SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #83

October 21, 2008

Only eight more days to save $350 on SANS big winter training program in Washington, DC (12/10 - 12/16). Features SANS eleven best courses including new pen testing and forensics - preparing you for the two hottest career paths in security. Register at http://www.sans.org/cdi08

---

TOP OF THE NEWS

Court Says Pair Must Turn Over Encryption Keys
Mobile Phone Buyers in UK May Have to Provide Identification
EFF Challenges Constitutionality of New FISA Law

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Guilty Plea in Scientology Web Attack
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Audit Finds Fault With Physical Security at the Canada Revenue Agency
DHS Inspector General Report Says Portable Storage Device Security Lacking
South Korean Prime Minister Warns of Cyber Attacks
EVOTING
Supreme Court Vacates Order Directing Ohio AG to Update Voter Database
STUDIES AND STATISTICS
Data Breaches at State and Local Level Far Exceed Those at Federal Level
MISCELLANEOUS
Georgian Cyber Attacks Traced to Russian Online Forum
NIST Request for Information Seeks "Revolutionary Ideas" for Cyber Security

---

******************* Sponsored By Palo Alto Networks *********************

Attention Cisco PIX Users: Now that Cisco announced "end of life" for its PIX Security Appliances, consider a transition to award-winning next generation firewalls from Palo Alto Networks. Get unprecedented visibility and control of all applications, users, and content - and get instant rebates of up to $6,000! Learn more, watch this short webcast.
http://www.sans.org/info/34343">http://www.sans.org/info/34343

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Court Says Pair Must Turn Over Encryption Keys (October 16, 2008)

A British Court of Appeals has ruled that two men must divulge their encryption keys to law enforcement authorities. The men maintained that turning over the keys would be tantamount to self-incrimination and therefore a violation of their rights. The court said that the right not to incriminate oneself is not absolute; the password itself is not incriminating and the keys and the computers' contents exist as separate entities from the men. "In the eyes of the law, the information on the computers is already in the possession of the police." One of the men had been charged with offenses under the Terrorism Act for allegedly helping a third individual move to a new location, despite an order that required said individual to obtain permission from authorities before moving. Both men had received notices under the Regulation of Investigatory Powers Act (RIPA) ordering the keys' disclosure.
-http://www.out-law.com//default.aspx?page=9514
[Editor's Note (Northcutt): Establishing this sort of case law is important, the US just decided slightly differently (that you would have to give up crypto keys, but giving up the pin that protects those keys violates 5th amendment). My guess is that it will take a few more cases like this to find the legal center. There are also concerns about forcing travelers to decrypt data when entering customs, a particularly interesting question since you are between two countries:
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=61#sID3
06]

Mobile Phone Buyers in UK May Have to Provide Identification (October 19, 2008)

People purchasing mobile phones in the UK could be required to provide a passport or other official identification under a government plan to create a database of all mobile phone owners. The plan is aimed at discovering the identities of people who buy prepaid mobile phones, which can be paid for with cash and no personal information is required. The office of UK Information Commissioner Richard Thomas says it is likely that the "compulsory mobile phone register" will be part of legislation introduced next year. Home Office officials have reportedly said the plan may be illegal.
-http://www.timesonline.co.uk/tol/news/politics/article4969312.ece
[Editor's Comment (Northcutt): I have been following this story and my best guess is the plan is going to stick. I would greatly appreciate the help of NewsBites readers in the UK. As news on this topic breaks, please forward the link to stephen@sans.edu.]

EFF Challenges Constitutionality of New FISA Law (October 17, 18 & 20, 2008)

The Electronic Frontier Foundation (EFF) has filed court documents challenging the legality of the FISA Amendments Act. The law grants retroactive immunity to telecommunications companies that have helped the National Security Agency (NSA) with wiretapping US citizens' phone calls and email. The EFF maintains that the new FISA law violates citizens' rights to due process of law as well as the federal government's separation of powers. The EFF maintains that as most of the eavesdropping under the new FISA law takes place without a warrant or a subpoena and the authorization for the eavesdropping comes from the president rather than the courts, the new FISA law violates citizens' rights to due process of law as well as the federal government's separation of powers.
-http://www.eweek.com/index2.php?option=content&task=view&id=50041&po
p=1&hide_ads=1&page=0&hide_js=1
-http://www.vnunet.com/vnunet/news/2228565/eff-takes-shot-immunity-law
-http://www.informationweek.com/news/telecom/policy/showArticle.jhtml?articleID=2
11201760

---

************************* SPONSORED LINK ******************************

1) Replace your desktop anti-virus or encryption for free - trade-up to StormShield Security Suite http://www.sans.org/info/34348

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Guilty Plea in Scientology Web Attack (October 17 & 18, 2008)

An 18-year-old New Jersey man has admitted to having a role in a distributed denial-of-service (DDoS) attack against a Church of Scientology website in January. The attack reportedly cased US $70,000 worth of damage. Dmitriy Guzner has pleaded guilty to one count of unauthorized impairment of a protected computer. Guzner faces up to 10 years in prison and has agreed to pay US $37,500 in restitution.
-http://www.theregister.co.uk/2008/10/17/scientology_ddos_guilty_plea/
-http://www.vnunet.com/vnunet/news/2228567/teenage-hacker-charged-ddos

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Audit Finds Fault With Physical Security at the Canada Revenue Agency (October 20, 2008)

The tax information of Canadian citizens is at risk of exposure due to lax physical security. According to the June audit of the Canada Revenue Agency, "certain exterior doors and interior perimeter doors were not adequately secured." In three instances, electronic alarm systems were defective, unarmed or missing. Other security vulnerabilities noted in past audits have not been addressed. Many employees were not aware of security standards at the workplace. The Canada Revenue Agency also reported numerous pieces of equipment lost or stolen last year, including 25 laptops, 17 cell phones, six BlackBerries, five printers, a router and two video surveillance cameras. The audit did not examine the agency's electronic data systems.
-http://www.edmontonsun.com/News/Canada/2008/10/20/pf-7141301.html

DHS Inspector General Report Says Portable Storage Device Security Lacking (October 16, 2008)

According to a report from the US Department of Homeland Security (DHS) Inspector General Richard Skinner, DHS has not taken adequate security precautions with portable electronic devices that connect to its unclassified computer systems. The report, "Review of DHS Security Controls for Portable Storage Devices," says that while DHS has developed policies regarding "acceptable use of portable storage devices, ... the policies have not been implemented by the components. (There is no) centralized process to procure and distribute portable storage devices to ensure that only authorized devices that meet the technical requirements can connect to its systems." The report recommended that DHS "establish an inventory of authorized devices; implement controls to ensure that only authorized devices can connect to DHS systems: and perform discovery scans, at least annually, to identify unauthorized devices.
-http://www.fcw.com/online/news/154093-1.html
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_08-95_Sep08.pdf

South Korean Prime Minister Warns of Cyber Attacks (October 14 & 15, 2008)

South Korean Prime Minister Hang Seung-Soo has warned his cabinet that cyber attacks from China and North Korea have resulted in the thefts of large numbers of state secrets. Prime Minister Han pointed to a lax security environment in which public servants have used sensitive data on personal computers or over the Internet. Government computer systems are now subject to monthly security checks in an effort to thwart further data theft. The majority of the documents stolen relate to foreign policy and national security.
-http://www.ioltechnology.co.za/article_page.php?iSectionId=2885&iArticleId=4
659863
-http://english.chosun.com/w21data/html/news/200810/200810150003.html

EVOTING

Supreme Court Vacates Order Directing Ohio AG to Update Voter Database (October 17 & 18, 2008)

As US states switch from local voting rolls to statewide databases of voters, inaccurate information has called into question some voters' eligibility, prompting lawsuits across the country. The problems arise when the information in the database does not mesh exactly with other official records. In Alabama, some voters were incorrectly identified as convicted felons. In Wisconsin, voters' eligibility was questioned due to small discrepancies, such as a missing middle initial or a mistyped birth date. Last week, the US Supreme Court blocked a challenge to 200,000 Ohio voters based on information discrepancies. Also, a judge in Michigan ruled that the names of thousands of voters must be restored to voter rolls in that state after they were taken off because of residency questions.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703360_
pf.html
-http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703205_
pf.html
-http://www.supremecourtus.gov/opinions/08pdf/08A332.pdf

STUDIES AND STATISTICS

Data Breaches at State and Local Level Far Exceed Those at Federal Level (October 20, 2008)

According to statistics from the Privacy Rights Clearinghouse, breaches of systems at the local and state level of US government exposed the personally identifiable information of more than 3.8 million American citizens in the first nine months of 2008. The majority of the records compromised arose from a July 2008 breach at the Colorado Department of Motor vehicles that affected 3.4 million people. During those same nine months, the number of records breached at federal agencies is reported to be 23,024. The discrepancy calls attention to the need for standardized data security at the state and local levels of government.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=47396
[Editor's Note (Weatherford): When asked by the FBI in 1934 why he robbed banks, Willie Sutton replied, "Because that's where the money is." Here's a provocative question, "Where is most American citizen PII located?" The real question is this..."Who is actually doing more reporting?" If you don't report it, maybe it didn't really happen and doesn't become part of a statistic right? It's still easy to avoid reporting a data breach if 1) you fail to accurately define an incident as a data breach or 2) you don't know if a data breach even occurred. A consistent enterprise Incident Management policy that helps internal organizations both identify, report and recover from data breaches is a positive action that helps avoid future incidents.
(Honan): Last year the State of California State Information Security Office released its "Information Security Guide For Agencies". The guide is well worth a read by anyone looking to implement an information security management system and other states, and indeed private organisations, would do well to learn from California's example.
-http://www.oispp.ca.gov/government/documents/pdf/Info_Sec_Program_Guide_Final_Oc
t07.pdf

MISCELLANEOUS

Georgian Cyber Attacks Traced to Russian Online Forum (October 16 & 17, 2008)

An investigation into August's cyber attacks launched against Georgian government websites indicate that they were "coordinated through a Russian online forum," and while "there was no external involvement or direction from State organizations," Russian officials appear not to have stepped in to stop the attacks. The group launching the attacks had a list of known vulnerabilities in the targeted websites along with instructions for exploiting those holes. The attackers apparently used SQL injection attacks to render the targeted sites inaccessible.
-http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forum
s_f.html?nav=rss_blog
-http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report

NIST Request for Information Seeks "Revolutionary Ideas" for Cyber Security (October 14, 2008)

The National Institute of Standards and Technology (NIST) has issued a request for Information (RFI) on behalf of the National Coordination Office (NCO) for Networking and Information Technology Research and Development (NITRD) seeking "just a few revolutionary ideas with the potential to reshape the (cyber security) landscape." The RFI marks the kickoff for the National Cyber Leap Year, which aims to develop "game-changing ideas" to make cyberspace safe for the American way of life." The first phase of the project will gather ideas; the second phase involves development of the best of those ideas. Ideas must be submitted by December 15, 2008. The project is part of the Comprehensive National Cybersecurity Initiative (CNCI).
-http://www.fcw.com/online/news/154063-1.html?type=pf
[Editor's Note (Schultz): This is a tremendous idea. We have been using time-proven but aging methods and strategies; it is time to consider new, promising ideas to address the rapidly evolving, very serious types of threats that seem to constantly be manifesting themselves.
(Paller): Some extraordinary people are behind this effort and they have access to a substantial amount of money test and further develop some of the best of the new ideas uncovered in this search. ]

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/