SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #15

February 22, 2008

TOP OF THE NEWS

Losses From Cyber Intrusions at US Banks Rise Significantly
Paper Describes Weakness of Disk Encryption Software
UK Lords to Push Again for Internet Security Policy Changes

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Canadian Police Arrest 17 in Alleged Botnet Scheme
Lawsuit Filed Against Bloodbank Over Handling of Computer Theft
Man Gets Three Years Probation for eMail Harassment
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK PM Promises Inquiry into Mishandling of Criminal DNA Data Disk
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Acknowledges Compatibility Problems from Vista SP1
Opera Releases Browser Update
MISCELLANEOUS
Microsoft Announces Plan to Share More Technical Info
Judge Orders Registrar to Disable Domain Name of Leak Site
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By PacketMotion ************************

Are your internal controls and acceptable use policies for consultants, temporary, and high-risk users working? What information assets are in jeopardy? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions. Download the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of High-risk User Activity in the Network" now. http://www.sans.org/info/24433

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Losses From Cyber Intrusions at US Banks Rise Significantly (February 20, 2008)

According to an anonymously obtained copy of a non-public Federal Deposit Insurance Corporation (FDIC) quarterly Technology Incident Report, financial institutions in the US experienced a considerable increase in the number of intrusions leading to account hijackings and stolen money over the last year. The report indicates that the cost of these breaches is increasing for all involved - banks, businesses, and consumers. The report looks into suspicious activity reports, or SARs. Banks are required to report fraudulent and suspicious transactions of US $5,000 or more. The report says that the average cost per SAR in the second quarter of 2007 was US $29,630; the average cost per SAR in the same period a year earlier was US $10,536. The majority of SARs were classified as "unknown unauthorized access - online banking." The report suggests that Trojan horse programs and keystroke loggers are used in many instances of unauthorized access.
-http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_in
t.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801184
[Editor's Note (Pescatore): That report does point out that the number of suspicious activity reports that are computer intrusion-related are still less than 2% of those due to mortgage and check fraud, but the widespread prevalence of compromised PCs is causing the computer related incidents to be fast growing.
(Paller): While the overall pattern of increase may be correct, several banks have experienced significant decreases in losses from money taken stolen from customer accounts through theft of customer credentials (via phishing or keystroke loggers, primarily). These banks set up a series of increasingly difficult challenges to transactions based on the transaction's score on (at least) three variables: (1) whether the transaction is done regularly, (2) whether the IP address is the one usually used, and (3) how large the transaction is. Customers doing their regular banking from home are not impacted because they don't trigger the defenses. Defense in depth; simple and effective. ]

Paper Describes Weakness of Disk Encryption Software (February 21, 2008)

Researchers from Princeton University, the Electronic Frontier Foundation, and Wind River Systems have published a paper explaining how attackers with physical access to computers can use disk encryption keys in the machine's RAM to bypass disk encryption. Apparently encryption keys remain in RAM for a period of time even when the computer is powered off. powered off. One of the researchers calls the problem "a fundamental limitation in the way these systems were designed."
-http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
[Editor's Note (Northcutt): Definitely worth your time to read this paper. They have a video explaining this that even non-technical audiences will be able to understand. If you have bought a full disk encryption product, start a dialog with your vendor. And above all, if an officer or auditor from your organization asks you if DRAM memory retains information even when the system is powered off, say yes!
(Skoudis): The concepts underlying the attacks have been rumored and discussed for years. But, the paper provides more details and real-world explanations than I've seen anywhere else on this topic.
(Honan): The paper is a very interesting read and highlights a number of takeaways that we regularly discuss in NewsBites. Firstly, once someone has physical access to your computer it is extremely difficult to secure the data on it. Secondly having data distributed across many devices and locations makes it difficult to protect that data. Thirdly, new attacks are constantly being developed and you need to regularly review your defences and your incident response plan accordingly.
(Guest Editor Frantzen): Critical questions need to be asked of encryption software vendors: how they keep the keys in memory, and if they wipe the data whenever a screensaver is activated, whenever the computer is put to sleep, whenever the computer is hibernating. ]

UK Lords to Push Again for Internet Security Policy Changes (February 21, 2008)

The UK House of Lords Science and Technology Committee will launch a follow-up inquiry to the "Personal Internet Security" report it released in August 2007. The government apparently did not put much stock in the report when it was delivered and chose not to adopt many of the report's recommendations, including establishing a data breach notification law and reversing the requirement that online payment card fraud victims report security incidents top banks instead of to police. The committee is asking representatives from organizations that gave evidence at the initial inquiry for their opinions on the government's response to the report.
-http://www.kablenet.com/kd.nsf/FrontpageRSS/5D72E7E11523FF4B802573F5005FC318!Ope
nDocument
[Editor's Note (Schultz): Policy changes, let alone changes in information security policy, do not come easily, no matter what the level (organizational or federal). Persistence is the best remedy. ]

---

************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/24438

2) SANS OnSite Training
Your Location! Your Schedule! Lower Cost! Contact us by March 31 and receive additional free seats (up to $25,000 value) Click here today!
http://www.sans.org/info/24443

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Canadian Police Arrest 17 in Alleged Botnet Scheme (February 21, 2008)

Police in Quebec have arrested 17 people in several home raids earlier this week as a result of an investigation into a botnet ring that allegedly infected as many as one million computers around the world with malware. Most of the infected machines were in Poland and Brazil, although there were also some in Canada and the US. In one of the countries, government computers were also compromised. The gang was allegedly involved in identity fraud, data theft, denial-of-service attacks and sending spam. If convicted, the suspects could face prison sentences of up to 10 years.
-http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html
-http://www.upi.com/NewsTrack/Top_News/2008/02/21/quebec_smashes_ring_of_17_compu
ter_hackers/8519
-http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2
[Editor's Note (Pescatore): Botnets are one of those problems like zebra mussels: they haven't really damaged the vessels that carry them but they cause huge damage to the environment around those vessels. This means that the incentive to clean up the compromised host hasn't been there but increasingly (see the story on cyber intrusion losses at banks rising) those compromised PCs are being used in bot networks that download targeted attack code that *does* cause local losses.]

Lawsuit Filed Against Bloodbank Over Handling of Computer Theft (February 19, 2008)

The Lifeblood Mid-South Regional Blood Center is facing a lawsuit following the revelation that laptop computers holding donors' personal information are missing. The lawsuit, which seeks class action status, alleges that the blood center was "grossly negligent and engaged in a willful and intentional pattern of conduct to conceal its negligence from affected persons." The computers hold information of approximately 321,000 donors.
-http://www.commercialappeal.com/news/2008/feb/19/lawsuit-targets-lifeblood/

Man Gets Three Years Probation for eMail Harassment (February 13, 2008)

California law student Victor Vevea has been sentenced to three years of probation with 90 days of monitored confinement for breaking into an attorney's email account and sending harassing messages so that they appeared to come from that attorney. The attack was apparently motivated by the fact that the attorney had represented Vevea's former girlfriend in a lawsuit against him about 10 years ago.
-http://sacramento.fbi.gov/filelink.html?file=dojpressrel/pressrel08/sc021308.pdf

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

UK PM Promises Inquiry into Mishandling of Criminal DNA Data Disk (February 20 & 22, 2008)

The UK government is facing more publicity over yet another incident of mismanaging data. Dutch police sent a disk containing DNA profiles of 4,000 serious criminal suspects to the Crown Prosecution Service (CPS) more than a year ago in the hope that CPS could identify and catch some of the criminals. The disk had been misplaced; when it was found last week, it turned out that 17 of the people identified on the disk were in the UK and 11 of them had committed offenses within the past year. While this is not overtly a data security issue - the disk was never out of the building -- the incident demonstrates lack of effective data management. Prime Minister Gordon Brown has ordered an inquiry.
-http://www.thisislondon.co.uk/news/article-23439932-details/Brown+pledges+inquir
y+after+admission+assaults+were+committed+by+murderers+and+rapists+while+DNA+dis
c+was+lost/article.do
-http://www.theregister.co.uk/2008/02/20/government_data_loss/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Acknowledges Compatibility Problems from Vista SP1 (February 21, 2008)

Microsoft has issued a list of applications that will either be broken or experience reduced functionality after Windows Vista Service Pack 1 is installed. Microsoft recommends that users install updates from vendors to fix the compatibility problems. In a related story, Microsoft has removed a problematic SP1 pre-update file from its software update service because of reports that it was causing some machines to continually reboot.
-http://www.news.com/2102-1002_3-6231449.html?tag=st.util.print
-http://www.heise.de/english/newsticker/news/103815
-http://support.microsoft.com/kb/935796/en-us
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206800819
[Editor's Note (Pescatore): It appears that Microsoft will slow down wide distribution of SP1 because of the high level of compatibility issues. SP1 should be treated like any other patch - don't move to it until you have tested all your images to make sure all apps still work. It is not always a bad thing when this happens - apps breaking because they are being forced to operate more securely is good breakage - but business interruption from pushing patches and upgrades out too fast is never a career-enhancing move. ]

Opera Releases Browser Update (February 20, 2008)

Opera has released an updated version of its web browser, Opera 9.26 for Windows, to address at least three vulnerabilities that could be exploited to "trick users into uploading arbitrary files," use image properties to execute scripts, and allow cross-site scripting. Opera learned of one of the flaws from Mozilla and has criticized Mozilla's decision to disclose details about the vulnerability without giving ample time to address the flaw.
-http://www.eweek.com/index2.php?option=content&task=view&id=46505&po
p=1&hide_ads=1&page=0&hide_js=1
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9063683&source=rss_topic17
-http://www.opera.com/support/search/view/877/
-http://www.opera.com/support/search/view/879/
-http://www.opera.com/support/search/view/880/

MISCELLANEOUS

Microsoft Announces Plan to Share More Technical Info (February 21, 2008)

Calling the decision "a major step" and "a strategic shift," Microsoft has said it will share more technical details about its products with others in the software industry. The move was motivated by the need for interoperability to make transfer of documents, data, and code across the Internet run smoothly. It is also a nod to European Union antitrust regulators who remain skeptical, noting that Microsoft did not "address allegations it seeks to undercut rivals by illegally giving away IE with Windows desktop OS."
-http://www.nytimes.com/2008/02/21/technology/21cnd-soft.html?ei=5088&en=ac78
8bb40091a52e&ex=1361336400&partner=rssnyt&emc=rss&pagewanted=pri
nt
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/21/AR2008022101268_
pf.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801085

Judge Orders Registrar to Disable Domain Name of Leak Site (February 20, 2008)

A US federal judge has ordered that a website that posts leaked information aimed at exposing corporate and governmental "unethical behavior" be shut down. The order came as a result of a lawsuit brought by a Cayman Islands bank that said a former employee had leaked stolen documents to the site in violation of a confidentiality agreement and banking laws. The judge issued a permanent injunction ordering that the site's registrar disable the site's domain name. The order appears to indicate a lack of understanding of how the Internet works. Savvy people view the action as locking the front door but leaving the back door open; the site can still be accessed at its IP address and mirror sites. The judge also issued an order to Wikileaks that it stop distributing the bank's documents. Citizen media Law Project director David Ardia said the judge's order to disable the site "is clearly not constitutional."
-http://www.nytimes.com/2008/02/20/us/20wiki.html?ei=5088&en=94c15d10c2263334
&ex=1361336400&partner=rssnyt&emc=rss&pagewanted=print
[Editor's Note (Northcutt): Too funny! Three strikes and the Judge is out! First, Judge Jeffery White's decision will be overturned for blatant First Amendment abuse. Second, this will also serve as a reminder that trying to push US law on other countries doesn't work, and is not appreciated. I expect to see some well-deserved negative press from Europe. Third, these guys are technically way smarter than the Judge, you might be able to keep
-http://88.80.13.160/wiki/Wikileaks
from working, but what about
-http://wikileaks.be/
and
-http://wikileaks.de
? And there are ties from this group to Pirate Bay and those guys are very attack resistant:
-http://www.theregister.co.uk/2008/02/21/wikileaks_bulletproof_hosting/]

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

***
Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
-http://www.sans.org/info/22969
Sponsored By Credant Technologies

This webcast will then discuss why today's dynamic IT environments must move away from first gen encryption products and to a more data-centric, not stand-alone, platform-specific point product of old. Gone are the days of the "encrypt everything" approaches, which lack protection against insider threats and have significant manageability, recovery, and usability issues. Hear how a new solution simultaneously meets security, IT operations, and compliance needs.

***
SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
-http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin. Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

***
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Tom Turner
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two diametrically opposed networking requirements. On one hand, IT services have must meet the requirements of delivering an open campus network with minimal restriction on use. And, on the other hand, you have networks and systems that maintain sensitive information that requires tight security controls, often under the scrutiny of specific regulatory mandates.

***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
-https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/