SANS NewsBites - Volume: XI, Issue: 33


Amazing article in this morning's New York Times by Sanger, Markoff and Shanker. It surprised a lot of people in Washington. http://www.nytimes.com/2009/04/28/us/28cyber.html?hp
Alan

*************************************************************************
SANS NewsBites                     April 28, 2009                    Volume: XI, Issue: 33
*************************************************************************
TOP OF THE NEWS

  EU Telecom Commissioner Calls For Cyber Security Tsar
  UK Home Secretary Says Government Will Not Have Central Electronic Traffic Database
  Judge to Decide if RealNetworks Can Sell DVD-Copying Product

THE REST OF THE WEEK'S NEWS

  ARRESTS, CHARGES, CONVICTIONS & SENTENCES
   Former Sys Admin Pleads Guilty to Making Cyber Threats
   Nugache Worm Author to be Sentenced
   Former Federal Reserve Analyst Charged with Bank Fraud and Identity Theft
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   Memory Stick Lost in 2006 Held Data on Agents and Informants in International Drug Case
  DATA THEFT, LOSS & EXPOSURE
   Thieves Take Computers from 60+ Businesses in One Building
   Hospital Data on Stolen Laptop Were Not Encrypted
  MISCELLANEOUS
   Satyam Accounting Fraud Perpetrated Through Invisible Business Applications


********************** Sponsored By CA **********************************

Web-Based Security for Business Enablement

While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... http://www.sans.org/info/42893

*************************************************************************

TRAINING UPDATE

- - Application Security Workshop April 29, Washington DC http://www.sans.org/appsec09_summit
- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Pen Testing and Web App Summit - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

EU Telecom Commissioner Calls For Cyber Security Tsar (April 27, 2009)
European Union (EU) telecommunications commissioner Viviane Reding says that the EU needs a "Mister Cyber Security" to take the lead in defending its communications infrastructure from cyber attacks. Reding considers the efforts of the EU's 27 member states to secure communications networks to be "quite negligent," and points to the May 2007 attacks against Estonian government, financial and other commercial sites as an example of what could happen. A cyber security tsar would have the authority to take immediate steps in the event of such an attack.
-http://www.techworld.com/security/news/index.cfm?newsID=115016&pagtype=all
-http://ec.europa.eu/commission_barroso/reding/index_en.htm
[Editor's Note (Schultz): Note, however, that there is lamentably no mention of any kind of authority to mandate proactive control measures--a major shortcoming with Reding's proposal. ]


UK Home Secretary Says Government Will Not Have Central Electronic Traffic Database (April 27, 2009)
UK Home Secretary Jacqui Smith has said the government will not create a central database of communications data. Instead, the government is asking telecommunications companies to retain logs of Internet and telephone traffic, including website visits. Smith says the companies would be required to keep records of who called whom, when the communication occurred, where the parties were when the communication occurred and what method of communication the parties used; no conversation content would be kept.
-http://www.msnbc.msn.com/id/30435251/
-http://news.bbc.co.uk/2/hi/uk_news/politics/8020039.stm


Judge to Decide if RealNetworks Can Sell DVD-Copying Product (April 24, 2009)
RealNetworks is back in court over its RealDVD product that the movie industry says violates the Digital Millennium Copyright Act. The product was temporarily banned last fall; Judge Marilyn Hall Patel will decide whether or not the product can be returned to the market. At issue is whether companies outside the film industry have the right to develop products that allow users who have legally purchased movies to copy them to other devices. In the past six months, movie studios have begun marketing premium DVDs that allow purchasers to download a copy of the movie onto a computer.
-http://blogs.wsj.com/digits/2009/04/24/realnetworks-and-hollywood-spar-over-dvd-ripping/
-http://www.msnbc.msn.com/id/30386423/
[Editor's Note (Liston): The problem with almost all DMCA-related issues is that both sides of the debate are convinced that their "rights" trump those of the opposition. There are no easy solutions to these issues. ]



*************************** Sponsored Links: ****************************

1) "Intel White Paper for Software Developers: Top 5 Security Vulnerabilities and How to Mitigate Them." http://www.sans.org/info/42898

2) EDUCATIONAL WEBCAST: Keynote by Gartner's Peter Firstbrook, "Web Security in the Cloud - Hype or Reality?" http://www.sans.org/info/42903

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES


Former Sys Admin Pleads Guilty to Making Cyber Threats (April 27, 2009)
Viktor Savtyrev has pleaded guilty in federal court to charges related to cyber attack threats made against his former employer. The day after he and 13 others were laid off from their positions at an unnamed mutual fund company in New Jersey, Savtyrev emailed the company's general counsel, threatening that unless certain demands were met, he would launch serious attacks on the company's network. He is scheduled to be sentenced on August 24; he faces up to five years in prison and a US $250,000 fine. Savtyrev had been employed at the company as a system administrator.
-http://www.theregister.co.uk/2009/04/27/bofh_cops_plea/
[Editor's Note (Northcutt): The way I interpret the Verizon Breach Report, such as the chart on page 10 and the internal breach sources discussion beginning on page 13, these insider issues related to termination are inching up.
-http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf]


Nugache Worm Author to be Sentenced (April 26, 2009)
Jason Michael Milmont, who last year reached a plea agreement with prosecutors regarding malware he created, will be sentenced tomorrow. Milmont wrote the Nugache worm, a program that he used to steal credit card information in 2007. Under the terms of the plea agreement, Milmont will pay more than US $73,000 in restitution. He also faces up to five years in prison and a US $250,000 fine. According to prosecutors, this is the first case to be tried in the US in which malware was spread through peer-to-peer (P2P) software.
-http://www.businessweek.com/ap/financialnews/D97QDE0G0.htm
[Editor's Note (Schultz): The toll of the bad economy on employment has resulted in many ex-employees being embittered against their former employers. Statistics now indicate that the majority of so-called "insider" attacks are actually by revenge-seeking ex-employees. (Statistics also still show that the overwhelming majority of attacks are by former system and network administrators.) ]


Former Federal Reserve Analyst Charged with Bank Fraud and Identity Theft (April 24, 2009)
A man who used to work as an IT analyst at the US Federal Reserve Bank of New York has been arrested, along with his brother, on charges of fraud and identity theft. Curtis Wiltshire and his brother Kenneth Wiltshire allegedly used stolen information to obtain student loans and apply for a loan to purchase a boat. While working at the Reserve Bank, Curtis Wiltshire had access to employees' names, dates of birth and Social Security numbers (SSNs).
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132110&source=rss_null17
-http://newyork.fbi.gov/dojpressrel/pressrel09/nyfo042409.htm


GOVERNMENT SYSTEMS AND HOMELAND SECURITY


Memory Stick Lost in 2006 Held Data on Agents and Informants in International Drug Case (April 26 & 27, 2009)
Three years after the fact, the UK's Serious Organized Crime Agency (SOCA) has acknowledged that a lost memory stick caused it to abandon a major drug case. The memory stick, which was in a purse inadvertently left on a shuttle in the airport in Bogota, Colombia, held specifics about five years of intelligence work as well as information about dozens of intelligence agents and informants. The device was not encrypted. The agent responsible for the device was recalled to London. The cost of the scrapped operation was estimated to be GBP 100 million (US $146.2 million). SOCA says its data handling procedures have been improved.
-http://www.vnunet.com/vnunet/news/2241156/mi6-scraps-operation-loss
-http://www.timesonline.co.uk/tol/news/politics/article6169946.ece
[Editor's Note (Honan): Given the fact that people's lives were at stake, it beggars belief that this type of data was firstly entrusted to a relatively new employee and secondly that it was not encrypted. It is rare that a story on data loss due to ineptitude will now elicit a "Wow" response from me, but this is certainly one of them. ]


DATA THEFT, LOSS & EXPOSURE


Thieves Take Computers from 60+ Businesses in One Building (April 26, 2009)
Thieves stole computers, files, and other items from at least 60 businesses in a landmark Ventura Boulevard office building in Woodland Hills, CA. The thieves left fax machines, copiers and printers untouched, leading some of the victims to speculate that the thieves were after the data stored on the stolen devices. There were no signs of forced entry and the thieves did no physical damage to the building during the heist. The perpetrators allegedly disabled the building's surveillance system, and a guard who routinely checks the inside of the building was called away on an emergency.
-http://www.latimes.com/news/local/la-me-heist26-2009apr26,0,7638865.story
[Editor's Note (Schmidt): While it is speculation that the motivation is that of the data theft, which I would not discount, there are still active "computer chop shops" that sell stolen rebuilt computer systems. This sounds like a pretty well planned burglary and all indications have the earmarks of an inside job.
(Ullrich): These thieves went through a lot of trouble to get this data. A lot of planning went into this and an insider connection is likely. A good warning to all of us. This building appears to have been a bit better secured than most office buildings. ]


Hospital Data on Stolen Laptop Were Not Encrypted (April 23 & 24, 2009)
A laptop computer stolen from a locked office at Aberdeen Royal Infirmary contains personally identifiable information of 1,392 patients. The data, which include names, addresses and dates of birth, were not encrypted. The computer also contains clinical information, which is all numerically coded. Affected patients have been notified by paper mail. The computer was stolen on April 15 or 16; IT personnel dug through hospital backup files to determine which patients were affected by the breach.
-http://www.pressandjournal.co.uk/Article.aspx/1186347/?UserKey=
-http://news.bbc.co.uk/2/hi/uk_news/scotland/north_east/8014420.stm
[Editor's Note (Hoelzer): Somewhere in our information security program there needs to be an analysis of what data really needs to be where. The best way I've seen to do this is to develop matrix-based policy that shows how each type of data may be handled. Something as simple as that should tell us very clearly that it's just never OK to have sensitive data of this level on a portable device. Organizations may consider selecting controls out of ISO-27000 that deal with management approval for movement of sensitive data. ]


MISCELLANEOUS


Satyam Accounting Fraud Perpetrated Through Invisible Business Applications (April 27, 2009)
According to India's Central Bureau of Investigation, an executive at Satyam and his accomplices who allegedly fraudulently inflated company revenue did so by creating phony invoices. The Bureau's statement alleges that former Satyam Chairman Ramalinga Raju and his accomplices managed to insinuate a subroutine into the source code of the company's Invoice Management System to create the fraudulent paperwork. The suspects were apparently able to access the system through a superuser account that shielded the documents they created from the rest of the company's business applications. The group allegedly falsely inflated the company's revenue by more than US $900 million.
-http://www.informationweek.com/news/global-cio/outsourcing/showArticle.jhtml?articleID=217200194

[Editor's Note (Northcutt): If you cannot monitor any other event, monitor the creation of new accounts. If Barings Bank had noticed Nick Leeson creating "88888" they might have survived instead of having to be recapitalized.]
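As an added illustration of the point in the note above (this is not code from NewsBites or from any of the sources cited), the following Python checker scans auth-log lines in the syslog format written by the shadow-utils useradd and usermod tools, reports every account creation, and escalates to "critical" when the new account has UID 0 or an existing account is added to an administrative group, the kind of superuser account the Satyam story describes. The log lines, hostname, user names and PIDs are constructed sample data.

```python
import re

# Constructed sample lines in useradd/usermod syslog style; host, names
# and PIDs are made up for this example.
SAMPLE_LOG = """\
Apr 28 09:12:01 erp01 useradd[2201]: new user: name=jsmith, UID=1042, GID=1042, home=/home/jsmith, shell=/bin/bash
Apr 28 09:12:07 erp01 sshd[2210]: Accepted publickey for jsmith from 10.0.0.5 port 51022 ssh2
Apr 28 23:41:15 erp01 useradd[3117]: new user: name=invsvc, UID=0, GID=0, home=/root, shell=/bin/bash
Apr 28 23:42:30 erp01 usermod[3120]: add 'jsmith' to group 'sudo'
Apr 29 08:00:00 erp01 cron[3300]: (root) CMD (/usr/lib/invoice/batch)
"""

# useradd logs "new user: name=..., UID=..., GID=..."; usermod logs
# "add 'user' to group 'name'" when a supplementary group is granted.
NEW_USER = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) useradd\[\d+\]: "
                      r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)")
GROUP_ADD = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) usermod\[\d+\]: "
                       r"add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
ADMIN_GROUPS = {"sudo", "wheel", "root", "adm"}  # groups treated as privileged


def audit_account_events(log_text):
    """Return one alert dict per account-creation or group-grant event.

    Every new account is reported; a UID-0 account or membership in an
    admin group is raised to 'critical' so it cannot hide in the noise.
    """
    alerts = []
    for line in log_text.splitlines():
        m = NEW_USER.match(line)
        if m:
            uid = int(m.group("uid"))
            alerts.append({"host": m.group("host"), "time": m.group("ts"),
                           "user": m.group("name"), "event": "account_created",
                           "severity": "critical" if uid == 0 else "medium",
                           "detail": f"uid={uid}"})
            continue
        m = GROUP_ADD.match(line)
        if m:
            grp = m.group("group")
            alerts.append({"host": m.group("host"), "time": m.group("ts"),
                           "user": m.group("name"), "event": "group_added",
                           "severity": "critical" if grp in ADMIN_GROUPS else "low",
                           "detail": f"group={grp}"})
    return alerts


if __name__ == "__main__":
    for a in audit_account_events(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['time']} {a['host']} {a['event']} {a['user']} ({a['detail']})")
```

Feeding real /var/log/auth.log or /var/log/secure content through audit_account_events produces the same alert records; forwarding them to a ticketing queue rather than a log file is what turns the note's advice into a control.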


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/