SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #50
June 26, 2007
If you are interested in how companies are getting the security bugs out of software, at the end of this issue you will find the agenda for the Application Security Summit. http://www.sans.org/appsummit07/ And Wednesday June 27 is the final day for savings on SANSFIRE 2007's 56 courses in Washington: http://www.sans.org/sansfire07/
TOP OF THE NEWS
NZ Banks Can Examine Online Customers' PCs for Security
Google Could Pull Gmail From Germany if Draft Legislation Becomes Law
Merchants, Banks Debate Who Bears More PCI Compliance Burden
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Alleged Belgian Police Website Defacer Arrested
Arrest in Symbian Malware Case
DrinkorDie Ringleader Gets 51 Month Sentence
POLICY & LEGISLATION
Oregon Senate Approves Data Breach Notification Bill
SPYWARE, SPAM & PHISHING
Australian Authority Fines Spammers
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Nets GBP 250,000 (US $500,000) Settlement
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Online Employment Firm Exposes Client Data
Stolen Laptop Holds Ohio Workers' Compensation Data
Stolen Laptop Holds Prince's Sensitive Data
Stolen Laptop Holds Texas First Bank Data
Phony Shockwave Sites
MISCELLANEOUS
BP to Weave IT, Physical and Corporate Security Together
What Would a Cyberwar Look Like?
*********************** Sponsored By SenSage, Inc. **********************
FREE NEW WHITEPAPERS AND WEBCASTS on Insider Threats and PCI. Brought to you by SenSage, the only patented SIM solution that enables regulatory compliance and mitigation of security risks such as insider threats.
Download whitepapers at http://www.sans.org/info/9566
Recent web casts available via http://www.sans.org/info/9571
*************************************************************************
SANS TRAINING UPDATE: SANSFIRE deadline for savings is Wednesday, June 27. In the next 120 days SANS training will be available in more than 30 cities in five countries, with the biggest programs in Washington DC at the end of July and Las Vegas at the end of September. Complete schedule at: http://www.sans.org/training/bylocation/index_all.php Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live online, asking questions in real time - very cool - called SANS@HOME http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/
*************************************************************************
TOP OF THE NEWS
NZ Banks Can Examine Online Customers' PCs for Security (June 25, 2007)
A new banking Code of Practice in New Zealand allows banks to request access to the PCs of their online customers who are disputing transactions so that they may examine the machines for adequate security protection. If Internet banking customers "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and anti-spam software on the device are up to date," they will be liable for losses incurred due to unauthorized transactions. Customers could also be held liable for losses if they use obvious passwords, or share or keep a written or electronic copy of their personal identification number(s). The banks have the authority to refuse the claim if the customers do not agree to the request to examine the devices.
-http://computerworld.co.nz/news.nsf/news/FDA3CE33D73B5B82CC257302000B0EE8
[Editor's Note (Liston): I started off thinking about it like this: If you walk to the bank through a bad neighborhood, carrying cash, would you seriously consider that the bank should reimburse you for getting mugged? But then, I started thinking: What if your bank only built branch locations in really bad neighborhoods? Now, I just don't know what to think...
(Schultz): This new banking Code of Practice superficially seems fair. If customers do not adequately protect their computers, they should not be exempt from the consequences of bad transactions. At the same time, however, I dread to think of the potential for privacy infringement if customers must now allow banks to examine customers' computers if customers are to be allowed to dispute transactions. ]
Google Could Pull Gmail From Germany if Draft Legislation Becomes Law (June 25, 2007)
Google has said it may shut down Gmail in Germany if the country decides to enact draft legislation requiring Internet and email service providers to store users' data in a way that allows them to be identified. Google stands committed to providing its users with the option of anonymous email accounts.
-http://www.heise.de/english/newsticker/news/91681
-http://www.computerworld.com.au/index.php/id;1844663436;fp;2;fpid;1
[Editor's Note (Liston): This legislation represents Germany's implementation of the European Mandatory Data Retention Directive adopted in 2006. Expect other nations within the EU to adopt similar legislation as the March 2009 deadline for implementation approaches. The directive requires the retention of data necessary to trace and identify the source, destination, date, time, duration, type, and communication device for any fixed network telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony communication. Additionally, any available location information for mobile communication must be retained as well. Data must be retained from 6 to 24 months. ]
Merchants, Banks Debate Who Bears More PCI Compliance Burden (June 25, 2007)
Banks apparently feel that the burden of Payment Card Industry (PCI) Data Security Standard compliance is being unfairly placed on their shoulders instead of on those of the merchants where, they maintain, the significant data breaches have occurred. Some of the banks have also expressed frustration that when they have made efforts to implement measures to comply with PCI, they have found that the requirements have changed. Merchants, however, feel that banks have taken on very little of the burden of making sure systems are PCI-compliant. Gartner analyst Avivah Litan agrees, saying "all of the [PCI standard] enforcement has been on the processing and retailer side."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=297167&taxonomyId=17&intsrc=kc_top
[Editor's Note (Northcutt): Attorney Ben Wright, who teaches the law courses for SANS, was making this point at an evening session at our recent STAR TECH conference in Phoenix. The credit card system is inherently insecure, otherwise loss of numbers would not be such a big deal. The credit card companies continue to raise the ante on the merchants and penalize them. If the merchants band together, they should be able to put pressure on the credit card companies. The problem will likely get worse, as Ben points out: "The obligation imposed on merchants does not come with any quid pro quo for merchants - as might happen in a negotiated ecosystem." Links to Ben's article and course are shown below:
-http://www.sans.edu/resources/leadershiplab/cc_data_mn_law_bw1.php
-http://www.sans.org/training/description.php?mid=122]
************************ Sponsored Links: *****************************
1) ALERT: "How a Hacker Launches an XPath Injection Attack!"- SPI Dynamics White Paper
http://www.sans.org/info/9576
2) SANS Web Cast featuring Dr. Eric Cole, "Correlating SIM information to Detect Insider Threats" Register and Listen Today.
http://www.sans.org/info/9581
3) Save Time, Avoid Headaches with one solution. Protect your business from malware with CA Threat Manager.
http://www.sans.org/info/9586
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Alleged Belgian Police Website Defacer Arrested (June 25, 2007)
Police in Belgium arrested a 17-year-old for allegedly defacing the federal police web site. A note left on the site suggested it had weak security. The young man has been released and will be summoned to a minors' court at a later date. A note posted to the site following the arrest stated that the perpetrator had been caught within 24 hours.
-http://www.smh.com.au/news/Technology/Teen-arrested-for-hacking-Belgian-police-website/2007/06/25/1182623818050.html
Arrest in Symbian Malware Case (June 25, 2007)
Police in Spain have arrested a man believed to be responsible for creating and releasing more than 20 variants of the Cabir and Commwarrior worms that infected more than 115,000 mobile phones. The malware targeted phones running the Symbian operating system and arrived disguised as messages claiming to be virus protection, adult images, or sports information. The malware reportedly caused millions of Euros in damage. The arrest is the culmination of a seven-month investigation.
-http://www.vnunet.com/computing/news/2192789/spanish-virus-author-arrested
-http://www.heise-security.co.uk/news/91674
-http://www.theregister.co.uk/2007/06/25/spain_mobile_virus_arrest/print.html
[Editor's Note (Liston): Cabir is a Bluetooth-based worm limited to the Symbian Series 60 phone. It requires the victim phone to be Bluetooth "discoverable" and needs user interaction to install. Somehow I find the estimates of 115,000 phones and millions of Euros of damage to sound a bit "padded."
(Grefer): Users of Symbian OS based phones might benefit from using one of the anti-virus products available for this operating system, such as Symantec Mobile Security for Symbian, F-Secure Mobile Anti-Virus, SimWorks Anti-Virus and Kaspersky Anti-Virus Mobile, to name but a few. The same or similar products are available for phones based on the Windows Mobile operating system. ]
DrinkorDie Ringleader Gets 51 Month Sentence (June 22, 23 & 25, 2007)
Hew Raymond Griffiths, a British national living in Australia, was extradited to the US in February 2007 where last week he was sentenced to 51 months in prison for his role in orchestrating the DrinkorDie international digital piracy group. Griffiths spent three years in detention in Australia while fighting his extradition. It is unknown if the time served in Australia will be subtracted from his sentence in the US. Griffiths could have been given a maximum sentence of 10 years in prison and a US $500,000 fine.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39287700-39001093c,00.htm
-http://www.channelregister.co.uk/2007/06/23/drink_or_die_ringleader_jailed/print.html
-http://www.infoworld.com/article/07/06/22/Copyright-infringer-sentenced_1.html
POLICY & LEGISLATION
Oregon Senate Approves Data Breach Notification Bill (June 23, 2007)
The Oregon Senate has unanimously approved data breach notification legislation. Senate Bill 583 would require organizations maintaining sensitive personally identifiable data to notify individuals in the event of a data breach that could put their information at risk of misuse. The bill also allows affected customers to place freezes on their credit files. In addition, "the bill sets standard safeguards for organizations handling personal information." Senate Bill 464, also awaiting the governor's signature, establishes steep penalties for repeat and multiple aggravated identity theft offenders.
-http://www.statesmanjournal.com/apps/pbcs.dll/article?AID=/20070623/LEGISLATURE/706230341/1042
SPYWARE, SPAM & PHISHING
Australian Authority Fines Spammers (June 22, 2007)
The Australian Communications and Media Authority has imposed a fine of AU $11,000 (US $9,305) on Pitch Entertainment Group for violating the country's Spam Act. Pitch allegedly sent more than one million commercial text messages with no viable unsubscribe options. IMP Mobile has been fined AU $4,000 (US $3,384) for the same violation. Repeat offenses could be punished with much higher fines.
-http://australianit.news.com.au/story/0,24897,21949015-5013044,00.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Nets GBP 250,000 (US $500,000) Settlement (June 21, 2007)
An unnamed UK firm will pay the Business Software Alliance GBP 250,000 (US $500,000) as an out-of-court settlement for using unlicensed software. The average settlement paid to BSA last year was GBP 10,000 (US $20,000). The company, which was not named for legal reasons, was using unlicensed copies of Adobe, Autodesk and Microsoft software on PCs at a number of sites.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39287658-39001084c,00.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Online Employment Firm Exposes Client Data (June 25, 2007)
Australian online employment company CareerOne inadvertently exposed personally identifiable information of 5673 clients and potential clients. The clients are all companies wanting to hire employees, not people seeking jobs themselves. The compromised data include names, email addresses and account passwords, as well as comments from company executives about clients, some of which are less than flattering. Evidence suggests the information was available on the Internet for nearly a month before the breach was detected. The offending page has been taken down. CareerOne plans to investigate the incident.
-http://www.theage.com.au/news/security/job-website-probes-data-bungle/2007/06/24/1182623749129.html?page=fullpage#contentSwap1
Stolen Laptop Holds Ohio Workers' Compensation Data (June 25, 2007)
A laptop computer stolen from an auditor's home contains personally identifiable sensitive information belonging to 439 injured workers. The auditor was working for the Ohio Bureau of Workers' Compensation (BWC). The theft occurred on May 30, but BWC administrator Marsha Ryan was not informed of the theft until June 15. The revelation follows close on the heels of the theft of a backup tape containing personally identifiable information of hundreds of thousands of Ohioans; that tape was stolen from an Ohio State office intern's car. BWC will notify affected workers and employers.
-http://www.middletownjournal.com/hp/content/oh/story/news/state/2007/06/25/ddn062507bwcweb.html
[Editor's Note (Liston): There is no indication in the source story regarding data encryption on the laptop. Every issue of NewsBites has a story or two about stolen laptops. If your company hasn't implemented strong encryption on your mobile devices, please use these stories to start the ball rolling. ]
Stolen Laptop Holds Prince's Sensitive Data (June 24, 2007)
A laptop computer stolen from an accountant's car in the UK contains personal information about Prince Charles. The data on the computer are believed to include the Prince's vital account number, sort code, and national insurance number. The accountant from whose car the computer was stolen works for Moorepay, the firm that handles wages for the Duchy of Cornwall estate.
-http://www.people.co.uk/news/tm_headline=-pound-15m-charles--bank-secrets-stolen--&method=full&objectid=19347215&siteid=93463-name_page.html
Stolen Laptop Holds Texas First Bank Data (June 200, 2007)
A laptop computer stolen from a car in Dallas, Texas contains sensitive, personally identifiable information of about 4,000 Texas First Bank customers. The computer was protected with technology designed to prevent unauthorized access. The computer belonged to a former Texas First Bank online banking vendor; the vendor informed the bank of the theft immediately.
-http://www.khou.com/news/local/stories/khou070622_jj_bankid.4056cb0.html
[Editor's Note (Schultz): It is encouraging to learn that the data stored on the stolen laptop were protected, but why did the former online banking vendor still have the bank's customer data? The bank should have had a contractual agreement as well as procedures in place to ensure that once the relationship with the vendor ended, all customer data that the vendor possessed would be deleted. ]
Phony Shockwave Sites (June 22, 2007)
Malware purveyors have been creating phony Adobe Shockwave Player websites to trick users into downloading a Trojan horse program. Users visit sites related to online games or other activities that require Shockwave. The lure sites present the users with broken icons, indicating there is something wrong with their version of Shockwave, if it is already installed. The users are given links to a site that will purportedly diagnose the problem with Shockwave, which invariably turns out to be the need to upgrade. The users are then redirected to a phony site for the upgrade where a Trojan, rather than a working version of the software, is downloaded onto their computer.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3024
-http://www.theregister.co.uk/2007/06/22/shockwave_social_engineering_ruse/print.html
MISCELLANEOUS
BP to Weave IT, Physical and Corporate Security Together (June 26, 2007)
In an effort to bolster its overall security posture, British Petroleum (BP) is taking steps to bring its physical, corporate, and IT security organizations together. The company believes attackers will come from a variety of angles, such as targeted attacks and espionage, and they want to be prepared. One example would be to check logged-in computer users against people known to be physically in the facility.
-http://www.computerweekly.com/Articles/2007/06/26/224995/bp-aligns-it-with-physical-security-to-combat-threats.htm
[Editor's Comment (Northcutt): You hear a lot about security convergence and some organizations were doing this ten years ago, but in the main, it is hard to imagine ex-op physical security folks and Linux system and network administrators working all that closely with one another.
-http://www.computerworld.com/securitytopics/security/story/0,10801,108571,00.html
-http://www.csoonline.com/read/041505/]
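The BP item above mentions one concrete convergence check: compare who is logged in at a console with who has badged into the building. The script below is an added illustration of that check written for this newsletter, not BP's code and not from any of the linked articles. The two log formats, the field layout, the 12-hour presence window, and every log line are constructed assumptions for the example; a real deployment would read badge-reader and authentication logs from whatever systems it actually has.

```python
"""Cross-check console logins against badge-reader records.

Added example (not BP's code or anything from the newsletter) of the
correlation idea in the BP story: a user logged in at a workstation in a
building should have a recent badge-in at that building. Log formats,
field names and all sample lines are constructed for this illustration.
"""
from datetime import datetime, timedelta

# Constructed badge-reader log: timestamp, user, building, in/out
BADGE_LOG = """\
2007-06-25T07:58:00 alice HQ in
2007-06-25T08:05:00 bob HQ in
2007-06-25T12:10:00 bob HQ out
2007-06-25T08:30:00 dave LAB in
"""

# Constructed console-login log: timestamp, user, host, building the host sits in.
# Remote (VPN) logins are assumed to be filtered out upstream: they carry no
# physical-presence expectation and would only generate noise here.
LOGIN_LOG = """\
2007-06-25T08:02:00 alice ws-101 HQ
2007-06-25T12:40:00 bob ws-102 HQ
2007-06-25T09:15:00 carol ws-103 HQ
2007-06-25T09:00:00 dave ws-201 HQ
"""


def parse_events(text, fields):
    """Split whitespace-delimited log lines into tuples; the first field is an ISO timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != fields:
            raise ValueError(f"malformed log line: {line!r}")
        rows.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return rows


def last_badge_state(badge_events, user, building, when, window=timedelta(hours=12)):
    """Return 'in', 'out', or None: the user's latest badge event at `building`
    within `window` before `when`. Events are walked in time order so the
    latest one wins regardless of the order they appear in the log."""
    state = None
    for ts, u, b, direction in sorted(badge_events):
        if u == user and b == building and ts <= when and when - ts <= window:
            state = direction
    return state


def find_anomalous_logins(badge_text, login_text):
    """Flag logins whose user has no matching badge entry or was last seen badging out.

    Returns a list of (user, host, reason) tuples in login-log order."""
    badge = parse_events(badge_text, 4)
    alerts = []
    for ts, user, host, building in parse_events(login_text, 4):
        state = last_badge_state(badge, user, building, ts)
        if state == "in":
            continue  # presence confirmed, nothing to report
        reason = "badged out" if state == "out" else "no badge entry"
        alerts.append((user, host, reason))
    return alerts


if __name__ == "__main__":
    for user, host, reason in find_anomalous_logins(BADGE_LOG, LOGIN_LOG):
        print(f"ALERT {user}@{host}: {reason}")
```

With the constructed data this flags bob (logged in after badging out), carol (no badge record at all) and dave (badged into a different building), while alice passes. Two points matter when tuning such a check for real logs: tailgating through a door without badging produces the same "no badge entry" signal as a stolen credential, so the alert is a prompt for a human look rather than proof of compromise, and the presence window has to match how the site actually uses its readers (exit readers are often optional, in which case the "badged out" branch should be dropped).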
What Would a Cyberwar Look Like? (June 24, 2007)
Governments around the globe are preparing themselves for cyberwar, but "How bad would a cyberwar really be ...? And is there really a chance it would happen at all?" The general consensus now is that the attacks perpetrated in Estonian government and commercial websites were not government-ordered, but instead the work of hacktivists unhappy with the country's decision to remove a Soviet WWII memorial. A report from the US Defense Department indicated China is ratcheting up its cyber war capabilities, and programs have been established in the US to do the same.
-http://www.nytimes.com/2007/06/24/weekinreview/24schwartz.html?_r=1&oref=slogin&ref=technology&pagewanted=print
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
=========================================================================
Agenda for the Application Security Summit, Aug. 15-16, Washington DC
http://www.sans.org/appsummit07/
Expert Briefings:
1. Expert Briefing: The Three Programming Errors that Caused More than 90% of all Critical Vulnerabilities Reported in 2006. Surprisingly, nearly all critical vulnerabilities reported during 2006 were caused by just three types of programming errors. You'll learn what they are, how they happen and how to fix them in this briefing. Rohit Dhamankar, editor @RISK, and Senior Engineer, TippingPoint
2. Expert Briefing: New Frontiers of Web Hacking: AJAX Vulnerabilities, Deep SQL Injection, Cross Site Reference Forgery, and More. An eye-opening briefing on a series of the newest attacks enabling criminals to compromise web applications (leaders from the application security field)
3. Expert Panel: Application Security and PCI Compliance - What It Means. The credit card industry has changed its standards, requiring every organization that processes credit cards to upgrade application security. In this expert panel you'll learn what PCI requires and how to meet the requirements.
User Panels: Key Questions Users Are Asking
4. User Panel: Validating Application Security: Choosing the Right Combination of Tools for Your Application Security Tool Box. Can application firewalls replace application scanners? Do application scanners do a better job than source code analyzers? How bad are the false positives? In this panel experienced users of the various tools will share their experiences and try to reach consensus on the right tools for an application security toolbox.
5. User Panel: Essentials of a comprehensive application security program. Some organizations start their application security initiative without a comprehensive picture of the elements they will be putting in place as part of that program. This panel of very experienced users illuminates the elements you may have missed in your planning and explains why they matter.
6. User Panel: Justifying, planning, launching and organizing an application security program. This panel will address questions such as: What are the costs of an application security program and how are the benefits best presented to management? Who should be in charge and what are the first steps to get a program solidly on track?
7. User Panel: Promising Practices in Building the Partnership Between Security Staff and the Developers (building into the SDLC, when to use code reviews). In this panel users focus squarely on the ultimate goal - moving beyond application testing by the security group to get the programmers to embrace the tools, or at least to get them to fix the problems willingly and quickly. This panel also looks at where application security best fits in the SDLC.
8. User Panel: Training and testing our application developers and testers. Are the courses being offered by web security experts actually working? How do you know? In this panel users and experts will discuss the various training alternatives open to application developers and review the new international certification examinations that were launched this summer to measure application security skills in each major programming language.
9. User Panel: Innovative uses of procurement to improve application security. Innovative CIOs have discovered that the most powerful weapon in the application security arsenal is the language they use in their procurements. In fact they have discovered that when they don't include explicit application security requirements in their procurement documents and contracts, the cost of better security rises exponentially. This panel will review ways to use procurement language effectively.
10. User Panel: Trust but Verify: Managing application security when application development projects are outsourced. Expanding on the procurement panel topics, this panel explores the unique character of outsourced development and looks at what special programs help ensure outsourced application development meets high security standards.
Vendor Panels
11. Vendor Panel: Implementation lessons learned. When users deploy application security tools, they often make mistakes that lessen the value of the tools. In this panel technical experts from application security tool vendors share the most common mistakes and tell how to avoid them.
12. Vendor Panel: Tools shootout. A great chance to pick the application security vendors you'll want on your short list of products to consider.