud" and identity theft. If she is convicted of charges against her, Howell could face up to 10 years in prison and a fine of up to US $250,000.

Internet Stalker Gets Prison Time (February 21, 2008)

Devon Townsend has been sentenced to two years in prison for using computers at her workplace to access private information about Linkin Park lead singer Chester Bennington. Townsend was employed at Sandia National Laboratories; from computers there, she managed to access Bennington's email account, phone numbers, phone bill records, and family photographs. She used some of the information she found to threaten Bennington's wife.
[Editor's Note (Northcutt): The article goes on to say she will be receiving mental health counseling while incarcerated. Seems that might be a good idea. ]


OMB: Agencies Need to be More Aggressive About Data Protection (February 22, 2008)

Following the spring 2006 theft of computer equipment that placed personal information of 26.5 million US armed service veterans and active duty members at risk of theft, the White House Office of Management and Budget (OMB) issued recommendations for federal agencies to help them protect sensitive personal data. Of the 24 agencies questioned by the Government Accountability Office (GAO), just two agencies - the Treasury and the Department of Transportation - have adopted all five recommendations. Two agencies have adopted none, while other agencies have adopted some of the recommendations, which include encrypting data on mobile devices.


Spammers Defeat Gmail Captcha System (February 25, 2008)

Spammers have figured out a way to defeat the Gmail Captcha challenge-response mechanism, which is used to ensure that requests to create new accounts are coming from real people and not from automated programs. Spammers successfully broke the Hotmail Captcha program in the last few weeks.
[Editor's Note (Honan): This is not the first time that captchas have been defeated.
In addition, the article highlights that the hack has a 20% success rate in defeating captchas. However, when running an automated process a 1 in 5 success rate is not an issue and can yield a high number of accounts over a relatively short period.]


Image Uploader Flaw is Being Actively Exploited (February 23, 2008)

An exploit is circulating for a flaw in Image Uploader, an ActiveX control used in several social networking sites, including MySpace and Facebook. The exploit is part of an attack toolkit that also contains exploits for flaws in QuickTime, Windows, and Yahoo! Music Jukebox. Users become infected when they click on specially crafted links in email messages or IMs that send them to phony login pages where the tool tries to steal their credentials and scans the machines for vulnerable applications.

[Editor's Note (Honan): With the growth in Web 2.0 services criminals will develop even more tools to exploit unwary users. From a corporate point of view these browser based attacks can be difficult to defend against. Prohibiting access to certain sites may reduce your attack profile. You should also ensure that applications which have no business use are removed from your systems.
(Cole): DO NOT LET ACTIVE CONTENT RUN in your browser. Old habits are hard to fix but a little Internet safety will go a long way. ]


Stolen Laptop Contained Psychiatric Patient Data (February 25, 2008)

A laptop computer stolen from an NHS doctor's home in 2005 held extremely sensitive medical information about 190 psychiatric patients. The computer is one of approximately 180 devices reported missing or stolen from public institutions in the Lothians region of Scotland over the last five years.

[Editor's Note (Cole): If a system is turned off (for more than 5 seconds) full disk encryption solutions with strong passwords or external keys will minimize the damage. ]

ICO: Financial Services Firm Violated Data Protection Act (February 21 & 22, 2008)

The UK Information Commissioner's Office (ICO) has found that a financial services firm breached the Data Protection Act after a laptop computer containing unencrypted client information was stolen. The computer was stolen from Moore Stephens Ltd, which was processing data for Skipton Financial Services, but it was Skipton who was found to be in violation of the Data Protection Act. The ICO did not punish Skipton, but did compel the company to sign a legal document saying it would make sure customer data are protected in the future.


Workers Often Peek at Customer Data (February 25, 2008)

Documents made public in a lawsuit indicate that employees throughout Wisconsin utility company WE Energies were accessing data about friends, family members, politicians, and others. Several years ago, a WE Energies employee leaked information about a mayoral candidate. Following that incident, the company began paying closer attention to which accounts its employees were accessing; 17 people were fired between 2005 and 2007. Federal agencies are struggling with similar problems.

Informant Allegedly Sold Bank Account Data to Tax Authorities (February 24 & 25, 2008)

UK HM Revenue & Customs reportedly paid an informant GBP 100,000 (US $197,000) for information about bank accounts held by Britons at Liechtenstein bank LGT Group. The same informant reportedly sold account information to Germany's intelligence agency. In the UK, people found to have evaded taxes face hefty fines, and, if the deception is proven to be deliberate, they could face jail time as well. The informant has been fired from LGT Group and convicted of fraud.

[Editor's Note (Honan): Contrary to popular belief, Swiss bank accounts are not as confidential as some would think. Liechtenstein has stricter confidentiality requirements over access to its bank accounts which have made it a popular destination for those wishing to evade tax in their own countries.]

Counterfeit Computer Parts Seized (February 22 & 25, 2008)

Thousands of counterfeit computer chips and network components were seized in a two-week period late last year as part of a joint effort of US Customs and Border Protection and the European Commission Tax and Customs Directorate known as "Operation Infrastructure." The phony items carried more than 40 different trademarks, including Intel, Cisco, and Philips, and were valued at a total of more than US $1.3 billion. US Customs and Border Protection Assistant Commissioner Dan Baldwin noted that the "problem [is] a fairly high risk for critical infrastructure."


PGP Responds to Cold Boot Attack Paper (February 2008)

PGP has posted a response to the recently published paper about the Cold Boot Attack, which describes how attackers with physical access to computers can take advantage of the fact that some encryption products store their keys in DRAM. PGP stresses the fact that attackers require physical access to the machines to conduct this sort of attack, and also points out that "all security tools techniques ... are designed to address specific threat models. Achieving comprehensive security in any given environment requires using a combination of security measures."
[Editor's Note (Northcutt): Good for PGP. Calling all crypto vendors: we would love to highlight your cold boot responses as well; if you have posted a white paper on the subject, please send the link to and copy
(Internet Storm Center: Frantzen): Excellent information from PGP is included in their answer, and it should be used to construct guidance for users of their tools. All vendors should release similar information needed to create such guidance.
- - For PGP WDE: the guidance is that if you "sleep" your laptop and it gets stolen, the keys are still in RAM. They claim hibernating removes the keys from RAM.
- - For PGP Virtual Disk, the disk images need to be unmounted in order to remove the key from RAM.
At the Internet Storm Center we are collecting this guidance in an article. Vendors and users are invited to contribute. ]


Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
Sponsored By Credant Technologies

This webcast will discuss why today's dynamic IT environments must move away from first-generation encryption products, the stand-alone, platform-specific point products of old, toward a more data-centric platform. Gone are the days of the "encrypt everything" approaches, which lack protection against insider threats and have significant manageability, recovery, and usability issues. Hear how a new solution simultaneously meets security, IT operations, and compliance needs.

SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin. Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two diametrically opposed networking requirements. On one hand, IT services must meet the requirement of delivering an open campus network with minimal restriction on use. On the other hand, you have networks and systems that maintain sensitive information requiring tight security controls, often under the scrutiny of specific regulatory mandates.

Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.

Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit