SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #18
March 04, 2008
Tomorrow is the deadline for the big early registration discount for SANS 2008 in Orlando. Info: http://sans.org/info/20042
Alan
TOP OF THE NEWS
Naming Names: Identity Theft Study Identifies Banks
Pentagon Report Says Cyber Attacks Appear to Emanate from China
Virginia Supreme Court Upholds Spammer's Conviction
Wikileaks Ruling Dissolved
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Prison Time for Data Thieves
NZ Man in Court to Face Botnet Charges
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Encryption Pays Off for VA
NIST Seeks Comments on Authentication and PIV Guidance Documents
Dutch Tax Office Accidentally Deletes 730,000 Electronic Returns
UK Health Minister Wants Harsher Punishment for Unauthorized Access to NHS Data
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lawyer Admits to Snooping on Other Law Firm's Network
STATISTICS, STUDIES & SURVEYS
Most Spam Comes from Just Six Botnets
MISCELLANEOUS
Futures Trader Costs Firm US $141.5 Million
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By PacketMotion ************************
How do you safeguard intellectual property, sensitive information and compliance-relevant data without hampering employee and contractor productivity? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions and information assets. Download the FREE, must-read whitepaper "TRUST BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical Information" now.
http://www.sans.org/info/25063
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Naming Names: Identity Theft Study Identifies Banks (February 29, 2008)
The Center for Law and Technology at the University of California at Berkeley reviewed thousands of FTC complaints and identified the 25 financial institutions whose customers have experienced the most identity theft. Non-financial institutions with FTC identity theft complaints were also identified. Bank of America was top on the financial institution list while AT&T was top on the non-financial list.
-http://www.bankinfosecurity.com/articles.php?art_id=724
(subscription required)
[Editor's Note (Schultz): Although this study has several flaws, it paves the way for more studies of this nature that put the spotlight on institutions that ostensibly don't do enough to prevent identity theft. The likely effect is to exert pressure on these institutions to "clean up their act." ]
Pentagon Report Says Cyber Attacks Appear to Emanate from China (March 3, 2008)
The Pentagon's annual report to Congress on China's military power says that "in the past year, numerous computer networks around the world ... were subject to intrusions that appear to have originated within the [People's Republic of China]." This marks the first time that the Defense Department (DoD) has so clearly pointed a finger at China for such attacks, but it does not make as bold a statement as a report from the US-China Economic and Security Review Commission sent to Congress late last year. In that report, Vice Chairman of the Joint Chiefs of Staff Marine General James Cartwright viewed the potential damage from a Chinese cyber attack as comparable to that "of a weapon of mass destruction."
-http://www.govexec.com/story_page.cfm?articleid=39438&dcn=todaysnews
-http://www.cnn.com/2008/US/03/03/pentagon.china/
-http://www.washingtonpost.com/wp-dyn/content/article/2008/03/03/AR2008030302516_pf.html
-http://www.defenselink.mil/pubs/pdfs/China_Military_Report_08.pdf
Virginia Supreme Court Upholds Spammer's Conviction (March 1 & 3, 2008)
By a vote of 4-3, the Virginia Supreme Court upheld the felony conviction of Jeremy Jaynes, who in 2004 was found guilty of spamming and sentenced to nine years in prison; it was the first felony conviction for spamming in the US. Jaynes and his lawyer maintained that the Virginia law under which he was convicted violates both the First Amendment and the interstate commerce clause of the US Constitution, but the court rejected those claims.
-http://www.informationweek.com/security/showArticle.jhtml?articleID=206901389&cid=RSSfeed_TechWeb
-http://news.smh.com.au/prolific-spammers-conviction-upheld/20080301-1w04.html
Wikileaks Ruling Dissolved (February 29, March 2, 3 & 4, 2008)
Citing concerns about First Amendment rights, US federal district court judge Jeffrey White has rescinded an earlier order to shut down the Wikileaks.org website. In February, White had ordered that the whistleblower site be shut down after a Swiss bank accused the site of posting purloined internal documents. Judge White also expressed concern about the effectiveness of disabling the site.
-http://news.smh.com.au/us-judge-restores-wikileaks-website/20080302-1w76.html
-http://government.zdnet.com/?p=3690
-http://www.news.com.au/technology/story/0,25642,23316821-5014239,00.html
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/29/AR2008022903277.html
************************** Sponsored Links: ***************************
1) Secure your Web 2.0 and Web applications with Rapid7 Unified
Vulnerability Management http://www.sans.org/info/25068
2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/25073
3) Register Now! Live eSeminar: Hertz, Forrester, and GuardianEdge Discuss Endpoint Data Protection - Beyond Encryption
http://www.sans.org/info/25078
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Prison Time for Data Thieves (March 1, 2008)
Two people have received prison sentences for their roles in a data theft scheme that victimized patients of the Kelsey-Seybold Clinic in Houston, Texas. Former insurance analyst Kretia Lutriel Griffin stole personal data belonging to approximately 200 of the clinic's patients. She sold them to Aubry Johnson, who used the information to open charge accounts at various stores. Johnson was sentenced to seven years in prison for access device fraud and aggravated identity theft. Griffin received a two-year sentence for conspiracy. The clinic has notified patients whose data were compromised. A clinic spokesperson said that no medical data were involved.
-http://www.chron.com/disp/story.mpl/headline/metro/5583753.html
[Editor's Note (Liston): Even if you do everything right, you'll still always be susceptible to data theft by a malicious insider. These types of convictions and the hefty sentences imposed are the best deterrent that we have against those who would abuse their positions of trust.]
NZ Man in Court to Face Botnet Charges (February 29, 2008)
An 18-year-old New Zealand man is in court to face charges stemming from his alleged role as the mastermind of a botnet scheme that infected more than one million computers around the world. The network was used to steal online banking and credit card information, send spam, launch denial-of-service (DoS) attacks, and place adware on computers. Owen Thor Walker has been charged with two counts of accessing a computer for dishonest purposes, two counts of accessing a computer without permission, one count of damaging a computer system, and possessing hacking software. If convicted, he could face up to 10 years in prison.
-http://www.theregister.co.uk/2008/02/29/nz_botmaster_latest/print.html
-http://www.smh.com.au/news/security/bail-for-alleged-spybot-leader/2008/02/29/1204226977398.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Encryption Pays Off for VA (March 3, 2008)
Security measures put in place at the Veterans Affairs department (VA) after the widely publicized theft of computer equipment in 2006 have proven to be effective. A laptop stolen last month from the home of an employee at the VA's Austin (TX) Corporate Data Center was encrypted, and department officials knew precisely what data were on the computer. The employee had permission to have the computer at home and had locked it down to furniture.
-http://www.fcw.com/online/news/151810-1.html?type=pf
[Editor's Note (Schultz): This is a wonderful information security success story. The VA appears to be very determined to greatly improve its practice of data security and is already reaping some benefits.
(Cole): The weakest link with full disk encryption is the password used to protect the encryption keys. Organizations cannot claim they are protected just because they use full disk encryption. If your company does not have a robust password policy or two-factor authentication, full disk encryption is only adding an illusion of security.]
NIST Seeks Comments on Authentication and PIV Guidance Documents (March 3, 2008)
The National Institute of Standards and Technology (NIST) is seeking comments on two draft documents. Draft Special Publication 800-63 Revision 1 supplements Office of Management and Budget (OMB) guidelines for designing systems that allow remote authentication of citizens over open networks. NIST will accept comments on the draft through April 10, 2008. Special Publication 800-79-1 offers guidelines for federal agencies that are working to certify and accredit organizations that issue Personal Identity Verification (PIV) cards. Comments on this document will be accepted before March 30, 2008.
-http://www.gcn.com/online/vol1_no1/45917-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf
-http://csrc.nist.gov/publications/drafts/800-79-1/DRAFT_SP800-79-1_public-review
Dutch Tax Office Accidentally Deletes 730,000 Electronic Returns (February 29, 2008)
More than 730,000 people who filed tax returns with the Dutch tax office for 2007 will have to resubmit their information after a computer problem deleted all their data except for social security numbers. Those affected filed electronically; the Dutch tax office did not back up the files. A similar problem occurred last year when 400,000 companies had to resubmit payroll information.
-http://www.theregister.co.uk/2008/02/29/sorry_we_lost_your_tax_return/print.html
[Editor's Note (Liston): And their reason for not backing up the data would be...? ]
UK Health Minister Wants Harsher Punishment for Unauthorized Access to NHS Data (February 29 & March 3, 2008)
UK health minister Ben Bradshaw is calling for more stringent penalties for NHS staff who violate the Data Protection Act. Bradshaw noted that the only people who may access individuals' health records are "authorized NHS health care professionals who must be authenticated users and members of the health care teams directly involved in the ... patient's care." In a separate but pertinent story, a document obtained under the Freedom of Information Act indicates that the new national summary care record database will be accessible by non-clinical NHS staff.
-http://www.e-health-insider.com/news/3516/dh_seeks_tougher_sanctions_for_security_breaches
-http://www.computerweekly.com/Articles/2008/03/03/229636/patient-database-open-to-access-by-non-qualified-nhs.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lawyer Admits to Snooping on Other Law Firm's Network (March 2, 2008)
A Charleston, West Virginia lawyer has admitted to accessing email and other private documents at the law firm where his wife worked. At first, he was suspicious that she was having an affair, but then admitted he kept accessing and reading the material because he was curious. He allegedly accessed the law firm's computer system more than 150 times between November 2003 and March 2006. Michael P. Markins was employed at another law firm at the time, and at one point, the two firms were representing opposing sides in a case. The Lawyer Disciplinary Board has recommended that Markins's law license be suspended for two years. Before he could be reinstated, he would have to complete 12 hours of legal education in ethics and then he would be subject to one year of supervised practice.
-http://sundaygazettemail.com/News/200803010561
[Editor's Note (Liston): I sincerely doubt that if the same situation occurred in any field outside the practice of law that the sanctions would be so ludicrously petty. Where's the jail time? ]
STATISTICS, STUDIES & SURVEYS
Most Spam Comes from Just Six Botnets (February 29 & March 3, 2008)
According to research from an email security vendor, six botnets are responsible for 85 percent of all spam. Srizbi is identified as the largest of the bot networks, responsible for sending out an estimated 39 percent of all spam. The research also found that the size of a botnet does not correlate with its activity. For instance, the Mega-D botnet comprises 35,000 "drones" and generates 11 percent of spam; the Storm network has 85,000 "drones," yet generates just two percent of spam.
-http://www.heise-online.co.uk/security/Six-botnets-responsible-for-nearly-all-spam--/news/110219
-http://www.theregister.co.uk/2008/02/29/botnet_spam_deluge/print.html
MISCELLANEOUS
Futures Trader Costs Firm US $141.5 Million (February 29, 2008)
A Tennessee man has allegedly made unauthorized trades in the wheat futures market that cost his firm US $141.5 million in losses. Evan Dooley's firm, MF Global, normally has electronic protections in place to prevent such situations, but the controls were deactivated for certain traders, Dooley among them, because they slowed down transactions.
-http://www.iht.com/articles/2008/02/29/business/29trader.php
LIST OF UPCOMING FREE SANS WEBCASTS
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Tom Turner
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs
Universities continue to face a challenge in the balancing act of two diametrically opposed networking requirements. On one hand, IT services must meet the requirement of delivering an open campus network with minimal restriction on use. On the other hand, they run networks and systems that hold sensitive information requiring tight security controls, often under the scrutiny of specific regulatory mandates.
***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Billy Hoffman
-http://www.sans.org/info/24614
Sponsored By: HP
The past year has seen several web worm attacks against various online applications. While these worms have gotten more sophisticated and made use of additional technologies like Flash and other media formats, they all have had some basic limitations, such as infecting new domains and using new injection methods. These worms are fairly easily detected using signatures, so they are annoying but ultimately controllable. This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically, the authors examine how a hybrid web worm (1) mutates itself to evade defenses; (2) updates itself with new attack vectors while in the wild; and (3) finds and exploits targets regardless of whether they are client web browsers or web servers.
***
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
-https://www.sans.org/webcasts/show.php?webcastid=91884
This webcast will provide attendees with actionable advice on how to reduce their organization's risk against the Cold Boot Attack using encryption tools and real-world best practices. Hear responses from leading providers in the encryption market to gain better understanding of how these solutions can help mitigate or avoid the vulnerabilities associated with the Cold Boot Attack. Attendees will walk away with actionable advice on how this vulnerability can impact their organization and which encryption solutions can provide best-in-class protection from this and other security risks.
***
ISC Threat Update: March 2008
WHEN: Wednesday, March 12, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Tony Magallanez
-http://www.sans.org/info/24623
Sponsored By: F-Secure
The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
***
WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian
-http://www.sans.org/info/24628
Sponsored By: Core Security Technologies
When beginning a security process at a consortium of non-profits, senior network security engineer Paul Asadoorian of PaulDotCom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing.
***
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
-http://www.sans.org/info/24633
Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!
***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
-https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems
The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery through capture and containment, count on a useful discussion meant to further your incident response practices.
***
Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
-https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi
Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/