SANS NewsBites - Volume: X, Issue: 13

*************************************************************************
SANS NewsBites                     February 15, 2008                    Volume: X, Issue: 13
*************************************************************************
TOP OF THE NEWS

   Senate FISA Amendment Bill Would Give Telecomms Immunity from Prosecution
   Legislators Introduce Bill Aimed at Preserving Net Neutrality
   UK Database Will Compile Educational Records

THE REST OF THE WEEK'S NEWS

  LEGAL MATTERS
   Woman Sues Best Buy for US $54 Million Over Lost Laptop
   Brothers Guilty of Manslaughter in Revenge Attack
  POLICY & LEGISLATION
   Interactive Breach Notification Map
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Danish ISP Will Fight Court Order to Block Pirate Bay
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Adobe Releases Fixes for Critical Flaws in Flash Media Server and Connect Enterprise Server
   Exploit Code for Microsoft Works Flaw Circulating
   Microsoft Issues 11 Security Bulletins
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
   Bloodbank Donor Information on Missing Computers
  MISCELLANEOUS
   Undersea Cables Repaired; Internet Access Restored
   Police Officer Suspended for Unauthorized Database Access
  LIST OF UPCOMING FREE SANS WEBCASTS


*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online anytime: www.sans.org

*************************************************************************


TOP OF THE NEWS

Senate FISA Amendment Bill Would Give Telecomms Immunity from Prosecution (February 13, 2008)
The US Senate has approved S.B. 2248, a measure that grants immunity from prosecution to telecommunications companies that cooperate with intelligence gathering requests from the government. The proposed amendment to the Foreign Intelligence Surveillance Act (FISA) also increases government powers to eavesdrop on communications in certain cases without a warrant. The White House has said that another temporary law will not be signed; the House of Representatives' version of the bill does not provide immunity for the telecommunications industry.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/12/AR2008021201202_pf.html
-http://www.securityfocus.com/brief/681
[Editor's Note (Schultz): It is inevitable that some kind of legislation of this nature will pass in the US. Protection of privacy continues to crumble in the name of intelligence collection, fighting crime, and stopping piracy. ]


Legislators Introduce Bill Aimed at Preserving Net Neutrality (February 13, 2008)
US Representatives Ed Markey (D-Mass.) and Chip Pickering (R-Miss.) have introduced the Internet Freedom Preservation Act. Markey says the bill is designed "to assure consumers, content providers, and high-tech innovators that the historic, open architecture nature of the Internet will be preserved and fostered." Advocacy groups are pleased with the bill, particularly in light of recent allegations that Comcast engages in traffic throttling to limit user access to applications that consume large amounts of bandwidth.
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/02/13/Lawmakers-introduce-new-net-neutrality-bill_1.html
-http://www.savetheinternet.com/blog/2008/02/12/internet-bill-would-bar-discrimination-engage-the-public-on-better-policy/
-http://www.freepress.net/docs/markey_086_xml.pdf


UK Database Will Compile Educational Records (February 13, 2008)
This September, the UK government intends to launch a database that will retain information about every student between the ages of 14 and 19, including personal details, examination results and school records. Students will be provided with a Unique Learner Number to identify their record; they will be required to have a number to obtain a diploma. The files will be permanent and teachers and employers will have access to them, although students would reportedly have control over how the information in their records is shared. The database project is called Managing Information Across Partners (MIAP) and is expected to cost GBP 45 million (US $88.7 million). The plan has been met with skepticism, particularly in light of the recent data security breaches the UK government has experienced. Students are also concerned that every little event that occurred in their schooling will follow them for the rest of their careers.
-http://www.news.com/2102-1029_3-6230380.html?tag=st.util.print
-http://education.guardian.co.uk/schools/story/0,,2256044,00.html
-http://www.theregister.co.uk/2008/02/13/england_child_database/print.html



************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/24113

2) More than 50% of latest online scams are hosted on compromised web sites. New report has the details. http://www.sans.org/info/24118

*************************************************************************


THE REST OF THE WEEK'S NEWS

LEGAL MATTERS


Woman Sues Best Buy for US $54 Million Over Lost Laptop (February 14, 2008)
A woman has filed a US $54 million lawsuit against Best Buy for losing her computer. Raelyn Campbell acknowledges that the amount far exceeds replacement cost and compensation, but she wants to draw "attention to the reprehensible state of consumer property and privacy protection at" Best Buy. Campbell says that her computer was stolen from the Best Buy store and that employees falsified records to hide that fact. She also says they lied to her for weeks about the status of her computer. Campbell brought her computer in for repairs in May 2007, and filed the lawsuit in mid-November.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206504123
[Editor's Note (Pescatore): I was thinking of suing my employer for about that much for forcing me to carry a laptop all the time. This does point out an issue where some companies have allowed employees to do business on personal laptops that get repaired at places that don't protect them very well, and then the business information ends up on eBay and thousands of customers have to get notified, etc. etc.
(Cole): This will continue to happen; so two key takeaways. One, use folder level encryption with a strong passphrase so repair people will not have access to your data. Full disk encryption will not work, since the techs need to log into the system. Second, backup of all of your critical data on a removable drive.
(Schultz): It is easy to predict that lawsuits of this kind are going to proliferate in the future. Many organizations have been downright irresponsible in handling personal and financial information, let alone others' computers. The threat of a lawsuit is likely to force such organizations to radically tighten their procedures for handling such information and computing equipment.]


Brothers Guilty of Manslaughter in Revenge Attack (February 5, 11, 14 & 15, 2008)
Brothers Mark and Steven Forbes have been found guilty of manslaughter in the January 2007 death of Bernard Gilbert, a man involved in a dispute over a parking space with Mark's wife. Gilbert and Zoe Forbes became engaged in a dispute over a supermarket parking space, at which time Gilbert allegedly reacted in an "over-the-top, abusive, and insulting" manner to Forbes. Forbes contacted her husband, who then asked a friend to ask a policeman friend to use Gilbert's license plate number to find out Gilbert's home address. Forbes's husband and his brother threw a brick through a window at Gilbert's home; he died of a heart attack less than an hour later. Stephen Smith, the police officer who provided Forbes with the information, has resigned; last year he pleaded guilty to disclosing information in violation of the Data Protection Act.
-http://www.timesonline.co.uk/tol/news/uk/crime/article3371948.ece
-http://news.bbc.co.uk/2/hi/uk_news/england/derbyshire/7244728.stm
-http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=514539&in_page_id=1770
[Editor's Note (Shpantzer): Most private investigators have 'a guy at the DMV' or 'a friend on the force' to do favors for them. Increased logging and monitoring will help put the word out that these databases have a specific purpose and no 'recreational' use will be tolerated. ]


POLICY & LEGISLATION


Interactive Breach Notification Map (January 2008)
This map provides highlights of data breach notification laws in the 39 US states that have enacted such legislation, as well as "the status of several pending federal bills pertaining to breach disclosure." Information provided includes notification timeframe requirements, penalties for not disclosing breaches, whether or not the law allows for private right of action, and exemptions to the law.
-http://www.csoonline.com/read/020108/ammap/ammap.html
[Editor's Note (Skoudis): This is a great piece of work. Kudos to CSO Online for putting it together and making it freely available. I just bookmarked it, and will be consulting it often. ]


COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


Danish ISP Will Fight Court Order to Block Pirate Bay (February 13, 2008)
Danish Internet service provider (ISP) Tele2 says it will fight a court order that it block access to the BitTorrent website known as Pirate Bay. In the meantime, the ISP has cut off access to the site for its customers; other ISPs in Denmark have not yet received letters requesting that they also prevent their users from accessing the website. The International Federation of the Phonographic Industry (IFPI) plans to send the letters this week.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062482&source=rss_topic17
-http://www.heise-online.co.uk/security/Code-injection-vulnerability-in-Adobe-s-Flash-Media-Server--/news/110115


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Adobe Releases Fixes for Critical Flaws in Flash Media Server and Connect Enterprise Server (February 13, 2008)
Adobe has released three more security bulletins, two for critical vulnerabilities in Flash Media Server and Adobe Connect Enterprise Server and one for an important vulnerability in RoboHelp 7 and RoboHelp 7 installations. The Flash bulletin addresses three flaws that could be exploited to allow remote code injection. The flaws are known to affect Flash Media Server 2 version 2.0.4 on Windows; earlier versions and the Linux version may be vulnerable as well. Users are urged to upgrade to version 2.0.5. The Adobe Connect Enterprise Server bulletin addresses three flaws that could be exploited to take control of vulnerable systems. Adobe also released a bulletin earlier this week to fix problems in its Reader and Acrobat products.
-http://www.eweek.com/index2.php?option=content&task=view&id=46377&pop=1&hide_ads=1&page=0&hide_js=1
-http://www.adobe.com/support/security/bulletins/apsb08-03.html
-http://www.adobe.com/support/security/bulletins/apsb08-04.html


Exploit Code for Microsoft Works Flaw Circulating (February 13, 2008)
Proof-of-concept exploit code has been posted for a vulnerability in the Microsoft Works file converter software in Office 2003, a flaw that is addressed in a Microsoft security bulletin (MS08-011) released on Tuesday. Users are urged to apply the fix as soon as possible. The flaw can be exploited to allow unauthorized code to run on vulnerable machines. The flaw affects Microsoft Works 8 and Works Suite 2005 as well. To become infected, users would have to open a maliciously crafted Microsoft Works attachment.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062579&source=rss_topic17


Microsoft Issues 11 Security Bulletins (February 12, 2008)
Microsoft's monthly security release for February comprises 11 security bulletins, six with maximum severity ratings of critical and five with maximum severity ratings of important. All of the critical bulletins address remote code execution vulnerabilities; the five important bulletins address flaws that could be exploited to cause denial-of-service conditions, gain elevation of privilege and allow remote code execution. Notably absent from the release is a fix for a vulnerability in Excel that Microsoft acknowledged in a security advisory a month ago.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206502000
-http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
-http://www.microsoft.com/technet/security/advisory/947563.mspx
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3973
[ISC Guest Editor's Note (Swa Frantzen): Not only is the Excel patch missing, one of the 12 announced patches also didn't make it. Let's hope we get the Windows Script (JavaScript and VBScript) and the Excel patch next month. Exploits known to be around publicly include at this point in time those targeting the vulnerabilities fixed in MS08-006, MS08-007, MS08-010 and MS08-011. ]


ATTACKS, INTRUSIONS, DATA THEFT & LOSS


Bloodbank Donor Information on Missing Computers (February 13 & 14, 2008)
Approximately 320,000 people who donated blood through Lifeblood in Memphis are at risk of identity fraud after two laptop computers were reported missing from the company. Lifeblood has enhanced its security practices since the incident. Areas where laptops are kept now have more stringent access restrictions as well as closed circuit monitoring. Software installed on company laptops allows their locations to be tracked remotely and provides a means for erasing the computers' hard drives should they be lost or stolen. Finally, the company has altered the programming so that complete Social Security numbers (SSNs) are not downloaded to mobile computers. The missing computers were reported to Lifeblood management in early January; the company decided to refrain from making the incident public knowledge until all affected donors had been notified.
-http://www.sunherald.com/447/story/368296.html
-http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080214/NEWS03/802140369/1017/NEWS01



MISCELLANEOUS


Undersea Cables Repaired; Internet Access Restored (February 12, 2008)
Internet access in the United Arab Emirates has been "completely restored," according to Etisalat, the UAE's main telecommunications operator. Undersea cables damaged in the last few weeks had disrupted service, but repairs are now complete.
-http://news.smh.com.au/uae-back-online-after-cable-repairs/20080212-1rnh.html


Police Officer Suspended for Unauthorized Database Access (February 8, 2008)
DeKalb County (Georgia) police officer Teresa Shover has been suspended for five weeks for accessing the Georgia Crime Information Center, a classified database, to find a private citizen's personal information. Officers in the department sign forms acknowledging that they understand that misusing the information is a crime. Shover, who is separated from her husband, used the information in an attempt to strike out at the woman her husband was dating. Shover sent defamatory flyers to the woman's friends and family, including her mother, former employer, neighbors and other relatives.
-http://www.wsbtv.com/news/15256835/detail.html
[Editor's Note (Honan): In our rush to fight the terrorist/serious criminal/paedophile bogeyman by accumulating more and more databases on our citizens, these stories should be a salutary lesson as to why we need to ensure proper checks and balances, and punishment for misuse, are in place to ensure those with access to these systems do not abuse them for their own needs or those of others. ]


LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Beyond Security Basics: Emerging Defensive Strategies You Shouldn't Miss
WHEN: Tuesday, February 19, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: John Strand
-http://www.sans.org/info/22954
Sponsored By: Core Security

Still think that locking down root access to operating systems is the cornerstone of security, or that your perimeter can't be tunneled under? Please join John Strand, certified SANS instructor and security consultant with Argotek, for this free webcast.

SANS Special Webcast Series: Part 1 of 3: "Security Insights with Dr. Eric Cole"
WHEN: Wednesday, February 20, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Dr. Eric Cole
-https://www.sans.org/webcasts/show.php?webcastid=91783


The 2008 information security environment suggests new challenges and increasing potential for organizations to fall victim to the latest threats. While information security practices are improving, attackers and business requirements continue to raise the bar for the security professional. As organizations look at a technical landscape fraught with viruses, web-based exploits and social-engineering attacks, data loss challenges and beyond, the need to select proven technologies that address threats to their unique environment is crucial. Too often organizations are trying out new strategies and wonder what other organizations have done in similar situations. One of the leading experts in network security will draw upon his teaching experience and his interactions with thousands of students and different organizations to show strategies that will allow organizations to implement cost-effective solutions. Participants will walk away with insights they can directly apply to increase their security. Register now for this free webcast!

Ask the Expert: Security Needs a New Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/22959

Sponsored By: Prism MicroSystems

In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
-http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin.

Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/