SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #66

August 21, 2007

TOP OF THE NEWS

TJX Says Losses to Top US $150 Million
Certegy Faces Class Action Lawsuit Following Data Theft
Man Draws Seven-Year Sentence for Identity Theft

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Alleged Phishing Gang Arrested in Italy
Three Indicted in Software Piracy Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DoD Websites Violate Security Policy More Frequently Than Soldiers' Blogs
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Gentoo Server Offline Due to Software Vulnerability
Prg Trojan Steals Information from Online Job Hunters
Storm Botnet Intensifies
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thumb Drive Containing National Guard Data Recovered
MISCELLANEOUS
FBI Announces New Cybersecurity Research Center
Skype Says Outage Due to Flaw Exposed by Massive Restarts
LIST OF UPCOMING FREE SANS WEBCASTS


TRAINING UPDATE
The BIGGEST security events of the fall are SANS Network Security 2007 (September 22-30) in Las Vegas with more than 40 courses and wonderful evening sessions and a big vendor exposition, and SANS London (Nov 26 - Dec 4). They bring you the top rated teachers in cybersecurity in the world, teaching the most up to date, hands-on courses. How good are they? Here's what past attendees said:
"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"The depth of knowledge is awesome." (Stephen Hall, Barclays)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"You will never ever find anything more valuable than SANS superknowledge. Worth the price!!" (Carlos Fragoso, CESCA)

Registration information:
Las Vegas: http://www.sans.org/ns2007
London: http://www.sans.org/london07/

*************************************************************************

TOP OF THE NEWS

TJX Says Losses to Top US $150 Million (August 11, 14 & 20, 2007)

TJX Companies estimates that losses from the massive security breach that came to light early this year could top US $150 million. More than 45.6 million customer records containing credit and debit card information were stolen over an 18-month period. TJX president and CEO Carol Meyrowitz says the company has taken steps to improve its systems' security. Others outside of TJX suggest much greater losses because the company is facing litigation as well. TJX's projected losses could provide strong business cases for security directors at other organizations to get spending on cyber security investments approved.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=300994&source=rss_topic17
-http://www.forbes.com/markets/2007/08/14/tjx-retail-update-markets-equity-cx_jl_0814markets31.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171
[Editor's Note (Northcutt): My guess is that is low, but time and CPAs will tell, some other opinions:
May 2007 - 29 Million:
-http://www.eweek.com/article2/0,1895,2130594,00.asp
May 2007 - 1 Billion:
-http://msmvps.com/blogs/harrywaldron/archive/2007/05/09/wep-security-pringles-can-1-billion-tjx-loss.aspx
Aug 2007 - 168 Million:
-http://www.eweek.com/article2/0,1759,2171101,00.asp
(Schultz): TJX's losses do indeed provide a strong business case for having adequate security. USD 150 million or more in losses is, after all, nothing that can be ignored.
(Honan): This story and the piece on the lawsuit against Certegy should be bookmarked by every CSO to highlight to management that good security costs money but inadequate and ineffective security costs a whole lot more.]

Certegy Faces Class Action Lawsuit Following Data Theft (August 16, 2007)

A class action lawsuit filed against Certegy Check Services and parent company Fidelity National Information Services Inc. alleges the companies did not provide adequate security measures to protect consumer data. In July, Certegy acknowledged that a former employee accessed and stole consumer records and sold the information to marketing companies. The number of compromised records was initially given as 2.3 million, but an investigation has since indicated that the number is closer to 8.5 million. The class action suit alleges negligence, invasion of privacy, and breach of implied contract. The suit was initiated by an individual who began getting an unusual amount of direct marketing offers and who shortly after that received notice of the breach from Certegy.
-http://www.bizjournals.com/tampabay/stories/2007/08/13/daily45.html
[Editor's Note (Pescatore): Even without class action lawsuits, the cost per account exposed has ranged from $6 per account (TJX) for large (1M+) exposures to $125 or more per account for smaller (tens of thousands) exposures. The cost of protecting the data is invariably less than the cost of dealing with the breach, so claims of negligence are pretty much dead on.]

Man Draws Seven-Year Sentence for Identity Theft (August 20, 2007)

Jacob Vincent Green-Bressler was sentenced to seven years in prison for buying sensitive personal data from others who had stolen them electronically. Green-Bressler used the information to manufacture phony credit cards and withdrew more than US $1 million from ATMs. Green-Bressler pleaded guilty to two felony offenses in March. He was also ordered to pay restitution to his victims, forfeit property, and serve three years of supervised release.
-http://www.vnunet.com/vnunet/news/2196943/seven-stretch-identity-fraud
-http://www.usdoj.gov/usao/az/press_releases/2007/2007-182(Green-Bressler).pdf
[Editor's Note (Schmidt): There has been much focus on investigating those that are stealing personal information, but convicting the buyer and getting this type of sentence will, I hope, cause those that want to traffic in this stolen information to think twice.]


THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Alleged Phishing Gang Arrested in Italy (August 20, 2007)

Police in Italy have arrested 24 people believed to be part of a phishing gang. Approximately 10,000 computers were compromised and used to launch the attacks. The gang allegedly used financial information gathered by phony emails to drain victims' bank accounts. In addition to the arrests, authorities in Italy seized computer equipment and tools used to make phony credit cards.
-http://www.itpro.co.uk/security/news/123003/italian-police-arrest-phishing-gang.html
[Editor's Note (Schmidt): Well done on making the arrest but the final analysis will be found in how many are convicted and what kind of sentences they get. The cynic in me asks how many of these will hang out their shingle as a "security consultant" after they serve their time. ]

Three Indicted in Software Piracy Case (August 17, 2007)

Three men have been indicted on charges stemming from the activities of a software piracy ring. Maurice A. Robberson, Thomas K. Robberson, and Alton Lee Grooms all face charges of conspiracy to violate copyright and counterfeiting laws; the two Robbersons face additional charges of felony copyright infringement and trafficking in counterfeit goods. A fourth man, Danny Ferrer, pleaded guilty to similar charges in June and was sentenced to five years in prison. The men allegedly operated a number of websites that offered the pirated software at discount prices.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031199&source=rss_topic17

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DoD Websites Violate Security Policy More Frequently Than Soldiers' Blogs (August 17, 2007)

Audits conducted by the Army Web Risk Assessment Cell indicate that Defense Department websites are far more likely to violate security policy than are soldiers' personal blogs. Between January 2006 and January 2007, auditors found 1,813 security policy violations on 878 military websites, but just 28 violations on 594 personal blogs. The evidence runs contrary to statements made by the Army that soldiers' blogs pose a significant security risk. The Electronic Frontier Foundation obtained the audit results under the Freedom of Information Act (FOIA).
-http://www.wired.com/politics/onlinerights/news/2007/08/milbloggers?currentPage=all
-http://www.eff.org/news/archives/2007_01.php#005103

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Gentoo Server Offline Due to Software Vulnerability (August 17, 2007)

Large portions of the Gentoo Project's website have been disconnected after the discovery of an SQL injection vulnerability on the site. The flaw lies in the source code for packages.gentoo.org. Gentoo is conducting a forensic investigation on the affected sites and has not provided an estimate for when the sites and services will be available again.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3283
-http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/print.html
-http://www.heise-security.co.uk/news/94504
[Editor's Note (Ullrich): Aside from the fact that this vulnerability should probably have been caught earlier, I applaud the response. They took down the servers, investigated and were open about this incident. The more common, and much more dangerous alternative is to go on using vulnerable servers and pretend nothing happened. ]

Prg Trojan Steals Information from Online Job Hunters (August 16 & 17, 2007 and the attack is spreading, August 20)

The Prg Trojan horse program has reportedly been used to steal information from people who visit job-hunting sites. Approximately 100,000 people have been victimized by the malware. At least twelve caches of stolen data, including names, Social Security numbers (SSNs) as well as bank and credit card account information, have been found; the largest contains information belonging to approximately 46,000 people. The attackers used online ad aggregation services to place infected advertisements on the websites; the aggregators were apparently unaware that the ads led to exploit pages. The attackers have been launching new variants every five days or even more frequently, which is making it difficult for antivirus programs to keep up. Several of the variants listen for connections on port 6081.
-http://www.scmagazine.com/us/news/article/732170/46000-job-hunters-victimized-malicious-recruitment-ads/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031139&source=rss_topic17
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800958
Identity attack spreads; 1.6M records stolen from Monster.com
-http://www.networkworld.com/news/2007/082007-monster-trojan.html?nltxsec=0820securityalert2&code=nlsecuritynewsal89590
[Editor's Note (Northcutt): There has been a very significant increase in traffic to port 6081 in the second half of August; worth a quick look at your firewall logs to make sure none of it is outbound to the Internet from your organization. ]

Storm Botnet Intensifies (August 15 & 16, 2007)

The Storm botnet has taken a new tack, launching distributed denial of service (DDoS) attacks against computers that are scanning networks for vulnerabilities. The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) has issued a warning to its 200 members that their networks could be attacked as they are scanned for malware introduced by returning students. When the scanner scans a computer that is part of the Storm botnet, the rest of the botnet inundates that computer with traffic. The reason colleges and universities are more vulnerable to this new twist is that their scanners are visible to the Internet. Most companies have their scanners on private networks, where the botnet would not be able to find them.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3286
-http://isc.sans.org/diary.html?storyid=3298
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635
-http://www.securityfocus.com/news/11482
[Editor's Note (Ullrich): This is a significant battle that was lost due to reliance on antiquated anti-malware technology and our inability to learn the lessons we have to learn from these outbreaks. Again: Storm does not use technical vulnerabilities. But 7 years after "I Love You", users are still clicking at will, system admins still can't protect them from exposure to these links, and anti-malware vendors still sell products that don't protect the customer's machines from important attacks. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Thumb Drive Containing National Guard Data Recovered (August 18, 2007)

A stolen thumb drive with Idaho National Guard member information has been recovered. Police in Boise have arrested a suspect in the case, which involves several burglaries from cars. Police also recovered a laptop computer.
-http://www.idahopress.com/news/?id=172

MISCELLANEOUS

FBI Announces New Cybersecurity Research Center (August 20, 2007)

The National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign will be the home of the FBI-funded National Center for Digital Intrusion Response (NCDIR). NCDIR is "a cooperative venture that will significantly enhance the FBI's capabilities in investigating cybercrime in high-end computer systems by providing intrusion detection expertise, ... software to automate the investigative process, ... [and] documentation, training, and tools for FBI agents." The FBI will provide US $3 million in support over the first two years.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=44898
-http://www.ncdir.us/about_ncdir.php
[Editor's Note (Schultz): If I were CERT/CC, I'd be a bit nervous right now. The NCDIR is taking over territory that CERT/CC has traditionally owned.]

Skype Says Outage Due to Flaw Exposed by Massive Restarts (August 20, 2007)

Skype has apologized for last week's outage and says it was caused by a high number of simultaneous restarts following Microsoft's Patch Tuesday. The restarts prompted a deluge of login requests that ultimately exposed a vulnerability in the service's network resource allocation program. The flaw prevented the service from fixing itself.
-http://www.scmagazine.com/us/news/article/732380/skype-blames-downtime-patch-tuesday-re-start-not-hackers/
-http://news.bbc.co.uk/2/hi/technology/6954675.stm
[Editor's Note (Ullrich): Why does Skype claim last month's patch and reboot were worse than the prior month's patch and reboot? Was it just that this month a DoS exploit for Skype happened to be published right around the time the Skype network went up in smoke?
(Grefer): As I had pointed out to the ISC, there were reports of a Skype exploit just prior to their outage. Also, there is no explanation why the outage would have occurred with a delay of up to 24 hours relative to the default 3 am patch/reboot time Microsoft uses. Also bear in mind that the Snort Skype Preprocessor became available just a few days prior. If some of the supernode sites Skype used installed this Skype blocker, it would have had a detrimental effect on Skype's overall performance. Interestingly enough, an updated version of Skype (3.5.0.214) was released around that time, too.
-http://isc.sans.org/diary.html?storyid=3292
-http://isc.sans.org/diary.html?storyid=3275
-https://developer.skype.com/WindowsSkype/ReleaseNotes
(Honan): This outage highlights two things: (a) if your company uses Skype, make sure your business continuity planning includes the impact of a Skype outage, and (b) the complex interdependencies of modern systems make it increasingly difficult to identify all possible risks against one application in isolation, resulting in us having to look at the bigger picture when securing applications and consider all other systems and applications it depends on.]

LIST OF UPCOMING FREE SANS WEBCASTS

Wednesday, 8/22/07 - WhatWorks in Log Management: Maximizing Logging ROI at Premier
Featuring: Alan Paller, Fred Rickabaugh, Jean Wilson, Dave Gratton and Ron McGinnis
-https://www.sans.org/webcasts/show.php?webcastid=91361
Sponsored By: SenSage

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
Featuring: Mike Alexenko, Michael Willett, and Bill Bosen
-https://www.sans.org/webcasts/show.php?webcastid=91216
Sponsored By: Seagate

Tuesday, 8/28/07 - Regaining Your Technical Edge: SANS Hacking for Managers Webcast
Featuring: Dr. Eric Cole
-https://www.sans.org/webcasts/show.php?webcastid=90891
Sponsored By: Core Security

Wednesday, 8/29/07 - What's New in Malware and Top 5 things Required for Total Protection
Featuring: Dave Shackleford and Brian Grayek
-https://www.sans.org/webcasts/show.php?webcastid=91301
Sponsored By: CA

Please be sure to check out the following Archived FREE SANS Webcasts:

8/15/07 - Internet Storm Center: Threat Update
Featuring: Johannes Ullrich and Anthony Alves
-https://www.sans.org/webcasts/show.php?webcastid=90811
Sponsored By: Core Security

8/9/07 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards
Featuring: Matthew Luallen
-https://www.sans.org/webcasts/show.php?webcastid=91356
Sponsored By: AirWave

8/1/07 - Host Based Intrusion Prevention (HIPS), what does it do for me?
Featuring: Patricia (Pat) Booth
-https://www.sans.org/webcasts/show.php?webcastid=91296
Sponsored By: CA



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/