And if you missed yesterday's webcast on actual attacks against SCADA Systems, you'll definitely want to listen to the archive posted at SCADA Security Summit: http://sans.org/scadasummit_fall06/ Network Security 2006: http://sans.org/ns2006/caag.php It was amazing! If you have *any* responsibility for IT security in organizations that use control systems (power, water, oil & gas, pipeline, rail, mining, process manufacturing, many more) you owe it to yourself to at least listen to the webcast and to try to come to Las Vegas.
************************************************************************* SANS NewsBites September 08, 2006 Volume: VIII, Issue: 71 *************************************************************************
******************** Sponsored By Fiberlink Communications **************
The Hack is Back! In Fiberlink's new on-demand video/companion guide, our ethical hacker demonstrates four advanced hacks using techniques used to target mobile endpoints and the corporate network. Learn about the changing security landscape, current hacking techniques used to exploit vulnerabilities on mobile systems, and fundamental security strategy changes that can protect your mobile enterprise from attack. http://www.sans.org/info.php?id=1336
Network Security 2006 (Las Vegas, Oct. 1-8) is the only place to find all 20 of SANS highest rated teachers. How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense See: www.sans.org/ns2006/caag.php
Bank of Ireland Will Refund Phishing Victims' Losses (6 September 2006)
Bank of Ireland (BOI) has apparently had a change of heart, agreeing to restore funds of nine customers bilked out of a total of 160,000 Euros with phishing emails. The nine customers had threatened to sue the bank after it initially said it would not refund the money that they had lost. Some people have expressed concern that BOI's willingness to refund the money will encourage other phishers to launch attacks and cause other customers to expect the same compensation should they fall victim to phishing attacks. Banks are likely to begin implementing more stringent security measures for online banking, including placing some of the onus of protecting account details on the customers' shoulders. -http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html [Editor's Note (Pescatore): Many banks have been refunding customer losses from these types of attacks. The banking industry has definitely seen that customers will take their money elsewhere (what's left of it, anyway) after identity theft attacks. (Ullrich): The reason we put our money into bank accounts, instead of keeping it underneath our mattresses, is not our urge to pay high banking fees. Instead, we hope banks will be better able to safeguard all that money. Assuming financial responsibility for fraud is the least one should expect in support of this promise. (Grefer): This case sets a bad precedent. It sets ground rules for how to put your competitor out of business by instigating phishing attacks. ]
Trojans Exploit Zero-Day Word 2000 Flaw (5 September 2006)
Microsoft Word 2000 users are urged not to open untrusted files following reports of a zero-day flaw that could be exploited to allow remote code execution. The flaw affects Microsoft Word 2000 running on a variety of Windows systems. The flaw can be exploited when vulnerable versions of Microsoft Word 2000 open documents that contain the malicious code. An exploit for the vulnerability is actively spreading. Trojan.Mdropper.Q places two pieces of malware on computers it infects, both of which are "linked to Backdoor.Femo, a Trojan horse with process injection capabilities." The backdoor allows attackers to take remote control of the computer. -http://news.com.com/2102-7349_3-6112265.html?tag=st.util.print -http://www.eweek.com/print_article2/0,1217,a=187891,00.asp -http://www.theregister.co.uk/2006/09/05/ms_office_trojan/print.html [Editor's Note (Ullrich): Every day is 0-day. Luckily, Microsoft is making enormous progress when it comes to patches. An exploit used to bypass its digital rights management scheme was patched last week in only 3 days. Now one has to wonder when this speed will be applied to safeguard customers. (Boeckman): If the security of your infrastructure is dependent on a user knowing the difference between a "trusted" and an "untrusted" attachment, you really don't have any security. ]
Spammer's Conviction Upheld (7 & 6 September 2006)
The Virginia Court of Appeals has upheld the conviction of Jeremy Jaynes on charges of flooding AOL customers and deluging the company's servers with unsolicited commercial email. Jaynes, who was convicted two years ago of violating Virginia's anti-spam law, was sentenced to nine years in prison, but remained free on bond while his case was appealed. Jaynes's attorney says he plans to file another appeal; Virginia's Attorney General plans to ask the judge to revoke the bond and order Jaynes to prison. Defense attorneys argued that the Virginia court had no jurisdiction in the case because the emails were sent from a computer in North Carolina; AOL servers are housed in Virginia. Defense attorneys also argued that the anti-spam law violated free speech rights. -http://www.timesdispatch.com/servlet/Satellite?pagename=RTD/MGArticle/RTD_BasicArticle&c=MGArticle&cid=1149190442757 -http://www.washingtonpost.com/wp-dyn/content/article/2006/09/05/AR2006090501166_pf.html Here's the opinion of the three-judge panel, explaining why free speech doesn't apply... -http://www.courts.state.va.us/opinions/opncavwp/1054054.pdf Interesting that the ACLU filed an amicus brief in favor of the appeal. [Editor's Note (Schultz): Once again, using a defense that anti-spam laws violate free speech did not work in a court of law. One would think that defense attorneys would by now grasp this and instead use a different approach. (Northcutt): Jaynes was the guy they found with 176 million email addresses in his home in addition to 1.3 billion user names. One of the arguments for the appeal was free speech. I have to say I side with Judge Haley: "The First Amendment gives no one the right to trespass on the property of another," he wrote. "And if the Commonwealth can criminalize the trespass, then certainly it can criminalize falsification to facilitate it." 
And as a reminder of the history of this story, originally his sister, Jessica DeGroot, was also convicted, though her conviction was later overturned: -http://www.washingtonpost.com/wp-dyn/articles/A64551-2005Mar1.html]
IRS Pays US$318 Million in Fraudulent Refunds Due to Software Problem (5 September 2006)
According to a report from the Treasury Department inspector general for tax administration, the US Internal Revenue Service (IRS) paid out in excess of US$318 million in refunds on phony returns last year. The error has been blamed on a software problem. The IRS had begun implementing a web-based electronic fraud detection system, but when that did not appear to be proceeding as planned, the IRS decided to return to its previous fraud detection system. The agency was not able to get that system up and running in time for the returns filed this year. -http://www.techweb.com/wire/192501772 -http://www.treas.gov/tigta/auditreports/2006reports/200620108fr.pdf [Editor's Note (Pescatore): This points out that the biggest business impacts are from software that doesn't work at all, not from software that allows attacks. Back in 1999, a failed ERP project meant Hershey didn't get its candy into stores in time for Halloween, and they reported a drop of 19% in 4th quarter profits because of that - a much larger impact than any worm or phishing attack. What's really interesting is that these types of risk are much easier to measure - they have a time profile and a deadline, which most security risks don't have. Optimistic estimates of when the project will finish (or how well our existing security processes actually work) usually make risk projections totally disconnected from reality. (Kreitner): I hope I live long enough to see the day when the words "software" and "quality" can legitimately be used in the same sentence. (Weatherford): Software development projects, being inherently complex, require a lot of planning, oversight, and program management. IT folks understand that and plan for it....politicians and bureaucrats don't! So when the inevitable unexpected and unplanned glitch occurs, the wrong people start making decisions. I'm not making excuses for anyone, but there's probably a lot more to this story. 
The ultimate culprit is obviously poor program management but I suspect the real IT guys tried to make the right decisions but were over-ruled at critical times. ]
POLICY & LEGISLATION
Russian Legislation Would Jail Pirates for Up to Five Years (5 September 2006)
New legislation in Russia would see Internet pirates serving sentences of up to five years. The law was approved in July 2004, but took effect just last week. Russia is hoping to join the World Trade Organization (WTO), but concerns have arisen over the country's stance on intellectual property protection. The legislation is seen as a way to demonstrate that Russia is taking digital piracy seriously. -http://australianit.news.com.au/articles/0,7204,20351926%5E15319%5E%5Enbv%5E15306,00.html [Editor's Note (Shpantzer): I'm all for IP protection, however the big picture economics question remains: If the vast majority of the IP to be protected is produced outside of Russia, what good does protecting European/American/Japanese IP do for Russia and Russians? Other than joining WTO as a respectable member of world society? Taxation of legitimate businesses selling authentic merchandise is good for Russia's treasury, but does it stand up to black market payoffs as a market driver?]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Release Three Security Bulletins on Sept. 12 (7 September 2006)
NIST Establishes Vendor Forum in National Vulnerability Database (7 September 2006)
The National Institute of Standards and Technology (NIST) has launched a public forum for vendors to comment on software vulnerabilities. Previously, vendors were not permitted to make posts to the site. The forum is part of NIST's National Vulnerability Database (NVD), which acts as a central repository for information on vulnerabilities using the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD typically holds information about flaws submitted by researchers, but has not had a place for vendors to discuss the vulnerabilities. There is a web portal for vendors with accounts. They may post statements about software flaws, including information about which products are affected and advice on configuration and remediation. Accounts are available only to NIST-verified vendor officials; users are authenticated before being permitted to post information. -http://www.gcn.com/online/vol1_no1/41907-1.html?topic=security -http://news.com.com/2102-1002_3-6113232.html?tag=st.util.print [Editor's Note (Weatherford): As long as this doesn't become a forum for vendors to minimize reported vulnerabilities or market their products, it's probably a good idea. Misinformation in a forum like this sometimes takes on a life of its own, and this will give vendors an avenue to address these issues. (Pescatore): This can be a good thing, as long as NIST has a rigorous registration process for those vendor accounts. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Wells Fargo Employee Data on Stolen Computer (1 September 2006)
Wells Fargo is notifying an unspecified number of employees that their personal data, including names, Social Security numbers (SSNs), as well as some health insurance and prescription drug information, may have been compromised following the theft of a laptop computer and hard disk from an audit company employee's car trunk. The audit company was reviewing Wells Fargo's health plan information in accordance with Internal Revenue Service (IRS) requirements. A Wells Fargo spokesperson said that in this case, the auditor did not comply with established policies for safeguarding sensitive data. The company no longer works for Wells Fargo. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002944&source=NLT_FIN&nlid=56 [Editor's Note (Shpantzer): "The company no longer works for Wells Fargo." A cautionary tale for auditing firms that violate their customers' policies and don't follow best practices (i.e. disk encryption) for protecting their customers.]
Investigations Underway in HP Phone Records Scandal (7 & 6 September 2006)
After confidential information about Hewlett Packard's (HP) long-term strategy was leaked to the media, HP chairwoman Patricia Dunn hired a consultant to investigate board of directors members' communications and determine the source of the leak. The directors were unaware of the investigation. The consultant obtained the directors' home and private cell phone records through "pretexting," or deceiving the phone company into believing he was the account holder. The source of the leak was determined to be HP board member Dr. George A. Keyworth II. When Dunn disclosed her activities, another board member, Tom Perkins, resigned in protest. When a director from any US public corporation resigns, that company is required to inform the Securities and Exchange Commission (SEC) in an 8-K filing; if the director resigned over "disagreement [regarding company] operations, policies or practices," that fact must be disclosed as well. The 8-K filing regarding Tom Perkins's resignation omitted any such additional information. Keyworth has not resigned, but board members have agreed that he should not be nominated to serve again. HP has filed another report with the SEC acknowledging an internal investigation into the matter. Meanwhile, the California Attorney General is investigating whether the actions violated state laws against identity theft or theft of computer information. -http://www.msnbc.msn.com/id/14687677/site/newsweek/ (please note this site requires free registration) -http://www.washingtonpost.com/wp-dyn/content/article/2006/09/06/AR2006090600590_pf.html -http://www.securityfocus.com/brief/296 [Editor's Note (Schultz): This is a very ugly set of incidents apparently triggered by an individual or individuals who felt that the ends justified the means. I predict that criminal charges will result. (Northcutt): Oh my, great, though sad, story. I would dump any HP stock at this point. Talk about violating the historical management philosophy of HP! 
I realize Dunn claims that "pretexting" is not illegal and I am certainly not an expert, but I did find this: -http://www.ncua.gov/reg_alerts/Prior2003/99-RA-3.pdf#search=%22pretext%20telephone%20call%22]
Georgia Students to Use Biometrics in Lunch Lines (5 September 2006)
Schools in Rome, Georgia are implementing biometric technology to speed up lunch lines. Fingerprint readers will allow students to pay for their school lunches without having to enter PINs, the method previously used. Some parents are skeptical about having their children's fingerprints scanned because they do not know how the information will be stored. Use of the scanners will not be mandatory. -http://www.msnbc.msn.com/id/14678017/
GAO Report: Healthcare Records Need Stronger Privacy Protections (5 September 2006)
A report from the Government Accountability Office (GAO) titled "Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid and TRICARE" says that more than "40 percent of federal health insurance contractors and state Medicaid agencies reported experiencing a privacy breach involving personal health information in the past two years." The report also indicates that services involving healthcare data are commonly outsourced. The report suggests that there is inadequate privacy protection for health care records. The GAO report recommends that privacy breach notifications that cover "TRICARE and Medicare FFS contractors should be extended to other Medicare contractors that deal with personal health information and to state Medicaid agencies." -http://www.informationweek.com/story/showArticle.jhtml?articleID=192501900 -http://www.gao.gov/new.items/d06676.pdf [Editor's Note (Shpantzer): Some of this stuff ends up going overseas as well, google 'outsourcing medical coding' just for fun. ]
******************* The Editorial Board of SANS NewsBites ***************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC