SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #68

August 29, 2008

TOP OF THE NEWS

European Court of Human Rights Will Not Prevent McKinnon's Extradition
Judge Dismisses Lawsuit Against Video Sharing Site
US Government and Private Sector Can't Agree on Cyber Security Responsibilities

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Six Arrested in Taiwan for Data Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FAA Computer System Glitch Delays Flights
VULNERABILITIES
Locked iPhones Not So Secure
 Space Station Laptop Has Virus
DATA LOSS
Number Affected by Bank of New York Mellon Corp Breach Increases
Computer Purchased on eBay Holds Bank Customers' Data
ATTACKS
Best Western Offers Details of Data Breach
STUDIES AND STATISTICS
Reported Data Breaches on the Rise
MISCELLANEOUS
Researchers Develop Technique to Detect Man-in-the-Middle Attacks

---

************************ Sponsored By F-Secure **************************

F-Secure's FREE Security Threat Webinar: STOP Online Crime!
Do YOU know enough to protect yourself, your customers and your business against the latest Internet Security Threats? Be an expert by staying on top of the latest web threats and trends by joining F-Secure's FREE security threat webinar - STOP Online Crime!
Space is limited!
Register NOW! http://www.sans.org/info/32464

*************************************************************************

TRAINING UPDATE

- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008)
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

European Court of Human Rights Will Not Prevent McKinnon's Extradition (August 28, 2008)

The European Court of Human Rights has refused Gary McKinnon's appeal against extradition to the United States to face charges related to infiltrating US government computer networks.  McKinnon claimed that the penalties he would face if he were tried in the US would constitute inhumane treatment.  There is no higher court to which his attorneys can take his case, but they plan to take a new tack and appeal to the UK Home Secretary on the grounds that McKinnon suffers from Asperger's Syndrome.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9113702&source=rss_topic17
-http://news.bbc.co.uk/2/hi/uk_news/7585861.stm
[Editor's Note (Schultz): McKinnon should receive some kind of "drama queen" award. When all is said and done, he almost certainly will end up being extradicted to the US, where he is bound to serve prison time. Meanwhile, it is entertaining to learn of yet another futile attempt on his part to escape justice.
(Northcutt): Per Wikipedia in case I am not the only one that did not know: Asperger syndrome is named after Austrian pediatrician Hans Asperger who, in 1944, described children in his practice who lacked nonverbal communication skills, failed to demonstrate empathy with their peers, and were physically clumsy. Fifty years later, AS was standardized as a diagnosis. ]

Judge Dismisses Lawsuit Against Video Sharing Site (August 28, 2008)

A US District Court judge has dismissed a case against Veoh Networks which had been sued by Io Group Inc. for violating copyright laws because it hosted content without authorization from copyright holders. The judge ruled that Veoh, a video-sharing website, is protected under the safe harbor provisions of the Digital Millennium Copyright Act (DMCA) and cannot be held liable for the uploading activity of its users.  Companies are protected under the safe harbor provisions as long as they remove unauthorized content when asked to remove it by the copyright holder.  The ruling is somewhat heartening to YouTube, which is facing a similar lawsuit brought by Viacom.  One major difference in the lawsuits, however, is that Io did not notify Veoh about the copyright violations before it filed its lawsuit.  In contrast, YouTube received more than 100,000 takedown notifies from Viacom before that lawsuit was filed.
-http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID
=210201310
-http://news.cnet.com/8301-1023_3-10028214-93.html
[Editor's Note (Schultz): This appears to be an extremely reasonable ruling. ISPs should not be expected to police every action in which their users engage. If ISPs are informed of user copyright violations, however, they should cooperate by cracking down on the offending users. ]

US Government and Private Sector Can't Agree on Cyber Security Responsibilities (August 26, 2008)

Despite several major cyber security incidents that have made headlines in recent weeks, the US government and the private sector still cannot agree on who is responsible for managing the security of the country's computer networks.  Contributing to the problem are the decentralized nature of government cyber security and the fact that much of the nation's critical infrastructure runs on private networks.  Recent events, including arrests in connection with a cyber theft ring involving millions of credit card numbers, the disclosure of a critical DNS vulnerability and the seemingly politically motivated attacks on Georgian government websites, have made no discernible impact on either presidential candidate's platform.
-http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story

---

************************** SPONSORED LINKS: *****************************

1) Please join Eric Cole and Core Security for their webcast: From Spend Game to Endgame - Balancing Security ROI. Previously scheduled for July 22, 2008 http://www.sans.org/info/32469
2) Register for Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit September 8-9 - Amsterdam, NL. http://www.sans.org/info/32474

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Six Arrested in Taiwan for Data Theft (August 27, 2008)

Six people have been arrested in Taiwan in connection with the theft of personal data from a variety of organizations.  The stolen data include information about Taiwan's current and former presidents. More than 50 million records are believed to have been stolen from government agencies, state-run organizations, telecommunications companies and a television shopping network; the suspects allegedly tried to sell the data for about US $10 per record.  If they are convicted, they each face up to five years in prison.
-http://news.smh.com.au/technology/taiwan-cracks-major-hacking-ring-data-on-presi
dent-stolen-20080827-43th.html
[Editor's Note (Northcutt): According to  the people I talk to, identity information in general only sells for about $1.50 per identity. If you have a current source that would support the $10 claim in the article I would love to hear from you (stephen@sans.org) ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

FAA Computer System Glitch Delays Flights (August 26, 2008)

"An internal software processing problem" is being blamed for a glitch in the Federal Aviation Administration's (FAA) National Aerospace Data Interchange Network, which delayed hundreds of flights across the US on Tuesday, August 26.  A facility that processes flight plan information went down, so data were sent to a backup facility, which could not sustain the additional traffic.  Radar systems were unaffected, as were communications with aircraft in flight; the issue affected only planes that had not yet taken off.  By Wednesday morning, flights were back to a normal schedule; officials say that terrorism and cyber attack have been ruled out.   The FAA plans to have a new system in place by the end of the calendar year.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210200907
-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/26/AR2008082602203_
pf.html
-http://www.eweek.com/c/a/IT-Infrastructure/Corrupt-File-Brought-Down-FAAs-Antiqu
ated-IT-System/
[Editor's Note (Honan): This story demonstrates why it is important to run live tests of your business continuity plan rather than a desktop review or simulation exercise.  You don't want to discover your backup systems cannot "sustain the additional traffic" when you are in the middle of a disaster.]

VULNERABILITIES

Locked iPhones Not So Secure (August 27 & 28, 2008)

Apple says it is preparing a fix for a vulnerability in its iPhone that could allow unauthorized users to gain access to locked phones. The devices can be locked with a four digit code, but a locked iPhone can be used to make calls to any number.  In addition, with just a few more taps, unauthorized users can get to the phone's "favorites" page without entering the unlock code.  An Apple spokesperson said that until the fix is available, users should set their "Home" buttons to their iPod music rather than their "favorites" menu.
-http://www.infoworld.com/article/08/08/27/Locked_iPhones_can_be_unlocked_without
_a_password_1.html
-http://www.msnbc.msn.com/id/26438428/
[Editor's Note (Ullrich): The iPhone "lock" has never actually done much. Even on a locked phone you can still dial arbitrary numbers. This has also been used in some early "jail breaking" exploits. ]

Space Station Laptop Has Virus (August 26, 2008)

A laptop computer brought aboard the International Space Station was found to have been infected with the W32.Gammima.AG virus.  The malware is designed to steal passwords, and though its presence has not affected operational systems, NASA is investigating how the security breach occurred.  A NASA spokesperson said this was not the first time viruses have been found aboard the space station.  Two laptops are known to be infected; it is likely that the same memory device was plugged into both machines.  The affected computers are used for email and to store data on nutritional experiments.
-http://blog.wired.com/27bstroke6/2008/08/virus-infects-s.html
-http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/08/27/dlviru
s127.xml
-http://www.theregister.co.uk/2008/08/26/nasa_laptops_infected/
-http://news.cnet.com/8301-13554_3-10027754-33.html?tag=rsspr.6246142&part=rs
s&subj=news
-http://www.universetoday.com/2008/08/26/has-the-first-extraterrestrial-computer-
virus-been-discovered-on-the-space-station/
[Editor's Note (Honan): The Honey Stick Project
-http://www.honeystickproject.com/
provides an interesting perspective showing how curiosity results in over 40% of the seeded USB stick are plugged into people's computers after they find them. ]

DATA LOSS

Number Affected by Bank of New York Mellon Corp Breach Increases (August 28, 2008)

The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million.  In February, the bank lost between six and ten unencrypted backup tapes containing customer names, addresses, birth dates and Social Security numbers (SSNs).  In May, Connecticut Governor M. Jodi Rell launched an investigation into the incident which affected hundreds of thousands of Connecticut residents.
-http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true

Computer Purchased on eBay Holds Bank Customers' Data (August 27, 2008)

The UK Information Commissioner's Office is investigating an incident in which a used computer sold on eBay still held personally identifiable information of one million bank customers. The affected banks plan to also launch investigations. The computer, which was purchased for GBP 35 (US $64) in an eBay auction, belonged to Graphic Data UK Ltd, a document management services firm; a spokesperson for the company called the incident an "honest mistake." The information includes names, account numbers and signatures. The computer and another piece of equipment purchased at the same time by the same buyer were returned to Graphic Data. Graphic Data is owned by Mail Source UK.
-http://www.dailymail.co.uk/news/article-1049121/Government-probe-launched-detail
s-million-bank-customers-sold-eBay.html
[Editor's Note (Honan): If you outsource processing of sensitive data to a third party make sure that company abides by your data handling and destruction policies. Ultimately the data is your data and so is the responsibility of ensuring it is kept secure. ]

ATTACKS

Best Western Offers Details of Data Breach (August 28, 2008)

Best Western has provided additional information about a data security breach it says occurred at one facility in Germany and affected 10 customers.  The company refutes as "grossly unsubstantiated" claims made in the media that the breach affected more than 8 million customers.  In its statement, Best Western acknowledges a breach in which "three separate attempts were made via a single logon ID to access the same data from a single hotel."  The logon account used to access the system was terminated and the computer is no longer being used.
-http://news.cnet.com/8301-1009_3-10028291-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9113757&source=rss_topic17
-http://www.marketwatch.com/news/story/statement-best-western-international/story
.aspx?guid={DC0141F6-85D0-468E-97DC-92BB3F54D1BB}&dist=hppr
[Editor's Note (Pescatore): This is mostly an example of the need for a well defined (and tested/dry run) incident response process. If your company receives a call from a reporter saying "we have evidence that your branch office was breached and your customers' data exposed, please comment" what would happen? Just the way many learn *after* the generator didn't start that it is a good idea to dry run disaster recovery operations, same is true for incident response. ]

STUDIES AND STATISTICS

Reported Data Breaches in the US on the Rise (August 26, 2008)

According to statistics from the Identity Theft Resource Center, there have already been more data breaches reported this year in the US than were reported in all of 2007.  Businesses, government agencies and universities have reported 449 data breaches so far this year; in 2007, 446 breaches were reported.  It is not clear if the number of breaches is rising or if organizations are doing a better job of reporting breaches.  Last year, the total number of records reported compromised was 127 million, the majority of which were part of the TJX breach.  So far this year, 22 million records have been reported compromised.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.
html
Direct link to the tool:
-http://www.cs.cmu.edu/~perspectives/
Additional info (CMU site):
-http://www.cmu.edu/news/archive/2008/August/aug25_internetperspectives.shtml

MISCELLANEOUS

Researchers Develop Technique to Detect Man-in-the-Middle Attacks (August 26 & 28, 2008)

Researchers at Carnegie Mellon University have developed software that they hope will help thwart man-in-the-middle cyber attacks.  The system, called Perspectives, designates a series of websites as trusted notaries that check for discrepancies in the encryption keys used by the sites people are visiting.  Such differences could indicate that attackers are routing traffic though machines they control before sending users on to the sites they want to visit.  The software is available as a Firefox add-on and for Apple OS X on Intel and Linux machines.
-http://news.smh.com.au/technology/researchers-offer-new-way-to-avoid-bogus-web-s
ites-20080828-447m.html
-http://news.bbc.co.uk/2/hi/technology/7581949.stm
[Editor's Note (Ullrich): The value of this technique is questionable. Proper usage of SSL certificates appears to be a simpler and better solution than this workaround. On the other hand, the technique may be useful for research purposes. ]

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.


Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.


Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Roland Grefer is an independent consultant based in Clearwater, Florida.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/