SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #62
August 07, 2007
The early registration discount for SANS Network Security in Las Vegas (September 22-30) ends tomorrow, Wednesday August 8.
TOP OF THE NEWS
Sixty Percent of IRS Employees Succumb to Social EngineeringCA Sec. of State Places Limitation on Use of eVoting Machines
Consumer Reports: Malware and Phishing Cost Consumers US $7 Billion Over Two Years
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITYDARPA Seeks Network Attack Monitoring Input
GAO Report: Security Weaknesses in US-VISIT Support Systems
POLICY & LEGISLATION
Legislators Say No to Financial Help for Real ID Implementation
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
VeriSign Employee Data on Stolen Laptop
Stolen Computer Holds Capital Health Patient Data
MISCELLANEOUS
Legislators to Look Into Yahoo!'s Role in Chinese Journalist's Arrest
China's Great Firewall Could Offer Protection in Cyber War
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By ArcSight, Inc. *********************
Free Whitepaper: Extracting Value From Log Data
Discover how to extract the value in your event log data. Learn how to capture log data across your enterprise, reduce long-term retention costs and simplify access to historical data with this free whitepaper. Brought to you by ArcSight, the SIM leader that turns operational data into action. http://www.sans.org/info/13106
*************************************************************************
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
*************************************************************************
TOP OF THE NEWS
Sixty Percent of IRS Employees Succumb to Social Engineering (August 3, 2007)
Auditors from the Treasury Inspector General for Tax Administration Office (TIGTA) conducted a test in which they telephoned employees and contractors at the IRS and, pretending to be IRS help-desk workers, asked them to provide their usernames and temporarily change their passwords to ones they suggested. Sixty percent of those telephoned complied with the request. A similar test in 2004 netted just 35 percent and in 2001, 71 percent changed their passwords. That test prompted "corrective actions" designed to increase awareness of social engineering tactics. The most recent test involved 102 employees. Just eight of the people who received phone calls responded appropriately by "contacting either the audit team, the TIGTA Office of Investigators, or the IRS computer security organization to validate[the ]
test as being part of an official TIGTA audit."
-http://news.com.com/8301-10784_3-9754689-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9028960&source=rss_topic17
-http://www.fcw.com/article103417-08-03-07-Web
-http://www.ustreas.gov/tigta/auditreports/2007reports/200720107fr.pdf
[Editor's Note (Schultz): These results are very typical of the results of other, similar studies in the past. Mitigating social engineering-related risk is truly one of the most difficult tasks that information security professionals face.
(Honan, Liston): While the results of the test are disappointing, the IRS should be given credit for conducting the tests in the first place. Educating users is nearly as important as protecting the perimeter.
(Paller): New York State has pioneered an approach to mitigating social engineering called "inoculation" in which organizations run multiple self-tests and educate those who fall for each ruse. They rank the divisions on how well each did and let people know the tests will continue and that one day individuals who fail may become visible. Result: the number of victims falls rapidly and radically. Inoculation is easy and inexpensive but takes real leadership by the CISO because it involves "fooling" employees." The key to success: top management cover. The Governor in New York personally blessed the program there. ]
CA Sec. of State Places Limitation on Use of eVoting Machines (August 4 & 6, 2007)
CA Secretary of State Debra Bowen has made a decision regarding the use of electronic voting systems after reviewing the results of a study of the systems' security. Bowen has placed restrictions on several of the systems, and decertified one altogether. Polling places will be permitted just one Diebold Accu-Vote-TSx and Sequoia Edge Model system, and county registrars will be required to reinstall software and firmware and reset encryption keys. Additional physical security measures will need to be implemented as well. Hart InterCivic machines are subject to the same security requirements, except polling places will not be limited to one of those machines. Election Systems & Software (ES&S) Inc. machines were decertified because of delayed product access. ES&S InkaVote Plus systems are being evaluated for potential use in California's February 2008 presidential primary election.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9029038&source=rss_topic17
-http://blog.washingtonpost.com/securityfix/2007/08/citing_security_concerns_cali
f.html?nav=rss_blog
-http://www.theregister.co.uk/2007/08/06/california_evoting_decertification/print
.html
[Editor's Note (Schultz): Debra Bowen has once again made a brilliant decision. It will not only safeguard the integrity of voting results in California, but will also send a powerful message to eVoting vendors that poor security in their products is no longer acceptable. ]
Consumer Reports: Malware and Phishing Cost Consumers US $7 Billion Over Two Years (August 6, 2007)
Consumer Reports' "State of the Net" survey estimates that Americans lost US $7 billion due to viruses, spyware, and phishing attacks over the last two years. The survey is based on responses from 2,000 US households. Thirty-eight percent of respondents reported experiencing virus infections. Thirty-four percent reported their machines were infected with spyware. Just eight percent of respondents acknowledged they had been fooled by a phishing scheme; the phishing attacks had a median cost of US $200. An estimated 1.8 million households replaced computers due to viruses in the last two years. Spyware infestations were responsible for an estimated 850,000 households replacing computers over the last six months.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201203030
[Editor's Note (Ullrich): Of note is the large number of systems that were replaced as a result of malware infections, and the large number of consumers that do not use anti-malware/firewalls. Free anti malware and firewall solutions are available for almost all systems currently in operation.
(Liston): This is unquestionably an education issue. AV, anti-spyware, and firewalls can only do so much and then the need for user education becomes glaringly apparent. Computers today are marketed as appliances... as though no thought, knowledge, or skill is required to use them. This is the result. ]
*********************** Sponsored Links: ******************************
1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/13111
2) ALERT: Hacking Web Applications- A Step-by-Step Attack Analysis
Download this SPI Dynamics White Paper:
http://www.sans.org/info/13116
3) C and Java programmers - Come to DC August 14 and be the first to pass the Secure Coding Exam. Earn the GIAC Secure Software Programmer (GSSP) certification at this August Inaugural Exam. Only 100 seats available.
http://www.sans.org/info/13121
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DARPA Seeks Network Attack Monitoring Input (August 3, 2007)
The Defense Advanced Research Projects Agency (DARPA) is seeking proposals for its Scalable Network Monitoring (SNM) program. "The envisioned size of the Global Information Grid (GIG) and use of IPv6 present new challenges to information assurance." DARPA wants solutions that will "provide maximum coverage with performance independent of the network size." DARPA has scheduled a Proposers' Day Workshop for Thursday, August 16. The registration deadline is August 8; attendance will be limited to the first 80 registrants.-http://www.fcw.com/article103422-08-03-07-Web
-http://www.arpa.mil/baa/SN07-52.html
GAO Report: Security Weaknesses in US-VISIT Support Systems (August 3, 2007)
A report from the Government Accountability Office (GAO) indicates security problems with the computer network that supports the US-VISIT border control system. "GAO examined the controls over the systems operated by Customs and Border Protection (CBP) that support the US-VISIT program" and found "weaknesses[that ]
collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information." US-VISIT Director Robert A. Mocny says there have been no attacks on the system and that the report posits hypothetical problems and exaggerates others. The security concerns include inadequate user identification and authentication in US-VISIT support systems; ineffective physical security at some locations; inconsistent use of data encryption; inadequate logging; and inadequate segregation of responsibilities. "GAO recommends that DHS direct CBP to fully implement information security program activities for systems supporting the US-VISIT program."
-http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202260_
pf.html
-http://www.gao.gov/new.items/d07870.pdf
[Editor's Note (Frantzen): If you have inadequate logging, inadequate segregation of duties, and ineffective physical security, how can you ever conclude that there have been no attacks?
(Liston): Every time I hear people say things like "these issues are all just hypothetical" and "there have been no attacks on our systems" I cringe. Perhaps I've seen too many instances where "hypothetical" attacks have become all too real or where wholly 0wned inadequately logged systems showed no signs of attack. But that's just me... ]
POLICY & LEGISLATION
Legislators Say No to Financial Help for Real ID Implementation (August 2, 2007)
The US Senate failed to approve legislation that would have provided US $3 million annually to help states comply with the Real ID Act. The law requires states to provide citizens with driver's licenses and state issued ID cards with machine-readable bar codes or RFID chips and to create a database of personal information that will be linked to databases from all other states. States are required to comply by 2008, though some have been granted extensions to 2010. The American Civil Liberties Union (ACLU) opposes the Real ID Act not because of the associated costs, but because it views the entire project as a "serious privacy threat." Seventeen US states have publicly opposed the federal law.-http://www.eweek.com/print_article2/0,1217,a=212765,00.asp
[Editor's Note (Liston): Turning Real ID into an unfunded mandate is just going to make states all the more reluctant to cooperate with the Feds. With the cost of ID conversion coming out of their own budget, State lawmakers will be far more willing to listen to those talking about Real ID's privacy implications. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
VeriSign Employee Data on Stolen Laptop (August 2 & 6, 2007)
A laptop computer stolen from a VeriSign employee's car holds personally identifiable information of an unspecified number of company employees. Although company policy requires that such information on laptops be encrypted, these data were not. The data include names, addresses, birth dates, salary information and Social Security numbers (SSNs). VeriSign has disabled the stolen laptop's access to the company computer network, and the employee from whose car the computer was stolen no longer works at VeriSign. The computer was stolen on July 12 or 13; notification letters sent to employees were dated July 25.-http://www.theregister.co.uk/2007/08/06/verisign_laptop_theft/print.html
-http://wizbangblog.com/content/2007/08/02/laptop-theft-leaves-verisign-employees
-data-exposed.php
Stolen Computer Holds Capital Health Patient Data (August 3, 2007)
One of four laptop computers stolen from a Capital Health office in the Edmonton, Alberta (Canada) area contains personally identifiable information of approximately 20,000 patients. The theft occurred on May 8, but notification letters were sent on August 2 because the organization needed time to confirm the addresses of the affected patients. While the data are not encrypted, Capital Health uses software that locks computer hard drives. A similar data breach incident in 2006 prompted the Privacy Commissioner to recommend that personal and health data not be stored on laptop computers unless deemed necessary, in which case it should be encrypted. The data include names, addresses, personal health care numbers, and reasons for hospital admission.-http://www.edmontonsun.com/News/Alberta/2007/08/03/pf-4390118.html
MISCELLANEOUS
Legislators to Look Into Yahoo!'s Role in Chinese Journalist's Arrest (August 3, 2007)
US legislators will look into how much Yahoo! knew about the situation when the company provided information that helped Chinese authorities identify and arrest a Chinese journalist. Shi Tao was sentenced to 10 years in jail for sending an email message that discussed media restrictions in his country. Yahoo!'s general counsel maintains the company had no knowledge of Shi's situation when it provided Chinese officials with information about his identity. However, a document has been produced that indicates Yahoo! was asked for information about Shi regarding his "suspected 'illegal provision of state secrets to foreign entities.'"-http://www.msnbc.msn.com/id/20113651/
China's Great Firewall Could Offer Protection in Cyber War (July 31, 2007)
China's staunch enforcement of Internet traffic has been referred to as "the Great Firewall of China." With an interest in controlling the flow of information, traffic both in and out of the country is monitored and often blocked. The Mandarin term used is "jindun gongcheng," which translates to "the Golden Shield." Interestingly, the very technology that limits the free flow of information could prove to be valuable protection in the event of a cyber war. The fact that China's ISPs and its government are so closely linked gives them another advantage in a theoretical cyber war - they could "pull the plug," effectively isolating China from the rest of the Internet. The way to attack Chinese computer networks would be to create botnets on computers within the country.-http://www.forbes.com/technology/ebusiness/2007/07/30/china-cybercrime-war-tech-
cx_ag_0730internet.html
[Editor's Note (Northcutt): which leads to sites being created like
-http://www.greatfirewallofchina.org/
which by the way says www.sans.org is one of the banned sites. ]
LIST OF UPCOMING FREE SANS WEBCASTS
Thursday, 8/9/07 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards-http://www.sans.org/info/13171
Sponsored By: AirWave
Wednesday, 8/15/07 - Internet Storm Center: Threat Update
-http://www.sans.org/info/13176
Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
-http://www.sans.org/info/13181
Sponsored By: Seagate
Be sure to check out the following FREE SANS archived webcasts:
August 1, 2007 - Host Based Intrusion Prevention (HIPS), what does it do for me?
-http://www.sans.org/info/13186
Sponsored By: CA
July 31, 2007 - WhatWorks in Intrusion Prevention and Detection: PCI, Global Compliance and Log Management at a Large Financial Firm
-http://www.sans.org/info/13191
Sponsored By: Sourcefire
July 25, 2007 - Meeting PCI Data Security Standards: It's more than log collection
-http://www.sans.org/info/13196
Sponsored By: Q1 Labs
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/