SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #46
June 11, 2008
Tomorrow is the last day for early registration discounts for SANSFIRE 2008 (July 22-31 in Washington, DC).
Alan
TOP OF THE NEWS
The Changing Landscape of Cyber ThreatsStudy Says Hong Kong and China Host Greatest Proportion of Malicious Sites
Trend Micro Won't Seek VB100 Certification
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITYHome Affairs Committee Report Says UK Not a Surveillance Society
UK Home Office Web Page Used in Phishing Scheme
US Presidential Candidates on Internet and Technology Issues
UK Government Depts Report Disciplinary Action for Data Breaches
MALWARE, VULNERABILITIES AND PATCHES
Kaspersky Wants Help Cracking Ransomware Encryption Key
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Dubai Development Company Investigating Data for Sale on eBay
MISCELLANEOUS
Australia Launches Threat Alert Service for SMBs
ISP's Plan to Use Targeted Ad Program Spurs Call for Investigation
Why Security is a Hard Sell
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
The Changing Landscape of Cyber Threats (June 4, 2008)
Speaking at the Government Forum of Incident Response and Security Teams (GFIRST) conference, Jeanie Larson, program manager of the Incident Management Division at the US Department of Energy, said, "The old perimeter model[of cyber security incident response ]
is ineffective." If the absolute number of cyber attacks declines, it doesn't mean that the cyber threat has declined. Instead, people responsible for responding to cyber security incidents need to be on the lookout for targeted attacks. Even one compromised workstation could be a more serious threat than a large number of infections, depending on that workstation's user. One hindrance to addressing emerging cyber threats effectively is the difficulty many government agencies have with sharing information with each other and even within their own organizations.
-http://www.federalnewsradio.com/?nid=169&sid=1415201
[Editor's Note (Ranum): People keep saying stuff like "The old perimeter model
[of cyber security incident response ]
is ineffective" but I don't see anyone offering a viable alternative. Isn't that a bit unsettling? I've been in this industry long enough to watch some organizations flip-flop back and forth repeatedly between perimeter and host security approaches. They invariably find that neither, unless it is executed with incredible discipline, works by itself. You can tell a security n00b when they say the perimeter model doesn't work - just ask them "what do you intend to do about DNS and ARP?" If they don't have a good answer (they never do) take away their internet car-keys until they sober up.
(Schultz): The lack of information sharing within U.S. government agencies has been a problem over many years. Despite numerous attempts to promote better information sharing, individuals within the government tend to persist in viewing possession of security-related information, especially information about security-related threats and incidents, as power. Accordingly, they withhold information from others.]
Study Says Hong Kong and China Host Greatest Proportion of Malicious Sites (June 4 & 6, 2008)
A report from McAfee says that the country domain hosting the highest proportion of malicious websites is Honk Kong (.hk) with 19.2 percent of tested websites hosting some type of malware. Following Hong Kong are China (.cn) with 11.8 percent, and the Philippines (.ph) and Romania (.ro). The likelihood of downloading malicious software while web surfing increased 41 percent over last year, according to the report. Among the safest country domains were Finland (.fi), Japan (.jp) and Australia (.au); the .gov domain also had a very low incidence of malicious sites. Of generic top-level domains, .info is still the riskiest - 11.7 percent of .info sites potentially contain malware.-http://www.securityfocus.com/brief/749
-http://www.gcn.com/online/vol1_no1/46417-1.html?topic=security&CMP=OTC-RSS
-http://www.msnbc.msn.com/id/24966835/
Trend Micro Won't Seek VB100 Certification (June 8 & 9, 2008)
TrendMicro says it will no longer seek VB100 certification for its products. The VB100 certification tests antivirus products against the WildList, a small set of malware signatures, to see if they can detect a small sample of known virus signatures without any false positives. Trend Micro maintains that the most significant Internet threats are no longer viruses, but Trojans and bot software, for which VB100 does not test. Panda has not submitted its products for VB100 certification since 2002. Standards and methods for testing antivirus products have been hot topics for some time; earlier this year, companies that make security software and the laboratories that conduct the testing agreed to create the Anti-Malware Testing and Standards Organization (AMTSO) to develop best practices and standards for testing the products. Virus Bulletin, the company that conducts the VB100 testing, says that a string of passed certifications indicates a well-maintained product. The company says the WildList will evolve to include Trojans.-http://www.securityfocus.com/news/11522
-http://www.pcworld.com/businesscenter/article/146833/antivirus_vendors_gripe_tha
t_test_isnt_current.html
********************** SPONSORED LINKS *********************************
1) PCI Compliance: You Can't Be the Big Cheese if Your Network is Full of Holes http://www.sans.org/info/29499
2) Expert Webcast: The Path to a Secure Application. A security checklist to eliminate errors and design flaws that put you at risk. http://www.sans.org/info/29504
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Home Affairs Committee Report Says UK Not a Surveillance Society (June 9, 2008)
The UK House of Commons Home Affairs Committee has published a report titled "A Surveillance Society," which expresses the committee's opinion that the UK is not presently a surveillance society but could become one if policies regarding data collection and retention are not clearly established. The report recommends that "in the design of its policies and systems for collecting data, the Government should adopt a principle of data minimization: it should collect only what is essential, to be stored only for as long as is necessary."-http://www.publications.parliament.uk/pa/cm200708/cmselect/cmhaff/58/58i.pdf
-http://www.theregister.co.uk/2008/06/08/home_affairs_report_surveillance/print.h
tml
-http://www.heise-online.co.uk/security/UK-Parliament-rejects-surveillance-societ
y-concept--/news/110875
[Editor's Note (Weatherford): This is an interesting subject for a report by a government with over 4M CCTV cameras installed throughout the country, one for every 14 people and where each person is monitored on camera an average of 300 times a day. When you add in the electronic footprint of cell phone calls, email, and credit card transactions, I'd say they are getting pretty close to being what the report says they are not.
(Honan): Interestingly the 2007 annual report from Privacy International shows the UK to have one of the most extensive surveillance societies in the world and the country with most surveillance within the European Union:
-http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597]
UK Home Office Web Page Used in Phishing Scheme (June 8, 2008)
Phishers managed to establish a phony web page on the UK's Home Office crime reduction website. The attackers then sent out email messages asking customers of a certain Italian bank to visit the fraudulently established page and confirm their login credentials. The breach was detected and resolved within a day.-http://www.telegraph.co.uk/news/uknews/2091958/Fraudsters-hack-into-Home-Office-
website.html?service=print
US Presidential Candidates on Internet and Technology Issues (June 5, 2008)
This article lays out the major US presidential candidates' positions on important technology issues, including net neutrality, broadband availability, H1B visas, privacy and intellectual property. One analyst observes that the current candidates "see the social Internet as another form of broadcast media," but future candidates will need to harness the power of social applications to get in touch with what voters are thinking.-http://www.pcmag.com/print_article2/0,1217,a%253D228276,00.asp
UK Government Depts Report Disciplinary Action for Data Breaches (June 4, 2008)
The UK Department for Work and Pensions says it disciplined 20 employees for data security infringements between April 2007 and March 2008. The infringements included "breaches of data-protection requirements" and "inappropriate use of personal or sensitive data." It does not appear that any staff members were dismissed over the incidents. Over the same period of time, HM Revenue & Customs (HMRC) disciplined 192 employees. The two organizations employ roughly the same number of people.-http://www.zdnet.co.uk/misc/print/0,1000000169,39429132-39001093c,00.htm
MALWARE, VULNERABILITIES AND PATCHES
Kaspersky Wants Help Cracking Ransomware Encryption Key (June 6 & 8, 2008)
Kaspersky is asking for help in cracking a 1024-bit RSA key used in a Trojan horse variant. The Gpcode Trojan horse program has been used in ransomware attacks over the last two years and encrypts files on infected computers; the attackers demand payment to unlock the files. The key is created by Microsoft Enhanced Cryptographic Provider. Researchers estimate that cracking the key would require millions of computers working for about a year, so they are calling on others to help.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9094818&source=rss_topic17
-http://www.theregister.co.uk/2008/06/06/ransomeware_call_to_arms/print.html
[Editor's Note (Veltsos and Honan): While up to date anti-virus software will provide protection against this type of attack, timely and up to date backups provide the ultimate defence. A well tested daily backup strategy would go a long way in preventing the need to crack 1024-bit encryption in the first place by having a suitable Recover Point Objective (amount of tolerable data loss). The backups should be encrypted, of course, but this time, you hold the key to your data.
(Northcutt): Well, it is interesting, I will spot you, that. They have published two RSA public keys and are asking folks to brainstorm ways to factor the key.
-http://www.viruslist.com/en/weblog]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Dubai Development Company Investigating Data for Sale on eBay (June 5, 2008)
Dubai-based Damac Properties is investigating how a database containing personally identifiable information of more than 8,000 of its customers turned up for sale on eBay. The offering has since been removed. The compromised data include email addresses and phone numbers of investors in the development company.-http://www.itp.net/news/521308-damac-clients-information-offered-on-ebay
[Editor's Comment (Northcutt): This has happened a couple of times. UC Berkeley had a stolen laptop with about the same number of records turn up for sale on eBay, as well:
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/06/07/BAR9115907.DTL]
MISCELLANEOUS
Australia Launches Threat Alert Service for SMBs (June 9, 2008)
The Australian government has launched an online Internet threat alert service aimed at small and midsize businesses. The service is free and offers advice on security threats and how to mitigate them. Other alert services are tailored more to large companies with professional security resources and expertise, but small businesses lack that sort of support. The service will also alert customers to Australia-focused threats, such as specific phishing schemes. Some believe that ISPs should still do more to protect users from Internet threats.-http://www.zdnetasia.com/news/security/0,39044215,62042374,00.htm
ISP's Plan to Use Targeted Ad Program Spurs Call for Investigation (June 6, 2008)
Privacy and consumer advocacy groups in the US and Canada are calling on US legislators to conduct an investigation into a cable television and Internet provider's plan to launch a targeted advertising program. St. Louis, Missouri-based Charter Communications plans to share customers' web search information with NebuAd, a plan Charter maintains will enhance its customers' online experience. There are reports that other ISPs are considering similar schemes.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9094498&source=rss_topic17
Why Security is a Hard Sell (May 26, 2008)
Bruce Schneier makes a strong argument for building security into products rather than pursuing the arduous job of selling security products as add-ons. Schneier says that the reason security products are such a hard sell is exemplified in Prospect Theory, the foundation of modern behavioral economics. In essence, the theory states that people will choose a for-sure smaller gain over a possible larger gain, but will opt for a possible big loss over a certain small loss. Simply put in terms of security products, people are reluctant to make a small investment to protect themselves from a security breach; instead, they are willing to take the chance that they will not be the target of a cyber security incident. Baking security into all products from the start makes selling security a non-issue.-http://www.cio.com/article/print/367913
[Editor's Note (Weatherford): Once again, Bruce nails it with a thought-provoking example that will help people re-evaluate and repackage their approach to selling security. ]
UPCOMING SANS WEBCAST SCHEDULE
Internet Storm Center Webcast: Threat UpdateWHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/28719
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
-http://www.sans.org/info/28729
Sponsored By: ArcSight
-http://www.arcsight.com/
Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.
SANS Special Webcast Series: Security Insights with Dr. Eric Cole This month's topic: Information Security Priorities for the SMB
WHEN: Wednesday, June 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/28734
SMBs need IT security solutions that are easy to adopt and maintain. How are small and medium-size businesses (SMBs) adopting, using, and managing IT security technologies, including security information management (SIM), network security, intrusion prevention, application security, content filtering, and network access control (NAC)? Leading areas of focus for SMB security programs are data security and business continuity, followed by application security and access control to support partners and channels as their business grows. While these issues are not unlike those facing larger enterprises, SMBs must prioritize their security program most carefully to avoid costly pitfalls. Undiscovered security threats that slow down the large enterprise can cause the SMB to close its doors if they are not prepared for risk avoidance.
SANS Special Webcast: Endpoint Security: Point- Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
-https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace
-http://www.coretrace.com/
Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.
Ask the Expert: Lessons from the Fontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
-http://www.sans.org/info/28754
Sponsored By: Mu Security
-http://www.mudynamics.com/
This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
