
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #37

May 09, 2008

One story is missing from this issue because the press hasn't picked it up yet. Under Chairman Langevin of Rhode Island, the US House of Representatives Subcommittee on Emerging Threats and Cybersecurity just approved a new bill that changes how security will be measured, at least at the Department of Homeland Security. This is the beginning of the end of the huge waste under FISMA and the start of an era of continuous monitoring and automation. Long overdue. Look for news stories over the coming days.


National Security Letter Challenged in Court, FBI Relents
US Legislators Approve Intellectual Property Bill


TorrentSpy Fined Nearly US $111 Million
Microsoft Will Release Four Security Bulletins Next Week
Worm in Firefox Vietnamese Language Pack
Denial-of-Service Flaw in SCADA Software
Adobe Details Flaws Patched in February
Downloader-UA.h Trojan Spreads Via Malicious Media Files
Attack on Epilepsy Foundation Site Designed to Prompt Physical Reaction
Attacker Stole 1.4 Gigabytes of Data in Three Weeks
Are Banks Contributing to the Phishing Problem?
Geometric Representation of a Botnet

********************** Sponsored By Palo Alto Networks ******************

End users are circumventing IT controls and are using a new generation of Internet applications that are creating new security risks for the enterprise. The Application Usage & Risk Report is an analysis of actual application traffic from over 350,000 corporate end users. Learn more by downloading the free report now!


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers?
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org



National Security Letter Challenged in Court, FBI Relents (May 7 & 8, 2008)

The FBI has backed off from an order seeking information about an Internet Archive patron after the Internet Archive filed a lawsuit to block the order. National security letters require no judicial approval and a gag order prevents recipients from discussing the letter with others. The Internet Archive challenged the order "based on a provision of the reauthorized USA Patriot Act, which protects libraries from such requests." The case was settled; the FBI withdrew the NSL and dropped the gag order and the Internet Archive withdrew its complaint. There have been two other instances in which national security letters were challenged in court, and both times, the FBI has backed off from its demands.



[Editor's Note (Schultz): No matter how small it is, this outcome is a victory for individual privacy rights in the U.S. The outcome reverses a trend in which court rulings have for the most part gone against the right to privacy. ]

US Legislators Approve Intellectual Property Bill (May 8, 2008)

By a significant margin, the US House of Representatives has approved the Prioritizing Resources and Organization for Intellectual Property (Pro-IP) Act, which would create the position of US Intellectual Property Enforcement Representative, a presidential appointee within the Executive Office who would act as intellectual property czar. The legislation also gives federal officials the authority to seize equipment used in the creation and distribution of pirated material or obtained through proceeds from intellectual property crimes.

[Editor's Note (Pescatore): It is hard to think of an example where a government "czar" position had much impact, let alone in this type of "let's fight technology" issue. Remember when the copying machine became widespread - imagine how little impact a "PRO-reprint fees" czar would have had. While Digital Rights Management has turned into a dirty word, the HD DVD world is starting to show some innovative approaches to limiting (not eliminating) piracy while allowing fair use and avoiding treating customers like criminals. More of that kind of progress is needed, not more czars. ]

********************** Sponsored Links: *******************************

1) Register today for an upcoming SANS web cast, Ask The Expert Webcast: Enterprise Incident Management with Security Monitoring.




TorrentSpy Fined Nearly US $111 Million (May 7 & 8, 2008)

A federal judge in California has ordered TorrentSpy to pay US $110.9 million in damages for copyright infringement. The Motion Picture Association of America (MPAA) sued TorrentSpy in early 2006, alleging the company "promoted and contributed to online copyright infringement." In December, a judge made a decision in the MPAA's favor, saying TorrentSpy had destroyed evidence that would allow a fair trial. The TorrentSpy site closed down in March of this year, saying the fight was draining its coffers and that it wanted to protect its users' privacy. The judge also issued a permanent injunction against TorrentSpy, prohibiting the defendants from engaging in similar activity in the future.



[Editor's Note (Cole): This is a reminder of why you should look at DLP (data loss prevention) solutions, to not only protect your information but make sure you are not liable for having content you should not have. ]


Microsoft Will Release Four Security Bulletins Next Week (May 8, 2008)

This month, Microsoft says it will release four security bulletins on Patch Tuesday, May 13. Three of the four bulletins have been given severity ratings of critical; the other has been rated important. The patches address flaws in Windows, Word, Publisher and Jet Database Engine. The important bulletin will address flaws in Microsoft's anti-malware products. Two of the four patches will require restarts.

[Editor's Note (Cole): It is critical that organizations have an approach to apply patches within 24 hours. I am seeing patch Tues. and exploit Thurs., where attackers will reverse engineer patches and exploit the systems within 48 hours. Timely patching is no longer a recommendation; it is a requirement. ]

Worm in Firefox Vietnamese Language Pack (May 8, 2008)

Mozilla has issued a warning that the most recent version of the Vietnamese Language Pack for Firefox 2 contains a worm. The file is no longer on Mozilla's servers. The worm allowed remote content to be downloaded onto vulnerable machines. The problem affects users who downloaded the Language Pack on or after February 18, 2008. Users should disable the package until a new version is available. The worm went undetected because the Language Pack was released in February, but an antivirus signature for the malware, the Xorer worm, was not available until mid-April.


[Editor's Note (Skoudis): This story reminds me of the infected Korean language version of Firefox loaded on Mozilla's servers back in September 2005. These sound like fairly targeted attacks to me. ]

Denial-of-Service Flaw in SCADA Software (May 6 & 8, 2008)

A vulnerability detected in certain Supervisory Control and Data Acquisition (SCADA) software could allow attackers to create denial-of-service conditions. The flaw lies in Wonderware's InTouch SuiteLink application running in Windows. The vulnerability could possibly be exploited to execute arbitrary code. Wonderware has released an update to address the flaw; admins are urged to install the patch as soon as possible.

Adobe Details Flaws Patched in February (May 6 & 7, 2008)

Adobe has released details about vulnerabilities in Reader and Acrobat version 8.1.2 that the company patched in early February. In an uncharacteristic move, Adobe released the fixes three months ago without clarifying how many flaws were patched or how they could be exploited, although it did note that the flaws could be exploited to "cause the application to crash and ... potentially allow an attacker to take control of the affected system." Six of the eight flaws affect JavaScript.


Downloader-UA.h Trojan Spreads Via Malicious Media Files (May 7, 2008)

The Downloader-UA.h Trojan horse program spreads through maliciously crafted media files. The malicious MP3 and MPEG files are placed on filesharing networks and have varying names and sizes to avert suspicion. When users try to play the files, an application called PLAY_MP3.exe is downloaded onto their PCs instead. Once the malware is on a user's computer, it begins to inundate that PC with advertisements. The Trojan presents users with an end-user license agreement (EULA).
[From Internet Storm Center (Bojan Zdrnja): The article on McAfee's web site was actually confusing (they posted an update later). These were not MP3 or MPEG files, they were ASF files so they were able to have a script stream which caused Windows Media Player to open a browser and prompt the user to download (and execute) a binary. I posted a diary about that last week at
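
As an added illustration of the mechanism the ISC note describes (example code written for this edition, not from McAfee or the ISC diary): a small Python parser that walks an ASF header, lists the script commands in the file, and flags the URL command type that makes Windows Media Player open a browser. The GUID values are the ones the ASF specification assigns to the Header Object and the Script Command Object; the sample file and its placeholder address are constructed here, not taken from the malware.

```python
import struct
import uuid

# GUIDs as assigned in the ASF specification; ASF stores them in Microsoft
# little-endian layout, which is exactly what uuid.UUID.bytes_le produces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def _wstr(s):
    """WORD length in WCHARs followed by UTF-16LE text, the ASF string layout."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

def build_script_command_object(commands):
    """Construct a Script Command Object from (time_ms, type, name) tuples (sample only)."""
    types = sorted({t for _, t, _ in commands})
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))  # reserved GUID, counts
    body += b"".join(_wstr(t) for t in types)
    for time_ms, t, name in commands:
        body += struct.pack("<IH", time_ms, types.index(t)) + _wstr(name)
    return ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body

def build_sample_asf(objects):
    """Wrap header objects in a top-level ASF Header Object (no data packets)."""
    body = b"".join(objects)
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(body), len(objects), 1, 2) + body

def _parse_script_object(body):
    """Decode the command type table and command list of one Script Command Object."""
    n_cmd, n_types = struct.unpack_from("<HH", body, 16)  # counts follow the reserved GUID
    off, types, cmds = 20, [], []
    for _ in range(n_types):
        (n,) = struct.unpack_from("<H", body, off)
        types.append(body[off + 2:off + 2 + 2 * n].decode("utf-16-le"))
        off += 2 + 2 * n
    for _ in range(n_cmd):
        time_ms, idx, n = struct.unpack_from("<IHH", body, off)
        name = body[off + 8:off + 8 + 2 * n].decode("utf-16-le")
        cmds.append((time_ms, types[idx] if idx < len(types) else "?", name))
        off += 8 + 2 * n
    return cmds

def extract_script_commands(data):
    """Walk the ASF header; return (presentation_time_ms, command_type, command_name) tuples."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container")
    (header_size,) = struct.unpack_from("<Q", data, 16)
    end, pos, found = min(header_size, len(data)), 30, []
    while pos + 24 <= end:
        guid, (size,) = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:  # size >= 24 also guarantees the loop advances
            raise ValueError("malformed header object at offset %d" % pos)
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(_parse_script_object(data[pos + 24:pos + size]))
        pos += size
    return found

def has_url_script(data):
    """True if any script command is of type URL, i.e. the player would open a browser."""
    return any(t.upper() == "URL" for _, t, _ in extract_script_commands(data))

# Constructed sample: a URL command at 0 ms mirrors the lure described above.
# The address is a placeholder (example.invalid), not a real indicator.
SAMPLE_ASF = build_sample_asf([build_script_command_object(
    [(0, "URL", "http://example.invalid/PLAY_MP3"), (5000, "CAPTION", "hello")])])
```

A gateway or mail filter can apply `has_url_script` to ASF/WMA/WMV attachments and downloads; a media file that carries a URL script command at presentation time 0 deserves a closer look.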



Attack on Epilepsy Foundation Site Designed to Prompt Physical Reaction (May 8, 2008)

The FBI is investigating a data security breach in which the attackers placed animated content on the Epilepsy Foundation's website, causing some people viewing the site to suffer migraines and near-seizure reactions. The Foundation's website no longer allows users to post animated images or links to other sites; it is also being moderated 24 hours a day.

[Editor's Note (Schultz): This is to the best of my knowledge the first cyberattack of this nature. In addition to data security breaches, denial of service attacks, intrusions, malware attacks, phishing, and so on, there should now be a new category of attacks--attacks designed to physically harm users.
(Skoudis): This is a very disturbing story of a truly wicked attack, reminiscent of Neal Stephenson's Snow Crash book. As we more closely integrate biology and information technology, with software-controlled healthcare systems, pacemakers, and even SCADA systems, I can't help but think we'll eventually see fatalities based on cyber attack. I'm not trying to spread FUD... I come to this realization with a very heavy heart. ]


Attacker Stole 1.4 Gigabytes of Data in Three Weeks (May 6 & 7, 2008)

Law enforcement agencies and financial institutions in the US, Europe and India have been notified of the discovery of a large cache of sensitive data on a server in Malaysia. The server was also running a botnet. The 1.4 gigabytes of compromised information includes personnel files, medical records, credit card and Social Security numbers (SSNs), and confidential business communications, all collected within a three-week period. The server on which the data were found had no security at all.


Are Banks Contributing to the Phishing Problem? (May 1, 2008)

A study from UK payments industry association APACS indicates that phishing attacks are on the rise. This may be attributed in part to user awareness and increased incident reporting. However, some feel that banks need to do more to protect their customers from phishers. The new banking code issued by the British Bankers Association (BBA) in April offers advice to customers to avoid being victimized by online fraud, but does not include a pledge from banks to stop sending emails that confuse the phishing situation. While users are routinely advised that their financial institutions will not ask for PIN numbers or login credentials, some banks still send legitimate emails to customers that contain links they want the customers to follow.
[Guest Editor's Note (John Carlson, Senior Vice President BITS): Financial institutions use the email channel both to communicate information and to prompt a variety of customer responses. It is becoming less and less common for institutions to include links in these emails, but we are not aware of any collective prohibitions on doing so. At both the institution level and the industry level, we are seeing accelerating adoption of encryption, mutual authentication and secure portals.
(Pescatore): Until the banks make the investments required to use Internet email as a secure channel to communicate with customers, they *should* have a collective ban on including links in email. If they don't protect their customers, customers should go back to calling banks 800 numbers - customers will be more secure and banks will see huge increases in customer support costs that might prompt them to move faster in "accelerating" the use of those technologies. ]

Geometric Representation of a Botnet (May 6, 2008)

This interactive botnet map was created by researcher David Vorel and annotated by Scott Berinato.
[Editor's Note (Pescatore): (Notice: attempt at humor) The only thing I have seen that is more complicated is the org chart at the Department of Homeland Security... ]


Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich

Sponsored By: Core Security

The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: PacketMotion

Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."

WHEN: Tuesday, May 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rush Carskadden

Sponsored By: Cisco Systems

Effective mitigation of application-layer threats requires defeating attempts to obfuscate malicious headers and payloads. However, active evasion protections can introduce misleading results in the testing of a network IPS. This session will present well-known and recent obfuscation techniques, methods for their mitigation and prevention, and guidelines for effective testing.

SANS Special Webcast: Understanding and Selecting a Database Activity Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
Sponsored by the Following:


Thanks to increasing compliance requirements and growing security threats, enterprises must adopt new strategies and techniques to protect their databases. Security and database administrators are charged with protecting these essential corporate assets, but are challenged to improve security and auditing in the least intrusive way possible. Database Activity Monitoring is emerging as a powerful tool to ensure compliance while detecting, and sometimes preventing, database attacks and internal abuse. In this webcast independent consultant Rich Mogull will review the inner workings of Database Activity Monitoring, highlight key features, and present a three step selection process.

Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
Sponsored By: Prism MicroSystems

Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.


Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/