SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #32

April 22, 2008

If you live in the US and missed all 4 chances to attend Ed Skoudis' extraordinary new Penetration Testing and Ethical Hacking course, (because they were all sold out in less than two weeks), we are running it again at SANS Europe in Amsterdam June 16-21. It's a great excuse to take your family to Europe this summer. And if you want to attend Intrusion Detection, Hacker Exploits, Security Essentials, Firewalls and Perimeter Protection, Auditing, Pen Testing Wireless, Securing Windows or other popular SANS courses, they are spread out over Amsterdam, Brussels and London.

Oh, and if you want to attend those great pen testing courses (and Application Security Pen Testing) in the US, they are at the Summit in Las Vegas in early June and at SANSFIRE in Washington in late July, where all of SANS' other great courses are also being run.
- - Pen Testing & Hacking Summit (Las Vegas, 5/31-6/9)
- - Web Application Security Summit (Las Vegas, 5/31-6/9)
- - SANSFIRE (Washington, DC, July 22-31)

Also, an interesting article about "Patch-based exploitation generation" at Internet Storm Center:



NJ Supreme Court Upholds Reasonable Expectation of Online Privacy
Proposed Law Addresses Electronic Record-Keeping Standards
PayPal Clarifies Browser Blocking Stance


Alleged eBay Hacker Arrested in Romania
Windows XP SP3 Will Be Available for Download on April 29
Microsoft Warns of Privilege Elevation Flaw in Windows
Credit Card Fraud Hits Petrol Station Customers in Scotland
Four Missing Laptops Hold Bank of Ireland Customer Data
Stolen Server Holds Debt-Collection Data
Lost PDA Holds Mass. Home Health Care Data
Security Manager Gets Involved in Projects Early On

************* Sponsored By RSA, The Security Division of EMC ************

Download 3 new White Papers on Best Practices for Comprehensive Security and Event Management. Download these today and use them as a guide when reviewing your compliance and security operations requirements - and when developing best practices to maximize the success of compliance and security initiatives.


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses, plus evening sessions with Internet Storm Center handlers?
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
- - San Diego (5/9-5/16)
- - Toronto (5/10-5/16)
- - and in 100 other cities and online any time:



NJ Supreme Court Upholds Reasonable Expectation of Online Privacy (April 21, 2008)

The New Jersey Supreme Court has ruled that Internet service providers (ISPs) cannot release personal information about their customers without valid subpoenas. The unanimous ruling upheld lower court decisions that related to police seeking the identity of a woman suspected of accessing her employer's computer system. The police had a subpoena from a municipal court, but because the alleged crime was an indictable offense, the court required a grand jury subpoena. This is "the first ruling in the nation to recognize a reasonable expectation of privacy for Internet users."

[Editor's Note (Schultz): This is a very significant victory for privacy advocates, but if this case goes to the Supreme Court, I would not count on the ruling being upheld. ]

Proposed Law Addresses Electronic Record-Keeping Standards (April 17, 2008)

Proposed Legislation in the US House of Representatives would "direct the National Archives and Records Administration to set standards for capturing, managing, retrieving and preserving White House email and other electronic communications, and to certify whether the White House system meets those standards." The bill was introduced after an investigation revealed that millions of Bush White House email messages were lost. The bill would also have the National Archives establish regulations "requiring federal agencies to preserve electronic communications in an electronic format." A watchdog group that has been vocally critical of the government's current electronic record keeping policies has called the proposed legislation "anemic."

[Editor's Note (Liston): Let's go close those barn doors... Hey! Where are the horses?!? ]

PayPal Clarifies Browser Blocking Stance (April 21, 2008)

PayPal says it does not intend to block customers running the Safari browser from using its services. A research paper released last week by PayPal Chief Information Security Officer Michael Barrett indicated that the company planned to block customers from logging in to the site if they were using browsers that do not have technology to block phishing sites or support for Extended Validation (EV) certificates. PayPal now maintains that it would only block "obsolete browsers on outdated or unsupported operating systems [such as] Internet Explorer 4 running on Windows 98." PayPal has not said when it plans to deploy its browser blocking strategy. Internet Storm Center:


********************** Sponsored Links: *******************************

1) Can You See What is Really Happening on Your Network? Use Network Behavior Analysis to Gain Detailed Views into Your Internal Network. Read More:

2) Cross-site scripting at the core of hard to detect phishing attacks - - learn how you can prevent them in this FREE paper from Cyveillance.

3) PacketMotion delivers unprecedented visibility and real-time control of insider threats. Learn more, and the first 100 respondents receive a complimentary Elsevier book "Insider Threat" - $35 value.




Alleged eBay Hacker Arrested in Romania (April 18, 2008)

Romanian law enforcement officials have arrested Vlad Constantin Duiculescu, who allegedly gained access to employee-only areas of the eBay network and then bragged about his accomplishment online. eBay estimates that the damage totaled US $1 million. The US Secret Service, the FBI, and eBay's global fraud investigation team worked together to catch Duiculescu.

[Editor's Note (Ullrich): International collaboration like this is great news! We all know that cybercrime investigations often run into international borders. I hope collaboration like this will become more routine in the future.
(Liston): We're good at catching the bad guys who do stupid things (like bragging about their crimes online). What worries me: you *know* there are bad guys who aren't doing stupid stuff...
(Weatherford): This is the kind of law enforcement coordination and action that we need to see more of and should be highly publicized. It won't stop crime altogether but it will certainly deter some people. ]


Windows XP SP3 Will Be Available for Download on April 29 (April 21, 2008)

Microsoft released Windows XP Service Pack 3 (SP3) to manufacturing on Monday, April 21; it will be available for download via Windows Update and the Microsoft Download Center on April 29. Windows XP SP3 includes all updates since Windows XP SP2 was released more than four years ago as well as some new features. One of those is Network Access Protection, which checks PCs for malware before allowing them to connect to a network. SP3 also has black hole router detection turned on by default; "this feature automatically detects routers that are silently discarding packets." Internet Storm Center:

[Editor's Note (Ullrich): This service pack was long overdue. It is good to see that Microsoft is willing to keep Windows XP alive a bit longer. With all the security advances brought to us by Vista, many users are still unable to use it or uncomfortable with it. From a security standpoint, it is frequently better to stick with what you know instead of chasing down the latest and greatest solution. (Schultz): I'd once again advise everyone to wait a little while--until any major bugs are identified and fixed--before installing this Service Pack. ]

Microsoft Warns of Privilege Elevation Flaw in Windows (April 17, 18 & 21, 2008)

Microsoft has released a security advisory warning of a privilege elevation vulnerability that affects Windows XP Professional SP2 and all versions of Windows Server 2003, Windows Vista, and Windows Server 2008. Attackers could exploit the flaw through custom web applications running in Microsoft's Internet Information Services (IIS) as well as through SQL Server. The advisory says Microsoft is investigating reports of the vulnerability but does not indicate if or when the flaw would be fixed. Internet Storm Center:

Credit Card Fraud Hits Petrol Station Customers in Scotland (April 21, 2008)

Police in Scotland say a recent rash of credit card fraud totaling GBP 250,000 (US $495,610) is the work of people raising money for terrorist groups. The attackers reportedly approach employees at petrol stations and offer them bribes of approximately GBP 15,000 (US $29,737) to allow them access to the card readers. They then place kits on the machines that skim information from the cards' magnetic stripes and capture the cards' PINs. The information is gathered and used to create clone cards that are then used to withdraw money from various accounts. One woman whose Bank of Scotland account was drained of GBP 1,000 (US $1,982) was told her money would be refunded. Police estimate that as many as 5,000 cards were affected by the scheme, which targeted two petrol stations in the Edinburgh area.

[Editor's Note (Weatherford): Once again, this shows that people are the weakest link and the best security controls in the world (not that they were in place in this case) are useless if users can easily sidestep them. The fact that this is funding terrorism ups the ante a bit and this should get some publicity to make people aware of the threat.
(Honan): This story highlights how, once physical security (in this case the attendants) is compromised, all the technical security controls cannot protect you. Have a look at your own information security infrastructure and see what can be bought for GBP 15,000 (US$29,737): would it be a new firewall or your firewall administrator?
(Liston): I wonder: what does that GBP 15,000 represent as a percentage of the yearly income of a gas station employee? ]

Four Missing Laptops Hold Bank of Ireland Customer Data (April 21, 2008)

Irish Data Protection Commissioner Billy Hawkes is investigating the theft of four laptops that contain personal information of 10,000 Bank of Ireland customers. The theft occurred last year, but Hawkes learned of the incident just last Friday. The computers were being used by Bank of Ireland's life assurance division staff; the unencrypted data include medical backgrounds, life assurance information, bank account details, and names. The bank plans to notify those affected by the breach.

Stolen Server Holds Debt-Collection Data (April 21, 2008)

A server stolen from a debt-collection office in Indianapolis contains personally identifiable information of nearly 700,000 individuals. The Central Collection Bureau server holds unencrypted customer billing data for roughly 100 area businesses, including St. Vincent Health, Methodist Medical Group, and Citizens Gas & Coke Utility. The theft occurred last month. The Indianapolis Metropolitan Police Department and the Indiana Attorney General's office are investigating the incident.

[Editor's Note (Ullrich): This is a good reminder that laptops are not the only computers that "walk away". While server theft is less common, it tends to happen in facilities without 24/7 staffing and in shared hosting facilities without sufficient safeguards. ]

Lost PDA Holds Mass. Home Health Care Data (April 19, 2008)

The Central New England HealthAlliance is notifying 384 patients that their personal data could be at risk of exposure after a home health nurse reported that her handheld computer was missing. Leominster (MA) police have been notified as well. The unencrypted data include names, Social Security numbers (SSNs), and health insurance records and information from the nurse's last seven days of home visits.


Security Manager Gets Involved in Projects Early On (April 21, 2008)

Tired of being perceived as the bad guy who puts the brakes on projects just before they are scheduled to go live? The Computerworld Security Manager's Journal columnist made some changes to his involvement in project development at his company. Previously, projects were not brought to his attention until the operational-readiness phase, known at his company as Phase 5. Now he is brought into the process at the definition phase, known as Phase 2. He has also supplied project teams with a list of "high-level criteria that dictate whether a project needs security consideration," as well as a spreadsheet of requirements to ensure that security is considered from the beginning phases of projects.

[Editor's Note (Weatherford): Very timely! All project managers should get a copy of this article...and the Requirements Spreadsheet. ]


Tool Talk Webcast: Log Management for Security Monitoring and IT Operations
WHEN: Wednesday, April 23, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ansh Patnaik
Sponsored By: ArcSight

While Log Management investments have primarily focused on compliance, the right platform can be used for much more - security monitoring, forensics analysis and IT operations. However, to effectively address these use cases log management solutions must offer a broader set of platform capabilities. It's not just about compliance - it's about analysis optimized data collection, simplicity of ad hoc searches, flexibility of reporting, personalized dashboards, real time correlation alerts and more. Most importantly it's about unleashing the value of logs to a broader set of constituents within the enterprise.

Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
Sponsored By: NIKSUN

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as data, voice and video convergence becomes ubiquitous.

SANS Special Webcast: How to Stop Serious Threats from Evading Detection
WHEN: Monday, April 28, 2008 at 1:30PM EDT (1730 UTC/GMT)
FEATURING: Amit Yoran, CEO NetWitness Corporation
Sponsored By: NetWitness

This Webcast will describe an approach that will enable your organization to detect and stop designer malware, zero-day attacks, and non-signature-based threats to improve overall network visibility, and to detect the leakage and exfiltration of valuable corporate data. We will employ specific technical case studies and demonstrations to highlight the value of such an approach.

Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACT
WHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Core Security

The 2007 "SANS Top 20 Internet Security Risks" report makes it clear that attackers can now circumvent many traditional countermeasures, so simply implementing countermeasures is no longer enough. In fact, short of experiencing a breach, the only way to really know your security posture is by continually testing the defenses you've worked so hard to put in place.

SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
Sponsored By: HP

This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.


Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit