SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #7
January 23, 2007
Two especially good stories this week in Top of the News. The first story, retracting last week's story about Australian Bankers lobbying to get consumers to take over the liability for online banking losses, illuminates how big this issue really is. It wouldn't have been reported originally if bankers were not looking for ways to shift liability to consumers. The quick retraction means banks have discovered they will have to eat the losses that are growing at 400% per year and already have reached at least $250 million per year. The good news there is that they may be forced to implement effective authentication. The other "good news" story this week is about New York's inoculation project. If you want to change people's behavior, New York showed that you need to allow them to "feel the pain," and you can do that by following New York's model.
Alan
PS If you know any C/C++ programmers who know how to write secure code, please ask them to email me at paller@sans.org. We seek their opinion on the draft rules and recommendations for secure C/C++ coding.
TOP OF THE NEWS
Australian Banks Not Lobbying ASIC for Customer LiabilityItalian Court: Downloading Music, Movies and Software OK if Not Profit Motivated
NY "Inoculates" Employees Against eMail-Borne Malware
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITYVermont Sec. of State Removes Links to Docs Containing SSNs
Israel's Interior Ministry Wants Investigation into Data Leak
SPYWARE, SPAM & PHISHING
Phishers Target Nordea Customers
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
European Consumer Groups Call for Apple to Provide iTunes Interoperability
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Storm eMails Hold Trojan
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thieves Targeted Thrift Savings Plan Participants
Stolen Computer Holds Info of KB Homes Site Visitors
STANDARDS & BEST PRACTICES
PCIDSS Compliance Products Require Diligence
MISCELLANEOUS
Can You Find Me Now? Good.
********************* Sponsored By Credant Technologies *****************
Best Practice for Controlling the Security of All Things Mobile Define encryption rules as simple or detailed as your environment dictates while delivering authentication; device detection, synchronization and application controls; reporting and auditing; and innovative, user friendly features. Go beyond older encryption methods and balance usability with security: Policy-based Intelligent Encryption. CREDANT Mobile Guardian datasheet.
http://www.sans.org/info/3041
*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses):
http://www.sans.org/sans2007/event.php
*************************************************************************
TOP OF THE NEWS
Australian Banks Not Lobbying ASIC for Customer Liability (22 January 2007)
The Australian Banking Association (ABA) is refuting allegations made in the media that they were lobbying the Australian Securities and Investment Commission (ASIC) to offload liability for Internet fraud from banks to consumers. In a statement, the ABA said the organization has not been lobbying ASIC and they do not "support moves to hand responsibility for Internet fraud over to the customer." ASIC recently called for submissions for review of the Electronic Funds Transfer Code of Conduct, particularly issues regarding liability for losses related to Internet fraud. ASIC corroborates the ABA statement, saying they are not aware of any lobbying efforts undertaken by ABA members regarding the issue.-http://www.computerworld.com.au/index.php/id;755873229;fp;16;fpid;1
Italian Court: Downloading Music, Movies and Software OK if Not Profit-Motivated (22 January 2007)
An Italian court has ruled that downloading is permissible if it is not motivated by profit. The ruling overturns the convictions of two former students who had set up a peer-to-peer network in 1994. Analysts observed that while downloading may no longer be illegal, the ruling does not decriminalize copyright violations.-http://www.msnbc.msn.com/id/16756121/
[Editor's Note (Pescatore): If downloading is motivated by avoiding paying for a product, that seems profit motivated to me. When I shoplift, I can get arrested even if they can't prove I intended to resell what I stole.
(Ranum): I see. I hope the Italian judges wouldn't mind if someone "borrowed" their stuff. As long as it's not profit-motivated, it's OK, right?
(Northcutt): Things are moving very fast on the intellectual property rights front in Europe, but I have to wonder if they truly understand the genie is not going back in the bottle one they let him out. Earlier Grefer reported
-http://www.lexexakt.de/eartikel.php?datname=neues/message0133.xml
On January 2, 2007 NewsBites carried a story on a landmark decision in France limiting the rights of copyright holders to track down pirates:
-http://www.iht.com/articles/2006/12/21/business/privacy.php
And Peter Giannoulis sent me this link saying that Pirates Cove wants to buy their own island so they can serve up copyrighted goods with impunity:
-http://www.thelocal.se/6076/20070112/]
NY "Inoculates" Employees Against eMail-Borne Malware (22 January 2007)
Will Pelgrin, New York State's chief information security officer (CISO), worked with AT&T and the SANS Institute to develop an "inoculation" program to protect state agency computer systems from malware infections. First, approximately 10,000 state agency employees received email messages alerting them to ongoing phishing activity and encouraging them to be aware of the risks of opening email from unknown users and clicking on links in unsolicited email. The next month, the employees were told that in keeping with a tightened security posture, all employees were required to have passwords. That was followed by an email that came from outside the network containing a link that if clicked on, would prompt users for their user IDs and passwords. The email contained some clues that it was not legitimate. If the users provided the requested information, they got a pop-up telling them they had failed the test and then were shown a video and given a 10-question exam. Eighty-three percent of the recipients did not fall for the scam. When a similar test was run two months later, that number rose to 92 percent.-http://www.gcn.com/print/26_2/42983-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Kreitner): This is an excellent example of good security management supported by a security metric that quantitatively measures actual progress toward a specific security goal, in this case a particular change in human behavior.
(Pescatore): A good effort as long as it is continuous. If they measure a month later, the number will likely drop quite a bit. If the process continues, they will likely find that the 11% improvement drops off quite a bit. ]
*************************** Sponsored Links: **************************
1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered security solution.
http://www.sans.org/info/3046
2) Gain total network visibility and secure your internal network. For simple, fast and cost-effective security, view this FREE demo at:
http://www.sans.org/info/3051
3) Stop malware - get the updated white paper from MX Logic. Click here!
http://www.sans.org/info/3056
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Vermont Sec. of State Removes Links to Docs Containing SSNs (19 January 2007)
Vermont Secretary of State Deborah Markowitz says her office has removed Internet links from its site that led to files containing individuals' Social Security numbers (SSNs). The move came following the revelation that certain commercial records contained SSNs, including that of an unnamed state legislator. A Vermont state law that took effect on July 1, 2006 directs state and local government agencies to redact SSNs from public records.-http://www.wcax.com/Global/story.asp?S=5965913&nav=menu183_2
-http://www.boston.com/news/local/vermont/articles/2007/01/19/state_web_site_a_ro
ad_map_for_identity_thieves/
[Editor's Note (Ranum): It is long past the time where SSNs should be kept secret. Basically, it's a 9-digit "password" and it's one you can't change and that is written down on post-it notes all over cyberspace. Here's a counterintuitive idea to deal with the SSN issue: announce that on April 1st they are all going to be published, and any organization that is still relying on SSN as any form of authenticator is liable for ensuing damages that result from their doing so. Then publish them all. If they had to foot the bill for failure, you'd be amazed at how quickly everyone would scramble and come up with a plethora of new, different, and incompatible (exactly what we need!) ways to authenticate users, customers, and patients. ]
Israel's Interior Ministry Wants Investigation into Data Leak (16 January 2007)
Israel's Interior Ministry has called for an investigation into how sensitive personal information of all Israeli citizens was leaked to the Internet. Citizens could be at risk of identity fraud. The leaked data include addresses of government and security officials. The Interior Ministry says the information was leaked some time after it was given to political parties running for the Knesset.-http://www.jpost.com/servlet/Satellite?cid=1167467740937&pagename=JPost%2FJP
Article%2FShowFull
[Editor's Note (Schultz): The story on jpost.com says that passing the population registry data on to the political parties running in elections is required by Israeli law. This law may have been appropriate at one point in time, but given the greatly elevated risk of identity fraud over the last few years, perhaps Israeli legislators should now consider repealing this law or, if not, requiring suitable protection of the data.
(Shpantzer): For those in Tehran/Damascus/Moscow/Beijing/Paris and other places monitoring Israeli open sources for intelligence, this could prove more valuable than traditional spying like signal intercepts of IDF commanders. This treasure trove may help bring ID theft to the level of a strategic weapon, depending on the level of detail in the leaked identities of the entire citizenry of this tiny country of 7 million people ]
SPYWARE, SPAM & PHISHING
Phishers Target Nordea Customers (22 & 19 January 2007)
Phishers have stolen roughly 900,000 Euros (US $1.1 million) from Nordea, a bank based in Sweden. The phishers used a Trojan horse program known as haxdoor.ki to steal funds from the accounts of at least 250 Nordea customers. More than 120 individuals are under investigation for alleged involvement in the scheme. Nordea plans to compensate its customers for their losses.-http://www.theregister.co.uk/2007/01/19/phishers_attack_nordea/print.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single7657
-http://news.bbc.co.uk/1/hi/business/6279561.stm
[Editor's Note (Schultz): To clear up any confusion, TSP should instead have said that although some customer accounts were breached, no evidence of unauthorized access to the system itself exists.
(Northcutt): Haxdoor.ki has been creating havoc since August 2006. It is fully rootkit capable, so not all anti-virus can detect it. The worst problem is that the payload can be given a command by the handler to destroy all of the infected systems to cover his tracks. I had thought it usually spreads as an email attachment, so the world has some more inoculating to do. However, in this case it appears to be spreading through spear phishing where the bogus email looks like it is from Nordea telling customers to download a new anti-spam program. The best writeup on haxdoor.ki is F-Secure's:
-http://www.f-secure.com/v-descs/haxdoor_ki.shtml]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
European Consumer Groups Call for Apple to Provide iTunes Interoperability (22 January 2007)
Groups in France and Germany are lending their voices to a call begun by Scandinavian countries urging Apple to "make its iTunes online store compatible with digital music players made by rival companies." As it stands now, music files bought through iTunes play only on Apple hardware and iPods cannot play copyright protected music purchased from other sources. Norway, Sweden and Denmark have maintained that Apple is "violating contract and copyright law in their countries." Apple could face legal action in Norway if changes are not made by September 2007. Interestingly, a French law that went into effect in August 2006 "allows regulators to force Apple to make its iPod player and iTunes store compatible with rival offerings."-http://www.msnbc.msn.com/id/16754095/
[Editor's Note (Shpantzer): Harvard Law School's Digital Media Project wrote a paper on iTunes and its impact on the music industry in 2004, addressing some of these same issues.
-http://cyber.law.harvard.edu/media/itunes
is the site for that project's iTunes page and the paper is here:
-http://cyber.law.harvard.edu/media/uploads/81/iTunesWhitePaper0604.pdf]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Storm eMails Hold Trojan (22 & 19 January 2007)
Malware is spreading under the guise of information about the storms that have been ravaging Europe. Computer users are urged not to open unexpected email attachments. This particular piece of malware is a Trojan horse program dubbed Small.DAM; when users click on the attachment, a backdoor is placed on their PCs. Detected attachment names include Full Clip.exe, Full Story .exe, Read More.exe and Video.exe.-http://news.bbc.co.uk/2/hi/technology/6278079.stm
-http://www.theregister.co.uk/2007/01/19/trojan_storm/print.html
-http://www.informationweek.com/showArticle.jhtml?articleID=196902579&cid=RSS
feed_TechWeb
[Editor's Note (Liston): Why, oh why does this stuff still continue to work? On a Darwinian level, perhaps we're getting to the point now where if you fall for an email-borne "click on me" virus, your computer should just be taken away... ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thieves Targeted Thrift Savings Plan Participants (19 January 2007)
Attackers surreptitiously placed keystroke loggers on the computers of some Thrift Savings Plan (TSP) participants and used the information they gathered to steal about US $35,000. TSP is a retirement and investment savings plan for federal employees. The attackers withdrew funds from approximately two dozen accounts and used electronic fund transfers to forward the money to other accounts. TSP says their system has not been breached, but it has suspended electronic fund transfers.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9008619
[Editor's Note (Pescatore): This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats. (Honan): "TSP says their system has not been breached, but it has suspended electronic fund transfers." Hmm, the often cited three pillars of computer security are confidentiality, integrity and availability. As a result of this incident the availability of electronic fund transfers has been impacted, so if it walks like a breach, looks like a breach and talks like a breach, then .... ]
Stolen Computer Holds Info of KB Homes Site Visitors (18 January 2007)
A computer stolen from a KB Home builder's sales office holds personally identifiable customer information. The company has sent letters to 2,700 individuals notifying them of the incident. The computer was stolen from the locked Charleston, SC office on December 30, 2006. The company believes the data belong only to people who visited the sales office at Foxbank Plantation and had provided their SSNs to pre-qualify for loans.-http://www.thestate.com/mld/thestate/business/16485189.htm
[Editor's Note (Liston): Its frightening to think of the number of goofy places where people's personal information is stored. The digital age creates opportunities for the bad guys far faster than we can develop the means to control them. ]
STANDARDS & BEST PRACTICES
PCIDSS Compliance Products Require Diligence (22 January 2007)
The appearance of "a number of merchant retail solutions that address[the Payment Card Industry Data Security Standard ]
compliance" has prompted one PCIDSS auditor to warn companies that simply purchasing these approved products does not ensure compliance with the standard. The auditor notes that organizations need to be cognizant not only of how they implement the solution, but of how they "manage and maintain those systems." Companies found not to be in compliance with PCIDSS could face stiff fines.
-http://www.computerworld.com.au/index.php/id;962716575;fp;16;fpid;1
[Editor's Note (Pescatore): There are payment applications and card processing/handling systems that are validated against the PCI Payment Applications Best Practices, but security products are not. The PCI DSS standards and assessment process are pretty clear on this, and recent clarifications make it pretty clear that merchants are still responsible for protecting customer data whether they use those products or approved service providers.
(Ranum): This is one of the few bits of news I've seen in NewsBites in the last few years that actually cheers me up. The idea that it's not just enough to simply OWN a doo-dad - that you have to UNDERSTAND how it WORKS! Wow! Maybe security is maturing, after all...
(Honan): The auditor Mr. Drazic is highlighting a common problem with many security implementations. Security is not solely about a technical solution or product, but more so on how that product and technology is integrated within a comprehensive security program involving people, policies, processes and technology. Too often companies treat information security as a technical problem and therefore apply technical solutions rather than treating information security as a business issue.
(Liston): Unfortunately PCIDSS compliance, as evidenced by the stories about Nordea and TSP, is only half the battle. Locking down merchants is great, but only shifts the battleground to the consumer's PC. Even if we deny them the "big score" by locking down the basket containing *all* the eggs, the Nordea story clearly shows that there is still a lot of profit to be had by hanging out with the chickens. ]
MISCELLANEOUS
Can You Find Me Now? Good. (19 January 2007)
Three people stole what they thought were mobile phones from cars in the parking lot of the Town of Babylon Public Works in Lindenhurst, NY. Police quickly tracked down the thieves who had in fact stolen GPS systems with features that enabled them to be located by other GPS units.-http://www.theregister.co.uk/2007/01/19/gps_thieves_busted/print.html
-http://tomshardware.co.uk/2007/01/19/stolen_gps/
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/