SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #38

May 13, 2008

As government leaders in Washington and London leak more and more facts about how big the cyber threat really is against commercial and government enterprises, and how much critical information is being stolen every day, demand for safe, effective, thorough penetration testing is skyrocketing. Pen testers (and their customers) who heard about Ed Skoudis' new in-depth, hands-on penetration testing course wrote asking whether there is a SANS certification for pen testers. There is but we didn't have feedback. Test results are now in, and here's what the people are saying about how the new GPEN certification is different from tools-based certifications:

"Finally an up-to-date certification that focuses on penetration testing as a methodology vs. merely knowing a few tools. The GIAC GPEN is a breath of fresh air for real world pen testers." (Justin Kallhoff, Infogressive, Inc.)

"The GPEN certification measures the appropriate mix of methodology, tools, and techniques that a professional security tester should know. Not having taken the course, nor read the book, I was able to pass the exam based solely on penetration testing field experience. This is indicative to me of its relevance to the profession." (Adrien de Beaupre, Manager, Vulnerability Assessment and Penetration Testing, Bell Canada Professional Services)

"SANS new Penetration Testing and Ethical Hacking Course was the best and most focused training I've been to at SANS. It should be required training for anyone wanting to be a professional penetration tester. In that one course I learned how to set the correct scope of the test and then test completely, safely and securely." (Rick Smith)

Many of the top pen testers are getting together with Ed in Las Vegas in two weeks for discussions of the newest attack methods and to attend Ed's course: http://www.sans.org/info/22104
If you have more than 10 pen testers and want to get into the invitation-only program offering discounts on the course and certification, send an email to mbrown@sans.org.
If you already have the skills and want to challenge for the GPEN you can get more data here www.giac.org/certifications/security/gpen.php.
Alan

---

TOP OF THE NEWS

Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS
Revised British Banking Code Could Place Fraud Liability on Customers
New Law Will Allow UK ICO to Impose Big Fines for Reckless Data Disclosure

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Three Arrested in Dave & Buster's Data Theft
Two Arrested in Connection with California Debit Card Skimming Scheme
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
West Point Wins NSA Cyber Defense Exercise
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Another Data Security Breach for Pfizer
Sensitive Hong Kong Immigration Dept. Document Leaked Through Filesharing Network
STANDARDS & BEST PRACTICES
Many Won't Meet Deadline for PCI-DSS Web App Security Compliance
STATISTICS, STUDIES & SURVEYS
Irish Data Protection Commissioner Issues Annual Report
MISCELLANEOUS
Back to My Mac and PhotoBooth Used to Identify Thieves
Engineer Recovers Data From Space Shuttle Columbia Hard Drive
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************* Sponsored By Sourcefire, Inc. *********************

SC Magazine Names Snort(r) "Best Network Security." Learn how Snort is the engine powering the Sourcefire 3D(tm) System. This IPS is different from others because it shows you everything running on your network in real time. It also gives you context for your security events. Know more real threats. No more wild goose chases. Call 1.800.917.4134 today. http://www.sans.org/info/28934

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21) http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS (May 8 & 9, 2008)

US Congressman Jim Langevin (D-RI) has introduced the Homeland Security Network Defense and Accountability Act of 2008 (HR 5983). The bill would require the Department of Homeland Security (DHS) to establish more stringent qualifications for cybersecurity positions, including that of CIO. The bill would also address a "fundamental flaw" in the Federal Information Security Management Act (FISMA) that requires agencies to certify and accredit their systems to comply with certain requirements, but does not mandate effective and current vulnerability testing. DHS will be required to test its networks and those of its contractors rigorously against vulnerabilities used in known cyberattacks. DHS will receive information on the attacks to look for from the National Security Agency (NSA), other government agencies, and private sector organizations. If the bill passes, it would take effect immediately. Congressman Langevin chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.
-http://homeland.house.gov/press/index.asp?ID=369
-http://www.nextgov.com/nextgov/ng_20080509_6170.php
[Editor's Note (Paller): This bill shows insights into the problems that have been plaguing federal systems, that earlier laws largely glossed over. Chairman Langevin is making a major mark in Washington both in cyber security and in health care. He won the top award for Excellence in the Field of Public Policy at the RSA conference this year. His ability to work well with both republicans and democrats and his willingness to share the credit for big successes marks him as one of the members to watch in coming years. ]

Revised British Banking Code Could Place Fraud Liability on Customers (May 5, 2008)

The recently revised British Banking Code permits banks to place liability for fraud on customers if they have not taken adequate security precautions to protect their information. The measure has been criticized for lacking fundamental, concrete information about how to secure systems because "many customers have not been educated to maintain a high enough level of vigilance when it comes to security." Research from Gartner reveals that 37 percent of survey participants did not know how their accounts were used to commit fraud, and another 19 percent blame the breaches on retailers, government agencies, or other third parties. Section 12.11 of the revised code says, "If you act without reasonable care and this causes losses, you may be responsible for them." Reasonable care includes but is not limited to keeping PINs and other account details secret, using current anti-virus and anti-spyware software and a personal firewall, and accessing online banking sites by typing the address into browsers.
-http://www.securitypark.co.uk/security_article261598.html
-http://www.bba.org.uk/bba/jsp/polopoly.jsp?d=348&a=13157&artpage=all

New Law Will Allow UK ICO to Impose Big Fines for Reckless Data Disclosure (May 12, 2008)

The United Kingdom's Information Commissioner's Office (ICO) will have the authority to impose "substantial" fines on anyone who "intentionally or recklessly disclose
[s ]
information
[or ]
repeatedly and negligently" allows exposure of personal data. MPs approved an amendment to the Criminal Justice and Immigration Act creating the new civil offense. The bill received Royal Assent on May 9, but it is not known when the new law will take effect.
-http://www.silicon.com/publicsector/0,3800010403,39216158,00.htm
-http://www.scmagazine.com/uk/news/article/808512/privacy-watchdog-welcomes-tough
-data-laws/
-http://www.vnunet.com/vnunet/news/2216374/fines-data-protection-breaches
[Editor's Note (Schultz): A federal statute of this nature is desperately needed in the US. Why such legislation has not been proposed and passed is disgraceful. ]

---

********************** Sponsored Links: *******************************

1) Application Security Managers will be sharing best practices in a meeting in Las Vegas in two weeks:
http://www.sans.org/info/24609

2) Special Lancope Webcast: 'Virtualization: Are You Ready for the Network and Security Implications?' Register Now!
http://www.sans.org/info/28939

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Three Arrested in Dave & Buster's Data Theft (May 12, 2008)

Three men have been arrested in connection with attacks on cash register terminals at Dave & Busters restaurants in the US. Two of the men, Maksym Yastremskiy of Ukraine and Aleksandr Suvorov of Estonia, allegedly broke into 11 cash register terminals, placed packet sniffers on the systems and stole credit card details; they allegedly sold the information to other people who used it to make fraudulent purchases. The sniffers captured data as they were being sent from the point-of-sale server through the system at corporate HQ to the data processor's system. A third man, Albert Gonzalez of Miami, is being charged with wire fraud conspiracy. According to the indictment, losses incurred from data theft at one restaurant alone totaled more than US $600,000.
-http://theusdaily.com/articles/viewarticle.jsp?id=383646&type=home

Two Arrested in Connection with California Debit Card Skimming Scheme (May 10, 2008)

Police in Orange County, CA have arrested two men believed to be involved in the theft of debit card information from shoppers at Lunardi's Supermarket in Los Gatos, CA. The account information was stolen with the use of a skimmer, a device that is placed on the regular card-reading machine. The two men had in their possession two of the 222 account numbers stolen from the store as well as US $70,000 in cash. In all, US $225,000 has been stolen from the debit card users in the case.
-http://www.mercurynews.com/valley/ci_9216246

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

West Point Wins NSA Cyber Defense Exercise (May 10, 2008)

For the second year in a row, West Point took top honors in the National Security Agency's (NSA) Cyber Defense Exercise, the training competition for seven US military academies. Cadets at West Point, the US army university, fended off SQL attacks and then realized that the relatively obvious attack was masking a more insidious one - NSA "bad guys" placed a kernel-level rootkit on West Point's network. NSA provided some basic requirements for structuring the networks to be used in the exercise, but participants also had leeway to customize their networks; they were not, however, permitted to attack each other's networks.
-http://www.wired.com/print/politics/security/news/2008/05/nsa_cyberwargames

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Another Data Security Breach for Pfizer (May 12, 2008)

Pfizer Inc. has suffered another data security breach, the sixth since May 2007. A company laptop and flash drive stolen about a month ago contain personally identifiable information of approximately 13,000 employees. The data include names, addresses, employee ID numbers, job descriptions and salaries, but no Social Security number (SSNs).
-http://www.theday.com/re.aspx?re=712c0410-ee9a-47a8-b08d-c7a71a713a5e

Sensitive Hong Kong Immigration Dept. Document Leaked Through Filesharing Network (May 9, 2008)

A Hong Kong immigration department watch list was leaked to the Internet through a filesharing program. The breach occurred when a new immigration officer took home some classified files without authorization and used them on a home computer, which contained the filesharing software. The work files were inadvertently distributed. The compromised data include a list of names for officers to look out for as well as travel history records.
-http://www.topnews.in/classified-hong-kong-watch-list-leaked-internet-240641

STANDARDS & BEST PRACTICES

Many Won't Meet Deadline for PCI-DSS Web App Security Compliance (May 12, 2008)

Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance with either a specialized firewall or web application software code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are "quick fixes," according to Gartner analyst Aviva Litan. "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed," she added, and noted that scanning for vulnerabilities and fixing them should take precedence over firewalls, and that firewalls should be used in addition to scanning, not instead of it.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9085038&source=rss_topic17

STATISTICS, STUDIES & SURVEYS

Irish Data Protection Commissioner Issues Annual Report (May 8, 2008)

According to the recently released Irish Data Protection Commissioner's annual report, the number of new complaint investigations in 2007 was 1,037, up from 658 in 2006. The increase is due in large part to an escalating number of complaints about unsolicited text messages, according to Data Protection Commissioner Billy Hawkes; 38 percent of all complaints received were in regard to text messages. More than 350 cases initiated by the DPC's Office are now in the courts. Interestingly, a blogger managed to access the report through the DPC Office's website before it was released.
-http://www.ireland.com/newspaper/breaking/2008/0508/breaking57.htm
-http://www.siliconrepublic.com/news/news.nv?storyid=single10966
[Editor's Note (Honan): this report makes good reading, in particular the case studies are useful to help prevent you make the same mistakes. While the DPC welcomes the increase in breaches reported to him, they only amount to 11 reports highlighting the need for mandatory breach disclosure laws in Ireland and the EU. ]

MISCELLANEOUS

Back to My Mac and PhotoBooth Used to Identify Thieves (May 10, 2008)

Police were able to track down a pair of thieves after the owner of a stolen laptop computer used the "Back to My Mac" service to gain access to the computer when the thieves used it to surf the Internet, and then took pictures of the suspects using PhotoBooth, a standard software on new Apple laptops. One of the woman's roommates recognized one of the men from the photo as a guest at a recent party. The two men were arrested and police recovered two laptops, two flat screen televisions, two iPods, and other electronic and related items.
-http://www.nytimes.com/2008/05/10/nyregion/10laptop.html?_r=1&oref=slogin&am
p;partner=rssnyt&emc=rss&pagewanted=print
-http://www.smh.com.au/news/technology/mac-thief-caught-on-webcam/2008/05/12/1210
444306538.html

Engineer Recovers Data From Space Shuttle Columbia Hard Drive (May 9 & 12, 2008)

Engineer Jon Edwards describes how he recovered data from a disk drive that melted and fell to earth when the US Space Shuttle Columbia disintegrated on re-entry on February 1, 2003. According to Edwards, "When we got it, it was two hunks of metal stuck together. We couldn't even tell it was a hard drive. It was burned and the edges were melted." Edwards was successful with this particular drive because the platters on which the data were stored were not warped, and any damage they sustained was on a part of the disk where no data were written; the astronauts were running DOS, which does not scatter data on drives. Edwards was able to recover 99 percent of the data. Edwards did not have the same luck with two other drives salvaged from Columbia's wreckage.
-http://www.msnbc.msn.com/id/24542368/?news=newsclip_MSNBC_May_08
-http://www.informationweek.com/news/storage/disaster_recovery/showArticle.jhtml?
articleID=207602714

UPCOMING SANS WEBCAST SCHEDULE

Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/27109

Sponsored By: Core Security
-http://www.coresecurity.com/


The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

***
Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
-http://www.sans.org/info/27114
Sponsored By: PacketMotion
-http://www.packetmotion.com/


Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."

***
WHEN: Tuesday, May 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rush Carskadden
-http://www.sans.org/info/27119

Sponsored By: Cisco Systems
-http://www.cisco.com/


Effective mitigation of application-layer threats requires defeating attempts to obfuscate malicious headers and payloads. However, active evasion protections can introduce misleading results in the testing of a network IPS. This session will present well-known and recent obfuscation techniques, methods for their mitigation and prevention, and guidelines for effective testing.

***
SANS Special Webcast: Understanding and Selecting a Database Activity Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
-http://www.sans.org/info/27124
Sponsored by the Following:

Guardium
-http://www.guardium.com/
Imperva
-http://www.imperva.com/
Secerno
-http://www.secerno.com/
Setrigo
-http://www.sentrigo.com/
Tizor
-http://www.tizor.com/


Thanks to increasing compliance requirements and growing security threats, enterprises must adopt new strategies and techniques to protect their databases. Security and database administrators are charged with protecting these essential corporate assets, but are challenged to improve security and auditing in the least intrusive way possible. Database Activity Monitoring is emerging as a powerful tool to ensure compliance while detecting, and sometimes preventing, database attacks and internal abuse. In this webcast independent consultant Rich Mogull will review the inner workings of Database Activity Monitoring, highlight key features, and present a three step selection process.

***
Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
-http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems

Some of the issues revolving around log management include privacy, storage requirements, and meeting regulatory or legislative requirements. Finally, integration of LM into an organization's overall security dashboard will be the focus of this presentation.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/