SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #37

May 08, 2007

A little help, please. We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable? Do you think the current categorization is OK or can you think of improvements Are there any things we can do to improve the value of the Top20 for you to put it to use? Just reply to this email with your comments. And thanks.
Alan

---

TOP OF THE NEWS

Legislators Get Busy with Data Breach Notification Bills
Royal Bank of Scotland Will Provide Customers with Chip-and-PIN Readers

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Teen Gets Probation, Community Service for Cyber Intrusion
Russian Principal Fined for Using Pirated Software in School
Michigan Man Sentenced for Selling Pirated Software on eBay
Student Arrested in Connection with Attacks on Estonian Government Web Sites
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing TSA Hard Drive Holds Info. on 100,000 Employees
POLICY & LEGISLATION
Singapore Issues Guidelines for Protecting Biomedical Research Participant Data
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Russia and China Top US Trade Priority Watch List for Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Pretends to be Windows Activation Program
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Marks & Spencer Employee Data
STATISTICS, STUDIES & SURVEYS
Portable Storage Devices Top List of Security Concerns
MISCELLANEOUS
PCI Merchant Level Reclassification Brings New Security Challenges
TJX Data Thieves Got In Through Wireless Network

---

********************* Sponsored By ArcSight, Inc. ***********************

Free Whitepaper: Guide to Selecting a SIM Solution for Insider Threat

An attack from a malicious insider can be just as devastating as a security breach from outsiders. But insider attacks are often more difficult to detect. Learn the top 10 best practices for selecting a software solution with this free whitepaper. Brought to you by ArcSight, the ESM leader that turns data into action.
http://www.sans.org/info/6796
*************************************************************************
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts

No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/

If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.

*Complete schedule: http://www.sans.org/training/bylocation/index_all.php
*SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************

---

TOP OF THE NEWS

Legislators Get Busy with Data Breach Notification Bills (May 3, 2007)

US Representative Tom Davis (R-Va.) has once again introduced legislation that would require organizations experiencing data breaches to notify affected individuals promptly. The bill would have the Office of Management and Budget (OMB) establish practices and policies to support timely notification. The Senate Judiciary Committee has also approved two bills that would require notification about data security breaches.
-http://www.scmagazine.com/us/news/article/655110/davis-reintroduces-federal-brea
ch-reporting-act-house/
-http://www.fcw.com/article102630-05-03-07-Web&printLayout
[Editor's Note (Skoudis): I'm honestly surprised it's taking so long to get a law like this put into place at the federal level. The states have led the way, with considerably more than half of them having some form of breach notification law. And, even if you operate in a state that doesn't have such a law, chances are, you have business dealings (customers, employees, business partners, etc.) where such laws are on the books. Thus, if you have a breach, you need to work closely with your legal team to determine how to disclose appropriately, regardless of your own state's laws. Plan for this in advance, just in case something bad happens, so all the decision makers are known. ]

Royal Bank of Scotland Will Provide Customers with Chip-and-PIN Readers (May 2, 3 & 4, 2007)

The Royal Bank of Scotland (RBS) will provide all its online banking customers with chip-and-PIN readers to use at home. Customers will not be charged for the devices, which work by providing a one-time password generated with the use of the customer's bank card and a "challenge" code provided by the bank. Users who want to use online banking services to check balances and pay bills will be able to continue those tasks without the use of the reader. Barclay's Bank is in the midst of deploying chip-and-PIN readers to 500,000 of its online customers.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39286964-39001093c,00.htm
-http://www.computerworlduk.com/technology/security-products/authentication/news/
index.cfm?newsid=2843
-http://www.computerweekly.com/Articles/2007/05/03/223620/rbs-to-issue-online-ban
king-customers-with-smartcard.htm
[Editor's Note (Schultz): Because of growing risks in connection with customer banking transactions, what RBS and Barclays Bank are doing will become a standard practice within the international banking community in the near future. (Northcutt): Chip and PIN can help, but the certainly are only a tiny part of the solution, see Bruce Schneier's blog on easy to remember PINs:
-http://www.schneier.com/blog/archives/2005/01/easytoremember_1.html
And if you search for Tetris, you can find fairly vague stories on breaking the security of chip and PIN:
-http://hardware.slashdot.org/article.pl?sid=07/02/06/1646247
And of course being a new technology it is considered evil until proven innocent, here is a study showing chip and PIN leads to the poorhouse:
-http://news.scotsman.com/uk.cfm?id=423682007]

---

*********************** Sponsored Links: ******************************

1) SAVE BIG! Get 30% off of any of upcoming courses when you sign up for OnDemand's pre-paid program. Check out our full list of upcoming courses http://www.sans.org/info/6801. For more information or to request a pre-paid from please contact ondemand@sans.org.
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Teen Gets Probation, Community Service for Cyber Intrusion (May 7, 2007)

A Golden (Co.) High School student was sentenced to one year of probation for breaking into the school's computer system and changing his grades. The 17-year-old was arrested earlier this year after breaking into the school through a skylight, then breaking into his counselor's office. He pleaded guilty this week to computer crimes, unlawful accessing and altering. He was also ordered to provide 80 hours of community service and to pay restitution.
-http://www.thedenverchannel.com/news/13272734/detail.html

Russian Principal Fined for Using Pirated Software in School (May 7, 2007)

A Russian court has fined a school principal 5,000 rubles (US $194), roughly half his monthly salary, for using pirated copies of Microsoft software on a dozen of his school's computers. Alexander Ponosov maintains he did not know the computers contained pirated software when they were delivered; the software came pre-installed. Ponosov plans to appeal the ruling. The case was initially thrown out of court in February because the losses to Microsoft were considered to be insignificant, but both parties appealed that decision; Ponosov's reason for appealing was that he was not cleared of the charges. Microsoft says Russian authorities initiated the proceedings and that the company has no plans to file charges against the principal. Former Russian president Mikhail Gorbachev has asked Bill Gates to intervene on Ponosov's behalf.
-http://www.eweek.com/article2/0,1759,2126686,00.asp?kc=EWRSS03119TX1K0000594
-http://www.usatoday.com/tech/news/techpolicy/2007-05-07-russian-principal-piracy
_N.htm?csp=34
[Editor's Note (Grefer): There is a considerable discrepancy between the fine of 5,000 rubles and the losses, found by the court to be 266,000 rubles. If this case had been based on BSA proceedings, though, it might never have gotten to court, but rather ended with an obligation for the school to obtain proper licenses. Given the prices listed at
-http://allsoft.ru/microsoft.php,
the Russian pricing for the operating system, however, seems to be out of touch with Russian incomes and rather be based on the US pricing. Having to spend half their monthly gross salary on a copy of Windows is counter-intuitive. Relative to monthly income, US prices for Windows are at least one order of magnitude lower. ]

Michigan Man Sentenced for Selling Pirated Software on eBay

A Michigan man who sold more than US $1 million worth of counterfeit Rockwell Automation software on eBay has been sentenced to five months in prison followed by five months of home confinement. James Thomas has also been ordered to pay Rockwell US $15,660 in restitution. Thomas is not the only person to target Rockwell; in March, Courtney Smith of Anderson, Indiana was sentenced to 27 months in prison for selling pirated Rockwell software in eBay.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199204272
In a story we ran last week, four men pleaded guilty to selling Rockwell software on eBay.
-http://www.infoworld.com/article/07/04/26/HNfourpleadguilty_1.html

Student Arrested in Connection with Attacks on Estonian Government Web Sites (May 1, 5 & 7, 2007)

A 19-year-old student has been arrested in connection with a spate of attacks on Estonian government web sites. The suspect is identified only as Dmitri; he allegedly posted instructions for conducting denial-of-service attacks as well as calls for launching attacks against Estonian servers. The cyber attacks were spurred by civil unrest following Estonia's removal of several Soviet monuments in its capital city of Tallinn as well as the excavation of WWII Red Army graves. Authorities expect to arrest more suspects.
-http://www.theregister.co.uk/2007/05/07/estonian_attacks_suspect/print.html
-http://www.hs.fi/english/article/Organiser+of+Internet+DoS+attacks+arrested+in+E
stonia+/1135227074182
-http://www.theregister.co.uk/2007/05/01/estonian_riots/print.html
[Editor's Note (Skoudis): This case is an excellent example of politically motivated computer attacks, something that has fallen below the radar screen of some organizations with the huge rise in money-making computer attack schemes (spyware, phishing, etc.) In fact, given all the focus on thwarting malware-for-profit schemes, this attack seems almost old fashioned. But, we need to be diligent in fighting both kinds of threats, especially government agencies. Kudos to those who helped find the perpetrator of this attack. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Missing TSA Hard Drive Holds Info. on 100,000 Employees (May 4 & 5, 2007)

The US Transportation Security Administration (TSA) has acknowledged that a hard drive containing personally identifiable information of approximately 100,000 current and former employees is missing. The breach affects individuals employed by the TSA between January 2002 and August 2005. The payroll data on the drive include names, Social Security numbers (SSNs) and bank account and routing numbers. Employees were notified of the situation by email on Friday, May 4. The TSA became aware the drive was missing from the TSA Headquarters Office of Human Capital on May 3; the FBI and the US Secret Service have been asked to investigate.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018678&source=rss_topic17
-http://www.usatoday.com/news/washington/2007-05-04-harddrive-tsa_N.htm?csp=34
-http://www.govexec.com/story_page.cfm?articleid=36816&dcn=todaysnews
-http://www.washingtonpost.com/wp-dyn/content/article/2007/05/04/AR2007050402152_
pf.html
-http://www.tsa.gov/press/happenings/050407_statement.shtm
[Editor's Note (Northcutt): I was reading an article by Richard Hammer and it included the text from Alan Paller's commencement speech from the first SANS Technology Institute graduation. There were some really scary points in that article and it makes it all the harder to swallow self inflicted wounds like this one from the folks that are supposed to keep us safe. The article with the speech can be found here:
-http://www.sans.edu/resources/leadershiplab/cyber_security_lead.php
(Kreitner): Given the obvious decrease in respect, trust, and credibility that organizations suffer as a result of episodes like this, I just can't fathom why top management doesn't establish policies that: (1) designate a single person as accountable for each laptop, (2) make automatic termination the consequence of losing the laptop, (3) require all new laptop purchases to come with encryption capability, and (4) make use of that encryption capability mandatory with automatic termination the consequence for failure to do so. Is that rocket science for enterprise leaders? Where are the real leaders out there in enterprise-land?
(Grefer): Repeat after me: "All personally identifiable information should be encrypted at rest as well as in transit." ]

POLICY & LEGISLATION

Singapore Issues Guidelines for Protecting Biomedical Research Participant Data (May 7, 2007)

Singapore's Bioethics Advisory Committee has released guidelines to protect personal information of individuals participating in biomedical research. The researchers will bear the burden of protecting participants' personal data. If they violate the guidelines, they could face fines or jail time. There is similar legislation already in effect in other countries, including Sweden, Germany, the UK and the US.
-http://www.channelnewsasia.com/stories/singaporelocalnews/view/274730/1/.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Russia and China Top US Trade Priority Watch List for Piracy (April 30 & May 1, 2007)

Office of The United States Trade Representative has released a report "examining in detail the adequacy and effectiveness of intellectual property rights protection in 87 countries." The report includes a "priority watch list" of the top 12 countries that are not taking adequate steps to protect intellectual property copyrights. China, where "infringement levels remain unacceptably high," and Russia are at the top of the list. The US government has already filed a complaint against China with the World Trade Organization alleging unfair trade practices, which include "failing to enforce its laws protecting American copyrights and patents."
-http://news.bbc.co.uk/2/hi/entertainment/6612685.stm
-http://www.cio-today.com/story.xhtml?story_id=13200EQLATPC
-http://www.ustr.gov/assets/Document_Library/Reports_Publications/2006/2006_Speci
al_301_Review/asset_upload_file473_9336.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan Pretends to be Windows Activation Program (May 4, 2007)

A Trojan horse program called "Kardphisher" pretends to be a Windows activation program in an attempt to elicit credit card details from unsuspecting users. After machines become infected, users get a screen telling them that someone else has activated their copy of Windows, and that "to help reduce software piracy,
[they should ]
reactivate their copy of Windows." They are told they will need to provide their billing information, but that their credit card will not be charged. Clicking "no," shuts down their computers; clicking "yes" pops up a second screen that asks for name and credit card information. PCs running Windows 95, 98, 2000, NT and Server 2003 are vulnerable to the attack. Kardphisher has been detected in the wild.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018645&source=NLT_SEC&nlid=38
[Editor's Note (Skoudis): Not to be evil or anything, but this just seems poetic. Microsoft pops up messages asking for personal information to help thwart piracy, so bad guys pretend to be Microsoft asking for personal information. In retrospect, I suppose it was inevitable. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Holds Marks & Spencer Employee Data (May 5, 2007)

UK retailer Marks and Spencer (M&S) has informed 26,000 employees that a laptop computer containing their personal information was stolen from a printing company. The compromised data include addresses, dates of birth, national insurance numbers and salary information. The computer was stolen on April 18 from a company that had the data so it could send information about changes in M&S employees' pension plans to them.
-http://news.bbc.co.uk/2/hi/programmes/moneybox/6626581.stm
-http://www.channel4.com/news/articles/uk/laptop+theft+risk+to+ms+staff+ids/49968
7

STATISTICS, STUDIES & SURVEYS

Portable Storage Devices Top List of Security Concerns (May 7, 2007)

A study of IT managers found that portable storage devices topping their lists of security concerns. It is all too easy for someone to quickly load sensitive data onto a flash drive or an MP3 player and walk out of an office undetected, or to lose a flash drive loaded with sensitive information. Eighty percent of respondents said their organizations do not have "effective measures" for preventing misuse of portable storage devices. Just 8.6 percent have imposed a ban on such devices in their workplaces. Despite their worries about the devices, 65 percent of IT managers say they use flash drives daily.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199300021
-http://www.net-security.org/secworld.php?id=5103
[Editor's Note (Skoudis): Rather than just fretting about these, you need to either: 1) outlaw them in your organization... good luck on that, 2) provide training in how to encrypt such devices and offer encryption solutions that protect them (like at least the Encrypting File System if they are used with Windows machines and formatted NTFS), or 3) Require that people use corporate-approved devices that offer built-in encryption. The third solution is the nicest, but most costly. ]

MISCELLANEOUS

PCI Merchant Level Reclassification Brings New Security Challenges (May 7, 2007)

Less than two years after it began accepting credit card payments, Indianapolis-based Steak n Shake Co. was thrust from Level 4 merchant classification under the Payment Card Industry (PCI) Data Security Standard into Level 1 merchant classification. With that move came added requirements to comply with the standard and protect customer data. The company's director of strategic technology services said the "PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold." Level 1 merchants "are required to undergo quarterly network security scans and an annual on-site security audit" in addition to implementing the 12 security controls required of all merchants. Steak n Shake has made a number of changes, including shifting to "a log-in system based on Active Directory that can be centrally monitored and managed...
[so the company knows ]
who is accessing what when and where;" deploying tools for central management of IT assets at the restaurants and for pushing out updates and patches; and "replacing VSAT satellite communication links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections." Steak n Shake, which operates more than 450 restaurants in the Midwest and Southeast US, did not reveal what the changes would cost.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=291415&source=rss_topic17
[Editor's Note (Kreitner): Wonderful! This is exactly the kind of change the PCI standard is intended to effect in organizations handing our payment cards. Nobody said better security was free.
(Schultz): After all the whining is over, Steak n Shake senior management will at some point in time realize that the resources it had to expend to conform to PCI DSS Level 1 requirements will have been wisely invested. The alternative is to run a high risk of having the same thing that happened to TJX occur; TJX has experienced mounting financial losses and severe damage to its reputation because of failure to secure its personal and financial information. Additionally, lawsuit-after-lawsuit has been filed against this company.
(Grefer): Quarterly network security scans and adherence to the 12 security controls are required at all four levels. The primary differentiator is the number of transactions.
-http://usa.visa.com/merchants/risk_management/cisp_merchants.html
-http://www.mastercard.com/us/sdp/merchants/merchant_levels.html]

TJX Data Thieves Got In Through Wireless Network (May 4, 2007)

According to the Wall Street Journal, the TJX data thieves began their attacks outside a Minnesota Marshall's store; with the help of an antenna, they were able to access the store's wireless network and from there, gain access to the company's main server in Framingham, Massachusetts. TJX apparently secured its wireless network with nothing more than the Wired Equivalent Privacy protocol (WEP). The company had no firewalls in place and had not deployed available software patches. TJX is facing 21 lawsuits stemming from the breach. It is possible that some information was gleaned while customers were awaiting approval of their credit card purchases; TJX transmitted that information unencrypted, which violates the security guidelines set by the credit card companies.
-http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/print.html
-http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMD
E3NzA4NDIwNDQ0Wj.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/