SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #94

November 30, 2007

TOP OF THE NEWS

SANS Top 20: Attackers Now Look to Web Apps and Social Engineering
Government Contract Hopefuls Must Establish and Enforce Code of Ethics
Fifth Third Bank No Stranger to Merchant Data Security Compliance Fines

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Authorities Question Suspect in Bot-Herder Crackdown
Former Employee Charged with Unauthorized Access to SCADA System
Certegy Employee Pleads Guilty to Stealing Data
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Computers Stolen from Indian Defense R&D Facility Do Not Contain Classified Data
Hindsight's 20-20 in HMRC Data Breach
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
OpenSSL Patch Presents Dilemma for Federal Users
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
TelSell Didn't Inform Customers of Credit Card Data Breach
Authorities Investigating Tesco Data Breach
MISCELLANEOUS
Pros and Cons of IT Security Workers Becoming Professionals
LIST OF UPCOMING FREE SANS WEBCASTS

---

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

SANS Top 20: Attackers Now Look to Web Apps and Social Engineering (November 27, 2007)

The most recent SANS Institute Top 20 Internet Security Risks notes that cyber criminals have shifted their focus away from more traditional attack vectors to targeting custom-built applications and exploiting users' trust through social engineering. The move comes in response to strengthened system and network security. The SANS Top 20 does not discount the seriousness of the more traditional attack vectors; browser flaws are still a significant problem. The new attacks are harder to defend against because they require constant vigilance both through monitoring and adherence to policy. Developers need to learn and incorporate secure coding into their products to help protect systems.
-http://www.theregister.co.uk/2007/11/27/sans_top_20_security_risks/print.html
-http://www.gcn.com/online/vol1_no1/45468-1.html?topic=security&CMP=OTC-RSS
-http://www.sans.org/top20/

Government Contract Hopefuls Must Establish and Enforce Code of Ethics (November 29, 2007)

As of December 24, 2007, companies hoping to win US government contracts will have to establish a code of business ethics and conduct, an ethics compliance training program and an internal control system. The final rule amends the Federal Acquisition Regulation. Small businesses awarded contracts valued below US $5 million and for less than 120 days are exempt, as is work performed outside the US.
-http://www.govexec.com/story_page_pf.cfm?articleid=38695&printerfriendlyvers
=1
-http://a257.g.akamaitech.net/7/257/2422/01jan20071800/edocket.access.gpo.gov/200
7/07-5800.htm
[Editor's Note (Skoudis): The internal control system here is particularly useful. Several times a year, someone contacts me telling me that they know of a significant security issue (vulnerability, breach, etc.) in their company, but their management has told them to shut up about it. They ask me what to do. My first reaction is to have them contact an ethics council inside their organization. If their enterprise doesn't have an ethics council, things get much more complicated, often involving lawyers.
(Northcutt): I think this is a good thing. It is along the lines of "locks are there to keep honest people honest." If we keep establishing what is right it does help many people stay on track. For extra credit the government could create a free sample program to minimize the cost to the taxpayer so that every company that does business with the government is not required to re-invent the wheel. After all, that cost will inevitably be passed to the taxpayer. ]

Fifth Third Bank No Stranger to Merchant Data Security Compliance Fines (November 24, 2007)

According to court documents, Fifth Third Bancorp, which was fined US $880,000 by Visa in connection with the TJX data security breach, paid an even larger fine for a similar situation several years ago involving a data breach at BJ's Wholesale Club. Credit card companies cannot fine the merchants directly, so instead the fines are levied against the banks that process the transactions, making those banks responsible for ensuring the merchants meet data security standards. The "pass-the-buck" mentality regarding data security has led to a fair amount of finger pointing and little accepting of responsibility for the problems.
-http://www.boston.com/business/globe/articles/2007/11/24/visa_fines_ohio_bank_in
_tjx_data_breach/?page=full

---

************************* Sponsored Links: ***************************

1) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/20276

2) Stop data leaks and sanitize your servers before they leave your premises. Blancco them today. http://www.sans.org/info/20281

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Authorities Question Suspect in Bot-Herder Crackdown (November 29 & 30, 2007)

In the last five months, the FBI's Operation Bot-Roast II has resulted in eight indictments and arrests. One of those arrested is University of Pennsylvania student Ryan Goldstein, who was indicted earlier this month. He faces up to five years in prison and a US $250,000 fine if he is convicted. Authorities are also questioning a New Zealand man in connection with the bot-herder raids. The man, identified only by his online moniker of AKILL, was allegedly involved in a distributed denial-of-service (DDoS) attack against a University of Pennsylvania server sometime last year. AKILL is believed to be the ringleader, but has not yet been arrested. The group is believed to have infected more than one million computers with malware to enlist them in botnets.
-http://home.nzcity.co.nz/news/article.aspx?id=79139&fm=newsmain,nrhl
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9049941&source=rss_topic17
-http://www.scoop.co.nz/stories/SC0711/S00084.htms
-http://www.news.com.au/story/0,23599,22847084-2,00.html
-http://www.securityfocus.com/brief/635
-http://www.msnbc.msn.com/id/22030837/
-http://www.cnn.com/2007/TECH/11/29/fbi.botnets/index.html
-http://www.theregister.co.uk/2007/11/29/fbi_botnet_progress_report/print.html

Former Employee Charged with Unauthorized Access to SCADA System (November 30, 2007)

A man who used to work for a California canal system has been charged with "intentionally causing damage without authorization to a protected computer." Michael Keehn allegedly placed software on the Tehama Colusa Canal Authority's (TCAA) Supervisory Control and Data Acquisition (SCADA) system, damaging the computer used to divert water from the Sacramento River. Keehn could face up to 10 years in prison if he is convicted on all charges. The incident in question took place in August 2007.
-http://www.computerworld.com.au/index.php/id;511545055;fp;2;fpid;1
[Editor's Note (Skoudis): People who have taken my SANS Security 504 course know that I frequently scour NewsBites for articles that can help incident handlers and other security pros illustrate useful points to our management to help ensure we get the resources we need to do our jobs. This article is a good illustration of the insider threat, issues with employee termination, and security concerns about SCADA and the public infrastructure. While the situation behind the story is unfortunate, we can still use it to improve awareness. ]

Certegy Employee Pleads Guilty to Stealing Data (November 27 & 29, 2007)

The former Certegy database administrator who sold data to unnamed entities has reached a plea bargain with prosecutors. William Sullivan has agreed to plead guilty in exchange for a "reduced sentence." Sullivan still faces up to five years in prison and a US $250,000 fine for each count, but his sentence will likely be less harsh because he has admitted his wrongdoing. He will also be required to pay restitution to Certegy parent company Fidelity National Information Services. The data were stolen from Certegy, a check processing company, and used for marketing purposes. Court documents indicate that there is a co-conspirator in the case who paid Sullivan more than US $580,000 for the 8.5 million customer records.
-http://www.americanchronicle.com/articles/viewArticle.asp?articleID=44194

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Computers Stolen from Indian Defense R&D Facility Do Not Contain Classified Data (November 22, 2007)

Three computers stolen from the Kanpur (India) Defence Material Store Research Development and Establishment (DMSRDE) contain unclassified information. One of the computers holds personally identifiable information about Defence Research Development Organization (DRDO) scientists as well as their current projects. The others contain software used for "quality measurement of defense related products." DMSRDE is a part of the DRDO, which has appointed a six-member panel to look into the incident; the panel will issue a report within the next two weeks. Of particular concern is the fact that the computers were stolen from a secured zone.
-http://timesofindia.indiatimes.com/Lucknow/Comps_stolen_from_Kanpur_DRDO_lab/art
icleshow/2560576.cms

Hindsight's 20-20 in HMRC Data Breach (November 22 & 25, 2007)

A November 2005 report from a security expert warned that a data breach could damage the UK government's reputation and made recommendations for protecting sensitive data, including encryption, the use of new systems or filters to allow selective release of data, monitoring of security procedures by an independent body, and penalties meted out to those failing to comply with security procedures. That same security expert, commenting on the recent loss of data associated with HM Revenue & Customs (HMRC), observed that a junior level official should not have had access to that amount of data.
-http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms625.xml
-http://www.bloomberg.com/apps/news?pid=20601087&sid=aLOzw1xz9RqU&refer=h
ome

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

OpenSSL Patch Presents Dilemma for Federal Users (November 29, 2007)

A flaw in the pseudo random number generator (PRNG) OpenSSL cryptographic module means that "generated random data is far more predictable than it should be." The Open Source Software Institute has released both a patch and a workaround for the flaw. Federal users are faced with a dilemma regarding the fix. Federal agencies are required to use FIPS-certified cryptographic products. The patch has not been certified, so the agencies must choose between running unpatched versions of the software or applying the patch and falling out of compliance. A new version of OpenSSL that does not have the flaw is currently undergoing FIPS testing.
-http://www.gcn.com/online/vol1_no1/45481-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Schultz): This kind of dilemma occurs too often in the compliance arena. Compliance is by its very nature a more slow and gradual process. Urgency and patching, on the other hand, go hand-in-hand.
(Northcutt): I will not even ask how a non-random version passed the Government's crypto testing in the first place. This does need to be fixed. Please keep in mind that you may be running OpenSSL and not know it. If I remember right there was a nasty bug a while back and a LOT of commercial products were found to be using OpenSSL. I wrote a paper a while back on TLS and getting FIPS approval. As this story unfolds, I will update it. The paper is located and under that is the OpenSSL advisory:
-http://www.sans.edu/resources/securitylab/296.php
-http://openssl.org/news/secadv_20071129.txt]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

TelSell Didn't Inform Customers of Credit Card Data Breach (November 27, 2007)

In May of this year, cyber attackers infiltrated the computers of TelSell, a television shopping company, and made off with details of more than 30,000 credit cards belonging to Dutch customers. Although TelSell has known of the breach and subsequent data theft for six months, the company did not notify affected customers. A statement from the company maintains, "It is not our responsibility to warn our customers."
-http://www.first.org/newsroom/globalsecurity/176842.html
[Editor's Note (Honan): TelSell's attitude is why the EU needs to introduce information security breach disclosure laws similar to those in place in many states in the United States as soon as possible. ]

Authorities Investigating Tesco Data Breach (November 24, 2007)

The UK's Information Commissioner and police are investigating reports of a data breach at Internet store Tesco Direct. The data leak appears to be connected to an individual who took phone orders for merchandise advertised on the website and in the catalog. In one case, a customer's credit card details were used to make fraudulent purchases just hours after they had been used by the customer through Tesco. A Tesco employee has been arrested in connection with the data theft.
-http://www.thisislondon.co.uk/news/article-23422816-details/Tesco+online+store+i
s+infiltrated+by+insider+card+fraudster/article.do
[Editor's Note (Grefer): Given that an ever increasing number of phone orders are placed through part time staff working from home on their personal computers, this likely is just the tip of the iceberg. Not only are there in a lot of cases insufficient checks and balances in place, but quite often their computers are also less well protected than those setup in corporate environments. ]

MISCELLANEOUS

Pros and Cons of IT Security Workers Becoming Professionals (November 23, 2007)

Speaking at a security conference in Toronto, Dr. Richard Reiner, chief security and technology officer for Telus Security Solutions, raised the possibility of IT security workers establishing themselves as self-regulating professionals. While there are a variety of certifications available, the landscape is fragmented, according to Reiner. If IT security workers established themselves as professionals, training and licensing would be regulated and standards of ethical conduct established. Organizations hiring IT security professionals would have the confidence of knowing that the people would adhere to established practices. Reiner also enumerated the drawbacks to establishing IT security as a profession. The necessary legislation would likely take years. Personal ethics would have to take a back seat to established professional ethics. Also, professionalization would require that members face disciplinary action from a governing body.
-http://www.itworld.com/Career/071123prof/
[Editor's Note (Northcutt): At the 2007 RSA there was an ethics panel comprised of leaders from ISC2, GIAC, ISSA, ISACA and ASIS. They were challenged by industry analyst Fred Cohen to create a unified code of ethics for our profession. Everyone said they would do so and a committee was appointed. A draft was created and I know the GIAC Board of Directors voted to ratify it. As to what has gone on in the other four organizations, I am clueless at this point, but not for want of trying. So if you work in computer security or audit and want to be considered a professional there are two basic things that need to be approved and administered by a neutral industry board. One, standards of technical competence, Two, an enforceable code of ethics. So if you belong to ISC2, ISACA, ASIS, or ISSA ask your leaders to update you on the status of the unified code of ethics. (and if you find out drop me a note, stephen@sans.edu ) ]

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN
NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20062

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/