MacBook Air, Dell XPS 13, or $600 Off with SANS Online Training for a limited time!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #21

March 14, 2008

A powerful trend story this week can be fund in the "WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES" section where you'll note *all* of the stories are about application vulnerabilities, not system or network vulnerabilities. The problem is not just that attackers are exploiting commercial applications you buy. It's even more critical to fix applications, especially web applications, you write or have written for you. With the 10,000 additional infected web sites reported here, the 2008 number of exploited web sites passes the 100,000 mark. If you run one of those sites, your visitors, who trusted you, are being infected; and the damage is *much* worse, on average, than disclosing their personal information. Many of the organizations that have moved to improve application security are getting together in Las Vegas at the end of May to share the lessons they learned and to learn about some new data demonstrating which application security tools work best. More information at:

Correction: In the last issue I implied that the only way to ensure your penetration testing skills and tools are up to date is to attend the SANS Penetration Testing Course. That, as several readers pointed out, is obviously false; we could not have developed the course if people like Ed Skoudis hadn't already found the best new tools and techniques, and learned how to use them effectively.



Senate Subcommittee Confirms FISMA's Shortcomings
NATO Equates Cyber Attacks to Missile Attacks
Publishers Starting to Drop DRM from eBooks


BBC Fixes iPlayer Streaming Hole
10,000+ Web Pages Infected with Malicious JavaScript
Proof-of-Concept Code Posted for Unpatched RealPlayer Flaw
US-CERT Warns of Critical Flaws in Adobe Form Designer and Form Client
Microsoft Patch Tuesday Focuses on Office Suite
Harvard Grad School Applicants' Data Compromised
Lost and Found Memory Stick Holds Police Data
40,000 NY Insurance Subscribers' Data on Lost Computer
IT Managers Say Security Most Important Skill, but Wireless is Climbing the List
Paper: Wireless Internal Medical Devices Can be Hacked

*********************** Sponsored By SANS ****************************

The Application Security Summit June 2-3 is a user-to-user, non-commercial conference on What Works in Application Security. It is the only place where you can learn about the strengths and weaknesses of competing technologies and where users share the lessons they learned about how to make applications secure.


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products:
- Washington DC (Tyson's) 3/24-3/31
- San Diego (5/9-5/16)
- Toronto (5/10-5/16)
- and in 100 other cites and on line any time:



Senate Subcommittee Confirms FISMA's Shortcomings (March 13, 2008)

At a Senate subcommittee hearing on Wednesday, March 12, witnesses testified that the Federal Information Security Management Act (FISMA) is not necessarily an accurate measure of IT security. Even though government agencies have reported improved compliance with FISMA requirements, agencies are still experiencing system infiltrations and data losses. According to Cyber Security Industry Alliance president Tim Bennett, "A high FISMA grade doesn't mean the agency is secure, and vice versa. That is because FISMA grades reflect compliance with mandated processes: they do not, in my view, measure how much these processes have actually increased security." OMB and GAO officials confirmed the failure of FISMA compliance to improve security, with E-Gov chief Karen Evans saying that agencies that do the work just to meet OMB requirements are just pushing paper.

[Editor's note (Schultz): The most fundamental problem with FISMA compliance is that, for FISMA, producing paperwork is more important than having a genuine understanding of the risk an organization's information and information processing resources face and then implementing suitable security controls. The fact that there is little relationship between outcomes of FISMA audits and the number of security breaches experienced should thus not be any kind of surprise. ]

NATO Equates Cyber Attacks to Missile Attacks (March 7, 2008)

Suleyman Anil, Nato's cyber defence chief, said a determined cyber attack on a country's online infrastructure would be practically impossible to stop. Nations need to focus on improving their ability to quickly recover and get systems back online, an area in which nearly all countries were currently weak. NATO will develop an action plan for dealing with infrastructure attacks on its members at a state summit in Bucharest next month.

Publishers Starting to Drop DRM from eBooks (March 3, 2008)

In an effort to increase interest in electronic books, some publishers are beginning to remove DRM protection from their audio book downloads. The elimination of the copyright protection technology will allow users to transfer the ebooks between various devices and even share them with other people. Random House was the first to announce its intention to cease the use of DRM software. Penguin appears ready to do the same, and Simon & Schuster Audio plans to release 150 titles free of DRM technology some time this spring.

************************** Sponsored Links: ***************************

1) PacketMotion delivers unprecedented visibility and real-time control of insider threats. Learn more and first 100 respondents receive a complementary Elsevier book "Insider Threat" - $35 value.

2) Free Biometric Security White Paper. Implement strong, compliant security policies and make user's lives easier.

3) More than 50% of latest online scams are hosted on compromised web sites. New report has the details.




BBC Fixes iPlayer Streaming Hole (March 13, 2008)

The BBC has fixed a hole in its iPlayer streaming site that allowed users to get television program downloads free of digital rights management (DRM) technology. The content was intended to be only for iPhones and iPods, but users had discovered a way to save the programs to hard drives and share them.



10,000+ Web Pages Infected with Malicious JavaScript (March 13 & 14, 2008)

More than 10,000 web pages have been infected with JavaScript code that redirects site visitors and attempts to steal passwords to online games. A similar attack targeted visitors to the Miami Dolphins football team and stadium websites in the days before the 2007 Super Bowl. For the most part, exploits target known vulnerabilities, so if users have been vigilant about patching their systems, they are largely protected against the attack. However, some of the exploits target ActiveX controls in online games and other more obscure programs. Internet Storm Center:

Proof-of-Concept Code Posted for Unpatched RealPlayer Flaw (March 11 & 12, 2008)

Users are being urged not to use RealPlayer on Internet Explorer (IE) until a patch is released for a code execution flaw. The heap overflow vulnerability affects all versions of RealPlayer that run on IE. The problem lies in the RealPlayer ActiveX control rmoc3260.dll; users can run RealPlayer in browsers that do not support ActiveX. The person who found the flaw has posted proof-of-concept code to the Internet. Internet Storm Center article:

US-CERT Warns of Critical Flaws in Adobe Form Designer and Form Client (March 11 & 12, 2008)

The US Computer Emergency Readiness Team, (US-CERT) has issued a warning about critical buffer overflow flaws in Adobe Form Designer and Advanced Form Client ActiveX controls. The flaws affect version 5.0 of both products. Users are urged to apply Adobe's update. Users could also disable ActiveX or the Adobe Form ActiveX controls in Internet Explorer. The vulnerabilities can be exploited by manipulating users of vulnerable systems into loading maliciously crafted HTML files in their web browsers.

Microsoft Patch Tuesday Focuses on Office Suite (March 11 & 12, 2008)

On Tuesday, Microsoft released four security bulletins to address a dozen vulnerabilities. All four of the bulletins are related to Microsoft Office products. The most serious, MS08-014, addresses vulnerabilities in Excel that are already being actively exploited. MS08-015 also addresses a critical remote code execution flaw in Outlook.


Harvard Grad School Applicants' Data Compromised (March 13, 2008)

An attacker stole a file containing personally identifiable information of approximately 10,000 applicants to Harvard's Graduate School of Arts and Sciences. The file has reportedly been posted to a BitTorrent site. The compromised data include names, addresses, test scores, school records, and in roughly 6,600 cases, Social Security numbers (SSNs). The breach affects individuals who applied to the school for admission in the fall of 2007 as well as graduate student housing applicants for the academic years 2006-07 and 2007-08. A note was added to the file by someone claiming the data exposure is meant to demonstrate that the Harvard server's admin did not take adequate security precautions. Affected students and applicants have been notified of the breach.


Lost and Found Memory Stick Holds Police Data (March 13, 2008)

A passerby in Hertfordshire, England found a memory stick in the gutter that contained confidential police information. The unencrypted data included the names and addresses of offenders as well as the types of vehicles they drive and details about their offenses. A police spokesperson acknowledged that a device was lost on March 5 and turned in several hours later.

40,000 NY Insurance Subscribers' Data on Lost Computer (March 11, 2008)

Forty thousand members of HealthNow New York have been notified that their personal information was on a laptop that has been missing for several months. The data include names, dates of birth, SSNs, employer group names and health insurance identifier numbers, but not health or medical claim information. HealthNow does not plan to issue new identification numbers to all affected members, but will comply with individuals' requests to do so. The laptop was not encrypted, and the organization has severed the computer's access to the corporate network.


IT Managers Say Security Most Important Skill, but Wireless is Climbing the List (March 13, 2008)

A survey of more than 3,500 IT managers found that 73 percent say that security, firewalls, and data privacy are the most important skills for IT professionals to have. However, just 57 percent say their employees possess adequate competence in these skills. Fifty-five percent of those surveyed said that mobile, wireless, and RFID skills will top the list within the next five years.


Paper: Wireless Internal Medical Devices Can be Hacked (March 12 & 13, 2008)

Researchers have demonstrated that it is possible to hack into internal medical devices. Specifically, they published a paper describing how a wireless combination pacemaker and defibrillator can be attacked. The exploit could expose personal medical information to the attacker as well as allow them to control the device, potentially inducing ventricular fibrillation. The researchers say they are not trying to scare people away from using the devices. There have been no reported instances of any such attacks, and the likelihood of an attack is small. Programming the wireless implanted devices requires the patient to be in close proximity - no more than a few feet away.


WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian

Sponsored By: Core Security Technologies

When beginning a security process at a consortium of non-profits, senior network security engineer, Paul Asadoorian of Pauldotcom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing.

SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole

Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!

Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee

Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.

Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.

Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Sponsored By: Fortify Software

All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.

SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt

Sponsored By: Core Security Technologies

Stephen Northcutt challenges leaders to move past "Security Theater", practices like confiscating nail files in airport security or running vulnerability scans and taking no action or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views, the inside view, outside view and user view that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view, vulnerability scanners and exploitation tools like CORE for the outside view and to get the user view we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.

SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann

Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.

Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)

Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava

Sponsored By: Intellitactics, Inc.

This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.

SANS Special Webcast: Security Insights with Dr. Eric Cole This Month's Topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole

Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organizations security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution, does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost effective way to reduce risk. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detail understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday, April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dave Shackleford

Sponsored By: NIKSUN

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as these data, voice, video convergence becomes ubiquitous.

SANS Special Webcast: The Little Hybrid Web Worm That Could
*** Previously scheduled for 3/6/08***
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Sponsored By: HP

This Webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.


Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman

Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit