SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #10
February 05, 2008
TOP OF THE NEWS
Proposed Law in CA Clarifies Breach Notification RulesCA Bill Would Allow Local Prosecution for ID Fraud
More Undersea Cables Damaged
Visa Updates List of Apps that Are Not PCI DSS Compliant
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSDA May Face Contempt Charge for Deleting Subpoenaed eMail
Police Sergeant Pleads Guilty to Accessing FBI Database Without Authorization
PI Licensing required for computer forensics in court
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Proposed Budget Includes Hefty Increase in Cyber Security Funding
SPYWARE, SPAM & PHISHING
Spear Phishers Target US Colleges
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Writer Refuses to Share Flaw Data with RealNetworks
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
LimeWire Exposes Data on 153 Newfoundland Residents
Davidson Companies Data Security Breach
Missing Flash Drive Holds Fertility Treatment Patient Data
STATISTICS, STUDIES & SURVEYS
Network Availability Tops List of IT Managers' Concerns
MISCELLANEOUS
Wireless Headsets Would Benefit from Encryption
LIST OF UPCOMING FREE SANS WEBCASTS
******************* Sponsored By Utimaco Safeware ***********************
The SafeGuard LeakProof(TM) solution complements Utimaco's portfolio for 360-degree security by addressing the silent threat of data leakage at the hands of authorized users. As such, the solution helps businesses identify all confidential data on laptops, desktops, and servers and track or prevent the movement of that information to unauthorized destinations. http://www.sans.org/info/23544
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Las Vegas (3/17 - 3/18) Penetration Testing Summit: (an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) In Orlando SANS' biggest program with myriad bonus sessions: http://www.sans.org/sans2008
- - and in 100 other cites and on line any-time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Proposed Law in CA Clarifies Breach Notification Rules (February 4, 2008)
A bill passed by the California State Senate details how government agencies and other organizations should notify consumers when their personal data have been compromised in a security breach. The bill requires that the notices be clear about exactly what happened, when it happened, the number of people affected by the breach, what information was exposed, and steps people can take to protect themselves from fraud. They would also be required to provide toll-free phone numbers for credit bureaus. The state already has a breach notification law in place; this bill clarifies the responsibilities of the organization whose systems were breached.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206103872
[Editor's Note (Liston): I always find laws like this one to be a very depressing statement on the current status of ethics within the modern business world. That such a minimal effort needs to be mandated speaks volumes. ]
CA Bill Would Allow Local Prosecution for ID Fraud (February 1, 2008)
California state legislators have passed another bill related to data theft. It allows identity theft cases to be prosecuted in the victim's county of residence; current law allows for prosecution in the county where the data were stolen or where the fraud occurred. Sponsors of the bill say the current configuration favors the criminals; the proposed change would allow a judge to decide where the trial should take place.-http://cbs5.com/local/identity.theft.bill.2.644169.html
More Undersea Cables Damaged (January 4, 2008)
Two more undersea cables are reportedly out of service, raising questions about whether four severed cables in under a week is coincidence or sabotage. In addition to the two cables cut in the Mediterranean last week, reports that a cable off the coast of Dubai was damaged emerged on Friday, February 1. The most recent damaged cable links Qatar to the United Arab Emirates. Gartner emphasizes the importance of developing and maintaining redundancy and business resumption plans.-http://afp.google.com/article/ALeqM5i03tUdyj8wf2Xa9P4trWEjqAJdyQ
-http://blogs.usatoday.com/ondeadline/2008/02/4th-undersea--1.html
-http://www.gartner.com/DisplayDocument?doc_cd=155170&ref=g_homelink
[Editor's Note (Ullrich): Multiple failures like this will of course look suspect. However, in this case some of the failures may be linked to smaller earthquakes in the area, while at least one of the cables was already known to be unstable and failed after it was exposed to additional traffic in an attempt to bypass the earlier outages. ]
Visa Updates List of Apps that Are Not PCI DSS Compliant (January 31, 2008)
Visa has added three more products to their list of applications that store too much payment card data. The list, which is provided to the banks that authorize retailers to accept credit card payments, identifies applications that store all the data on a payment card's magnetic strip following a transaction in violation of Payment Card Industry Data Security Standard (PCIDSS) rules. The list is updated every three months, but is not made public, as Visa is concerned that it could get into the wrong hands. The information on the list is particularly helpful to merchants because they may not be aware that the application is storing all the extra data in its default setting. None of the vendors of these products has been publicly identified, and many of them have updated their products so they no longer violate the rules. Visa also compiles a list of products that are PCI DSS compliant; that list is made public.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9060538&intsrc=hm_list
************************** Sponsored Links: ***************************
1) Looking for Laptop Encryption? Wait 'til you hear what's coming. We've redefined security. Live webcast.
http://www.sans.org/info/23549
2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/23554
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
DA May Face Contempt Charge for Deleting Subpoenaed eMail (February 1, 2008)
Harris County (TX) District Attorney Chuck Rosenthal could be facing a contempt charge for deleting emails that had been requested as part of a civil rights lawsuit being brought against the Harris County Sheriff's Department. Rosenthal told the judge he believed he was merely deleting the emails from his account, but that they were maintained somewhere else so that they could be produced as requested. The office manager says that 2,000 of the approximately 2,500 deleted emails are unrecoverable.-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/01/AR2008020102045_
pf.html
[Editor's Note (Schultz): Where are the computer forensics experts in this case? Just because some office manager says that most of the deleted email messages are unrecoverable does not at all necessarily mean that this is true.
(Ranum): He has a perfect defense, "If the White House can do it, why can't I?"
(Honan): Take this as an opportunity to review your own email retention policy and determine whether it is clear, concise and communicated in such a manner that even people like Mr. Rosenthal and his Office Manager can follow if you are served court orders to preserve email evidence. ]
Police Sergeant Pleads Guilty to Accessing FBI Database Without Authorization (January 31 and February 1, 2008)
A Fairfax County, Virginia police sergeant has pleaded guilty to unauthorized computer access. Court documents indicate that Weiss Rasool accessed the FBI's National Crime Information Center (NCIS) database and gathered information about several license plates for a friend. The license plates in question belonged to cars that had been leased for use in federal surveillance. The friend, who believed the people in the cars were following him, was later convicted of felony offenses. Rasool also apparently checked his name and those of several others to see if they were registered in the Violent Crime and Terrorist Offender File. Rasool will be sentenced in April, when he could face up to a year in prison followed by a year of supervised release and a US $100,000 fine. Rasool's attorney maintains Rasool "didn't divulge any information he shouldn't divulge."-http://washingtondc.fbi.gov/dojpressrel/pressrel08/wfo013108.htm
-http://www.washingtonpost.com/wp-dyn/content/article/2008/01/31/AR2008013103458_
pf.html
[Editor's Note (Cole): A bigger problem is that organizations are not implementing a policy of "least privilege." If you give an employee more access than what they need to do their job, the chances of abuse are very high. To combat these problems, data classification, role based access control and least privilege must be at the top of the security agenda. ]
PI Licensing required for computer forensics in court
Groklaw blog: the ante is increasing on the credentials required for digital evidence submitted in courts.-http://www.groklaw.net/article.php?story=2008013014235863
Possibly related case: Another odd example... Last week, an expert witness was excluded due to a challenge saying an individual who graduated college with a biochemistry major does not have enough expertise to be a computer forensic expert despite having experience and certifications.
-http://ridethelightning.senseient.com/2008/01/when-logic-and.html
[Guest Editor (Robert Lee - SANS Forensics instructor and track lead): Many forensic analysts/experts who testify or examine evidence may not be licensed PIs, and, as a result motions to dismiss the testimony or the analysis will be filed in the court. It will be up to counsel to have a persuasive argument to counter the motion and up to the judge to make fair decisions based on the arguments presented. Even in Texas and South Carolina where state opinions are surfacing on the PI question, it is still ultimately up to the judge in each case to allow the evidence or the analysis to be included in the proceedings. I think logic will eventually win here, but I'm glad to see it brought up in court so more people can discuss it. Buckle your seatbelts; expect many more such cases to keep popping up. We cover this issue in greater depth in SANS forensics course:
-http://www.sans.org/training/description.php?mid=98]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Proposed Budget Includes Hefty Increase in Cyber Security Funding (February 4, 2008)
President Bush's proposed budget includes nearly US $300 million for the Department of Homeland Security (DHS) efforts to protect government computer networks from attacks. The amount marks close to a 40 percent increase over last year's allocation. The budget also provides US $39 million for FBI cyber security programs.-http://www.latimes.com/news/nationworld/politics/wire/sns-ap-budget-homeland-sec
urity,1,5558176,print.story?ctrack=2&cset=true
Spear Phishers Target US Colleges (February 1 & 4, 2008)
A recent spate of spear phishing attacks has been targeting students and faculty at about a dozen colleges and universities across the US. The emails arrive in the guise of messages from administrators conducting database updates. The students are asked to provide their user names, passwords, and dates of birth. The attacks started in mid-January and are ongoing. Many of the email accounts that are compromised through the attack have been used to send 419 lottery scam spam.-http://www.vnunet.com/vnunet/news/2208721/email-scammers-target-students
-http://www.securityfocus.com/news/11504
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Writer Refuses to Share Flaw Data with RealNetworks (January 31, 2008)
RealNetworks is getting the cold shoulder from a researcher who released a zero-day exploit for RealPlayer through a subscription-only exploit package. Gleg, the company that released the exploit package, has thus far refused to share details of the vulnerability with RealNetworks. The company's founder maintains they have had unpleasant experiences dealing with vendors in the past, and that they need more time to allow their customers to see how serious the flaw is. Someone who has access to the exploit package says the flaw is serious; "basically, you play a corrupted song file in RealPlayer, you're owned." There have been suggestions that vendors subscribe to the exploit packages. Others suggest that those who purchase the packages be allowed to share the information with affected vendors.-http://www.eweek.com/index2.php?option=content&task=view&id=46084&po
p=1&hide_ads=1&page=0&hide_js=1
[Editor's Note (Ullrich): Withholding vulnerability data from vendors is unethical. However, vendors have to figure out how to better manage relationships with vulnerability researchers. Right now, researchers can not be expected to be compensated for bugs they find and may have to fight to convince the vendor to fix the bugs. Voluntary "bug bounty" programs may be a good compromise.
(Liston): Having disclosed several security flaws to vendors over the years, I certainly agree that sometimes the process can be "unpleasant." However, unpleasant or not, disclosing to the vendors FIRST is right thing to do. Unfortunately, the "pay-for-sploit" climate within which Gleg operates has been created, and now we're reaping the "benefits."
(Ranum): For years I have been predicting that building a market for vulnerability disclosure would eventually result in this kind of extortionate practices. Do I get to say "I TOLD YOU SO!" now? ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
LimeWire Exposes Data on 153 Newfoundland Residents (February 1, 2008)
Personally identifiable information of 153 people was exposed when a consultant for the Newfoundland and Labrador Workplace, Health, Safety and Compensation Commission used a laptop computer on which LimeWire filesharing software was installed. The information includes names, addresses, dates of birth and medical and employment histories of Commission clients. Newfoundland and Labrador Justice Minister Jerome Kennedy says that the Commission will now require minimum security standards for contractors. Another security breach exposed medical files on the Internet for approximately 10 hours last November. After that incident, security policies were established to forbid the use of filesharing software and chat programs on government computers.-http://www.cbc.ca/canada/newfoundland-labrador/story/2008/02/01/limewire-breach.
html
-http://canadianpress.google.com/article/ALeqM5gqxosW_NCcl10mVyhnreE5muJYcg
[Editor's Note (Honan): When outsourcing services to third parties make sure that the contracts include a clause to ensure the third party maintains at least the same level of security that you do and will abide by your policies. Also be sure to retain your right to audit third party systems to ensure compliance with the terms of the contract. ]
Davidson Companies Data Security Breach (January 31, 2008)
Montana-based financial services firm Davidson Companies has acknowledged that its computer network was breached and some customer information compromised. Affected clients have been notified of the breach. The compromised database includes the names and Social Security numbers (SSNs) of roughly 226,000 past and current Davidson clients. The company has hired an outside party to investigate the incident.-http://www.networkworld.com/news/2008/013108-davidson-customer-information-hacke
d.html?nlhtsec=rn_020108&nladname=020108securityal
-http://www.scmagazineus.com/Hackers-breach-Davidson-Companies-database-access-cl
ients-names-Social-Security-numbers/article/104782/
-http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080130/NEWS01/8013
00301
Missing Flash Drive Holds Fertility Treatment Patient Data (January 30, 2008)
A Minnesota doctor lost a flash drive containing personal information about approximately 3,100 patients seen for fertility treatments at the University of Minnesota's Reproductive Medicine center dating back to 1999. While Univ. of Minnesota requires that doctors encrypt data in flash drives, this particular drive was not protected by encryption or even by a password. Patients have been notified of the drive's loss.-http://wcco.com/health/doctor.patient.information.2.642107.html
[Editor's Note (Ranum): Policy, meet practice. Practice? Practice? Hey, are you listening...? ]
STATISTICS, STUDIES & SURVEYS
Network Availability Tops List of IT Managers' Concerns (February 4, 2008)
According to Symantec's most recent IT Risk Management Report, seventy-eight percent of the 405 polled IT managers ranked network availability their number one IT concern. Security ranked number two, followed by performance and compliance. The results of this survey mark the first time network availability has topped the list. Jennie Grimes, who is senior director of Symantec's IT risk management program office says the results indicate that "the ways in which respondents define IT is broadening." The survey also found that half of those surveyed expect to face 10 major IT incidents each year; last year, that number was one. In addition, more than half of the major incidents reported by the managers were due to "failure of a process, not a failure of technology."-http://www.scmagazine.com/uk/news/article/781155/symantec-says-network-%20-avail
ability-biggest-concern-managers/
[Editor's Note (Schultz): I conducted a survey in the late 1990's in which senior-level managers were asked to rate the relative importance of confidentiality, availability and integrity on a scale from 1 to 5. Availability was rated first with an average rating of 4.5. Confidentiality and integrity did not come close. ]
Wireless Headsets Would Benefit from Encryption (February 1, 2008)
The wireless headsets used by many people in the worlds of finance and law allow for easy eavesdropping unless they are encrypted. Off-the-shelf scanners can pick up conversations as far as 200 yards away. In some cases, even when one party hangs up after a conversation, scanners can still hear conversations in the vicinity of the targeted headset. According to one consultant, "These guys are bugging their own office, essentially." Companies would be well advised to encrypt their headset communication. Other steps companies can take to protect their communications include frequency hopping and shielding buildings from eavesdroppers.-http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/02/01/a
nalysis_wireless_phone_headsets_insecure/2674/
Follow up story:
-http://www.spybusters.com/blog/2008/01/hacking-wireless-headsets.html
[Editor's Note (Cole): Encryption only helps protect the data if the keys are implemented correctly. Many of the vendors are not implementing it correctly allowing attackers to bypass it easily. ]
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: A Brief History of Hacking with Dave ShacklefordWHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-https://www.sans.org/webcasts/show.php?webcastid=91521
Sponsored By: Core Security
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.
Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including: The early days of phone phreaks and bulletin boards The growth of hacker gangs and 2600: The Hacker Quarterly The 75-cent accounting error that led to an international crime investigation Bill Cheswick's evening with "Berferd" The first malware and Trojan horse programs At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
-http://www.sans.org/info/22559
Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
Ask the Expert: You've Collected the Logs, Now What? Reducing Risk through Integrated Log Management, Database Monitoring and Real-time Event Management
WHEN: Thursday, February 14, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-http://www.sans.org/info/23528
Sponsored By: netForensics
So you've collected event logs from security devices and other critical systems and stored them away - great. Check the compliance box. Now what?
Logs are important... but only if you are doing something with them.
They provide valuable, credible, accurate information about what is going on in your inter-connected environment. But if your logs are not being analyzed regularly and in real-time, how can you tell if data isn't seeping out of your databases and other critical applications? Manually glancing through logs may be enough to "check the box" for compliance purposes, but it is definitely not enough to detect data theft or other malicious activity.
Ask the Expert: Security Needs a Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/22959
Sponsored By: Prism MicroSystems
In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.
Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964
Sponsored By: ArcSight
Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/