SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #71

September 09, 2008

The hottest job in information security in 2008 and 2009 is application security penetration testing, and the only course preparing these folks will be held in Las Vegas in three weeks (See SEC542 at http://www.sans.org/ns2008) Regular pen testers can prepare for the their GPEN exam with SEC560 course at the same site.
Alan

---

TOP OF THE NEWS

Proposed Calif. Law Would Impose Security Requirements on Retailers
Seattle-based Healthcare Organization Agrees to Action Plan to Address HIPAA Concerns
IRS Network Has 1,811 Unauthorized Web Servers
French Citizens Oppose Massive Database

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Man Sentenced in Pump-and-Dump Scheme
'90s DoD Hacker Arrested in Debit Card Fraud Scheme
LEGAL ISSUES
Comcast Appeals FCC Ruling
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Profiles For Your Eyes Only: Social Networking for Spies
Lost Drive Holds Prison Officers' Data
UPDATES AND PATCHES
Google Releases Chrome Update
Cisco Patches Vulnerabilities in Access Control Server, ASA and PIX Security Appliances
DATA LOSS AND EXPOSURE
Arrest Warrants Issued in Connection with Customer Data Found on Discarded Disks
Iowa County Officials Planned to Sell Data

---

********************** Sponsored By Sourcefire, Inc. ********************

Best of Open Source Security (BOSS) Conference
February 8-10, 2009 -- Flamingo, Las Vegas
Be sure to register the first IT security conference dedicated to promoting open source security (OSS) technologies and the commercial products that embrace them.
This long overdue conference will bring together passionate OSS advocates and vendors under the same roof to share ideas and experiences.
For more information, visit http://www.sans.org/info/32943

*************************************************************************

TRAINING UPDATE

- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008)
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/ and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Proposed Calif. Law Would Impose Security Requirements on Retailers (September 8, 2008)

The Consumer Data Protection Act (AB 1656) that is now before California Governor Arnold Schwarzenegger would require businesses to provide more information about data breaches when they occur, but would also impose specific requirements on businesses for protecting customers' financial data. The latter is a controversial idea; Gartner analyst Avivah Litan notes that while the government can impose breach disclosure regulations, "it's totally inappropriate for a state to mandate security controls." Lobbyists are more optimistic that this version of the bill will pass now that a provision that would have required retailers to bear the cost of replacing cards affected by breaches has been removed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=325574&source=rss_topic17
[Editor's Note (Shpantzer): PCI already specifies specific controls and anyone subject to SB 1386 already knows the costs of reporting are astronomical, so these inputs are already in place for anyone handling sensitive information. This bill is starting to get a bit too close for comfort.
(Schultz): Litan's statement is incredibly out of touch. Some of the best cybersecurity legislation in the US is in effect only at the state level, something that shows that states are often more in touch concerning the need for security-related statutes than is the federal government. ]

Seattle-based Healthcare Organization Agrees to Action Plan to Address HIPAA Concerns (September 8, 2008)

Providence Health & Services, a Seattle, Washington-based organization, has agreed to adopt a corrective action plan (CAP) to address "potential violations" of the Health Insurance Portability and Accountability Act (HIPAA). The plan is part of a resolution agreement between Providence and the US Department of Health and Human Services (HHS). Providence will pay US $100,000 to settle the "potential violations." The resolution agreement is the first to be issued under HIPAA; it was prompted by the loss or theft of a variety of media holding unencrypted Providence patient data. The CAP calls for Providence to overhaul security policies, deploy technical data protection, such as encryption, conduct unannounced audits and submit compliance reports to HHS for the next three years. Of particular note is part of the agreement that prohibits Providence from contesting or appealing any obligations as described in the CAP.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=Security&articleId=325376&taxonomyId=17&pageNumber=1
-http://www.dhhs.gov/ocr/privacy/enforcement/agreement.pdf

IRS Network Has 1,811 Unauthorized Web Servers (September 4 & 8, 2008)

According to a report from the US Treasury Inspector General for Tax Administration, more than 1,800 unapproved internal web servers are connected to the Internal Revenue Service's network. The audit findings indicate that 2,093 web servers with at least one known security flaw are connected to the IRS network. Of the 1,811 unauthorized servers, 1,150 were being used for purposes other than business. "The IRS requires that business units register all internal web sites and web servers with the Web Services Division in the Modernization and Information Technology Services organization." Unregistered servers are a danger "because the IRS has no way to ensure that they will be continually configured in accordance with security standards and patched when new vulnerabilities are identified." The report makes several recommendations to improve network security at the IRS, including conducting scans to detect all machines connected to the network and blocking unauthorized servers from network access.
-http://www.nextgov.com/nextgov/ng_20080904_3324.php
-http://www.fcw.com/online/news/153690-1.html
-http://www.theregister.co.uk/2008/09/05/irs_network_report/print.html
-http://www.ustreas.gov/tigta/auditreports/2008reports/200820159fr.pdf
[Editor's Note (Pescatore): There are a lot of things going on here that point out the futility of requiring business units to "register" web servers with some manual process. The database had over 2800 "registered" web servers of which only 282 could be actually found on the network - basically 90% of the "registered" web servers didn't seem to exist. The network scan found 1,800 web servers that were *not* registered. Essentially the dashboard (the database) was not really connected to the engine. There are plenty of open source and commercial tools to support automated network discovery and baselining, which is absolutely necessary to any reliable vulnerability management process.
(Veltsos): The report also points out the high number of different web software packages used (33) and that 437 servers were found to have high- risk vulnerabilities.
(Honan): An interesting note from the report at ustreas.gov web site is that of the unauthorized servers detected " We did find some that were operating unintentionally as web servers." With modern operating systems including inbuilt web server functionality this is something that can easily happen, especially when users are granted local administrator access to their PCs . These unauthorized web servers are one of the more common items we discover when auditing customers' networks for weaknesses and will often be unpatched with default settings. Make sure you that you regularly scan you own network for unauthorized servers to ensure you are not also exposed.]

French Citizens Oppose Massive Database (September 4 & 9, 2008)

French citizens and some government officials are voicing their opposition to Edvige, a police database that will store vast amounts of personal information about anyone over the age of 13 who is "likely to breach public order." Edvige, which has been called "Sarkozy's Big Sister" (Edvige is also a woman's name) and an "electronic Bastille," would store a wide range of data, including people's opinions, circle of friends, sexual orientation, ethnic origins and financial information. The government maintains that the database is merely an updated, centralized version of information that has already been gathered for many years.
-http://www.timesonline.co.uk/tol/news/world/europe/article4703054.ece
-http://ca.reuters.com/article/technologyNews/idCAL434783820080904?sp=true

---

************************** SPONSORED LINKS: *****************************

1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/32948
2) Worried about NetFlow overhead? Consult Lancope's NetFlow Bandwidth Calculator http://www.sans.org/info/32958

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Man Sentenced in Pump-and-Dump Scheme (September 8, 2008)

A US District Judge in Oklahoma has sentenced Thirugnanam Ramanathan to two years in prison for his involvement in a pump-and-dump scheme. Ramanathan, who is from India and was living in Malaysia, was indicted along with two other men in January 2007; he was extradited to the US in May 2007. Ramanathan pleaded guilty to conspiracy to commit wire fraud, securities fraud, computer fraud and aggravated identity theft. He and the other two men used stolen information to pose as investors and drive up the price of securities they held in their own brokerage accounts; they sold the shares once the price had been artificially inflated. Ramanathan was also ordered to pay US $362,000 in restitution.
-http://money.cnn.com/news/newsfeeds/articles/apwire/9b2f904ec34b59c1284133e274bb
d84e.htm

'90s DoD Hacker Arrested in Debit Card Fraud Scheme (September 5, 6 & 8, 2008)

Ehud Tenenbaum is one of four people arrested in Calgary, Canada, in connection with a CAD $1.8 million (US $1.685 million) cyber theft from a company in Calgary; they have been charged with fraudulent use of credit card data and fraud. Tenenbaum remains in custody. As a teenager, Tenenbaum infiltrated US Defense Department computers. The recent crime involved increasing the values of pre-paid debit cards and withdrawing funds from bank machines during the last two weeks of 2007. Tenenbaum is believed to be the one who broke into the computers; the others allegedly used the cards to withdraw the funds.
-http://www.canada.com/calgaryherald/news/city/story.html?id=c442f4a5-4deb-440b-8
5b0-c7329d76d063
-http://blog.wired.com/27bstroke6/2008/09/the-analyzer-su.html
-http://www.theregister.co.uk/2008/09/08/israeli_hacker_atm_fraud_charges/print.h
tml
[Editor's Note (Northcutt): Tennenbaum was called the Analyst in those earlier attacks. The Solar Sunrise video is still worth watching and the lesson just as valid as it was ten years ago:
-http://vimeo.com/1179948?pg=embed&sec=1179948]

LEGAL ISSUES

Comcast Appeals FCC Ruling (September 5, 2008)

Comcast is appealing a recent US Federal Communications Commission (FCC) ruling that concluded the company was throttling users' Internet traffic in a discriminatory fashion. Comcast maintains that the FCC ruling was "legally inappropriate and its findings were not justified by the record." The issue came to a head when users complained that Comcast was selectively blocking BitTorrent traffic, ostensibly to discourage users' filesharing activity. Comcast plans to comply with the FCC order, which requires the company to disclose the methods it used to block traffic and describe a remediation process it will implement so it will be in compliance with the order by the end of 2008.
-http://blog.wired.com/27bstroke6/2008/09/fears-swirling.html

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Profiles For Your Eyes Only: Social Networking for Spies (September 8, 2008)

A social networking site has been created for use solely by US intelligence agencies. Called A-Space, the site was designed to allow analysts to share information, to "think out loud, think in public amongst their peers." The site, which is scheduled to launch on September 22, will be on the US government's Joint Worldwide Intelligence Communications System. It will be available only to members of the intelligence agencies, and will be monitored by a system designed to recognize anomalous behavior to catch potential infiltrators.
-http://www.cnn.com/2008/TECH/ptech/09/05/facebook.spies/index.html
-http://www.heise-online.co.uk/security/US-intelligence-community-launches-its-ow
n-social-network--/news/111488
[Editor's Note (Northcutt): We always talk about enforcing the "need to know," and that has its place, but the US Intelligence world is starting to realize they have a requirement to share as well. I hope this works out well for them.]

Lost Drive Holds Prison Officers' Data (September 5, 2008)

UK Justice Secretary Jack Straw has launched an inquiry into the loss of a computer drive that holds personally identifiable information of 5,000 justice staff members. Prison officers threatened to strike after they learned of the incident. The disk was in the possession of EDS, a government contractor, when it was lost; the last time anyone at EDS saw the disk was July 2007, but the Prison Service was not notified that the disk was missing until July 2008.
-http://www.guardian.co.uk/society/2008/sep/08/prisonsandprobation.justice/print
-http://www.dailymail.co.uk/news/article-1053381/Jail-staff-risk-data-loss.html
-http://www.timesonline.co.uk/tol/news/politics/article4699110.ece

UPDATES AND PATCHES

Google Releases Chrome Update (September 8, 2008)

Google has released an update for Chrome less than a week after the company's browser was introduced. Among the vulnerabilities found in the Chrome beta was a buffer overflow flaw that could be exploited to take control of vulnerable computers. Google Chrome 0.2.149.29 fixes a problem that crashed the browser when a website's URL contained the characters ".%;" a problem with JavaScript on Facebook; and an unspecified number of security vulnerabilities, but does not provide specific information about which vulnerabilities have been mitigated. At least one flaw disclosed last week a blended threat known as a "carpet bomb" was not fixed in the update. Chrome will check for available updates every few hours and download them automatically as they become available.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9114287&source=rss_topic17
-http://news.cnet.com/8301-1009_3-10035004-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Pescatore): Consumer grade software times beta software = many vulnerabilities. That said, more browser competition, especially towards reducing browser bloat and increasing security as a top of mind feature, is badly needed.
(Skoudis): The lack of specificity in the number or nature of vulnerabilities fixed by this update leaves me very ill at ease. Without such information, it will be hard to compare this browser's security history against its competitors over time. It's almost like they want to keep their users, and the industry more generally, in the dark about what they're up to and their security flaws. Imagine that! ]

Cisco Patches Vulnerabilities in Access Control Server, ASA and PIX Security Appliances (September 5, 2008)

Cisco has issued updates for several flaws in its products. A denial-of- service vulnerability in the way the Access Control Server handles Remote Access Dial-In User Service (RADIUS) communications could be exploited to crash the server. Attackers would need to know the targeted server's IP address and the RADIUS Shared Secret. There are also a half dozen flaws in Cisco's ASA and PIX Security Appliances; five are denial-of-service flaws and one is an information disclosure flaw. Users are urged to apply updates as soon as possible.
-http://www.vnunet.com/vnunet/news/2225515/cisco-warns-security-risks
-http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml
-http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml

DATA LOSS AND EXPOSURE

Arrest Warrants Issued in Connection with Customer Data Found on Discarded Disks (September 6 & 8, 2008)

Two disks found in a trash pile near a Seoul, Korea subway station contain personal information of 11.1 million GS Caltex customers. GS Caltex is one of South Korea's largest oil refineries. The information correlates to data gathered through the company's bonus card membership sign-up; the bonus card gives customers discounts at filling stations. The card does not contain bank or credit card account information. GS Caltex said there is no evidence that their systems were breached by an outsider and suggested that it may have been an inside job. Arrest warrants have been issued for three GS Caltex employees.
-http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088
-http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090844298

Iowa County Officials Planned to Sell Data (September 4 & 5, 2008)

An organization made up of county officials in Iowa has admitted that it was negotiating with Data Tree for access to county mortgage records and other documents that contain personally identifiable information of Iowa residents. IowaLandRecord.org, the organization, had planned to sell Data Tree its database and updates in the future for US $11,750 a month. The officials agreed to hold off on the deal when state legislators became concerned about the situation. The site is maintained by the Iowa County Recorders Associations. The site has been inaccessible since last week, shortly after the issue was made public in The Des Moines Register. The site is estimated to hold more than 10 million records.
-http://www.chicagotribune.com/news/chi-ap-ia-landrecords,0,4324310.story
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9114172&source=rss_topic17

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.


Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.


Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E- Warfare course and the Business Continuity Step-by-Step Guide.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Roland Grefer is an independent consultant based in Clearwater, Florida.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/