Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #64

August 14, 2007

TOP OF THE NEWS

DOD Requires Mobile Data To Be Encrypted
Agencies Struggling To Implement OMB Policies
Concerns Raised as Germany Enacts 'Anti-Hacker' Law
UK House of Lords Calls for More Government Action on Cyber-Crime

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Release Nine Fixes for This Month's Patch Tuesday
Storm Worm Blamed for Canadian DDOS Attack
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UK Police Database Containing Terrorist Evidence Stolen
Hackers Steal Sensitive Data on 60,000 Norwegians
UN Website Victim to Hack
LEGAL MATTERS
Major Cyber-Crime Suspect Detained in Turkey
Web Designer Pleads Guilty to Hacking
STATISTICS, STUDIES & SURVEYS
European Union Sponsors Global Malware Study
LIST OF UPCOMING FREE SANS WEBCASTS


********************* Sponsored By SPI Dynamics *************************

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by- Step"- White Paper Even if your web application does not return error messages, it may still be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver total control of your server to a hacker. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.sans.org/info/13761

*************************************************************************
SECURITY TRAINING UPDATE

If you live near Virginia Beach, Houston, Chicago, Atlanta, Helsinki, Oslo, Dubai, Tokyo, or Dallas, you may attend great SANS training right in your area. (see http://www.sans.org/training/bylocation/index_all.php)

But the BIGGEST security event of the fall is SANS Network Security 2007 (September 22-30) in Las Vegas) with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

*************************************************************************

TOP OF THE NEWS

DOD Requires Mobile Data To Be Encrypted (August 13, 2007)

The CIO for the US Department of Defense, John Grimes, has issued a memo requiring the encryption of all sensitive data stored on mobile devices. Mobile devices are defined as laptop PCs, personal digital assistants, USB thumb drives and other removable media devices such as compact discs. According to the memo, all mobile devices must be encrypted in accordance with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. Dave Wennergren, DOD's deputy CIO states, "The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace"
-http://www.fcw.com/article103467-08-13-07-Print
[Editor's Note (Pescatore): The July 3 memo says that "unclassified DoD data that has not been approved for public release" must be encrypted when on mobile devices like PDAs or USB drives and the like. This is badly needed - there have been many reports of boxes of USB drives at dry cleaners near military bases with sensitive but unclassified information on them. ]

Agencies Struggling To Implement OMB Policies (August 13, 2007)

Many agencies report that they are struggling to keep up with the number of policies issued by the Office of Management and Budget in response to the 2006 security breach at the Veterans Affairs Department, where an employee lost personal data on 26.5 million veterans. The requirement to log and verify all computer-readable extracts from databases containing sensitive information is proving to be the most difficult to meet for most agencies. In the latest memo issued by the OMB, a deadline of September 21 is set for agencies to report on their plans to remove Social Security numbers from publicly accessible information systems and procedures for notifying federal authorities when a data breach occurs.
-http://www.fcw.com/article103460-08-13-07-Print
[Editor's Note (Pescatore): Many of those OMB guidelines on data security were simply reiterating existing US Government policies; the others were shown to be badly needed based on the incidents at government agencies. I once had a boss who would always say "I only micromanage you when you force me to." ]

Concerns Raised as Germany Enacts 'Anti-Hacker' Law (August 13, 2007)

Germany has enacted controversial anti-hacking laws which make Distributed Denial of Service Attacks and gaining unauthorized access to data illegal, with the most serious offences punishable by up to 10 years in prison. The law also makes it illegal to possess, create or distribute security tools which could be used to commit a crime. Many claim exact interpretation of the new law could criminalize security professionals who use security tools to test their systems or those of their customers. In reaction to the law, several security researchers have shut down their German-based websites and moved them to other countries such as the Netherlands
-http://www.securityfocus.com/print/brief/567
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9030404

-http://www.theregister.co.uk/2007/08/13/german_anti-hacker_law/print.html
[Editor's Note (Pescatore): This concern has come up many times before and generally been unfounded. Laws are a blunt tool, but we do have to make sure there are legal consequences for illegal actions. After a few pieces of case law get on books sanity usually (well, at least often) reigns.
(Ranum): Every year there is some kind of yatter yatter yatter from the "security researchers" complaining that this law or that law will criminalize their tools. It's complete B.S.!!!!! No district attorney or prosecutor is going to try to go after a security professional for using a copy of Nessus - it's simply not going to happen. What's going on, really, is that the "researchers" are worried that someone is actually going to hold them accountable for their little bags of tricks and the exploits they trade. (Grefer): Outlawing the possession of security/hacker tools will have about the same impact on criminals as gun control legislation: none. Anybody with sufficient criminal intent will continue to obtain guns and hacking tools illegally, while the "good guys" are put at a disadvantage when it comes to defending law and order. Bad laws are easy to come by but hard to get rid of.
(Northcutt): Keep in mind that Germany also has very strong privacy laws, so running the trail from IP address to the human actor involved in a breach is quite challenging. I think the most interesting statement is that some researchers simply move their websites to another country. If legit researchers take this action we may see a future five or so years hence as Eastern Europe becomes less Wild West and more European Union where the hot hacking action will be centered in Indonesia or Lesotho. ]

UK House of Lords Calls for More Government Action on Cyber-Crime (August 10, 2007)

In a 121 page report titled "Personal Internet Security", the UK House of Lords Science and Technology Committee claims the Internet is now "the playground of criminals." The report calls on the government and industry stakeholders such as Internet Service Providers and hardware and software manufacturers to take more responsibility and be more proactive in tackling cybercrime. A "laissez-faire" attitude to cyber crime by these various stakeholders, the report claims, has left the end users alone in protecting themselves from online criminals and that urgent measures need to be taken. Some of the recommendations from the Lords committee are far reaching and controversial and include calls for legal liability against software and hardware manufacturers for damage resulting from security flaws and the establishment of a data breach disclosure law similar to those found in the United States.
-http://www.theregister.co.uk/2007/08/10/lords_net_security_report/print.html
-http://news.bbc.co.uk/2/hi/technology/6938796.stm
-http://www.govtech.com/gt/130148?topic=117671
-http://www.scmagazine.com/uk/news/article/731106/government-slammed-e-crime-repo
rt/

The report is available at
-http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf
[Editor's Note (Schultz): The UK House of Lords Science and Technology Committee is taking a most reasonable approach. More pressure needs to be put on ISPs, which currently for the most part function as major weak links in Internet security. ]


*********************** Sponsored Links: ******************************

1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/13766
2) How are you utilizing NetFlow to improve network security and performance? Register for a FREE webinar "Cisco IOS NetFlow for Network Security and Traffic Analysis"
http://www.sans.org/info/13771
SPECIAL: A number of readers have stated they are not sure what the ICE project (https://www.sans.org/ns2007/whitewolf.php ) is exactly and to be honest, there are days I wonder myself. Security podcaster PaulDotCom and team will be interviewing Tim Rosenberg, the guy who is behind most of the major cyber exercises the colleges are running as competitions and one of his technical leads August 16th, 7:00PM EST. The next week they will interview Ed Skoudis and Tom Liston on escaping from Virtual Machines into the host operating system ( a scary thought). Here is the schedule:
http://www.pauldotcom.com/2007/08/12/upcoming_pauldotcom_interviews.html
And any questions drop me a note at stephen@sans.edu and I will try to get the answer.

*************************************************************************

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft to Release Nine Fixes for This Month's Patch Tuesday (August 13, 2007)

Microsoft is expected to release nine fixes for a range of its products for this month's Patch Tuesday, August 14. Products impacted include most versions of the Windows Operating System (including Vista), Microsoft Office, Internet Explorer, Windows Media Player, Visual Basic and Virtual PC. Six of the bulletins address vulnerabilities that have a maximum severity rating of 'critical', Microsoft's highest alert level. The remaining three patches all carry a maximum rating of 'important.'
-http://www.zdnet.co.uk/misc/print/0,1000000169,39288501-39001093c,00.htm
-http://blog.washingtonpost.com/securityfix/2007/08/theres_a_black_tuesday_on_the
.html

-http://www.vnunet.com/articles/print/2196471
-http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

Storm Worm Blamed for Canadian DDOS Attack (August 13, 2007)

A number of Canadian websites were victims of a Distributed Denial of Service attack over the weekend. Researchers at the Internet Storm Center have identified the Storm Worm Botnet as the source of the attack. While the attack appears to be unfocused with no specific goal, there are fears that it was being used as part of a test for future attacks. Researchers at SecureWorks and Postini now estimate there are 1.7 million infected PCs within the Storm Worm Botnet.
-http://informationweek.com/shared/printableArticle.jhtml?articleID=201500196
-http://isc.sans.org/diary.html?storyid=3259

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

UK Police Database Containing Terrorist Evidence Stolen (August 12, 2007)

Police in the United Kingdom are investigating the theft of a server containing a database of highly confidential mobile phone records used by the police in investigating crimes relating to terrorist and organised criminal gangs. The server was stolen from the offices of a private company, Forensic Telecommunications Services (FTS), whose clients include Scotland Yard, The Police Service of Northern Ireland, HM Revenue and Customs and the Crown Prosecution Service. FTS reported a break in at their offices over the weekend which resulted in pieces of IT equipment, including the server, being stolen. All the missing data were restored within 24 hours and FTS state that all data held on the server are encrypted.
-http://news.independent.co.uk/uk/crime/article2856892.ece
-http://news.bbc.co.uk/2/hi/uk_news/england/kent/6943104.stm
-http://www.vnunet.com/vnunet/news/2196525/police-alert-phone-information-theft
-http://www.scmagazine.com/uk/news/article/731274/terrorist-database-stolen-raid-
encrypted-police-confirm/

[Editor's Note (Pescatore): I'd like to congratulate them for having the stored data encrypted, but if some one could physically break into the computer room holding the server, who knows whether pre-encrypted data had been walking out the door before. ]

Hackers Steal Sensitive Data on 60,000 Norwegians (August 10, 2007)

Hackers gained access to the personal ID numbers of up to 60,000 Norwegians through the website of the telephone operator Tele2. Amongst the victims is Georg Apenes who is director of Datatilsynet, the Norwegian data protection agency. The Norwegian ID number is an 11 digit number that must be kept confidential. When used in conjunction with other personal information such as names and numbers, it can be used for ID theft. Tele2 has promised to address the weaknesses in its website which enabled the attack.
-http://news.brisbanetimes.com.au/internet-hackers-steal-confidential-data-on-600
00-norwegians/20073511-spc.html

-http://www.aftenposten.no/english/local/article1930521.ece?service=print

UN Website Victim to Hack (August 13, 2007)

Web pages normally used to display the speeches of the Secretary-General of the United Nations, Ban Ki Moon, were attacked and defaced over the weekend by hackers claiming to be from Turkey. The attackers appeared to have used SQL Injection attacks to alter the pages.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article2250127.ece?pri
nt=yes&randnum=1187054625046

-http://news.bbc.co.uk/2/hi/technology/6943385.stm
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9030318

LEGAL MATTERS

Major Cyber-Crime Suspect Detained in Turkey (August 10, 2007)

A 24 year old Ukrainian man allegedly responsible for stealing tens of millions of dollars from individuals worldwide through online identity theft schemes has been detained by Turkish authorities. The suspect, Maksym Yastremskiy who went by the nickname Maksik, was detained as a result of US Secret Service agents monitoring his activity in online chat rooms frequented by fraudsters. It is claimed that Yastremskiy is one of the top three suspected traffickers of stolen-card information being monitored by the US Secret Service.
-http://online.wsj.com/article/SB118669696407393439.html?mod=rss_law_page

Web Designer Pleads Guilty to Hacking (August 10, 2007)

The boss of a British web design firm, Mark Hopkins, received a five month suspended jail sentences after pleading guilty to hacking into the website of a competitor. Hopkins was arrested after the source of a breach at a website owned by competitor company ME Publishing, was traced to a PC belonging to Hopkin's company NXGN. Hopkins was sentenced under Section One of the Computer Misuse Act and in addition to the five month suspended sentence he was ordered to pay GBP5,000 (US$10,000) compensation to his victim, GBP2,500 (US$5,000) in costs to the police and to serve 100 hours community service.
-http://www.theregister.co.uk/2007/08/10/motorcycle_website_hack_sentencing/print
.html

STATISTICS, STUDIES & SURVEYS

European Union Sponsors Global Malware Study (August 10, 2007)

The European Union is to sponsor a global study into malware with the aim of finding out more about its sources around the world. The project, called the Worldwide Observatory of Malicious Behaviour and Attack Tools (WOMBAT), will last for three years and has been given a grant of US$7.1 million by the European Union and various corporate sponsors. The goal of the project is to correlate data relating to malware from various sources and researchers, and analyse it to spot trends that might indicate the source of malware and how it proliferates.
-http://www.darkreading.com/document.asp?doc_id=130677&print=true
-http://campustechnology.com/articles/49622/

LIST OF UPCOMING FREE SANS WEBCASTS

Wednesday, 8/15/07 - Internet Storm Center: Threat Update
-http://www.sans.org/info/13691
Sponsored By: Core Security

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
-http://www.sans.org/info/13701
Sponsored By: Seagate

Tuesday, 8/28/07 - Regaining Your Technical Edge: SANS Hacking for Managers Webcast, featuring Eric Cole
-http://www.sans.org/info/13681
Sponsored By: Core Security

Wednesday, 8/29/07 - What's New in Malware and Top 5 things Required for Total Protection
-http://www.sans.org/info/13686
Sponsored By: CA

Be sure to check out the following SANS Archived Webcasts

8/9/07 - The Service/Help/Support Desk: Implications of Migrating to 802.1x Standards
-http://www.sans.org/info/13706
Sponsored By: AirWave

8/1/07 - Host Based Intrusion Prevention (HIPS), what does it do for me?
-http://www.sans.org/info/13711
Sponsored By: CA

7/31/07 - WhatWorks in Intrusion Prevention and Detection: PCI, Global Compliance and Log Management at a Large Financial Firm
-http://www.sans.org/info/13716
Sponsored By: Sourcefire

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/