Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #4

January 15, 2008

Two great reads, an apology and a process:
Interesting articles: (1) One of the Storm Center handlers, Maarten Horenbeck, wrote a great article about targeted attacks . Johannes Ullrich recommend it saying, "It is way better than anything else I have seen about these attacks.
(2) And Mike Assante (ex CSO of AEP and now with Idaho National Labs) wrote a paper on parallels between today's cyber vulnerabilities and vulnerabilities in the aqueducts of Rome.

(3) A sincere apology to the security managers who were frustrated by my comment in the last issue about people who write security policies that are never fully implemented. That note broke SANS' cardinal rule of never pointing out a problem without offering a solution. Here's how security managers who get their policies implemented do it: They select the policies that really matter (the ones that are most important for blocking active attacks.. secure configuration is a good place to start) and they publish monthly color charts comparing the organization's divisions using metrics that measure compliance with the policies. They give the charts to top management and the executives make sure the laggards catch up using peer embarrassment.



Mass Web Attack Confounds Law Enforcement and Researchers


Convicted Database Hacker Arrested for Alleged Extortion
Former Cox Employee Gets Prison Time for Causing Outage
TSA Website Exposed Passenger Data
Wisc. State Agency to Drop SSNs as Unique Identifiers
Malware Hiding on Digital Devices
Network-Connected Printer Vulnerability
Polish Teen Faces Charges for Allegedly Manipulating Train System
Barclays Chairman Victim of Identity Theft
Stolen Laptops Hold Nashville Voter Data
Washington Post Writer Details Experience with ID Theft
US-CERT Recommends Disabling Unnecessary Browser Features
Infrastructure Protection Lessons From the Roman Aqueducts

********************* Sponsored By Palo Alto Networks *******************

What would you do if Internet applications you couldn't see were penetrating your firewall right now? How would you even know? What would you do if you did know? What exactly are these applications? And what is their security risk to your network? Now you can get answers to all these questions. Watch and learn!


Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - San Jose (2/2 - 2/8):
- - Phoenix (2/11 - 2/18)
- - Prague (2/18-2/23):
- - SANS 2008 (4/18-4/25) SANS' biggest:
- - and in 100 other cites and on line any-time:



Mass Web Attack Confounds Law Enforcement and Researchers (14 - 7 January 2008)

A massive attack has compromised tens of thousands of web sites, each of which infects visitors with a bevy of exploits including javascrip generated in real time. Forensics are "extraordinarily difficult," says one researcher. Web application vulnerabilities - basically programming errors that allowed SQL injection attacks - accounted for a portion of the infected sites.

Original Jan 7 story:

************************* Sponsored Links: ***************************

1) Utimaco expands reach into Data Leakage Prevention Market with release of SafeGuard LeakProof (TM)

2) Discover the latest security management trends from Jon Oltsik's ESG research in this HP-hosted webinar.

3) Protect your Web applications from SQL injection attacks! Learn how with this HP Software paper.




Convicted Database Hacker Arrested for Alleged Extortion (January 14, 2008)

Jeffrey Robert Weinberg, who last year was convicted of breaking into the Accurint database, has been arrested again, this time for allegedly taking control of an Internet celebrity's MySpace account. A woman known online as Amor Hilton reportedly was locked out of her MySpace account at the end of December and shortly thereafter began receiving phone calls demanding photographs and other activity in exchange for control of her account. Weinberg received a 10-month sentence for the Accurint hack and was released in November to serve three years of supervised release.

Former Cox Employee Gets Prison Time for Causing Outage (January 10, 2008)

William Bryant has been sentenced to five months in prison and five months of home confinement for sabotaging his former employer's computer system. He was also ordered to serve two years of supervised release, perform 200 hours of community service, and pay more than US $15,000 in restitution. Bryant worked at Cox Communications, which provides computer and telecommunications services across the US. When Bryant was asked to resign from Cox, he remotely shut down parts of the company's network, which resulted in loss of services to customers in Texas, Las Vegas, New Orleans, and Baton Rouge. In some cases, 911 emergency services were affected as well. The services were back up within hours of the attack.

[Editor's Note (Skoudis): When we perform security assessments and penetration tests, we sometimes find companies that send sensitive information in clear text across the Internet, from corporate network to corporate network. When we tell them about the risk, they sometimes respond, "But, only the ISP would see that data, so it's not a big deal." As much as we all love our ISPs, don't assume that data going across their network in clear text is safe. It's not. An attacker could redirect the flow, or an unscrupulous ISP employee could intercept it. In this case, the employee impacted availability, but an ISP employee could likewise undermine confidentiality and integrity if you aren't careful. ]


TSA Website Exposed Passenger Data (January 11, 2008)

A congressional investigation found there were security problems with a Transportation Security Administration (TSA) website created to allow people to petition the government to have their names removed from no-fly lists. Nearly 250 people who submitted personal details, including Social Security numbers (SSNs), may be at risk of identity theft. The problem affects people who submitted information to the site between October 6, 2006 and February 13, 2007. An information security graduate student discovered the problem while researching boarding pass security early last year. The security problems include the fact that the site was not hosted on a .gov domain, the home page was unencrypted, as was one data submission page, and the pages that were encrypted were not properly certified. The overall appearance of the site, with misspellings and lack of security, made it easy to mistake for a phishing site. TSA took down the site shortly after the graduate student made his finding public.


Wisc. State Agency to Drop SSNs as Unique Identifiers (January 8 & 10, 2008)

Wisconsin's Department of Health and Family Services will start using randomly generated identification numbers in place of SSNs sometime later this year. The change will affect residents who receive Medicaid and those receiving state-funded disability payments. Just last week, a contractor for the department had printed and mailed newsletters to 260,000 Medicaid recipients with their SSNs on the mailing labels. About 240,000 more newsletters with SSNs visible were prevented from being mailed after the department became aware of the problem. A similar incident occurred about a year earlier.


Malware Hiding on Digital Devices (January 9 & 13, 2008)

There have been three reports of consumers who found that digital picture frames attempted to install malware on devices connected to the frame. The frames were sold in different branches of the same store, suggesting that the source of the infection was the factory or some point during shipping. The malware appears to be a Trojan horse program that hides itself like a rootkit once on a computer and tries to disable the computer's ability to access anti-virus tools. The incidents illustrate the necessity for users to be wary of all digital devices with onboard memory. There have also been reports of hard disk drives and digital music players attempting to install malware on computers. These incidents appear to have been accidental, related to the manufacturing process, but some believe it is just a matter of time before such infections are intentional and malicious. It is also possible that the items were purchased and returned, which would make it possible for someone to install malware on a device and then return it.
[Editor's Note (Ullrich): There have been more than three reports. In some cases, devices came fresh out of the box, in other cases the device was infected by a prior owner, returned and then sold again as refurbished.
(Skoudis): This is pretty serious stuff, but is only coming to light because the media covers it when it impacts consumers. The risk is even greater for business and government procurement of digital devices. ]

Network-Connected Printer Vulnerability (January 9, 2008)

Proof-of-concept code demonstrates how attackers could target network-connected printers with spam. The idea is based on cross-site scripting and could be manipulated to send spam to the printer of someone who visits a maliciously crafted website, or a website vulnerable to cross-site scripting. According to a paper published in November, "many network printers listen on port 9100 for a print job. You can telnet to the printer port and enter text. Once you disconnect from the printer it will print out the text that you send it." The attack could also be used to tell the printer to send a fax, format its hard drive or download firmware. Printers plugged directly into PCs are not vulnerable to the attack. Defensive actions include setting administrator passwords for printers and restricting printer access so that it will only accept jobs from specific servers.

[Editor's Note (Skoudis): Once inside a corporate network, printers offer an attacker (a bad guy or penetration tester) an excellent platform from which to scan or launch further attacks. Printers get far less scrutiny from system and network administrators, and are often wide-open.
(Liston): Several years back, a company I was working for sat on the same class B as another company that was riddled with infected machines and constantly beating on our firewall. They also had a printer open to the world. Phone calls and emails failed to get anyone's attention, but when I mapped their printer and dumped out a nicely formatted anonymous letter telling them to clean up their act (and informing them that their printer was available to anyone on the Internet) things immediately got better. I always wondered when spammers would figure this out... ]


Polish Teen Faces Charges for Allegedly Manipulating Train System (January 11, 2008)

A 14-year-old Polish student is facing charges of endangering public safety for allegedly manipulating the tram system in the city of Lodz with a modified television remote control device. Four trams were derailed as a result of the activity, injuring 12 people. The teenager allegedly modified the remote control device to allow him to change the tracks and control track junctions. The incident illustrates the apparent lack of security of some infrastructure systems. The teenager will face charges in a juvenile court.

Barclays Chairman Victim of Identity Theft (January 10 & 11, 2008)

Barclays Bank chairman Marcus Agius has become the victim of an identity thief. Someone obtained sufficient personal information about the chairman to convince the bank to issue a new card in Agius's name. The thief then used the card to withdraw GBP 10,000 (US$19,574) from Agius's account. The bank has reimbursed the chairman for his losses and established procedures to ensure that the same thing does not happen again.
[Editor's Note (Schultz): I am not kidding when I say that Barclays Bank senior management at Barclays Bank could not have had a better information security-related wake-up call. Being a victim does wonders in sensitizing individuals to the reality of risk.]

Stolen Laptops Hold Nashville Voter Data (January 3, 2008)

Two laptop computers stolen from the Metro Office Building in Nashville, Tennessee, hold the SSNs of approximately 337,000 Nashville voters; the data are not encrypted. The break-in was discovered after a security guard noticed the building was unusually cold; the thieves had broken a window to gain access to the building. The video recorder that could have captured evidence had been unplugged. The guard who was on duty at the time of the theft has been fired. The Davidson County Election Commission and two other departments questioned by the Metro Council's Public Safety Committee about the incident say they have stepped up physical security and have removed voters' SSNs from laptops. Alarms have been placed on video recorders to alert staff. There is some confusion as to whose responsibility it was to encrypt the data. The election commission plans to establish a procedure for making sure laptops are secured after business hours. The Davidson County Election Commission is offering free identity theft protection to affected voters.


Washington Post Writer Details Experience with ID Theft (January 13, 2008)

Washington Post personal finance writer Nancy Trejos relates her experience as the victim of identity theft. She describes what she was required to do to protect her account and credit. First she had to file a complaint with the Federal Trade Commission (FTC) and present it to the police. When she contacted the credit bureaus to place a fraud alert on her credit file, she was given a choice of a renewable 90-day alert or a seven-year alert. When placing an alert on a credit file, just one bureau needs to be contacted and that bureau informs the others. However, if a victim wants to place a credit freeze on the files, each of the three bureaus must be contacted separately. In addition, the officer she spoke to asked her if she had verified the identity of the person from the card company who had called her and alerted her to the fraud in the first place - pointing to the possibility that this could be another avenue for thieves to gather valuable personal and financial information. Another important fact to know is that credit cards offer greater protection from losses than do debit cards.

[Editor's Note (Honan): A growing concern I have is where people are classifying most online fraudulent activities as identity theft. Unauthorised use of a credit card is not identity theft. It is simply credit card fraud. Credit card fraud, as the article points out, results in limited liability to the victim, whereas identity theft has far more serious repercussions as in the previous story --Barclays Chairman Victim of Identity Theft. If we continue to categorise everything as identity theft we run the risk of minimising the seriousness of this type of crime. ]

US-CERT Recommends Disabling Unnecessary Browser Features (January 11, 2008)

The US Computer Emergency Readiness Team (US-CERT) says that many browsers offer increased functionality that may actually be unnecessary for most users and could present vectors of attack for cyber criminals. US-CERT recommends disabling several features including JavaScript, Java and ActiveX controls, plug-ins, cookies, and pop-up windows, unless users feel they are specifically necessary.
[Editor's Note (Skoudis): I try to make sure my security recommendations are reasonable, especially when directed at non-technical consumer-type users. These recommendations are hardly reasonable for 99% of users on the Internet. Disable cookies? Yeah, right. They'll do it for one minute, realize that all of their apps are broken, and then back out _all_ of the other hardening recommendations included in this list. ]

Infrastructure Protection Lessons From the Roman Aqueducts

Michael J. Assante's paper, "Infrastructure Protection in the Ancient World," looks to the Roman Aqueducts to gain insight into the development of critical infrastructure protection, particularly that of our modern electric power grid. He observes that "infrastructures can change from simple conveniences or enabling capabilities to critical necessities relatively quickly once they are put in place." The ancient Romans built their early Aqueducts with protection in mind so their enemies could not disrupt their water supply. When they had gained prominence and were no longer as fearful of physical attacks on the Aqueducts, they built them in a way to show their power, which ultimately gave enemies a way to cut them off from essential provisions.


SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani

Sponsored By: eIQnetworks

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)

Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)

Sponsored By: Lumigent Technologies

SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.

We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry

Sponsored By: Sourcefire

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit