SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #73
September 16, 2008
TOP OF THE NEWS
Virginia Supreme Court Says Anti-Spam Law is Too Broad
Senators Introduce 2008 Federal Information Security Management Act
House Subcommittee Holds Hearing on Increasing FERC Authority
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
First Guilty Plea in TJX Case
Former Intel Employee Charged with Theft of Trade Secrets
VULNERABILITIES
Student Faces Charges in Carleton University Network Intrusion
UPDATES AND PATCHES
Apple Releases OS X 10.5.5
COMPROMISES & BREACHES
Cyber Thieves Hit UAE Bank Accounts
DATA LOSS AND THEFT
Countrywide Notifying Customers of Data Breach
Insurance Office Employee Allegedly Used Customer Data to Open Accounts
ATTACKS
Hackers Deface Collider Website
******************** Sponsored By ArcSight, Inc. ************************
Complimentary Whitepaper: Mitigating Fraud with the ArcSight SIEM Platform, 2008 Detecting, investigating and responding to fraudulent transactions from within and outside an organization is an essential function of business operations. Unfortunately, most organizations have inadequate solutions in place to deter fraudsters and lack the support tools for fraud investigators to quickly identify fraud and respond to the threats effectively.
This whitepaper will outline the requirements for an effective fraud mitigation solution.
http://www.sans.org/info/33129
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ns2008/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Virginia Supreme Court Says Anti-Spam Law is Too Broad (September 12 & 13, 2008)
The Virginia Supreme Court has overturned a Virginia anti-spam law and a lower court spam conviction on the grounds that the state's anti-spam law violates the defendant's First Amendment rights to free speech. Jeremy Jaynes was sentenced to nine years in prison in 2005. He was convicted in 2004 on three counts for sending unsolicited commercial email to tens of thousands of AOL customers. He obtained the AOL addresses from a stolen database. The court ruled that the 2003 Virginia anti-spam law is overly broad because it does not distinguish between commercial and political messages and under its purview, the Federalist Papers sent in a similar manner would constitute a violation of the law.
-http://www.theregister.co.uk/2008/09/13/virginia_overturns_antispam_conviction/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114618&source=rss_topic17
Senators Introduce 2008 Federal Information Security Management Act (September 12, 2008)
US Senators Tom Carper (D-Delaware) and Joseph Lieberman (I-Connecticut) have introduced Senate bill 3474, the 2008 Federal Information Security Management Act. Among the bill's provisions is a requirement that federal agencies appoint chief information security officers; the CISOs would have the authority to block network access if established security policies are not being adhered to. The bill would also require that the Department of Homeland Security (DHS) conduct annual tests to determine if attackers could access sensitive government data. Senator Carper noted that the current Federal Information Security Management Act is an exercise in paperwork rather than an effective means of determining the security of federal computer networks.
-http://www.nextgov.com/nextgov/ng_20080912_7543.php
-http://www.fcw.com/online/news/153773-1.html?type=pf
[Editor's Note (Schultz): Hopefully, the 2002 version of FISMA will soon become a thing of the past. I suppose that this version of FISMA was at least a start towards achieving better cybersecurity within US government agencies and departments. Anyone who has gone through the exercise of trying to achieve FISMA compliance knows, however, that it is indeed a paperwork game, one that has little relevance to countering real-world security risks.
(Pescatore): CISOs with authority is a very good thing, as long as that authority includes some influence over budgets *and* that the government actually starts making security funds be included as part of all budget requests. Having DHS compete with private industry to do security audits is *not* a good thing - there is a thriving commercial market for security audits and penetration testing that will be more effective and more efficient than any government agency.
(Paller): John Pescatore's comment illuminates one of the dirtiest little secrets of federal cyber security - that federal agencies promise, in writing, to spend a specific percentage of each IT project budget on cyber security (usually 4-8%). My best guess, based on interviews with a lot of federal folks, is that only 35-45% of the promised funds are spent on security - the rest go for other uses. That means that when a CIO testifies before Congress that he or she is spending a certain percent of the IT budget on cyber security (a number derived from those promised percentages in the budget documents) that CIO is almost certainly lying to Congress.
On the other hand, the new FISMA 2008 bill solves three of the most difficult problems caused by OMB and NIST's implementation of the old law and should be a breath of fresh air to any cyber security professional who wants to see federal cyber security funds spent on securing systems rather than on consultants who write reports that do not improve security. ]
House Subcommittee Holds Hearing on Increasing FERC Authority (September 11, 12 & 15, 2008)
The US House of Representatives Energy and Commerce Committee's Subcommittee on Energy and Air Quality is drafting legislation aimed at giving the Federal Energy Regulatory Commission (FERC) greater authority over the country's power grids. The move comes in response to increased concerns about the potential for cyber attacks on the nation's critical infrastructure, as suggested by testimony from witnesses and legislators last week. At a hearing later in the week, industry representatives provided input regarding the process, indicating that while the idea of strengthening federal authority in the event of an imminent threat would be welcomed, the government should not be overly broad in expanding its powers and "legislation must be carefully drawn."
-http://www.govexec.com/story_page.cfm?articleid=40940
-http://news.cnet.com/8301-13578_3-10040101-38.html
-http://www.fcw.com/online/news/153769-1.html
-http://uaelp.pennnet.com/display_article/339577/22/ARTCL/none/none/1/FERC-boss-asks-House-subcommittee-for-more-authority-over-cyber-security-standards/
-http://energycommerce.house.gov/cmte_mtgs/110-eaq-hrg.091108.Cybersecurity.shtml
[Editor's Note (Pescatore): Improvements are definitely needed in mechanisms that require utilities to demonstrate sufficient cyber-security, but I will bet that over the next 10 years outages due to cyber attacks will be less than 1% of those due to other causes. More centralized oversight of security while the utilities are facing deregulated commerce markets is not going to change that, let alone make it better.]
************************** SPONSORED LINKS: *****************************
1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/33134
2) Worried about NetFlow overhead? Consult Lancope's NetFlow Bandwidth Calculator http://www.sans.org/info/33139
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
First Guilty Plea in TJX Case (September 12 & 15, 2008)
One of 11 people arrested in connection with the TJX data breach has pleaded guilty to wire fraud, credit card fraud and aggravated identity theft. Damon Patrick Toey has also agreed to provide the names of more people involved in the scheme to prosecutors. The charges stem from breaches at TJX and other retailers that compromised more than 45 million credit and debit card numbers. The group had members in the US, Estonia, Ukraine, Belarus and China. Toey faces a maximum prison sentence of five years and a fine of US $250,000 for each of four felony counts. He must also forfeit all the money he gained from his participation in the scheme. The group allegedly broke into the retailers' payment systems through vulnerabilities in their wireless networks. It is also alleged that the group stored the stolen data on servers in the US, Latvia and Ukraine and that the information was sold to other criminals or used to create fraudulent payment cards. The alleged ringleader of the group, Albert Gonzalez, has pleaded not guilty to the charges against him.
-http://securecomputing.net.au/News/122774,tjx-hacker-pleads-guilty-as-charged.aspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9114579&taxonomyId=1&intsrc=kc_top
Former Intel Employee Charged with Theft of Trade Secrets (September 12, 2008)
Former Intel Corp. employee Biswamohan Pani has been charged with theft of trade secrets for allegedly stealing proprietary company data, including information about the development of new chips. Pani allegedly accessed an encrypted system at Intel and downloaded 13 top secret documents. He had resigned from Intel in May and was taking accrued vacation time through June 11; the intrusions occurred between June 8 and June 10. Pani had already begun to work for Intel competitor AMD. The issue was discovered when an employee looked into Pani's access and download history on the system in question.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114592&source=rss_topic17
VULNERABILITIES
Student Faces Charges in Carleton University Network Intrusion (September 15, 2008)
A student at Carleton University in Ottawa, Ontario is facing charges of mischief to data and unauthorized use of a computer for allegedly breaking into a university computer network and then providing university administrators with a detailed report about the vulnerabilities he exploited and possible ways to fix them. Mansour Moufid is cooperating with authorities. Moufid allegedly broke into the accounts of 32 Carleton University students, but did not access any sensitive information, instead choosing to send a list of the compromised accounts along with their passwords and suggested remedies for the vulnerabilities to school officials.
-http://www.securityfocus.com/brief/819
-http://www.canada.com/ottawacitizen/news/editorials/story.html?id=0f2b40a0-a005-40b6-971d-571aaad26399
Follow-Up: The student gained access by "installing software that he wrote on a terminal in a computer lab that was attached to a card reader."
-http://www.cbc.ca/technology/story/2008/09/11/ot-carleton-080911.html
[Editor's Note (Veltsos): Carleton's web site provides additional updates and goes as far as saying that "A third-party audit of the university's computer network concluded earlier in the year that the system had multiple security features and was deemed very secure."
-http://www2.carleton.ca/newsroom/news-releases/update-on-carleton-university-email-breach/]
UPDATES AND PATCHES
Apple Releases OS X 10.5.5 (September 15, 2008)
Apple has released the latest version of its Leopard operating system to address more than two dozen vulnerabilities, some specific to Apple and others to a variety of open-source components. Mac OS X 10.5.5 fixes vulnerabilities that could be exploited to allow arbitrary code execution, create denial-of-service conditions, allow users to log in without a password or change another user's password, allow DNS cache poisoning or allow unexpected application termination.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5041
-http://isc.sans.org/diary.html?storyid=5020
-http://isc.sans.org/diary.html?storyid=5032
-http://www.pcworld.com/businesscenter/article/151104/apple_update_finally_fixes_important_dns_bug.html
-http://news.cnet.com/8300-1009_3-83.html?tag=hdr;snav
-http://support.apple.com/kb/HT2405
-http://support.apple.com/kb/HT3137
COMPROMISES & BREACHES
Cyber Thieves Hit UAE Bank Accounts (September 12, 2008)
Cyber thieves have used cloned bank and credit cards to withdraw funds from bank customers' accounts in the United Arab Emirates (UAE). It appears that the criminals placed skimming devices on cash machines that recorded the cards' essential information, although some are suggesting that the banks' internal systems were breached. The withdrawals were made in more than 20 countries outside the UAE. Some of the affected banks have sent their customers text messages, urging them to change their PINs. Others have blocked the accounts of customers who have not changed their PINs, and one bank temporarily blocked access to international cash machines.
-http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article4735682.ece
-http://www.theregister.co.uk/2008/09/12/uae_atm_hacking_attack/print.html
-http://www.gulfnews.com/business/Banking_and_Finance/10244411.html
DATA LOSS AND THEFT
Countrywide Notifying Customers of Data Breach (September 13 & 14, 2008)
Personally identifiable information of as many as 2 million Countrywide customers may have been sold by data thieves, according to the mortgage company. While there have been no reports of the information being used to commit identity fraud, Countrywide is offering two years of credit monitoring to affected customers. The data were allegedly stolen by a former Countrywide employee who downloaded approximately 20,000 customer records every week for two years. Each batch was allegedly sold for US $500, or about US 2.5 cents for each record. It appears that the data were sold to other mortgage brokers.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/09/13/AR2008091300337_pf.html
-http://www.miamiherald.com/business/personal-finance/story/684578.html
Insurance Office Employee Allegedly Used Customer Data to Open Accounts (September 13, 2008)
Attorneys general in 45 US states have been notified that a State Farm Insurance employee in Surprise, Arizona used customer information to obtain credit cards. The compromised data include addresses, Social Security numbers (SSNs), driver's license numbers and in some cases, bank account numbers. A company spokesperson did not specify the number of people affected by the breach. Police are investigating. All affected customers have been contacted and offered one year of free credit monitoring.
-http://www.azcentral.com/community/westvalley/articles/2008/09/13/20080913gl-nwvstatefarm0913.html
[Editor's Note (Schultz): This and the previous news item once again show how insidious the insider threat is. I fear that too many organizations deploy a disproportionate amount of controls against external attacks at the expense of controls designed to counter insider attacks.
(Skoudis): This issue of NewsBites has several stories about insider malfeasance at a variety of commercial and governmental organizations leading to data breaches. These stories provide excellent examples for infosec people to cite to management for illustrating the need for good internal monitoring of traffic and file system access to detect insider attacks.
(Veltsos): Enforcing need-to-know, least-privilege, and auditing access logs would have restricted the number of accounts compromised and provided early warning of such access. ]
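The editors' recommendations above (monitoring file system access and auditing access logs to catch insiders) can be turned into concrete checks. The following script is an added example written for this newsletter issue; it is not code from SANS, Countrywide, Intel or State Farm. It runs two reviews over a constructed access log: it flags accounts whose weekly record volume is far above normal (the bulk-download pattern in the Countrywide item) and any activity by an account whose owner has resigned and whose access should already have been revoked (the notice-period downloads in the Intel item). The log format, the user names, the HR revocation feed and the 5,000-records-per-week threshold are all assumptions made for the example.

```python
"""
Added example (not from the newsletter): an access-log review that applies
two of the editors' recommendations as defender-side checks:

  1. flag accounts that pull far more customer records per week than a
     normal user does (the Countrywide pattern: ~20,000 records a week);
  2. flag any access by an account whose owner has already resigned and
     whose access should have been cut off (the Intel pattern).

The log format, field names, user names and thresholds below are assumptions
for the example, not the format of any product or organization on the page.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log lines: "<ISO timestamp> <user> <action> <record_count>"
SAMPLE_LOG = """\
2008-06-02T09:14:00 alice read 35
2008-06-02T10:02:00 bob read 12
2008-06-03T22:41:00 mallory export 9800
2008-06-04T23:05:00 mallory export 10400
2008-06-05T08:30:00 alice read 40
2008-06-09T01:12:00 pani export 13
2008-06-10T02:40:00 pani read 2
2008-06-10T11:00:00 bob read 18
"""

# Assumed HR feed (constructed): user -> date from which access should be revoked.
REVOKED_ACCESS = {"pani": date(2008, 6, 1)}

# Assumed threshold: records per ISO week above which a user is reviewed.
WEEKLY_RECORD_THRESHOLD = 5000


def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def weekly_volume(events):
    """Sum record counts per (user, ISO year, ISO week)."""
    totals = defaultdict(int)
    for ts, user, _action, count in events:
        iso_year, iso_week, _weekday = ts.isocalendar()
        totals[(user, iso_year, iso_week)] += count
    return totals


def bulk_exporters(events, threshold=WEEKLY_RECORD_THRESHOLD):
    """Users whose weekly record volume exceeds the threshold: (user, week, total)."""
    hits = []
    for (user, year, week), total in sorted(weekly_volume(events).items()):
        if total > threshold:
            hits.append((user, f"{year}-W{week:02d}", total))
    return hits


def post_termination_access(events, revoked=REVOKED_ACCESS):
    """Events by accounts that should already have been disabled on that date."""
    hits = []
    for ts, user, action, count in events:
        cutoff = revoked.get(user)
        if cutoff is not None and ts.date() >= cutoff:
            hits.append((user, ts.isoformat(), action, count))
    return hits


def review(text):
    """Run both checks over a log text and return the findings by category."""
    events = parse_log(text)
    return {
        "bulk_export": bulk_exporters(events),
        "post_termination": post_termination_access(events),
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, *finding)
```

On the sample data the volume check surfaces only "mallory" (20,200 records in one week), while the revocation check surfaces both of "pani"'s post-resignation sessions even though they moved very few records; the two checks catch different insider patterns, which is why both are worth running rather than relying on a volume threshold alone.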
ATTACKS
Hackers Deface Collider Website (September 12 & 13, 2008)
A group of Greek attackers calling itself Greek Security Team managed to infiltrate and deface the public website of the Large Hadron Collider (LHC) with text that appeared to be disparaging the site's security. The compromised server belongs to the European Organization for Nuclear Research (CERN), which runs the collider. A recent update indicates that the text on the defaced site is making fun of other hackers in the Greek Internet underground. The website is no longer publicly accessible. CERN scientists have expressed concern that the attackers, whatever their motives, were "one step away" from the computer system that controls one of the machine's detectors. The attackers indicated that they have no interest in disrupting LHC activity.-http://www.securityfocus.com/brief/818
-http://www.timesonline.co.uk/tol/news/uk/science/article4744329.ece
-http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/09/12/scicern212.xml
-http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/
[Editor's Note (Skoudis): There is some dispute about whether the attackers were "one step away." Still, if true, it's kind of scary to contemplate that such elements of the LHC are connected to the Internet. Converged networks worry me significantly, with many enterprises blindly putting very sensitive equipment on IP networks and then connecting them to the Internet. We're seeing such convergence in the electric power grid, commercial airliners, and possibly even particle accelerators like the LHC. Very worrisome indeed. If you work in an organization with such critical infrastructure, make sure you ask a lot of questions about why such convergence is needed and if you can even reasonably secure it whenever someone suggests moving parts of your systems to control via IP networks. ]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/