

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #50

June 24, 2008

Tomorrow (Wednesday) is the late registration deadline for savings for SANSFIRE 08 in Washington, DC ( ).



House Approves FISA Amendments Act, Telecoms Get Retroactive Immunity
PCI Standard Section 6.6 Addresses Web Application Security
Microsoft Tool Ousts Password Stealing Malware from 2 Million PCs
Dutch Researchers Break Mifare RFID Technology


Alleged Earthquake Warning Hacker Arrested
Mac OS X Trojans Detected
Apple's Safari Update Addresses Blended Threat
Lost Disk Holds Scottish Ambulance Service Call Data
Stolen Computer Holds Outsourced Human Resources Data
Florida Bank Notifies Customers of Debit Card Data Breach
One-third of IT Professionals Have Snooped on Co-Workers
California Wants ISPs to Join Fight Against Child Pornography

******************** Sponsored By Palo Alto Networks ********************

A Firewall Won Interop 2008 Grand Prize? How can that be? Firewalls haven't changed much in 15 years. Until now! Get to know next generation firewall solutions from Palo Alto Networks, and you'll discover why we won the Interop 2008 Best of Show Grand Prize. Start by learning about patent-pending App-ID technology, our secret sauce!


- - Wash. DC (7/22-7/31) (SANSFire 2008)
- - Singapore (6/30-7/5)
- - Boston (8/9-8/16)
- - and in 100 other cities and online any time:



House Approves FISA Amendments Act, Telecoms Get Retroactive Immunity (June 20, 2008)

The US House of Representatives has approved the Foreign Intelligence Surveillance Act (FISA) Amendments Act, which extends the National Security Agency's blanket permission to conduct surveillance on phone and email traffic going in and out of the US. It also provides retroactive immunity for telecommunications companies that complied with US government orders to allow surveillance between September 11, 2001 and January 17, 2007.


PCI Standard Section 6.6 Addresses Web Application Security (June 23, 2008)

Section 6.6 of the Payment Card Industry (PCI) Data Security Standard will come into effect on June 30. Section 6.6 requires that companies with stored credit card or other consumer financial data install application firewalls around all Internet-facing applications or have all the applications' code reviewed for security flaws.

Microsoft Tool Ousts Password Stealing Malware from 2 Million PCs (June 20, 2008)

The updated version of Microsoft's Malicious Software Removal Tool, released on June 10, has already removed password-stealing malware from more than 2 million PCs. The malicious software targets gaming passwords; on the first day alone, a piece of malware called Taterf was removed from 700,000 machines. The malware often gets onto the PCs through undisclosed flaws.

[Editor's Note (Pescatore): The malware often gets onto PCs because users download and install it. There is no need for "undisclosed" flaws; it is simple social engineering. The answer to the current wave of threats is not patching, it is better in-bound malware blocking and application control for what does get on PCs.
(Skoudis): Those are huge numbers. And, given that the malware steals passwords, those users whose machines have been cleansed of the infection have to assume that their OS and web application passwords were compromised, possibly for banking, e-commerce, and even some enterprise system administrator passwords. I encourage anyone who was infected with these nasties to change their passwords on all of their accounts accessed via the infected machine. ]

Dutch Researchers Break Mifare RFID Technology (June 21 & 23, 2008)

Researchers at a Dutch university have broken the security of the Mifare RFID chip, which is used in the Oyster card, a prepaid smartcard used for travel on UK public transportation. Mifare RFID technology is also used in the UK to access government departments, hospitals and schools. The research was presented to the Dutch Parliament, which earlier this year postponed implementation of a prepaid transportation smartcard based on the same technology. The Dutch government is also replacing Mifare cards used to access government buildings.

[Editor's Note (Schultz): Over the past few years we've seen repeated claims concerning security weaknesses in the RFID chip. It was only a matter of time before there was a proof of concept of how these weaknesses can be exploited in real life settings. ]



Alleged Earthquake Warning Hacker Arrested (June 15, 17 & 23, 2008)

Chinese authorities have arrested a 19-year-old man for allegedly hacking into the website of the Guangxi Seismological Bureau in late May and altering the site to display a phony earthquake warning. The man, identified only as Chen, has allegedly admitted to the attack, saying he wanted to demonstrate his skill. The phony message, which warned of an earthquake of magnitude nine or greater, came just weeks after severe earthquakes in Sichuan province killed thousands of people.



Mac OS X Trojans Detected (June 20, 21 & 23, 2008)

A recently detected Mac OS X Trojan horse program exploits a flaw in Apple Remote Desktop Agent (ARDAgent) to load itself as root and take control of vulnerable machines. The malware has numerous capabilities, including keystroke logging, opening ports in the firewall to evade detection, taking pictures with the built-in camera and turning on file sharing. Users can protect their systems by removing ARDAgent from its normal location and archiving it. A second Trojan affecting Macs pretends to be a poker application and tries to gain secure shell access to vulnerable machines.


[Editor's Note (Pescatore): Since Apple's market share at enterprises will double in 2008, this item and the Safari patches point out that Apple needs to make progress in its secure development life cycle, and enterprises must factor the cost of patching Apple PCs into the acquisition costs or in the costs of letting users use their own Macs for company business.
(Skoudis): The underlying vulnerability here is an old-fashioned SUID root program called ARDAgent that attackers can trick into running code on their behalf as root in a local privilege escalation attack. SUID root programs aren't inherently evil -- a normal system needs several of them for day-to-day operation. But if SUID programs aren't carefully designed and implemented, they could lead to this kind of attack. To get an inventory of all SUID root programs on a Mac or Linux system, you could run: "find / -user 0 -perm -4000". I'm sure attackers are searching for other Mac programs with similar flaws. ]
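The inventory command in the note above, carried one step further as an added example (not from the newsletter, Apple, or any of the editors): record the SUID-root executables on a clean host as a baseline, then report any that appear later, which is how an ARDAgent-style privilege-escalation surface would be noticed if it were added or restored. The SUID_OWNER variable and the baseline paths are assumptions of this example; the default of 0 (root) is the case the note describes.

```shell
#!/bin/sh
# Added example: inventory SUID executables owned by one uid (0 = root by
# default) and diff the current inventory against a saved baseline.
# SUID_OWNER and the file paths below are assumptions for this example.
SUID_OWNER=${SUID_OWNER:-0}

# suid_inventory DIR... : absolute paths of regular files that carry the
# setuid bit and are owned by $SUID_OWNER, sorted so the list is diffable.
# -xdev keeps find on the starting filesystem; errors (unreadable dirs) are
# discarded so the output stays a clean path list.
suid_inventory() {
    find "$@" -xdev -type f -user "$SUID_OWNER" -perm -4000 2>/dev/null | sort
}

# suid_baseline_save DIR BASELINE : record the current inventory as the baseline.
suid_baseline_save() {
    suid_inventory "$1" > "$2"
}

# suid_new_since_baseline DIR BASELINE : print SUID files present now but not
# in the baseline. Returns 0 when nothing new exists, 1 otherwise, so a cron
# job or monitoring agent can alert on the exit status alone.
suid_new_since_baseline() {
    # comm -13 keeps only lines unique to the second input (current inventory).
    _new=$(suid_inventory "$1" | comm -13 "$2" -)
    [ -z "$_new" ] && return 0
    printf '%s\n' "$_new"
    return 1
}

# Typical use (as root):
#   suid_baseline_save / /var/db/suid-baseline.txt       # once, on a clean host
#   suid_new_since_baseline / /var/db/suid-baseline.txt  # daily; exit 1 = new SUID file
```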

Apple's Safari Update Addresses Blended Threat (June 19 & 20, 2008)

Apple has released an updated version of Safari for Windows. The update addresses four vulnerabilities, including one involved in a blended threat that could allow attackers to place malware on the Windows desktop because of a weakness in the way Safari interacts with certain Windows components. The change made involves prompting users before saving downloaded files and changing the default download location in Windows. Apple had previously said it did not consider the flaw to be a security issue.

[Editor's Note (Pescatore): See comment on the previous story. ]


Lost Disk Holds Scottish Ambulance Service Call Data (June 23, 2008)

The Scottish Health Secretary has acknowledged that a Scottish Ambulance Service disk containing details of hundreds of thousands of emergency calls was lost earlier this month. The Scottish government learned of the loss on June 19; the disk was in the possession of a courier company at the time. The compromised data include information about more than 890,000 calls made to the Scottish Ambulance Service's Paisley center since February 2006. The encrypted and password-protected disk was sent on June 9, but it never arrived at its destination.

[Editor's Note (Honan): Too often we read of data being compromised due to it not being encrypted on laptops or other media, so kudos to the Scottish Ambulance Service for taking the steps to encrypt this data. ]

Stolen Computer Holds Outsourced Human Resources Data (June 23, 2008)

Computer equipment stolen from the Walnut Creek, California offices of Colt Express Outsourcing Services contains human resources data of several of the company's clients, including CNET Networks. The compromised data for CNET include names, birth dates, Social Security numbers (SSNs) and employment information of CNET health insurance beneficiaries. Local police are investigating.

Florida Bank Notifies Customers of Debit Card Data Breach (June 23, 2008)

Bank Atlantic in Tampa, Florida has acknowledged that a security breach at an unnamed local merchant compromised some of the bank's customers' MasterCard debit cards. Customers are urged to keep a close watch on their account activity and to apply for a new card. One customer reported being notified of the breach by a phone call.


One-third of IT Professionals Have Snooped on Co-Workers (June 19, 2008)

According to a survey of 300 IT professionals, nearly one-third have abused administrative passwords to look at confidential information about their co-workers. Close to half of the respondents also said they had accessed information that was not related to their positions. Just 30 percent of administrative passwords get changed every quarter, while nine percent are never changed, meaning that even people no longer employed by the company can gain privileged access to the system.
Direct link to survey press release (not full results):


California Wants ISPs to Join Fight Against Child Pornography (June 20, 2008)

California Governor Arnold Schwarzenegger and state Attorney General Edmund G. Brown Jr. have called for Internet service providers (ISPs) to take an active role in stopping the spread of child pornography. Schwarzenegger and Brown sent a letter to the California Internet Provider Association, which has more than 100 members, asking them to follow the lead set by Verizon, Time Warner Cable, and Sprint. Those three ISPs have struck a deal with New York State Attorney General Andrew Cuomo to remove child pornography cached on their servers and to block channels that are known to distribute the offensive content. Some civil liberties proponents have expressed concern with the methods that would be used to block the user groups because such a broad action could stifle legitimate discussions.


[Editor's Note (Pescatore): If scoped and overseen correctly, having ISPs take active roles in filtering or blocking illegal content (including malware) is a very needed thing. However, just as the FISA Amendment Act had to include clauses giving telcos some liability relief, the same thing will have to happen for ISPs. Privacy advocacy groups have valid concerns, but there can be a middle ground to make a dent in the bad stuff without causing open season for frivolous lawsuits against ISPs.
(Guest Editor Donald Smith): The "deal they struck" was a bargain to prevent them from being charged with "fraud and deceptive business practices". I am not saying those ISPs are the "bad guys" but it shouldn't be spun to make them into the "good guys" either. Quoting the story posted at:
"The agreements resulted from an eight-month investigation and sting operation in which undercover agents from Mr. Cuomo's office, posing as subscribers, complained to Internet providers that they were allowing child pornography to proliferate online, despite customer service agreements that discouraged such activity. Verizon, for example, warns its users that they risk losing their service if they transmit or disseminate sexually exploitative images of children. After the ISPs failed to react to the undercover agents' complaints, NY AG Andrew Cuomo threatened them with charges of "fraud and deceptive business practices." ]


SANS Special Webcast: Endpoint Security: Point- Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal

Sponsored By: CoreTrace

The continuous and rapid changes in malware and antivirus solutions are a reflection of the creativity and passion today's hackers and cyber-criminals have for damaging and disrupting an individual or organizational IT environment. As malware improves, better endpoint security solutions must follow. Currently it is unlikely an endpoint system outside of a corporate network could survive a determined attacker's efforts. Classic personal firewall and antivirus solutions are not proving to be enough in the fight against malware, and products in these markets are being replaced with endpoint protection, often using whitelisting techniques, to give enterprises performance gains and a reduction in security-related costs. This webcast will discuss the current trends in endpoint solutions and offer guidance on both commercial and free tools, so that attendees can obtain the functionality they need even if it comes from multiple solutions. Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoints is a best practice.

SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam

This keynote is an introduction to some of the Oracle Database risks that exist, and highlights the "Top 10" critical areas that should be checked when conducting an Oracle database audit.

Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Sponsored By: Mu Security

This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.

SANS Special Webcast: A 2008 Perspective on Malicious Software
WHEN: Tuesday, July 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Lenny Zeltser

In this webcast, Lenny Zeltser surveys the characteristics of today's malware, exemplified by recently-seen bots, downloaders, keyloggers, and malicious scripts. He discusses samples that employed self-defense, social engineering, fast-flux DNS, man-in-the-middle attacks, extortion demands, and so on. Tune in to better understand what we're up against. This talk will expand your perspective of the modern malware landscape, empowering you to adjust your defenses and risk mitigation strategies.

Internet Storm Center: Threat Update
WHEN: Wednesday, July 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich and Michael Yaffe

Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit