SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #33
April 25, 2008
TOP OF THE NEWS
UK Businesses Report Breaches Down, Security Spending UpHannaford is Beefing Up Security
The Demise of the End-User Security Industry?
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSLendingTree Files Suit Against Lenders for Unauthorized Data Access
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
SQL Injection Attacks on the Rise Again
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hacker Exploits Cross-Site Scripting Flaw on Obama's Website
UMass Amherst Health Services Computer System Breached
Hard Drive Sold at UConn Bookstore Contains Personal Data
MISCELLANEOUS
Where Does the Responsibility for Security Lie?
Security Companies Could Block Phorm Cookies
LIST OF UPCOMING FREE SANS WEBCASTS
********************* Sponsored By Palo Alto Networks *******************
End users are circumventing IT controls and are using a new generation of Internet applications that are creating new security risks for the enterprise. The Application Usage & Risk Report is an analysis of actual application traffic from over 350,000 corporate end users. Learn more by downloading the free report now! http://www.sans.org/info/28343
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
UK Businesses Report Breaches Down, Security Spending Up (April 22 & 23, 2008)
Over the last six years, security spending at UK companies has increased more than threefold from two percent to seven percent of the IT budget; during that same time, the overall cost of security breaches has dropped by one-third. The average cost of breaches varies depending on the size of the company from GBP 15,000 (US $29,632) to GBP 1.5 million (US $2.96 million). However, 21 percent of the companies surveyed spend less than one percent of their IT budget on security. Ninety four percent of wireless networks are encrypted, compared with 47 percent six years ago, but roughly 80 percent of companies that had computers stolen had not encrypted their hard drives. The study is conducted by a consortium managed by PricewaterhouseCoopers on behalf of the UK Department of Business, Enterprise and Regulatory Reform (BERR) for its 2008 Information Security Breaches Survey (ISBS). The survey is conducted every two years.-http://www.theregister.co.uk/2008/04/22/infosec_security_survey/print.html
-http://software.silicon.com/security/0,39024655,39201844,00.htm
-http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_
2008.html
Hannaford is Beefing Up Security (April 22, 23 & 24, 2008)
Hannaford Bros. says it is spending millions of dollars to improve data security after a breach that compromised as many as 4.2 million customer credit cards. The data were stolen while in transit during the authentication phase of the purchases; Hannaford says that now credit card data will be encrypted the whole time they are within the company's network. Hannaford is also now using a "24/7 managed security monitoring and detection service."-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310963,00.h
tml
-http://blog.washingtonpost.com/securityfix/2008/04/hannaford.html?nav=rss_blog
-http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00
The Demise of the End-User Security Industry? (April 22 & 23, 2008)
Bruce Schneier writes in his blog that attendees at the recent RSA Conference were not buying what the 350 exhibitors were selling because "most ... can't understand what the products do or why they should buy them." Schneier views this as the beginning of a sea change that will see the demise of the end-user security industry while security is increasingly built into the IT products themselves. Schneier likens baked-in security in IT products to the security features of cars, which are not sold separately yet are valuable and important.-http://www.schneier.com/blog/archives/2008/04/the_rsa_confere_1.html
[Editor's Note (Skoudis): Fascinating read. My gut tells me that he's right, but it might take 5 or 10 years to get there.
(Schultz): End user security, a hyped up marketing term, is going to be a short-lived approach to security, but not for the reason Schneier mentions. Workstations, especially Windows workstations, have become fat clients, and they will become even fatter over time. Adding end user security functionality to them only bloats them more.
(Northcutt): I believe there is more to Bruce's insight than the writeup implies. Here is a quote, "The booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature." He is right! The vendors are using PR firms and marketing people who know nothing about security and everything about differentiation. It hurts the industry. Get the engineers to describe the products (in terms of what they actually do for the customer) and have their writing scrubbed by a good developmental editor, and vendors will sell more product. ]
********************** Sponsored Links: *******************************
1) Listen to the SANS Tool Talk web cast, Log Management for Security Monitoring and IT Operations http://www.sans.org/info/28348
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
LendingTree Files Suit Against Lenders for Unauthorized Data Access (April 22 & 24, 2008)
LendingTree has filed a lawsuit against five lenders for accessing customer information without authorization. The lawsuit alleges that former LendingTree executives took passwords and allowed the lenders to access the sensitive customer data. LendingTree believes at least one of the lenders paid the executives for the passwords and then turned around and sold them or the information they accessed with the passwords. There is no evidence that the defendants used the data for any other purpose than to offer loans. The compromised data include names, Social Security numbers (SSNs), and income and employment information. LendingTree has notified affected customers by mail; the breach affects people who submitted data between October 2006 and early 2008-http://www.latimes.com/business/la-fi-lendingtree24apr24,1,4088698.story
-http://www.news.com/8301-10784_3-9926007-7.html?tag=nefd.top
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
SQL Injection Attacks on the Rise Again (April 23, 2008)
The JavaScript attacks that have been plaguing websites since the beginning of the year have begun another round. Many of the infected websites are legitimate and well visited, including several affiliated with the United Nations and the UK government. The attacks use SQL injection techniques to infect the websites. Although the malicious payload associated with the attack is now hosted at a different domain from where it was last time the attacks spiked, it is still at a Chinese IP address. When surfers visit infected sites, the JavaScript loads malware onto their computers and then redirects their browsers to a page hosted on the Chinese server. The malware attempts a variety of exploits once it has been loaded onto the computer. Internet Storm Center:-https://isc.sans.org/diary.html?storyid=4331
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9079961&source=rss_topic17
[Editor's Note (Skoudis): These blended attack vectors are an interesting phenomenon -- but leveraging SQL Injection to put malicious Javascript on a website to exploit browsers that surf there is just scratching the surface. There are a lot of these kinds of vectors that blur the strict distinctions between web app and network attacks. Many penetration testers have split up into "network pen testers" and "web app pen testers", specializing in either bucket. While that's understandable, there is incredible power in being able to work deeply on both sides of that divide. The bad guys are seeing that now, and really good pen testers need to leverage these blended vectors as well.
(Honan): The Internet Storm Center has some good guidelines on how deal with this attack including blocking access to the malware hosted site at 2117966.net.
-http://isc.sans.org/diary.html?storyid=4139]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hacker Exploits Cross-Site Scripting Flaw on Obama's Website (April 24, 2008)
A hacker exploited a cross-site scripting vulnerability in Senator Barack Obama's website to redirect people visiting certain sections of the site to the website of Senator Hilary Clinton. The vulnerability has been fixed, and while the attack does not appear to have had a malicious intent, the incident draws attention to the fact that political candidates need to be attentive to security issues on their websites so as not to expose site visitors to malware that could infect their computers and/or steal sensitive data.-http://www.cbc.ca/cp/technology/080424/z042415A.html
UMass Amherst Health Services Computer System Breached (April 22, 2008)
Officials at the University of Massachusetts at Amherst have uncovered evidence of a data security breach on the University Health Services computer system. They believe the attackers were looking for a place to host illegal download files. University Health Services has records on more than half of UMass Amherst students. Officials are still assessing the incident.-http://www.cbs3springfield.com/news/local/18021744.html
Hard Drive Sold at UConn Bookstore Contains Personal Data (April 21 & 24, 2008)
A University of Connecticut (UConn) student who bought a 500 GB hard drive from the UConn Co-op bookstore found it contained sensitive personal details of 10 people who are in some way affiliated with the University. Investigators believe the affected individuals all had their computers serviced at the Co-op in the last several months. An unnamed professor said when he brought his computer in for servicing, he agreed to allow them to make a copy of his hard drive, but expected that the data would be destroyed once the work was complete. The compromised data include pictures, Word documents, and images of credit cards and driver's licenses.-http://www.wfsb.com/news/15949434/detail.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9080162
[Editor's Note (Grefer): When you get a system serviced, especially when this is done externally, ask first about data handling procedure, then decide if it is worth the risk, and preferably obtain something in writing. ]
MISCELLANEOUS
Where Does the Responsibility for Security Lie? (April 23, 2008)
A panel debate at Infosecurity Europe 2008 focused on the locus of responsibility for security in IT products. Panel members voiced opinions that vendors need to take responsibility for building security into their products, but that ultimately, IT departments are responsible for the security of the code they use, whether it is their own or someone else's.-http://software.silicon.com/security/0,39024888,39201852,00.htm?r=1
[Editor's Note (Ranum): There is so much blame to go around, it's hardly funny. But the bottom line is that responsibility must go to leadership. That's the CEOs, CIOs, CTOs, and middle management. Making sure that the designs are good and the details are covered is why they get paid the big bucks (and sometimes the small bucks). ]
Security Companies Could Block Phorm Cookies (April 22, 2008)
Some security companies say they will block cookies from Phorm's targeting advertisement service when it is launched. Although one ISP that has agreed to use Phorm says it will be strictly an opt-in service, other ISPs plan to make it an opt-out service, leading at least one security company to say it does not meet the criteria for informed consent and that its product will identify Phorm cookies as adware. Other companies say they will keep a close eye on Phorm when it launches and take action as they see fit.-http://news.bbc.co.uk/2/hi/technology/7359024.stm
[Editor's Note (Northcutt): This is the company formerly known as 121Media, with the proprietary "Open Internet Exchange" architecture. I am just thankful this particular social experiment (monitoring browsing habits and serving up targeted advertising) is in the UK, not the US. "Honest love, I have no idea why my computer keeps serving up ads for ______________"]
UPCOMING SANS WEBCAST SCHEDULE
Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACTWHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alex Horan
-http://www.sans.org/info/25539
Sponsored By: Core Security
The 2007 "SANS Top 20 Internet Security Risks" report makes it clear that attackers can now circumvent many traditional countermeasures, so simply implementing countermeasures is no longer enough. In fact, short of experiencing a breach, the only way to really know your security posture is by continually testing the defenses you've worked so hard to put in place.
***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
-http://www.sans.org/info/24614
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.
***
WhatWorks in Intrusion Detection and Prevention: Easing the Pains of PCI Compliance at AirTran Airways
WHEN: Tuesday, May 06, 2008 at 1:00 PM EDT (UTC/GMT)
FEATURING: Alan Paller and Michelle Stewart
-http://www.sans.org/info/27099
Sponsored By: Lancope
-http://www.lancope.com/
Looking for a solution to ease the pains of PCI compliance, the data security manager for AirTran Airways needed a product that provided increased visibility into network behavior and accountability. It had to be behavior based and capable of collecting information from a widely dispersed network. She found a solution that was scalable, cost-effective and helps to quickly identify and resolve network and security issues.
***
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/27109
Sponsored By: Core Security
-http://www.coresecurity.com/
The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
***
Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
-http://www.sans.org/info/27114
Sponsored By: PacketMotion
-http://www.packetmotion.com/
Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/