SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #68

August 28, 2007


Question for NewsBites readers: have you any experience with data leakage tools? One important part of the upcoming National Workshop on Data Leakage will highlight the tools that actually work and will illuminate the challenges users faced in implementing enterprise laptop encryption programs. We are including in this summit the database security and monitoring tools and backup protection as well as tools more commonly known as data leakage protection tools. If you have assessed these products, developed criteria for assessment, implemented one or more or have other reasons to be familiar with them, please let us know so we can talk with you about your experiences. Email apaller@sans.org with the subject "leakage". If you have not already implemented a comprehensive data leakage program and want an invitation to the upcoming workshop, email apaller@sans.org with the subject "data leakage workshop".

Alan

TOP OF THE NEWS

FTC Complaint Targets Company Behind the Spam
Judge Dismisses Proposed Class Action Lawsuit in Data Breach Case
Government Needs Metrics to Prove ROI for Security Investments

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
China Denies Involvement with German Government Computer Hacking
POLICY & LEGISLATION
New Zealand Gets Draft Breach Notification Guidelines
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
35,000 Veterans' Data Stolen
Oklahoma Law Enforcement Database Breached
Cable & Wireless Customer Data on Stolen Laptop
STANDARDS & BEST PRACTICES
Security Manager's Journal: Data Security Prevails Over Mobility
STATISTICS, STUDIES & SURVEYS
Federal CISOs Don't Think Telecommuting is Security Risk
MISCELLANEOUS
Teen Unshackles iPhone From AT&T
LIST OF UPCOMING FREE SANS WEBCASTS


******************* Sponsored By Centrify Corporation *******************

IT auditors: PCI, SOX, and HIPAA mandate that you collect audit trails of user activity on key systems. This whitepaper shows how you can implement detailed, centralized logging of user sessions: commands typed, changes made, and all output displayed. Flexible querying and reporting help you create activity reports by user, system, specific commands, or other criteria.

http://www.sans.org/info/14776

*************************************************************************

TRAINING UPDATE
The BIGGEST security event of the fall is SANS Network Security 2007 (September 22-30) in Las Vegas, with more than 40 courses, wonderful evening sessions, and a big vendor exposition. It brings you the top-rated teachers in cybersecurity in the world, teaching the most up-to-date, hands-on courses.
How good are the courses? Here's what past attendees said:
"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS superknowledge. Worth the price!!" (Carlos Fragoso, CESCA)
Registration information:
http://www.sans.org/ns2007/

*************************************************************************

TOP OF THE NEWS

FTC Complaint Targets Company Behind the Spam (August 27, 2007)

A judge has granted a temporary restraining order to stop Sili Neutraceuticals and its owner Brian McDaid from sending spam messages advertising herbal weight-loss pills. The order was granted following a complaint from the US Federal Trade Commission (FTC). The FTC's move is being applauded because the FTC is targeting the company that pays for the spam to be sent; most other cases target the company sending the unsolicited marketing email. A hearing is scheduled for August 27 at which time a judge will determine whether or not the company's assets should be frozen until the FTC investigation is complete.
-http://www.securecomputing.net.au/news/90644,ftc-files-complaint-against-weightloss-pill-spammer.aspx

Judge Dismisses Proposed Class Action Lawsuit in Data Breach Case (August 23, 24, & 27, 2007)

A US Federal Court of Appeals has dismissed a proposed class action lawsuit against Old National Bancorp. The judge ruled that people whose data were compromised in a breach at Old National Bancorp could not file a class action lawsuit because they "did not allege any completed direct financial loss to their accounts as a result of the breach, ... nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach." Under Indiana law, damage claims require actual damages and may not be filed based on speculative damages.
-http://arstechnica.com/news.ars/post/20070827-identity-theft-alone-not-enough-for-class-action-lawsuit.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032778&pageNumber=1

-http://blog.wired.com/27bstroke6/2007/08/federal-court-s.html
-http://blog.wired.com/27bstroke6/files/5W1FFXPR.pdf
[Editor's Note (Pescatore): Gee, that's an odd idea: requiring actual damage in order to file a damage claim? I know using the class action lawsuit monster is a common way of trying to drive security spending (just as downstream liability once was) but the actual hard costs of dealing with a disclosure episode are high enough that security managers (and vendor marketing) are better off avoiding the Chicken Little hyperbole. ]

Government Needs Metrics to Prove ROI for Security Investments (August 27, 2007)

According to former Pentagon officials, it is difficult to obtain adequate funding for Defense Department information assurance programs. Despite the increasing frequency of attacks on government networks, those seeking funding for information security projects are hard pressed to demonstrate how the funds they request will produce a positive return on investment (ROI). Former Deputy Assistant Secretary for Defense for Networks and Information Integration Linton Wells sees the need for improved metrics to help prove return on investment for information assurance projects, because the value of the programs appears to be demonstrated only in times of crisis.
-http://www.fcw.com/article103584-08-27-07-Print&printLayout
[Editor's Note (Northcutt): The single biggest issue expressed by people with security management responsibility seems to be, "how do I reach the truly senior managers with the purse strings to get more money?" I am not personally convinced that more money would help in a number of cases; we tend to misspend security money as often as not. By the way, if you are in the business of selling to the government, the article is a must read if only for the names of key people it includes. ]


*********************** Sponsored Links: ******************************

1) ALERT: "How a Hacker Launches an XPATH Injection Attack!" - SPI Dynamics White Paper
http://www.sans.org/info/14781

2) Free Webcast: Meeting the Challenge of Multiple Compliance Mandates In Government from FISMA to NIST.
http://www.sans.org/info/14786

3) SAVE BIG! Get 30% off upcoming courses via SANS. OnDemand AUD507, AUD411, SEC550, and many more. Contact: ondemand@sans.org

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

China Denies Involvement with German Government Computer Hacking (August 27, 2007)

China will cooperate with Germany to discover the source of Trojan horse programs found on German government computers. A report in Der Spiegel last week claimed the malware had been placed on the computers by Chinese hackers. The article maintains the attacks can be traced back to China's People's Liberation Army, but Chinese authorities have denied allegations that their country is behind the attacks, which involved the thwarted transfer of 160 gigabytes of data. Trojans were first detected on the computers in May, and "there have been continued attempts to sneak spyware onto government computers" since then.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032898&source=rss_topic17
-http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece
-http://www.zdnet.com.au/news/security/soa/China-assures-Germany-of-hacking-opposition/0,130061744,339281533,00.htm

POLICY & LEGISLATION

New Zealand Gets Draft Breach Notification Guidelines (August 26 & 27, 2007)

New Zealand Privacy Commissioner Marie Shroff has released voluntary guidelines to help organizations manage the aftermath of data security breaches. Public submissions on the draft guidelines will be accepted through September 28, 2007. While New Zealand law does not require that consumers be notified of data security breaches, the country's Privacy Act requires that organizations storing personal information take reasonable steps to secure those data. Shroff pointed out that breach notification is law in 30 US states and certain Canadian provinces; she may consider recommending that notification become law in New Zealand. The draft guidelines suggest notifying affected consumers of breaches of their personal data that pose a risk of potential harm. The guidelines break breach management into four parts: containment and assessment; risk evaluation; determination of whether notification is appropriate; and establishment of preventive measures.
-http://lawfuel.com/show-release.asp?ID=14532
-http://computerworld.co.nz/news.nsf/scrt/55C4F59E7E9F94A3CC257340007E7D52

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

35,000 Veterans' Data Stolen (August 26, 2007)

Computer hard drives and paper files stolen from a POW support organization in Arlington, Texas contain personally identifiable information of approximately 35,000 US veterans and their families. The organization, American Ex-Prisoners of War, plans to notify affected members in a mailing. The theft occurred during the weekend of August 11-12. The data include addresses, dates of birth and Social Security numbers (SSNs). The Department of Veterans Affairs (VA) is participating in the investigation that includes the POW organization and law enforcement authorities.
-http://www.estripes.com/article.asp?section=104&article=55899&archive=true

Oklahoma Law Enforcement Database Breached (August 25, 2007)

The Oklahoma state Department of Public Safety says that cyber intruders gained unauthorized access to three state law enforcement agency computer systems. The breaches reportedly affect the Elk City and Eufaula police departments and the Kiowa County Sheriff Department. Details of the breaches remain sparse as the investigation is ongoing. The law enforcement agencies will notify those they believe to be affected by the breaches. "The breach involved information used by the Oklahoma Law Enforcement Telecommunications System, a statewide computer network used by dispatchers to obtain instant access to all types of ... law enforcement databases." The breach involves malware that may have caused information viewed on computer screens to be sent to a third party. The malware reportedly made its way onto the computers when state employees visited "inappropriate or undesirable websites." The computers had been allowed unrestricted Internet access. Since the breach was discovered, Internet access has been severely limited.
-http://newsok.com/article/3110406/1187986334

Cable & Wireless Customer Data on Stolen Laptop (August 22, 2007)

A former Cable & Wireless employee allegedly stole a laptop computer that holds personally identifiable information about approximately 100,000 of the UK company's customers. The former employee is being enjoined from using the data, and C&W is seeking GBP 300,000 (US $602,400) in damages from her. Seemab Zafar allegedly went on a business trip to Pakistan in 2005 on behalf of C&W, but did not return to work as scheduled and was fired.
-http://www.contractoruk.com/news/003412.html
[Editor's Note (Schultz): Statistics I have seen show that a far greater percentage of laptop thefts are perpetrated by outsiders than information security and IT professionals might suspect. (Honan and Grefer): According to a May article on the BBC website, some of the information in the stolen database has been used to defraud customers.
-http://news.bbc.co.uk/2/hi/business/6693307.stm ]

STANDARDS & BEST PRACTICES

Security Manager's Journal: Data Security Prevails Over Mobility (August 27, 2007)

The pseudonymous author of Computerworld's Security Manager's Journal describes how she had to tell a program manager that his group could not have its wireless laptops, because their security was not adequate to protect data that must be protected under the Health Insurance Portability and Accountability Act (HIPAA). While the program manager, on being informed of the decision, expressed frustration that the laptops had to be used in the office and connected directly to the network to receive security updates, the security manager insisted on placing data security over worker mobility.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=300758&source=rss_topic17

[Editor's Note (Pescatore): There are many, many ways to allow secure mobility. Every one of them comes with a cost, but that's what IT spending is supposed to be for - helping the business do business. It's one thing if the funds don't get approved - then drop back to the old restrictions. But saying "Sorry, the only way to do it is the way we were doing it 2 years ago" is a losing strategy. (Schultz): After reading this article, I was dismayed because whoever this security manager is did not appear to carefully weigh the potential business benefits of having wireless laptops against the risks. Effective information security practices do not simply focus on risks--they measure costs versus benefits. Security for security's sake is a losing proposition. ]

STATISTICS, STUDIES & SURVEYS

Federal CISOs Don't Think Telecommuting is Security Risk (August 27, 2007)

According to a survey, 94 percent of US government CISOs (chief information security officers) do not perceive telecommuting to be a security threat, but approximately two-thirds say that they give top priority to making sure their mobile devices are secure. Eighty-three percent of CISOs say laptop use has increased since last year; 17 percent of respondents said laptops account for half of their agencies' computers. Eighty-three percent of those responding said telecommuting and mobile commuting have no effect on their ability to comply with the Federal Information Security Management Act (FISMA).
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201802462
-http://www.teleworkexchange.com/cisostudy/CISO-Release-08-27-07.pdf
[Editor's Note (Liston): All I can say is... wow! This is the same crew that is (in another article in this NewsBites) looking for "metrics" for security ROI. Perhaps, rather than spending time in that hybrid of fiction and mathematics I like to call "rectally generated numerics," they should spend some time understanding what security is really about. If they truly believe that telecommuting has no security implications, then they truly don't get it. ]

MISCELLANEOUS

Teen Unshackles iPhone From AT&T (August 25, 2007)

A teenager has successfully unlocked the iPhone to allow it to be used on networks other than AT&T's. The teen managed to get his particular phone to work on the T-Mobile network. Other people have used another method to enable the phone to be used on networks overseas. The teenager says he does not want his discovery to be used to make money; he says he worked in collaboration with four other people to develop his method.
-http://news.bbc.co.uk/2/hi/technology/6963696.stm
[Editor's Note (Northcutt): This is a hardware hack "heard around the world." Even my mom and my real estate agent have heard of this. According to some of the articles on this topic, the hack is not illegal (yet). ]

LIST OF UPCOMING FREE SANS WEBCASTS

Ask The Expert Webcast: Regaining Your Technical Edge: SANS Hacking for Managers Webcast
-http://www.sans.org/info/14681
WHEN: Tuesday, August 28, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
Sponsored By: Core Security
-http://www.coresecurity.com/

Managers are responsible for making sure their organizations are secure. However, they are at a disadvantage since they are not technical and, in some cases, are blindly trusting that the technical staff is doing the correct things. Knowing the right questions to ask is a key part of validation, but there is still a chance they are not getting the complete answer. Therefore a manager still needs to be able to verify the information they receive. As scary as it might sound, there are situations where a manager would need to be able to do limited hacking/penetration testing as one way of validating this information.

Ask The Expert Webcast: What's New in Malware and Top 5 things Required for Total Protection
-http://www.sans.org/info/14691
WHEN: Wednesday, August 29, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Brian Grayek
Sponsored By: CA
-http://www.ca.com/worldwide/

Over the past several years, malware has evolved from relatively simple viruses and worms to complex and distributed software with Trojan capabilities. Today we are faced with sophisticated bots, worms that can update themselves dynamically, and a significant increase in the types of platforms affected. In this webcast, you will learn of the latest types of malware threats in the wild, with several recent examples.

Ask the Expert Webcast: "Lose Your Laptop - Keep the Data: Top 10 Mobile Security Issues"
-http://www.sans.org/info/14701
WHEN: Wednesday, September 5, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Mark Jordan and Dr. Eric Cole
Sponsored By: Sybase
-http://www.sybase.com/

Mobile computing relies on laptop computers, which are extremely vulnerable to being physically stolen, as well as to network intrusions via the wireless card. Because of laptops' portability and widespread use, this presentation focuses on encryption and information security solutions for them.

Ask The Expert Webcast: Security Tools Landscape plus Top 10 UNIX Shell Tricks to Review Your Web Logs
-http://www.sans.org/info/14746
WHEN: Thursday, September 6, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Danny Allen
Sponsored By: Watchfire
-http://www.watchfire.com/

While Web sites streamline access to information, they are vulnerable, potentially exposing critical corporate information and customer data, or otherwise compromising enterprise IT. Online security breaches can lead to a number of damaging consequences. To avert these types of situations you must first understand the security landscape.



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/