SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #82

October 17, 2008

TOP OF THE NEWS

FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup
DHS Criticized Again Over Lack of Cyber Attack Preparedness
State Data Encryption Laws Starting to Take Effect
Common Cause Report Says Some US States Need to Do More to Ensure Voting Accuracy
Fortify Report Examines Reliability of Voting Systems

THE REST OF THE WEEK'S NEWS

CYBER AND FINANCIAL SYSTEMS
U.S. Intelligence Officials Increasingly Worried That Hackers Could Wreak Havoc On The Financial System
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million People
SPAM, PHISHING & ONLINE SCAMS
FTC Takes Action Against Prolific Spammers
UPDATES AND PATCHES
Adobe Update Addresses Clickjacking Flaw
Microsoft Issues 11 Security Bulletins
STUDIES AND STATISTICS
Security Suite Vendors Question Secunia Study
MISCELLANEOUS
Police Buy Computer Tracking Service Licenses for Students and Other Residents

---

****************** Sponsored By ArcSight, Inc. **************************

Complimentary Whitepaper: Mitigating Fraud with the ArcSight SIEM Platform, 2008 Detecting, investigating and responding to fraudulent transactions from within and outside an organization is an essential function of business operations. Unfortunately, most organizations have inadequate solutions in place to deter fraudsters and lack the support tools for fraud investigators to quickly identify fraud and respond to the threats effectively.
This whitepaper will outline the requirements for an effective fraud mitigation solution. http://www.sans.org/info/34249">http://www.sans.org/info/34249

*************************************************************************

TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup (October 14 & 16, 2008)

Documents obtained by a German public radio station show that the DarkMarket carder forum was actually a US FBI sting operation. The site was used as a haven to buy and sell card information, other financial account data and devices used to make cloned cards. The site operated for nearly two years and helped gather intelligence that led to at least 56 arrests and prevented the loss of millions of dollars to fraud. The FBI ran the sting operation in cooperation with the UK's Serious Organized Crime Agency (SOCA) and authorities in Turkey and Germany.
-http://www.theregister.co.uk/2008/10/14/darkmarket_sting/
-http://news.bbc.co.uk/2/hi/uk_news/7675191.stm
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomy
Name=security&articleId=9117361&taxonomyId=17&intsrc=kc_top
[Editor's Note (Paller): Another great example of how good the FBI cyber crime program really is. They make cyber criminals work a lot harder and take a lot more risk. What can be more important? There are three key differences between the FBI and other agencies responsible for cyber security: Priorities (they focus on the most important attacks)); Proactive (they use innovative investigative techniques to infiltrate groups during their activity, rather than merely reacting after the fact); and partnerships (where the partners in the private sector and in foreign law enforcement are people who can actually get things done.) ]

DHS Criticized Again Over Lack of Cyber Attack Preparedness (October 13, 2008)

Chairman of the US House Homeland Security Committee Rep. Bennie Thompson (D-Miss.) says the US Department of Homeland Security (DHS) has not taken necessary steps to prepare for major cyber attacks. DHS was to have completed eight planning scenarios and accompanying documents regarding preparation for different vectors of attack, including cyber attacks as the foundation of the National Response Framework. Rep. Thompson has asked DHS to submit a schedule for completion of the scenarios and associated documents by October 23. Just weeks ago, the DHS was criticized by the Commission of Cyber Security for the 44th Presidency regarding its lack of preparedness for fighting cyber attacks; the Commission recommended placing the locus of national cyber security somewhere else. DHS has refuted the Commission's allegations, saying that "a reorganization of roles and responsibilities is the worst thing that could be done to improve our nation's security posture against very real and increasingly sophisticated cyberthreats."
-http://www.fcw.com/online/news/154055-1.html
-http://news.cnet.com/8301-10787_3-10048033-60.html
[Editor's Note (Pescatore): There is a lot of political maneuvering going on, pretty much standard operating procedure for an administration change. The major problem is that information security is a very big business and there are major competing interests in government to control budgets - but also in private industry to influence potential spending. The real bottom line is *no* government agency is going to ever actually drive protection of the thousands of businesses connected to the Internet any more than any government agency can protect the wired or wireless telephone system - - or the economy. Thinking there can be a centralized solution to a totally distributed problem is like sending battleships after terrorists. However, there are proven mechanisms for how government and industry can cooperate for the good of the whole. Ten years ago Presidential Decision Directive 63 laid out what is still the best roadmap for the role government can play in all this - but since it didn't try to create new empires or new pork barrel opportunities it has largely been ignored.
(Northcutt): Timing is everything and this comes just after the Air Force is having second thoughts about their Cyber Command. The US has not prioritized security and this will probably bite us:
-http://blog.wired.com/defense/2008/08/air-force-suspe.html]

State Data Encryption Laws Starting to Take Effect (October 16, 2008)

A law that took effect this month in Nevada requires that all businesses encrypt electronically transmitted customer data. While Nevada's encryption law is the first to take effect, other states are starting to enact similar laws. A Massachusetts law that will take effect in January 2009 will require businesses that collect information about Massachusetts residents to encrypt sensitive data stored on laptops and other portable electronic devices. Businesses are subject to the state laws if they have customers or otherwise conduct business operations within those states.
-http://online.wsj.com/article/SB122411532152538495.html
[Editor's Note (Schultz): I predict that Nevada's law requiring encryption of transmitted customer information will (like California SB1386) serve as a huge impetus for passing similar legislation in other states. ]

Common Cause Report Says Some US States Need to Do More to Ensure Voting Accuracy (October 16, 2008)

A study released by Common Cause warns that "On November 4, 2008, voting machines will fail somewhere in the United States in one or more jurisdictions in the country. Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failure.
[States are urged to ]
take steps necessary to insure that inevitable voting machine problems do not undermine either the individual right to vote or our ability to count each vote cast." The report examined laws, regulations and procedures regarding voting systems in four areas: provisions for machine repairs and availability of paper ballots; requirements for ballot accounting and vote reconciliation; use of a voter verifiable paper record; and post election audits of those verifiable paper records. Six states received high ratings in all categories; 10 states received low ratings in three of four categories.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9117347
-http://www.brennancenter.org/content/resource/is_america_ready_to_vote

Fortify Report Examines Reliability of Voting Systems (October 15, 2008)

A report from Fortify looks at the reliability of the various voting systems used in the US. Three of the six voting technologies - hand-counted ballots, optical scan ballots and absentee ballots - are fairly reliable; they are expected to be used for approximately 60 percent of ballots in the upcoming US general election. Two others - punch cards and lever machines - present some serious problems, but they are not widely used. Direct Recording Electronic voting systems, which are expected to be used for approximately 33 percent of ballots, are notoriously unreliable: they do not provide an easy way to verify individual votes, and they are easy to manipulate.
-http://blogs.usatoday.com/technologylive/2008/10/50-of-voting-sy.html
-http://www.betanews.com/newswire/pr/Fortify_Software_Releases_Voting_Guide_in_Ti
me_for_November_Elections/145273

---

************************* SPONSORED LINK ******************************

1) Sign up for SANS Webcast: Enterprise Log Management for Incident Handlers October 23, 2008 at 1:00 PM ET sponsored by Q1 Labs http://www.sans.org/info/34254

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

CYBER AND FINANCIAL SYSTEMS

U.S. Intelligence Officials Increasingly Worried That Hackers Could Wreak Havoc On The Financial System (October 17, 2008)

Today's National Journal, Shane Harris has a timely article illuminating examples of cyber security events that have caused significant problems for financial institutions, an dthe worries US intelligence officials are expressing. In closing, he quotes the Tom Kellerman, one of the first to shine a light on this problem, saying, "The reality is, we've been building our vaults out of wood in cyberspace for too long."
-http://www.shaneharris.net/2008/10/toxic-information.html

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million People (October 14, 2008)

The UK Ministry of Defence (MoD) has revised its estimate of the number of individuals affected by the loss of a hard drive from 100,000 to 1.7 million. Those who had made an initial inquiry about serving in the armed forces would have just their names and phone numbers on the drive, but those who had applied had provided information that includes next of kin and passport and national insurance numbers, driver's license information and banking data. The drive is believed to be unencrypted.
-http://www.theregister.co.uk/2008/10/14/mod_bigger_loss/
-http://www.vnunet.com/vnunet/news/2228142/mod-loss-total-hit-million

SPAM, PHISHING & ONLINE SCAMS

FTC Takes Action Against Prolific Spammers (October 14 & 15, 2008)

The US Federal Trade Commission (FTC) has taken action against two men described by the Spamhaus.org CIO as "probably the most prolific spammers at the moment." The FTC has obtained a court order that shuts down six companies operated by Lance Atkinson and Jody Smith by prohibiting the pair from sending unsolicited commercial email messages and freezes assets associated with their companies. The FTC logged more than three million complaints about spam associated with Atkinson's and Smith's companies. The FTC is working with authorities in New Zealand, where Atkinson is a native, although he currently lives in Australia.
-http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9117227
-http://www.cnn.com/2008/TECH/ptech/10/15/spam.ring.shutdown.ap/index.html
-http://www.nytimes.com/2008/10/15/technology/internet/15spam.html
-http://www.ftc.gov/opa/2008/10/herbalkings.shtm
UPDATES AND PATCHES

UPDATES AND PATCHES

Adobe Update Addresses Clickjacking Flaw (October 15 & 16, 2008)

Adobe has issued an update for its Flash Player software to address the clickjacking vulnerability. Clickjacking is a term coined to describe a series of flaws that allow attackers to trick users into clicking on potentially malicious links. The update also addresses an interoperability problem between Flash Player and Firefox and the clipboard vulnerability. Users are encouraged to update Flash Player to version 10.
-http://www.theregister.co.uk/2008/10/16/adobe_update_thwarts_clickjacking/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9117268&source=rss_topic17
-http://www.adobe.com/support/security/bulletins/apsb08-18.html

Microsoft Issues 11 Security Bulletins (October 14, 15 & 16, 2008)

On Tuesday, October 14, Microsoft released 11 security bulletins to address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Host Integration Server and Microsoft Office. The vulnerabilities could be exploited to allow information disclosure, remote code execution and privilege elevation. Four of the bulletins are rated critical, six are rated important and one is rated moderate.
-http://www.theregister.co.uk/2008/10/15/microsoft_october_patch_tuesday/
-http://www.microsoft.com/technet/security/bulletin/ms08-Oct.mspx
-http://isc.sans.org/diary.html?storyid=5180&rss

STUDIES AND STATISTICS

Security Suite Vendors Question Secunia Study (October 15, 2008)

Makers of antivirus products and security suites are calling into question the validity of a recent study from Secunia. The study tested a dozen security suites against "300 exploits targeting vulnerabilities in various high-end, high-profile programs" and found the highest scoring suite caught just 64 of the 300 exploits. Some of the companies whose products were tested say that just one aspect of their products was examined. Others whose products were not included called the study a publicity stunt.
-http://www.darkreading.com/document.asp?doc_id=166027
-http://www.theregister.co.uk/2008/10/15/secunia_tests_backlash/
[Editor's Note (Skoudis): Designing a thorough and fair test regimen is quite difficult, and running the suite of tests against increasingly complex products is very time consuming and expensive. Matt Carpenter and I did this in 2007 for seven endpoint security products, and it consumed two months of our time. Whenever you see a test report of security products, make sure you look carefully at the description of the test methodology and testbed to determine what they measured and how. No test suite is perfect, but some better reflect operational environments than others. ]

MISCELLANEOUS

Police Buy Computer Tracking Service Licenses for Students and Other Residents (October 15, 2008)

Police in Nottinghamshire, UK are paying for licenses for computer tracking and recovery software for people who live in high-crime areas. Last year, at least 665 laptop computers were stolen in Nottingham city. The software connects to a monitoring center once a day; the frequency changes to every 15 minutes if the machine is reported stolen.
-http://news.zdnet.co.uk/security/0,1000000189,39517297,00.htm
-http://www.scmagazineuk.com/ComputraceOne-used-by-Nottingham-police-to-reduce-la
ptop-theft/article/119491/

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/