SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #5
January 18, 2008
SANS FLASH
CIA Confirms Cyber Attack Caused Multi-City Power Outage
On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.
Delegates at the meeting shared information on how attackers are eluding current defenses and on promising practices for mitigating the most critical vulnerabilities. They also shared a jointly developed "SCADA and Control Systems Survival Kit." Next week an electronic version of the Survival Kit will be available (free) to all SANS alumni. Email scada@sans.org.
Alan
PS. If you have expertise in secure coding in .NET languages, and want to help review and shape the new "Essential Skills" document and/or the assessment and certification examinations for .NET programmers, please email spa@sans.org with your relevant credentials.
TOP OF THE NEWS
Federal Government Appeals Judge's Decryption Key DecisionChina Seeks International Cooperation to Fight Piracy
CMS to Begin HIPAA Compliance Reviews
Most Oracle DBAs are Not Applying Security Updates
Microsoft Warns of Flaw in Older Versions of Excel
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSMan Pleads Guilty in Logic Bomb Case
Suspect Charged in Tennessee Computer Theft
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Internet Cafe Raid Prompts Others to Purge Pirated Content from Servers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle's Quarterly Security Update Patches 26 Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data Breach at "Major Retailer" Likely Source of Debit Card Fraud
Carphone Warehouse Violated Data Protection Act
Lost Memory Sticks Hold NHS Patient Data
MISCELLANEOUS
MySpace and State AGs Form Task Force to Protect Minors
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By Cenzic ****************************
Security Test Production Web Applications! Continuously testing your production web applications - without corrupting your applications or their data - is NOW possible. With over 400 new application vulnerabilities every month it is imperative to test and re-test all Web applications, and not just the ones in development and quality assurance stages. Learn how.
http://www.sans.org/info/22579
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Las Vegas (3/17 - 3/18) Penetration Testing Summit:
(this is an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) SANS' biggest: http://www.sans.org/sans2008
- - and in 100 other cites and on line any-time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Federal Government Appeals Judge's Decryption Key Decision (January 16, 2008)
The federal government has appealed a decision by a judge in Vermont that has prevented a man from divulging the password necessary to decrypt his computer. Magistrate Judge Jerome J. Niedermeier said that to force an individual to enter the password into his computer is a violation of the Fifth Amendment, which grants protection from self-incrimination. The case involves a Canadian citizen with legal residency in the US whose computer was found to contain child pornography. The computer was seized, but the government has been unable to access data in drive Z because it is protected by PGP encryption. (please note this site requires free registration)-http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_
pf.html
-http://www.heise-security.co.uk/news/101935
[Editor's Note (Pescatore): In the US (and I think at least also Canada) there is certainly legal precedent for law enforcement using court orders to require a suspect to open a locked desk drawer, locker or safe. So, it is hard to see how in the long run this same thinking wouldn't extend to decrypting data - entering a password is pretty equivalent to entering a combination. But in the short run technology always moves faster than laws and regulations.
(Schultz): The judge's ruling makes considerable sense given that the US Bill of Rights guarantees that a person does not have to testify against himself. Requiring an accused person to surrender a password, encryption key, or some other object that allows investigators to access evidence against that person is in reality equivalent to forcing someone to provide self-incriminating testimony. ]
China Seeks International Cooperation to Fight Piracy (January 17, 2008)
China is seeking international help in its effort to fight Internet piracy. The number of Internet piracy cases Chinese authorities had last year was more than double the number of the previous two years combined. Many Internet pirates use servers in other countries to conduct their business; senior public security ministry official Gao Feng said the country wants international law enforcement officials to cooperate and share information. Because Chinese authorities do not have access to server registration information outside their own country, it is difficult for them to block the offending websites.-http://news.smh.com.au/china-asks-help-over-internet-piracy/20080117-1mkz.html
-http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2
008-01-17T0
CMS to Begin HIPAA Compliance Reviews (January 17, 2008)
The Centers for Medicare and Medicaid Services (CMS) will begin reviewing hospitals around the US to ensure that their practices are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Between 10 and 20 hospitals will be examined within the next nine months. CMS plans to publish the results of their reviews. While CMS will not divulge the names of the facilities they are reviewing, they plan to start with larger institutions as well as those that have been the object of complaints. The CMS Office of E-Health Standards and Services will post checklists of security practices mandated by HIPAA.-http://www.govhealthit.com/online/news/350176-1.html?type=pf
[Editor's Note (Schultz): This is a potentially very significant development. Until the CMS made this announcement, the HIPAA compliance arena had been relatively dormant. The reviews will now force hospitals to expend more time and resources to ensure that they are HIPAA compliant.
(Kreitner): I hope these reviews focus on significant security issues and urge healthcare providers to stop wasting time on silly things like refusing to send a routine lab report to your home fax because they don't have a signed release from you authorizing your spouse (who might happen to walk by the fax machine) to see it, even when you give them your birth date, city of birth, mother's maiden name, and tell them it's OK for your spouse to see it. ]
Most Oracle DBAs are Not Applying Security Updates (January 14, 2008)
According to a survey from Sentrigo, Inc., two-thirds of Oracle database administrators (DBAs) do not apply Oracle's patches. Of the 305 DBAs surveyed, 206 said they had never applied critical patch updates (CPUs) from Oracle. Only 31 of the respondents, just over 10 percent, said they had installed the most recent Oracle CPU. Sentrigo said the two main reasons for the low rate of patch installation are concern about how the fixes will affect the database's performance and the fact that each CPU requires that the previous CPU has been installed, so missing one installation can have a snowball effect. Readers responding to the initial story offered additional reasons why the CPUs were not being applied -- "DBAs don't have the leverage they need for best security practices to be followed;" organizations are running versions of Oracle products that are no longer supported -- but no one disputed the fact that they are not widely applied.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9057226&pageNumber=1
-http://blogs.computerworld.com/dbas_not_to_blame_for_oracle_patch_application_fa
ilures
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205603104
[Editor's Note (Ranum): It's important to remember that constantly patching one's software because of security flaws flies in the face of good administrative practice for production systems. Namely: make it work, and as long as it's working - don't mess with it. I don't think there's a great deal of vocal push-back on this topic, but one can make a good case that security is a major quality control problem for production systems. Current practices surrounding vulnerability disclosure place administrators in a lose/lose situation while simultaneously claiming it's for their own good.
(Liston): Software vendors live under the mistaken assumption that their customers actually trust them. Mission critical systems will never have patches applied without rigorous in-house testing, and even then, only when the perceived danger represented by the unpatched flaw far exceeds the "if it ain't broke don't fix it" mindset of the average DBA. While the "security" part of my brain cringes at the results of this survey, the part of me that has spent hours trying to roll back a patch that hosed a system understands and sympathizes with the DBA's dilemma. ]
Microsoft Warns of Flaw in Older Versions of Excel (January 15,16 & 17, 2008)
Microsoft has issued an advisory warning of targeted attacks that exploit a remote code execution vulnerability in older versions of Excel. Excel 2003 SP3, Excel 2007, and Excel 2008 for Mac are not believed to have the vulnerability. The US Computer Emergency Readiness Team (US-CERT) has issued its own advisory, recommending that users of older versions of Excel refrain from opening unexpected or unfamiliar attachments; Microsoft's advisory also offers workarounds, as there is presently no fix available.-http://www.theregister.co.uk/2008/01/17/0day_excel_bug_menace/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9057439&source=rss_topic17
-http://www.scmagazine.com/uk/news/article/777761/excel-exploit-targets-%20-vulne
rability-wild/
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62036690-39000005c
-http://www.microsoft.com/technet/security/advisory/947563.mspx
-http://www.us-cert.gov/current/index.html#microsoft_office_excel_remote_code
-http://isc.sans.org/diary.html?storyid=3854
************************* Sponsored Links: ***************************
| 1) SANS-LogLogic Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/22584
2) Come to Ed Skoudis' Penetration Testing and Ethical Hacking Summit March 17-18 - Las Vegas. Come learn the newest techniques what works. http://www.sans.org/info/22589
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Man Pleads Guilty in Logic Bomb Case (January 10, 2008)
Jeffrey Howard Gibson has pleaded guilty to one count of intentional damage to a protected computer system for planting a logic bomb on the St. Cloud (Minnesota) Hospital computer system. The hospital had hired Gibson to develop a computer-based training program for its employees; he apparently placed the malicious code on the system during the time he was employed by the hospital. It activated several months after his departure, disabling the program he had created. Gibson faces up to 10 years in prison and a fine of up to US $250,000.-http://minneapolis.fbi.gov/dojpressrel/pressrel08/logicbomb011008.htm
[Editor's Note (Northcutt): If anyone reading this is even *considering* writing a logic bomb, don't do it. You will get caught, you will do time in jail, and you will suffer. ]
Suspect Charged in Tennessee Computer Theft (January 2008)
A suspect in the theft of computers from the Davidson County (Tennessee) Election Commission has turned himself in at police headquarters. Robert Osborne has been charged with breaking into Commission offices; he allegedly stole computers that contain voter data, including Social Security numbers (SSNs). The stolen laptops were not encrypted. Police have not yet recovered the computers.-http://www.newschannel5.com/Global/story.asp?S=7735032
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Internet Cafe Raid Prompt Others to Purge Pirated Content from Servers (January 17, 2008)
On December 18, 2007, the Australian Federal Police raided an Internet cafe in Sydney for allegedly providing its customers with inexpensive access to pirated music and movies. The raided cafe reopened a day later. Other Internet cafes in the Sydney central business district have removed similar content from their servers in the wake of the raid. The cafes had been using the lure of inexpensive music and movies to attract customers.-http://www.smh.com.au/news/technology/internet-cafes-clean-out-after-raid/2008/0
1/17/1200419959751.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle's Quarterly Security Update Patches 26 Flaws (January 16, 2008)
Oracle's quarterly security update comprises fixes for 26 vulnerabilities, including nine that address remotely exploitable flaws. Oracle advises administrators to apply the patches as soon as possible. The vulnerabilities affect a variety of Oracle products, including E-Business Suite and Applications, PeopleSoft Enterprise PeopleTools, and Collaboration Suite.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9057442&source=rss_topic17
-http://isc.sans.org/diary.html?storyid=3850
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data Breach at "Major Retailer" Likely Source of Debit Card Fraud (January 17, 2008)
A rash of reports of debit card fraud are likely linked to a recent data security breach at an unnamed major retailer. What differentiates these instances of fraud from others is that the thieves are swiping cards in brick-and-mortar establishments to purchase merchandise instead of using them to make withdrawals from ATMs. The problems started in late December and have continued into this month. People have been reporting that their banks have called them to verify suspicious card activity and some have had their cards reissued by their banks.-http://consumerist.com/345016/major-retailers-data-breach-results-in-wave-of-cre
dit-card-fraud
Carphone Warehouse Violated Data Protection Act (January 17, 2008)
The UK Information Commissioner's Office (ICO) has given Carphone Warehouse and TalkTalk five weeks to tighten up their data security. The ICO says the companies have violated the Data Protection Act by providing debt collection agencies with inaccurate customer names and other information. The ICO has been receiving complaints for a year about Carphone Warehouse exposing customer data online. In some cases, customer data were incorrectly associated with account information and customers were unable to obtain loans. Some customers were incorrectly linked on their accounts so that they could view others' personal information. The companies were also reportedly unresponsive to customer requests for information about themselves. If the companies do not address the data security problems, they could face hefty fines.-http://www.zdnet.co.uk/misc/print/0,1000000169,39292224-39001093c,00.htm
-http://www.pcadvisor.co.uk/news/index.cfm?newsid=11859
Lost Memory Sticks Hold NHS Patient Data (January 11, 2008)
The Oldham NHS Primary Care Trust has acknowledged that two memory sticks containing sensitive patient information are missing. The loss affects NHS 148 patients. An internal investigation is underway and affected patients are being notified about the incident. The trust has recalled all data sticks and is in the process of evaluating policies and procedures. This is just one of the latest acknowledged data breaches affecting UK agencies.-http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldh
am
[Editor's Note (Pescatore): This is one of those wildly under-reported problems: since most employees use random memory sticks they pick up at conferences and the like, if they lose them they just grab another and never report it as lost. Same thing when they lose personally owned cellphones and PDAs (which increasingly may have business and customer data on them) - since they aren't company-owned assets they don't report the loss. Since so many enterprises are buying laptop encryption software, as part of those procurements and rollouts look for products that can force data to be encrypted if written to a peripheral device, and/or buy encrypting memory sticks and issue them to employees along with policy and responsibility guidance. ]
MISCELLANEOUS
MySpace and State AGs Form Task Force to Protect Minors (January 15, 2008)
MySpace has reached an agreement with the attorneys general of 49 US states and the District of Columbia to employ stronger protections for minors from predators. MySpace will also spearhead an effort to develop technology to verify Internet users' ages and identities. According to the agreement, adults' profiles will be separate from children's. MySpace and the AGs will work together to protect minors from harmful content and online activity, such as pornography, harassment, cyberbullying, and identity fraud. The Multi-State Working Group on Social Networking hopes to bring other social networking sites, particularly Facebook, on board. (please note this site requires free registration)-http://www.nytimes.com/2008/01/15/us/15myspace.html?_r=1&oref=slogin&ref
=us&pagewanted=print
-http://www.news.com/8301-13577_3-9849909-36.html?tag=nefd.lede
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challengesWHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
-http://www.sans.org/info/21639
Sponsored By: eIQnetworks
In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/21644
Sponsored By: Core Security
Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.
SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
-http://www.sans.org/info/20247
Sponsored By: Lumigent Technologies
SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.
We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
-http://www.sans.org/info/22554
Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
