SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #48

June 17, 2008

TOP OF THE NEWS

Verizon Study Says Most Data Breaches are External
Estonian Undersecretary of Defense Talks About Last Year's Cyber Attacks
Man Exonerated After Examination Determines Malware Downloaded Pornography

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Canada Unveils Digital Copyright Reform Act
Casino Workers Indicted for Allegedly Stealing Customer List
Law Lords Hear McKinnon Extradition Appeal
MySpace Awarded US $6 Million in Spam Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Presidential Directive Requires Biometric Database Interoperability
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Warns of Authentication Vulnerabilities in SNMP
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana Credit Unions Investigating Unauthorized Overseas Withdrawals
STATISTICS, STUDIES & SURVEYS
Blogger Arrests on the Rise
22 Percent of European PC Users Say They Were Hit by Cyber Crime
MISCELLANEOUS
Kaspersky Publishes Recovery Information for Files Encrypted by Gpcode Trojan
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By IBM (Watchfire) *********************

You wouldn't lock your front door and leave the windows wide open, so why invest in network security if you have no plans for your Web applications?
IBM(r) Rational(r) AppScan is an application scanner that monitors, identifies and helps remediate security vulnerabilities. Download AppScan and try it free today to see how it can help protect against intrusion.
http://www.sans.org/info/29764

*************************************************************************

TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Verizon Study Says Most Data Breaches are External (June 16, 2008)

A four-year study from Verizon of 500 data security breaches found that 73 percent of data loss incidents come from external sources. Thirty-nine percent of the data breaches involved some level of business partner responsibility, although it was not always deliberate. For instance, attackers gained access to company systems by compromising remote vendors' credentials. Insider data breaches, while less prevalent than expected, were often more serious than their external counterparts; the number of records compromised in internal breaches on average exceeded the number compromised in external breaches by a factor of 10.
-http://www.out-law.com/page-9179
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/0
6/16/Insider_threat_exaggerated_says_study_1.html
-http://www.heise-online.co.uk/security/Startling-findings-in-Verizon-Data-Breach
-Report--/news/110936
-http://www.verizonbusiness.com/resources/security/databreachreport.pdf
[Editor's Note (Skoudis): This is a fascinating read, and kudos to Verizon for releasing it. There are lots of gems here that I also see in many of the breach cases I investigate, including: "Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach," and, "...the most common of which was data that was not known to be on the compromised system." I encourage you to read the study to learn from the mistakes of others.
(Kreitner): The learning that results from this kind of forensic analysis of actual security failures is invaluable if it is used as feedback to inform our security investments. It also is useful to guide the selection of security outcome metrics we should be tracking on a continuing basis to determine how well or poorly our security investments are working. Cybersecurity begs for more application of causality oriented feedback learning. The lack of this type of analysis and feedback is a great weakness in so-called risk management. ]

Estonian Undersecretary of Defense Talks About Last Year's Cyber Attacks (June 16, 2008)

In an interview, Estonian undersecretary of Defense Lauri Almann describes how his department responded to the barrage of cyber attacks on government networks last spring. A team was assembled from a variety of departments and organizations including Estonian CERT. They quickly put out an alert to other CERTs worldwide to get international help. Almann described two phases of attacks, the second more sophisticated than the first. Although it is not possible to say with absolute certainty who was responsible for the attacks, Almann says the attack patterns make it clear that it was an organized effort.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=4
6457
[Editor's Note (Northcutt): This is an important article. Estonia clearly realizes the next war they are involved in will have a significant cyber warfare dimension. Another good article is a reflection on the attack a year after the event:
-http://news.zdnet.co.uk/security/0,1000000189,39408158,00.htm]

(Veltsos): Botnets have changed the rules for network-based attacks. As Mr. Almann points out, "There is no such thing as a personal computer. Everyone's computer can be used to attack another country." Every government entity needs to review its own readiness and response procedures when faced with this type of unconventional attack. Botnets are like a multi-headed hydra; striking down one host or IP address results in new hosts on new IP addresses.
(Honan): One interesting point to come out of this interview is the recommendation that incident response teams should constantly review their response processes and tactics to prepare for new threats. If you have not done so, I recommend you review your own IR processes to see if they are up to date and suitable to the latest threat landscape affecting your organisation. ]

Man Exonerated After Examination Determines Malware Downloaded Pornography (June 16, 2008)

Prosecutors in Massachusetts have dropped charges against Michael Fiola, who was accused of downloading child pornography onto his work computer. Fiola was employed as an investigator at the Massachusetts Department of Industrial Accidents (DIA). He was issued a laptop in November 2006 that was determined to have been misconfigured; an examination of the computer turned up evidence that malware had surreptitiously downloaded the images onto the computer. There is no evidence that the downloaded images had ever been viewed on the computer. The content was discovered during an investigation prompted by a broadband bill that was several times those of his co-workers. Fiola was fired when the offending files were found.
-http://www.pcworld.com/businesscenter/article/147151/state_workers_child_porn_ch
arges_dropped_virus_blamed.html
-http://www.theregister.co.uk/2008/06/16/forensics_clear_child_abuse_suspect/prin
t.html
[Editor's Note (Skoudis): I expect this case to be referenced a lot in so-called "Trojan defenses", essentially blaming backdoors/bots on a computer for malfeasance conducted by that machine. While it sounds like that defense was legitimately applied in this case, the case will likely be cited in other cases that aren't so clear.
(Northcutt): I wasn't there, haven't examined the computer, but it only takes a page of Google results for "malware pornography" to come to the conclusion that getting infected by malware when visiting porn sites is much more likely than malware visiting porn sites to download pictures. ]

---

********************** SPONSORED LINK *********************************

1) SANS WhatWorks: Easing the Pains of PCI Compliance at AirTran Airways Read More
http://www.sans.org/info/29769

2) Expert Webcast: The Path to a Secure Application. A security checklist to eliminate errors and design flaws that put you at risk.
http://www.sans.org/info/29774

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Canada Unveils Digital Copyright Reform Act

Canada has unveiled its own copyright protection and reform legislation. Influenced by similar legislation in the USA and other countries it is a bill that " ...balances the interests of Canadians who use digital technology and those who create content" according to Government sources. A previous version of the bill had been denounced by consumer advocates and retracted. The impact will likely be far reaching, with heavy penalties for uploading content and circumvention of digital 'locks'. Worrisome are limitations making backup copies of CDs or DVDs illegal. Canadian law will likely now be more concerned with policing and restricting digital content use than privacy or consumer protection. (Thanks to Adrien de Beaupre, SANS Internet Storm Center Handler, for this report.)
-http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3570473&file
=4
Some commentary here:
-http://www.michaelgeist.ca/tags/canadian+dmca

Casino Workers Indicted for Allegedly Stealing Customer List (June 16 & 17, 2008)

Three casino workers have been indicted on charges related to the theft of a list of more than 20,000 "top level players" from the Tropicana Casino and Resort in Atlantic City, NJ. The three were once employed at the Tropicana, but have since left for jobs at other casinos. The data on the list include names, addresses, and gambling data. John Conklin, Justin Litterelle and James DiMarco were all charged with theft by unlawful taking, computer theft and conspiracy. Conklin also faces a charge of witness tampering for allegedly having a lawyer make Litterelle sign a false affidavit saying that Conklin had not asked him to download the information.
-http://cbs3.com/newjerseywire/22.0.html?type=local&state=NJ&category=n&a
mp;filename=NJ--Tropicana-PlayerL.xml
-http://www.nj.com/southjersey/index.ssf/2008/06/three_charged_with_stealing_tr.h
tml
-http://www.newsday.com/news/local/wire/newjersey/ny-bc-nj--tropicana-playerl0616
jun16,0,289889.story

Law Lords Hear McKinnon Extradition Appeal (June 16 & 17, 2008)

Gary McKinnon's extradition appeal is now before the House of Lords. McKinnon is accused of breaking into US government computers from his home in London. He has been fighting extradition to the US because he fears a lengthy sentence and being treated like a terrorist. The Law Lords will examine alleged threats made by US authorities. McKinnon has admitted to accessing the computer systems in question but maintains that he was merely curious that that the networks had lax security. McKinnon's legal team said that if this effort proved unsuccessful, they would take his case to the European Court of Human Rights.
-http://news.bbc.co.uk/2/hi/uk_news/7456216.stm
-http://www.theregister.co.uk/2008/06/16/mckinnon_law_lords/print.html
-http://news.scotsman.com/uk/Scot-fights-US-hacking-move.4190558.jp

MySpace Awarded US $6 Million in Spam Case (June 16, 2008)

A court-appointed arbitrator has ruled that Scott Richter and his company Media Breakaway must pay MySpace US $6 million in damages and legal fees for inundating MySpace members with spam. Some of the spam was allegedly sent from hijacked accounts; Media Breakaway maintained that independent contractors sending messages for the company are to blame for the problem.
-http://www.usatoday.com/tech/news/computersecurity/2008-06-16-myspace-win_N.htm?
csp=34
-http://news.cnet.com/8301-10784_3-9969899-7.html
-http://www.cio.com/article/397663/Former_spam_King_Must_Pay_MySpace_Million
[Editor's Note (Shpantzer): Outsourcing to contractors is like delegating to your employees. They will do the work, correctly or incorrectly, but the responsibility is still yours. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Presidential Directive Requires Biometric Database Interoperability (June 5 & 16, 2008)

A presidential directive released earlier this month "establishes a framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric ... information" so they can easily share the information. Agencies will also be required to make sure they comply with privacy and information security laws, policies and procedures.
-http://www.fcw.com/print/22_17/policy/152825-1.html?type=pf
-http://www.fas.org/irp/offdocs/nspd/nspd-59.html
[Editor's Comment (Northcutt): Yeah, and what controls will be in place to ensure the system designed to protect us against "KST"s (Known and Suspected Terrorists) will not be abused? Anyway, it is a fascinating technical and database problem, how do you compare a fingerprint to an iris scan. Here are the standards; they were announced in February of this year:
-http://engineers.ihs.com/news/standards/biometrics.htm]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Cisco Warns of Authentication Vulnerabilities in SNMP (June 13, 2008)

Cisco has issued an advisory warning of two security flaws in version 3 of the Simple Network Management Protocol (SNMP). The authentication vulnerabilities could be exploited to gain access to system data or change network equipment configurations. The vulnerabilities affect a number of Cisco products although Cisco products ship with SNMP turned off by default. Patches for the flaws are available.
-http://www.gcn.com/online/vol1_no1/46464-1.html?topic=security&CMP=OTC-RSS
-http://www.cisco.com/en/US/products/products_security_advisory09186a00809ac83b.s
html
[Editor's Note (Skoudis): This is an interesting one, given that one of the reasons to move to SNMPv3 is its improved security over earlier versions. Please test and deploy these patches quickly if you used SNMPv3 in your Cisco environment. Because SNMP messages occur over UDP, they can be easily spoofed. One can imagine tools that spray spoofed UDP messages into a target environment that take advantage of this flaw. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Indiana Credit Unions Investigating Unauthorized Overseas Withdrawals (June 16, 2008)

Teachers Credit Union in South Bend Indiana is investigating reports from about 100 members that funds had been withdrawn from their accounts via ATMs in Russia, the Ukraine, and other overseas locations. Ten members of Notre Dame Federal Credit Union reported unauthorized withdrawals as well.
-http://www.chicagotribune.com/news/chi-ap-in-creditunions-brea,0,5481329,print.s
tory
-http://www.wsbt.com/news/local/19979729.html
[Editor's Note (Veltsos): Credit card companies employ theft prevention systems requiring travelers to provide advance notice of which countries would be visited. Banks, credit unions, and payment networks might do well to consider implementing a similar deny-all, allow-only-permitted approach. ]

STATISTICS, STUDIES & SURVEYS

Blogger Arrests on the Rise (June 16, 2008)

The most recent World Information Access (WIA) report, an annual report from the University of Washington, found that 64 people have been arrested since 2003 for blogging about their personal opinions about their governments or human rights abuses. There were 36 arrests for blogging on political issues in 2007; three times higher than the previous year's figure. More than half of the 64 arrests were made in just three countries -- China, Egypt, and Iran -- although bloggers have also been arrested in the US, the UK, France and Canada. The average prison sentences for those arrested was 15 months.
-http://news.bbc.co.uk/2/hi/technology/7456357.stm
-http://www.wiareport.org/index.php/2008-briefing-booklet/

22 Percent of European PC Users Say They Were Hit by Cyber Crime (June 9, 2008)

A study of 7,000 European PC users found that 22 percent have experienced some type of cyber crime. When asked if they believed they would ever be victims of certain types of crimes, 34 percent of respondents said they believed they would experience cyber crime, while 22 percent said they would likely be hit by burglary. Among specific countries, 32 percent of Italian people had experienced cyber crime, while 31 percent of UK respondents said the same thing. The survey was conducted by Ipsos on behalf of AVG Technologies.
-http://www.vnunet.com/vnunet/news/2218582/national-economies-threatened

MISCELLANEOUS

Kaspersky Publishes Recovery Information for Files Encrypted by Gpcode Trojan (June 16, 2008)

Kaspersky Lab, which earlier this month called for a group effort to crack a 1,024-bit encryption key used in a new variant of ransomware, has published information about how to recover files that the Gpcode.ak Trojan horse program has encrypted. Kaspersky's call for a group effort to crack the encryption key used by Gpcode.ak met with resistance from some researchers.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9098338&source=rss_topic17

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast Series: Security Insights with Dr. Eric Cole This month's topic: Information Security Priorities for the SMB
WHEN: Wednesday, June 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/28734


SMBs need IT security solutions that are easy to adopt and maintain. How are small and medium-size businesses (SMBs) adopting, using, and managing IT security technologies, including security information management (SIM), network security, intrusion prevention, application security, content filtering, and network access control (NAC)? Leading areas of focus for SMB security programs are data security and business continuity, followed by application security and access control to support partners and channels as their business grows. While these issues are not unlike those facing larger enterprises, SMBs must prioritize their security program most carefully to avoid costly pitfalls. Undiscovered security threats that slow down the large enterprise can cause the SMB to close its doors if they are not prepared for risk avoidance.

SANS Special Webcast: Endpoint Security: Point- Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
-https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace
-http://www.coretrace.com/


Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.

SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam
-https://www.sans.org/webcasts/show.php?webcastid=91968


This keynote is an introduction to some of the Oracle Database risks that exist, and highlights the "Top 10" critical areas that should be checking when conducting an Oracle database audit.

Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
-http://www.sans.org/info/28754
Sponsored By: Mu Security
-http://www.mudynamics.com/


This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Christophe Veltsos is president of the Mankato Chapter of the ISSA. Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/