3 Days Left to Save $400 on SANS Cyber Defense Initiative 2014, Wash DC

SANS NewsBites - Volume: X, Issue: 2


2008 brings real opportunities for security professionals whose technical skills are up to date (and some embarrassment for those still using techniques from 2005 and 2006). A great place to refresh skills is Orlando in April at SANS 2008 where we'll have 40 different long and short courses. More data: http://www.sans.org/sans2008


*************************************************************************
SANS NewsBites                     January 08, 2008                    Volume: X, Issue: 2
*************************************************************************
TOP OF THE NEWS

   SQL Injection Attack Infects Thousands of Websites
   California Expands Breach Notification Law
   FAA: Dreamliner 787 Computer Systems Pose Security Risk
   Al-Qaeda Offers Video Downloads Formatted for Cell Phones

THE REST OF THE WEEK'S NEWS

  LEGAL MATTERS
   Teen Arrested for Alleged Israeli Website Defacements
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
   PA State Gov Websites Taken Down Briefly After Attacks
   Flash Drive Left in Swedish Library Holds Sensitive Military Data
  POLICY & LEGISLATION
   19 EU Member States Have Yet to Pass Data Retention Laws
   California Has New ID Theft Prevention Office
  SPYWARE, SPAM & PHISHING
   Sears Assailed Over Spyware and Sued for Data Exposure
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Sony to Offer DRM-Free Music Downloads
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   iPhone Trojan Causes Problems When Uninstalled
  MISCELLANEOUS
   UK TV Host Learns a Lesson About Data Exposure
  LIST OF UPCOMING FREE SANS WEBCASTS


*********************** Sponsored By SenSage, Inc. **********************

In his latest report, ESG security analyst Jon Oltsik comments that, "This slapdash approach to security management is no longer adequate". Find out why in this informative HP-sponsored webinar based on research with hundreds of security professionals.
Discover the latest trends and where your organization ranks in terms of best practices and compliance.
http://www.sans.org/info/21773

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************


TOP OF THE NEWS

SQL Injection Attack Infects Thousands of Websites (January 7 & 8, 2008)
At least 70,000 websites have fallen prey to an automated SQL injection attack that exploits several vulnerabilities, including the Microsoft Data Access Components (MDAC) flaw that Microsoft patched in April 2006. Users have been redirected to another domain
[u c 8 0 1 0 . c o m ]
, that attempted to infect users' computers with keystroke loggers. Many of the sites have since been scrubbed. The attack is similar to one launched last year against the Miami Dolphins' Stadium website just prior to the Super Bowl.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyId=16&articleId=9055858&intsrc=hm_topic

-http://www2.csoonline.com/blog_view.html?CID=33430
-http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/print.html
[Editor's Note (Paller): Research published in 2006 showed that more than 70% of web sites had vulnerabilities (25% SQL injection) because they were written by programmers who never had to demonstrate they could write secure web applications. If anyone still needs proof of the scale of the problem, this massively successful attack provides it. There is now a standardized test of web application security skills. Engaging a programmer who has not passed the test demonstrates the kind of negligence that leads to financial liability in attacks like the one reported here - attacks that will surge during 2008. The exam can be found at www.sans.org/gssp . ]


California Expands Breach Notification Law (January 3 & 7, 2008)
California's data breach notification law, SB 1386, has been expanded to include incidents involving unencrypted electronic medical and health insurance data. Previously, the law applied only to financial data. The law requires that a name be associated with the data to necessitate breach notification, but Social Security numbers (SSNs) do not have to be present. The law affects all state agencies and companies that do business in the state of California. The change to the law was prompted in part by a report from the World privacy Forum that said a quarter of a million people become victims of medical identity theft every year. In addition, the law now requires that organizations holding personal health information do not disclose that information without the patient's consent.
-http://www.scmagazineus.com/California-data-breach-disclosure-law-extended-to-co
ver-medical-records/PrintArticle/100459/

-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2008/01/04/BUR6U9000.DTL&
;type=printable

[Editor's Note (Schultz): California is once again leading the way concerning legislation requiring notification after data security breaches. Other states will undoubtedly once again follow California's lead. A disturbing question, however, is why the US government has not yet passed legislation with similar provisions.
(Honan): Bravo to California for once again leading the way in data breach notification. I wish that the EU would take positive steps to introduce similar legislation here. ]


FAA: Dreamliner 787 Computer Systems Pose Security Risk (January 4 & 7, 2008)
A report from the US Federal Aviation Administration (FAA) says that a vulnerability in the onboard computer networks of the Boeing 787 Dreamliner passenger jets could be exploited to gain access to the aircraft's control systems. The network that allows passengers on the plane to access the Internet is connected to aircraft control, navigation and communication systems as well as airlines' business and support network. Boeing says it is aware of the problem and plans to test a fix soon. The 787 Dreamliner is slated to begin service in November 2008; the FAA is requiring Boeing to demonstrate that it has fixed the security problem before it will allow the planes to fly. A Boeing spokesperson says the FAA report is misleading and that "there are places where the networks are not touching and there are places where they are."
-http://www.wired.com/politics/security/news/2008/01/dreamliner_security
-http://www.theregister.co.uk/2008/01/07/boeing_dreamliner_hacker_concerns/print.
html

[Editor's Note (Ullrich): if there is a place for an air gap, it is between the aircraft's control systems and a passenger network.
(Pescatore): This is another one of those areas (like voting machines) where an open security review would go a long way towards determining whether there are real issues or just over-hype. There have been many other instances (think some ATM networks going down and some trains not leaving the station when the Windows worms hit) where "controls were in place" between network that are "touching in some places and not others" were completely ineffective.
(Schultz): Actually, information security problems in aircraft are by no means limited to the ones in the Boeing 787, but the ones about which I have become aware in the past have not been exploitable without physical access to the computing systems. It is truly frightening to envision scenarios in which passengers could gain unauthorized remote access to on-board computing systems. ]


Al-Qaeda Offers Video Downloads Formatted for Cell Phones (January 6, 2008)
USA Today and others report that al-Qaeda's media wing, al-Sahab has started posting videos on their web sites that are formatted for cell phone download.
-http://www.usatoday.com/tech/wireless/phones/2008-01-05-alqaeda_N.htm?csp=34
-http://www.textually.org/textually/archives/2008/01/018562.htm
[Editor's Note (Northcutt): The only thing that surprises me is that it took them so long to do this. I think you can expect al-Sahab's ability to leverage technology to increase. In the mean time, in the west, arm chair bound desk jockey's modify Al-Qaeda style training footage to try to make them a joke:
-http://www.youtube.com/watch?v=ehGlqEQSiCI
-http://www.youtube.com/watch?v=Yd9vLW1D5Uw&feature=related
I would almost rather have the YouTube generation exposed to the beheading videos, at least that way they would understand how totally serious these folks are. Final note, great security awareness tip, a day after Bhutto was assassinated, word spread there was a video of it, so people everywhere started clicking blindly and of course, got their machines infected. Let's make a 2008 New Years' resolution as a community, somehow, someway, we will teach people to think before they click:
-http://www.vnunet.com/vnunet/news/2206379/bhutto-assassination-becomes
-http://www.avertlabs.com/research/blog/index.php/2007/12/28/benazir-bhutto-assas
sination-new-avenue-for-spreading-malware/
]



************************* Sponsored Links: ***************************

1) Keep your data in house. Download free data erasure and leak prevention demo from Blancco now.
http://www.sans.org/info/21778

2) Over 450 security professional participated in the 2007 Web Security Leadership Survey. Get the results at
http://www.sans.org/info/21783

*************************************************************************


THE REST OF THE WEEK'S NEWS

LEGAL MATTERS


Teen Arrested for Alleged Israeli Website Defacements (January 1, 2008)
Police in Israel have arrested a 17-year-old in connection with hundreds of website defacements that appear politically motivated and against Israeli interests. The arrest is the culmination of an 18-month investigation, prompted by a June 2006 attack in which approximately 750 Israeli websites were defaced; the targeted sites included a bank, a hospital, and the Kadima party. A similar attack occurred in August 2007 when the Likud party's website was defaced. In both instances, most websites were back to normal within a day. One consultant observed that the attacks were launched with simple tools, and the sites could be exploited because they had not been kept up to date with the most current patches. The arrested teen is believed to be part of a larger group of attackers.
-http://www.israelnationalnews.com/News/News.aspx/124768


HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY


PA State Gov Websites Taken Down Briefly After Attacks (January 4 & 7, 2008)
The state of Pennsylvania briefly took down most of its government websites last week after it became apparent that attackers had breached their security. A spokesperson for Pennsylvania's Office of Administration said there is no reason to believe that anyone's personal information was compromised. An investigation indicated that the attacks originated from a domain registered in China.
-http://www.msnbc.msn.com/id/22509653/
-http://www.scmagazineus.com/Pennsylvania-government-website-back-online-after-ha
cking-attack-traced-to-China/article/100492/

[Editor's Note (Ullrich): This "defacement" was part of a widespread attack against hundreds if not thousands of websites. The attack is very similar to the attack against the dolphinstadium.com site about a year ago. The attackers use SQL injection to place malicious javascript on these sites. The attacks appear to be automated and government sites are not targeted in this case. Like in the dolphinstadium case, the final goal appears to be the theft of online game credentials. (see "SQL Injection Attack Infects Thousands of Websites" in Top of the News, above.) ]


Flash Drive Left in Swedish Library Holds Sensitive Military Data (January 4, 2008)
A flash drive found in a library computer center in Sweden contains classified NATO information. The individual who found the device gave it to a newspaper, which in turn gave it back to the Swedish military. The portable storage device contains information about security threats in Afghanistan as well as information about other countries. A Swedish military employee had notified superiors that the device had been lost; that person could face up to six months in prison.
-http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/europe/7172
440.stm

-http://www.theregister.co.uk/2008/01/04/another_stick_with_military_secrets_foun
d/print.html



POLICY & LEGISLATION


19 EU Member States Have Yet to Pass Data Retention Laws (January 4, 2008)
Just eight of the 27 EU member states have passed data retention legislation as required by a February 2006 EU directive. The EU Commission sent those countries letters of notice late last year. The directive allows for some flexibility in implementation; the minimum length of time data may be retained is six months, and the maximum is two years. In Germany, where a data retention law took effect on January 1, privacy advocates have already filed an appeal challenging the law's constitutionality. The UK has only partially fulfilled the directive's requirements; ISPs in the UK are exempt from the one-year data retention requirement.
-http://www.heise.de/english/newsticker/news/101312
[Editor's Note (Honan): A recent audit by the Irish Data Protection Commissioner showed that An Garda Siochana, the Irish police force, registered over 10,000 queries in an 18 month period under the Irish implementation of this directive. It appears that either the privacy advocates have grounds for their concerns or we have a bigger serious crime and terrorism problem than believed. ]


California Has New ID Theft Prevention Office (January 3, 2008)
California Governor Arnold Schwarzenegger has opened a new office focused on fighting high tech identity theft. The Office of Privacy Protection in the Department of Consumer Affairs and the state Information Security Office have been combined to create the California Office of Information Security and Privacy Protection. The office will provide guidance for law enforcement, businesses and others regarding California's "landmark consumer privacy laws." A recently released survey from the California Public Interest Research Group (Cal-PIRG) says that many companies are not in compliance with the state's privacy rules and wants legislators to do something about it.
-http://www.siliconvalley.com/news/ci_7869776?nclick_check=1


SPYWARE, SPAM & PHISHING


Sears Assailed Over Spyware and Sued for Data Exposure (January 1, 3, 6 & 7, 2008)
Sears has been accused of placing spyware on the computers of customers who opt-in to their market research program. The software placed on the computers tracks virtually every move the user makes on that computer and sends it back to ComScore. Sears maintains the customers were informed of the situation and that the information gathered is not sold. While it is true that customers who choose to participate are warned, the meat of the warning is found on page 10 of a 54-page privacy statement. Some have pointed out that the practice falls short of Federal Trade Commission guidelines established in earlier spyware cases. In a separate issue, Sears has closed down its ManageMyHome.com website because customers found they could view other customers' personal data by entering names, addresses and phone numbers. A class action lawsuit has been filed, alleging that Sears violated its privacy policy.
-http://www.suntimes.com/business/729861,sears010708.article
-http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/print.html
-http://www2.csoonline.com/blog_view.html?CID=33414&source=nlt_csonewswatch
-http://www.benedelman.org/news/010108-1.html
-http://www.eweek.com/article2/0,1895,2245853,00.asp
-http://blog.washingtonpost.com/securityfix/2008/01/class_action_suit_alleges_sea
r.html?nav=rss_blog



COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


Sony to Offer DRM-Free Music Downloads (January 7, 2008)
On January 15, Sony BMG will begin selling music gift cards that will allow people to download digital music files free of digital rights management (DRM) protection. Sony is the last of the four major music labels to offer DRM-free music online.
-http://www.eweek.com/article2/0,1895,2246032,00.asp


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


iPhone Trojan Causes Problems When Uninstalled (January 7 & 8, 2008)
A Trojan horse program that targets iPhones has been spreading. The malware claims to be the iPhone firmware 1.1.3 prep tool, an update users must install before they upgrade to version 1.1.3 of the iPhone firmware. Although the program does not appear to have a malicious payload once it has been placed on the phones, problems arise when users try to remove it. The phony update affects components of other applications, so when it is removed, those applications are deleted as well. The site hosting the Trojan has been taken offline.
-http://www.theregister.co.uk/2008/01/07/iphone_trojan/print.html
-http://www.itwire.com/content/view/15995/1103/
[Editor's Note (Northcutt): This is reminiscent of the excellent video Rick Farrow did for Fast Company on the iPhone. If you have an iPhone and you have not watched this, take a look:
-http://www.fastcompany.com/multimedia/2007/11/hacking-the-iphone.html
Who knows, maybe UK television personality Jeremy Clarkson can purchase an iPhone and bet GBP 500 that no one can break into his phone for a year. Both of these attacks required the user to browse a malicious web site, wonder what else is possible? ]


MISCELLANEOUS


UK TV Host Learns a Lesson About Data Exposure (January 7 & 8, 2008)
UK television personality Jeremy Clarkson put his money where his mouth is and lost GBP 500 (US $984). Clarkson published his bank account information to demonstrate that the media frenzy over lost HMRC data belonging to 25 million people was unwarranted. Clarkson was certain that no money could be transferred out of his account. However, one reader managed to set up a GBP 500 direct debit to a UK charity. Because of the Data Protection Act, there is no way for the bank to discover who established the direct debit, nor is there a way to ensure that it doesn't happen again. Clarkson has admitted he was wrong about the potential risks inherent in data exposure.
-http://news.bbc.co.uk/2/hi/entertainment/7174760.stm
-http://www.sunderlandecho.com/latest-entertainment-news/Clarkson-Uturn-%20-over-
identity-theft.3645707.jp



LIST OF UPCOMING FREE SANS WEBCASTS
Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20187
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Tool Talk Webcast: NAC - After the Honeymoon
WHEN: Tuesday, January 15, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alok Agrawal, Jimmy Ray Purser, and Robb Boyd
-https://www.sans.org/webcasts/show.php?webcastid=91714
Sponsored By: Cisco Systems

Its fair to say that NAC, or Network Admission Control, has certainly enjoyed its day in the sun. Despite being a very real technology solving very real problems, NAC has now moved out of the spotlight of center stage and is firmly entrenched as a set of technologies that every enterprise has some kind of an opinion on. Whether you have deployed some type of NAC solution today, have plans for it in the future or perhaps are truly wondering what the heck we are talking about.this conversation is for you. The problems can be pretty easy to understand but the devil is in the details - we promise to sort through the details in this interactive conversation. Please join Robb Boyd from Cisco's TechWiseTV as he welcomes his panel of experts, Jimmy Ray Purser, Chief Geek for Cisco's TechWiseTV and Alok Agrawal, Manager of Technical Marketing from Cisco's NAC Business Unit.

SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
-http://www.sans.org/info/20202
Sponsored By: eIQnetworks

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20207
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
-https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies

On Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations. We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cezic
-http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/