Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #70

September 04, 2007


(1) Today is the last day for the special hotel room rate (including high speed Internet access) in Las Vegas for SANS Network Security 2007.
http://www.sans.org/ns2007
(2) And the December (11-18) Washington DC training conference, called SANS Cyber Defense Initiative, just opened for registration.
http://www.sans.org/cdi07/

TOP OF THE NEWS

US Says June Attack on Pentagon Networks Came From China
US May Invoke State Secrets Privilege to Halt SWIFT Lawsuit
Germany Wants Permission to Use Spyware on Terror Suspects
Sony Acknowledges Worrisome Software on USB Drives

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Says He Was Fired for Reporting Data Theft to Police
Former Health Clinic Employee Convicted on Hacking Charges
POLICY & LEGISLATION
Calif. Bill Would Place Burden of Breach Costs on Retailers
SPYWARE, SPAM & PHISHING
New Zealand Anti-Spam Law Takes Effect September 5
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Bank of India Website Attacked; Visitors PCs Infected With Malware
ISC Terminates Support for BIND8, Says Upgrade to BIND9
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Johns Hopkins Hospital Computer Holds Patient Data
STATISTICS, STUDIES & SURVEYS
Study Says Mobile Users Present More Security Problems
MISCELLANEOUS
A Call For Irish Breach Notification Laws
Hard Drive Sold on eBay Holds Arkansas Dem. Party Data
LIST OF UPCOMING FREE SANS WEBCASTS


*********************** Sponsored By SPI Dynamics **********************

ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step"- White Paper It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems!
Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.sans.org/info/15406

*************************************************************************

TRAINING UPDATE
The BIGGEST security event of the fall is SANS Network Security 2007 (September 22-30) in Las Vegas with more than 40 courses and wonderful evening sessions and a big vendor exposition. It brings you the top rated teachers in cybersecurity in the world, teaching the most up to date, hands-on courses.
How good are the courses? Here's what past attendees said:
"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
Registration information:
London: http://www.sans.org/london07/

*************************************************************************

TOP OF THE NEWS

US Says June Attack on Pentagon Networks Came From China (September 3, 2007)

US government officials are acknowledging that the Chinese military launched a cyber attack on US military computers in June of this year. Portions of a computer system used by defense secretary Robert Gates's office were shut down in response to the attack. Officials are indicating that China's People's Liberation Army is behind the attack. An investigation into the data downloaded during the attack is ongoing.
-http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html
[Editor's Note (Ullrich): Sadly, neither the fact that China is attacking US government systems, nor that they succeeded in penetrating them is a big surprise. To me, news releases like this always sound like sad cries for help.]

US May Invoke State Secrets Privilege to Halt SWIFT Lawsuit (August 31, 2007)

Evidence is pointing to the likelihood that the US government will invoke the state secrets privilege to prevent a lawsuit against Belgium-based international banking consortium SWIFT from moving forward. For the state secrets privilege to be successfully invoked, both the US attorney general and the director of intelligence must certify that to proceed with a case would threaten national security;t he Bush administration says their involvement with SWIFT is a valuable asset in the war on terror. SWIFT allegedly provided the US government with millions of transaction records. Two US customers filed the lawsuit against SWIFT alleging invasion of privacy.
-http://iht.com/articles/2007/08/31/america/swift.php

Germany Wants Permission to Use Spyware on Terror Suspects (August 30 & 31 & September 3, 2007)

The German government's plan to infect terror suspects' computers with Trojan horse programs has met with resounding criticism from defenders of civil liberties. The government is seeking approval for the tactics as part of an anti-terrorism bill. The government wants to send email messages to the suspects that cause their computers to become compromised, allowing the government to monitor their communications. German Interior Minister Wolfgang Schauble says the spyware's use would be limited. Proponents maintain the emails containing the Trojan will be tailored to each suspect and the malware will search for specific data. Opponents say they do not think spyware can operate that specifically and that for the government to misrepresent itself by sending email that appears to come from a different entity is not allowed.
-http://www.theregister.co.uk/2007/09/03/german_trojan_plan/print.html
-http://news.bbc.co.uk/2/hi/europe/6973018.stm
-http://www.spiegel.de/international/germany/0,1518,502955,00.html

Sony Acknowledges Worrisome Software on USB Drives (September 3, 2007)

Sony has acknowledged a recently disclosed security problem with several of its USB drives. The drives contain software that installs hidden directories on users' computers, which could allow attackers access to those computers. Sony says it will have a fix available in the next two weeks. All models of the affected USB drives have been discontinued. The software was developed with the intention of "cloaking sensitive files related to the fingerprint verification feature included on the USB drives." Sony is investigating the issue.
-http://news.bbc.co.uk/2/hi/technology/6975838.stm


*********************** Sponsored Links: ******************************

1) Free Webcast: Meeting the Challenges of Energy Industry Regulations including NERC and FERC.
http://www.sans.org/info/15411

2) Calling CSO and CISOs- Win a Wii and participate in the 2007 Web Security Leadership Survey
http://www.sans.org/info/15416

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Says He Was Fired for Reporting Data Theft to Police (September 1, 2007)

Steven Shields has filed a wrongful termination lawsuit against Providence Health System. Shields was fired from his job after a thief broke into his car and stole computer disks and digital tape holding personally identifiable information of approximately 365,000 Providence patients. Shields maintains he was fired because he notified police of the theft. Providence Health System notified affected patients of the breach three weeks after the theft, which occurred in late December 2005. Providence paid out US $95,000 in a class action lawsuit filed in response to the breach.
-http://www.wweek.com/wwire/?p=9179

Former Health Clinic Employee Convicted on Hacking Charges (August 27, 2007)

A federal jury has convicted Jon Paul Olson of intentionally damaging protected computers. Olson left his job at the Council of Community Health Clinics (CCC) in San Diego after he received what he believed to be a negative performance evaluation. Several months after his resignation, Olson deleted patient data that belonged to the North County Health Services (NCHS) clinic, causing financial losses at both CCC and NCHS. Olson had worked for CCC as a network engineer and technical services manager.
-http://sandiego.fbi.gov/dojpressrel/pressrel07/sd082707.htm
[Editor's Note (Northcutt): You can't be too careful when releasing an employee that had technical access, let's look at some similar cases:
-http://www.securityinfowatch.com/online/Cabling--and--Connectivity/Medica-Health
-Plan-Alleges-t

-http://www.jsonline.com/story/index.aspx?id=337260
-http://seattlepi.nwsource.com/local/180654_hacking03.html
-http://www.infosecwriters.com/text_resources/pdf/Disgruntled_employees_DMorrill.
pdf

-http://news.zdnet.co.uk/itmanagement/0,1000000308,39164364,00.htm
And on and on it goes, don't let your organization add to these news stories.
(Honan): It is good practice for IT and security managers to ask the HR department to ensure they are made aware of any negative performance reviews, particularly with regards to employees who have administrator type access to systems or access to sensitive information. ]

POLICY & LEGISLATION

Calif. Bill Would Place Burden of Breach Costs on Retailers (August 31, 2007)

California's state Senate Appropriation Committee last week approved a measure that would require retailers to bear responsibility for costs incurred by banks and credit unions as a result of data breaches. The State Assembly approved the Consumer Data Protection Act (AB 779) in June by a vote of 58-2. Retailers have been actively lobbying legislators to vote against the bill. The bill is expected to go before the full Senate in about a week. If it is approved, it will then go to Governor Schwarzenegger. Under the bill, retailers would reimburse banks and credit unions for the costs of notifying customers of data breaches and issuing new cards. Retailers would also be required to employ strong data protection measures surrounding credit card information. Retailers would also have to provide details about breaches, including precisely what type of information was compromised.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9034000&intsrc=news_ts_head

[Editor's Note (Ullrich): The credit card system was designed by banks to be easy to use, not to be secure. Asking retailers to pay up for these design decisions seems like the wrong way to fix the problem. ]

SPYWARE, SPAM & PHISHING

New Zealand Anti-Spam Law Takes Effect September 5 (September 1, 2007)

Businesses in New Zealand are scrambling to obtain consumers' permission to send commercial email before a new anti-spam law takes effect on Wednesday, September 5. The Unsolicited Commercial Messages Act prohibits the sending of spam messages through texting or email without the recipient's consent. Companies may choose to obtain consent either through direct communication or through inference of a pre-established relationship that permitted the messages to be sent. Companies are not permitted to send opt-out emails and assume that no response indicates consent to receive the messages. Companies are encouraged to obtain express consent to avoid misunderstandings. All messages must contain clear instructions for unsubscribe procedures. Companies violating the new law could face penalties of A$500,000 (US $412,000); individuals could be fined up to A$200,000 (US $165,000).
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10461094&pnu
m=0

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Bank of India Website Attacked; Visitors PCs Infected With Malware (August 31 & September 1 & 3, 2007)

The Bank of India shuttered its website early on Friday, August 31 to address the fact that a malicious iframe was directing users to sites where approximately 30 pieces of malware were being downloaded to their computers. The Bank of India site has been cleaned and is back up and running. Researchers believe the malware was planted by the Russian Business Network, a group known for its criminal Internet activity. The malware includes Trojans that steal sensitive data and upload them to an FTP server in Russia. The malicious iframe exploited a known vulnerability in Microsoft Windows 2003.
-http://www.scmagazine.com/us/news/article/734987/exploited-bank-india-website-do
wnloads-malware/

-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62031723-39000005c
-http://www.theregister.co.uk/2007/09/01/bank_of_india_website_takeover/print.htm
l

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9033999&source=rss_topic17

ISC Terminates Support for BIND8, Says Upgrade to BIND9 (August 31, 2007)

ISC has announced that it will no longer support BIND8 DNS Server following the disclosure of a cache poisoning vulnerability in BIND8's random number generator. The problem allows attackers to predict transaction IDs with great accuracy. Attackers could then poison caches with manipulated IP addresses. A patch has been released that addresses the random number generator flaw, but "developers have acknowledged that BIND8 is struggling with fundamental architectural problems" and recommend that users upgrade to BIND9 or turn off DNS service.
-http://www.heise-security.co.uk/news/95237
-http://www.kb.cert.org/vuls/id/927905
-http://www.isc.org/sw/bind/stoprunningbind8.txt

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Johns Hopkins Hospital Computer Holds Patient Data (September & 3, 2007)

Johns Hopkins Hospital waited five weeks to inform patients that their personally identifiable information was on a desktop computer stolen from an administrative work area. The computer was stolen on July 15, 2007, but the 5,783 people affected by the data security breach were not notified until August 24. The data include names, Social Security numbers (SSNs), and medical histories. Evidence gathered from a surveillance camera suggests a Hopkins employee and an on-site vendor employee may be involved in the incident. Families of the 1,202 patients who are now deceased are also being notified. The data were neither encrypted nor password protected.
-http://www.baltimoresun.com/news/health/bal-te.theft01sep01,0,6558465,print.stor
y

STATISTICS, STUDIES & SURVEYS

Study Says Mobile Users Present More Security Problems (August 1, 2007)

A report from Trend Micro says the more mobile an employee is, the greater the likelihood that he or she will engage in Internet behavior that poses a threat to the company's network. Fifty-eight percent of US respondents who have Internet access outside of work have used webmail to send confidential information. Similar results were obtained from workers in Europe and Japan. In addition, respondents from Germany, the US and the UK say they have visited social websites and downloaded files, including movies, through their companies' networks.
-http://www.enterprisenetworkingplanet.com/netsecur/article.php/3697536
[Editor's Note (Grefer): Given that most email still is sent unencrypted, confidentiality quite often is compromised no matter whether webmail is used or an SMTP-capable POP3 or IMAP client or a text-based mail client on a server. ]

MISCELLANEOUS

A Call For Irish Breach Notification Laws (August 31, 2007)

Brian Honan, who is organizing Global Security Week, will call on the Irish government to establish laws that would require organizations to notify individuals in the event their personal information is compromised in a data security breach. Honan points out that while there are laws requiring organizations to have data protection measures in place, they are not required to inform consumers when their data have been breached.
-http://www.tmcnet.com/usubmit/2007/08/31/2901198.htm

Hard Drive Sold on eBay Holds Arkansas Dem. Party Data (August 30 & 31, 2007)

A hard drive purchased for US $69 on eBay was found to contain confidential information belonging to the Arkansas Democratic Party. The unencrypted data include cell phone numbers of party donors and members of the state's congressional delegation. Arkansas Democratic Party director Bruce Sinclair apparently dropped his computer and sought help from David Qualls, who is currently a lead programmer and analyst for the Arkansas Department of Information Systems. When Qualls's attempt to re-image the drive proved unsuccessful, he was allowed to keep the drive. Then while Qualls was away on National Guard duty, he maintains his wife offered the drive on eBay, believing it to be new.
-http://www.theregister.co.uk/2007/08/30/governors_data_sold_on_ebay/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9034001&source=rss_topic17

[Editor's Note (Ullrich): Hard drives are not "broken" until they look broken. As a national guard member, he should have access to the necessary tools to ensure destruction of the data. ]

LIST OF UPCOMING FREE SANS WEBCASTS

sk the Expert Webcast: Lose Your Laptop - Keep the Data: Top 10 Mobile Security Issues
-http://www.sans.org/info/15046
WHEN: Wednesday, September 5, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Mark Jordan and Dr. Eric Cole
Sponsored By: Sybase

Mobile computing relies on laptop computers, which are extremely vulnerable to being physically stolen, as well as to network intrusions via wireless card. Because of their portability and widespread use, this presentation focuses on encryption and information security solutions for laptop computers.

Ask The Expert Webcast: Security Tools Landscape plus Top 10 UNIX Shell Tricks to Review Your Web Logs
-http://www.sans.org/info/15056
WHEN: Thursday, September 6, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Danny Allen
Sponsored By: Watchfire

While web sites streamline access to information, they are vulnerable-potentially exposing critical corporate information and customer data, or otherwise compromising enterprise IT. Online security breaches can lead to a number of damaging consequences. To avoid these types of situations you must understand the Security Tools Landscape.

Internet Storm Center: Threat Update
-http://www.sans.org/info/15096
WHEN: Wednesday, September 12, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark
-http://www.sans.org/info/15066
Sponsored By: Seagate Technology

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing SeagateR DriveTrustT against a software-based approach.

Ask the Expert Webcast: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
-http://www.sans.org/info/15076
Sponsored By: Secure Computing

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Ask the Expert Webcast: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/15126
Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/