One big piece of news this week is that encryption will be automatically included in hard drives starting in the spring. You'll learn all about it in a case study of a Navy site that implemented on-drive, hardware encryption and also learn about the other new developments in encryption and protecting data at rest. All at the Secure Storage and Encryption Summit in Washington December 6-7. http://www.sans.org/mclean06/
************************************************************************* SANS NewsBites November 07, 2006 Volume: VIII, Issue: 88 *************************************************************************
********************* Sponsored By Symark Software **********************
How do you guard against sabotage, theft or unauthorized access of data? Sudo doesn't provide the accountability for "privileged" accounts required by COBIT 4.0/ISO17799. Learn how PowerBroker, the most widely used solution for controlling Unix/Linux superuser privileges, helps you meet data privacy and compliance requirements. ALERT: Download the FREE White Paper "PowerBroker vs. sudo." http://www.sans.org/info/1768
Best Deal on the Nation's Number One Rated Hands-On Security Training. Tomorrow is the last day for big savings. The nation's top security teachers; 10 full tracks of hands-on, state-of-the-art security and audit training; seven short courses; briefings on the 20 billion dollar cyber crime wave; a great expo; plus the top ten trends in cyber security for 2007. All in Washington, DC, December 9-16 http://www.sans.org/cdieast06/event.php
Ten Arrested in Credit Card Scam (3 November 2006)
Law enforcement authorities in Will County, Illinois have charged a dozen people with felony theft in connection with selling the credit card numbers of individuals who stayed in seven different Joliet-area motels. Four of those charged are motel owners; the rest are employees. The hotel staffers reportedly sold the credit card numbers for US$100 each; accounts with higher limits sold for as much as US$500. An informant says he has bought at least 10,000 credit card numbers from area motels in the last six years. Ten of the people have been taken into custody. The suspects allegedly targeted customers who were not from the area and waited up to a year after customers had stayed at the motels to sell the credit card information. -http://www.suntimes.com/news/metro/122699,CST-NWS-scam03.article
Classified Documents Found in Search of a Los Alamos Trailer (6, 4, 3 & 2 November 2006)
Seagate Technology Automatically Encrypts Data Written to Hard Disk (31 October 2006)
Seagate has developed technology that can automatically encrypt all data written to a hard-disk drive. The DriveTrust Technology is currently available in Seagate DB35 disk drives used in digital entertainment devices; the company expects to ship a hard-disk drive for notebooks that uses DriveTrust early next year. The drive for the notebook will use 128-bit Advanced Encryption Standard (AES) encryption. Users will be asked to create a password when they start up their notebook computers for the first time; the machine will require the password every time it boots up. -http://news.com.com/2102-1029_3-6130824.html?tag=st.util.print [Editor's Note (Ullrich): Sounds like a much 'saner' approach than self-destruct hard drives under development by other companies. But it comes back down to picking a hard-to-guess password (and not forgetting it). This will not eliminate more sophisticated solutions with features like key escrow for enterprise deployments. (Northcutt): Reminds me of the quote sometimes attributed to Gen. Forrest: Seagate got there "fustest with the mostest." A TCG standard is a long way away, but Seagate is here now and they are probably big enough to force the standard to interoperate with them. People are desperate for solutions right now. I wonder if I can back fit a drive onto my laptop. Most of the news stories appear to be based on their press release, which has some good information: -http://www.seagate.com/cda/newsinfo/newsroom/releases/article/0,1121,3347,00.html ]
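Ullrich's two points above (the drive is only as strong as the boot password, and enterprises will want key escrow) come down to how the password relates to the 128-bit key that actually encrypts the platters. The following is an added illustration written for this issue, not Seagate's design and not anything the press release describes: the user's password never becomes the data key. A random data encryption key (DEK) is generated once and stored twice, wrapped under a key derived from the user's password and again under a key derived from an escrow secret held by IT. Changing the password re-wraps the DEK without touching the encrypted data, and a forgotten password is recovered through the escrow copy. The key wrap here is a toy HMAC-based construction standing in for the AES key wrap a real drive would perform in firmware; the PBKDF2 iteration count and the 128-bit key length are assumptions chosen for the example.

```python
"""Key hierarchy for a password-unlocked encrypted drive (added illustration,
not Seagate's implementation). Standard library only."""
import hashlib
import hmac
import os

# Assumptions for the example: PBKDF2-HMAC-SHA256 stands in for whatever
# stretching a real drive does in firmware; 16 bytes matches the AES-128 key
# mentioned in the story.
KDF_ITERATIONS = 100_000
KEY_LEN = 16


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch a human-chosen secret into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-counter keystream. Stand-in for a real AES key wrap; not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, dek: bytes) -> dict:
    """Encrypt-then-MAC the DEK under the KEK, so a wrong KEK is detected rather than
    silently producing a garbage key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(kek: bytes, blob: dict):
    """Return the DEK, or None when the KEK is wrong (tag mismatch)."""
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(kek, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def enroll(password: str, escrow_secret: str) -> dict:
    """First boot: generate the DEK once, store it wrapped under the user KEK and
    under an escrow KEK. The DEK itself is never stored in the clear."""
    dek = os.urandom(KEY_LEN)
    user_salt, escrow_salt = os.urandom(16), os.urandom(16)
    return {
        "user_salt": user_salt,
        "user_blob": wrap(derive_kek(password, user_salt), dek),
        "escrow_salt": escrow_salt,
        "escrow_blob": wrap(derive_kek(escrow_secret, escrow_salt), dek),
    }


def unlock(drive: dict, password: str):
    """Every subsequent boot: password -> KEK -> DEK, or None on a wrong password."""
    return unwrap(derive_kek(password, drive["user_salt"]), drive["user_blob"])


def recover(drive: dict, escrow_secret: str):
    """Forgotten password: IT unwraps the same DEK with the escrow secret."""
    return unwrap(derive_kek(escrow_secret, drive["escrow_salt"]), drive["escrow_blob"])


def change_password(drive: dict, old: str, new: str) -> bool:
    """Re-wrap the unchanged DEK; the data on the platters is never re-encrypted."""
    dek = unlock(drive, old)
    if dek is None:
        return False
    drive["user_salt"] = os.urandom(16)
    drive["user_blob"] = wrap(derive_kek(new, drive["user_salt"]), dek)
    return True
```

The caveat this makes visible: the 128-bit DEK buys nothing against an attacker who can try passwords offline against a copied wrapped blob, so the strength of the scheme rests on the password's entropy plus whatever attempt limiting the drive firmware enforces, not on the AES key size.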
Four Arrested in Chile for Cyber Intrusions (6 November 2006)
Four men have been arrested in Chile for breaking into the websites of NASA and the Chilean finance ministry as well as websites of governments in other countries, including Israel, Turkey and Venezuela. The men are accused of breaching the security of more than 8,000 web sites around the world. The arrests follow an eight-month investigation that saw Chilean police working with Interpol, and intelligence services from the US, Israel and a number of Latin American countries. -http://news.bbc.co.uk/2/hi/americas/6122706.stm [Editor's Note (Schultz): It is encouraging to see genuine evidence of international cooperation in pursuing computer crime, something that has in general been missing in dealing with incidents that have crossed international boundaries.]
Fourteen Arrested in International ID Fraud Investigation (3 November 2006)
A two-year investigation known as Operation Cardkeeper targeted an online black market for stolen financial account information used to commit identity fraud; at least 14 people have already been arrested. The FBI, together with Polish investigators, identified suspects in the case who were trading stolen information. Three Americans have been arrested and the arrests of two more were imminent last week. Eleven Polish nationals were also arrested in the scheme. "Warrants are also being served in Romania as part of a continuing investigation." -http://news.com.com/2102-7348_3-6132271.html?tag=st.util.print
CSIA Invites White Papers on Cyber Security R&D (31 October 2006)
The US federal government's Cyber Security and Information Assurance (CSIA) Interagency Working Group (IWG) has issued an "invitation to submit white papers on developing a roadmap for cyber security and information assurance research and development." The papers are asked to address one or more of a series of eight questions and should be no more than five pages long. The deadline for submitting papers is January 31, 2007. "Papers submitted by November 30, 2006 will be used in planning workshops that will be held in 2007." -https://www.nitrd.gov/subcommittee/csia/CSIA_White_Papers_Final_103106.pdf -http://www.nitrd.gov/subcommittee/csia.html
SPYWARE, SPAM & PHISHING
Zango Agrees to Settle FTC Charges (3 November 2006)
The US Federal Trade Commission (FTC) has fined Zango, formerly known as 180Solutions, US$3 million for downloading adware onto computers in the US without permission and for failing to provide a way to remove the offending malware. The FTC estimates that Zango's programs were surreptitiously downloaded more than 70 million times, resulting in more than 6.9 billion pop-up advertisements. Zango says it will now ask consumers before downloading software onto their computers and will offer a method for removing the adware. -http://www.theregister.com/2006/11/03/ftc_fines_zango/print.html -http://www.ftc.gov/opa/2006/11/zango.htm [Editor's Note (Pescatore): Another example of the FTC doing very good work in this area. It is very refreshing to continually see a government agency in the news on the *asset* side of the security ledger. ]
Spear Phishers Target Medical Center Employees (1 November 2006)
Spear phishers targeted employees at Dekalb Medical Center in Decatur, GA, sending them emails with the sender's domain spoofed to appear to come from their employer. The emails told them they were being laid off and offered a link to what was purported to be a career counseling web site. People who clicked on the link had a keystroke logger downloaded to their computers. In spear phishing, messages are typically manipulated to appear to come from within the recipient's organization to evade filters; they are also sent to a small, targeted group of individuals. -http://www.networkworld.com/news/2006/110106-spam-spear-phishing.html?page=1 -http://www.theregister.co.uk/2006/11/03/dismissal_spyware_spam_scam/print.html [Editor's Note (Pescatore): Another common targeted phishing attack targets company employees saying "Sarbanes Oxley has required yet another password change - please enter your old password and choose a new one..." with the phishing site sometimes being located on a compromised internal PC or server. The newly released IE7 and Firefox browsers have much better protections for detecting and blocking known phishing sites, but these very targeted phishing attacks don't show up in the anti-phishing databases - enterprises need to be able to quickly detect unauthorized servers and processes on their internal networks. (Honan): Two steps you can take to help mitigate the risk of spear phishing: firstly, user education on how to spot fraudulent emails, and secondly, configure your email server to reject any external emails purporting to come from your domain without the corresponding IP addresses. ]
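The check Honan recommends can be stated precisely: a message whose sender address is in our own domain, handed to our border MX by a host that is not one of our authorized relays, is spoofed. The following is an added example for this issue, not code from the newsletter, from Dekalb Medical Center, or from any mail server product. It parses the topmost Received: header, which our own MX stamps and which is the only one the attacker cannot forge, takes the connecting IP from it, and compares it to an allow-list. The domain example.org, the relay ranges, and the sample messages are constructed for the example; the IPs are drawn from the documentation ranges (RFC 5737) so they match nothing real.

```python
"""Flag inbound mail that claims our own domain but arrived from outside.
Added example; not the newsletter's or any product's code."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the protected organization's domain, and the
# address ranges from which legitimate mail for that domain may reach the MX
# (internal relays plus an outbound gateway). Anything else is treated as spoofed.
OUR_DOMAIN = "example.org"
AUTHORIZED_SENDERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.25/32"),
]

# The bracketed address in a Received: header is the peer IP as observed by the
# receiving MTA; the HELO name in front of it is whatever the peer claimed.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that handed the message to our MX: first Received: header only.
    Lower Received: headers were written by earlier hops and may be fabricated."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def claims_our_domain(msg) -> bool:
    """True when the From: address (not the display name) is in OUR_DOMAIN."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() == OUR_DOMAIN


def is_spoofed_internal(raw: str) -> bool:
    """Reject rule: claims our domain AND did not arrive from an authorized sender."""
    msg = message_from_string(raw)
    if not claims_our_domain(msg):
        return False
    ip = connecting_ip(msg)
    if ip is None:
        return True  # origin cannot be established; do not trust a self-claimed internal mail
    return not any(ip in net for net in AUTHORIZED_SENDERS)


# Constructed sample messages. The spoofed one mimics the story: HELO name forged
# as our own mail host, From: in our domain, but the peer IP is an outside address.
SPOOFED = """Received: from mail.example.org (unknown [203.0.113.77])
\tby mx1.example.org with ESMTP id 1GhXyz-0003Qp-Ab
From: "Human Resources" <hr@example.org>
To: staff@example.org
Subject: Notice of position elimination

Your position has been eliminated. Career counseling: http://example.net/counseling
"""

LEGITIMATE = """Received: from relay1.example.org (relay1.example.org [10.1.2.3])
\tby mx1.example.org with ESMTP id 1GhXyz-0003Qq-Cd
From: "Human Resources" <hr@example.org>
To: staff@example.org
Subject: Open enrollment reminder

Benefits enrollment closes Friday.
"""

EXTERNAL = """Received: from mail.partner.example.com (mail.partner.example.com [198.51.100.5])
\tby mx1.example.org with ESMTP id 1GhXyz-0003Qr-Ef
From: vendor@example.com
To: purchasing@example.org
Subject: Invoice 4471

Attached.
"""
```

This version keys on the header From: address, which is what the recipient sees. An MTA-level rule of the kind Honan describes would usually apply the same test to the envelope sender (MAIL FROM) during the SMTP session, which is the check SPF formalizes; the logic is the same, only the field differs. Mail from legitimate third parties that relay for your domain (a hosted newsletter service, for example) has to be added to the allow-list or it will be rejected too.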
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Remote Code Execution Flaw in Microsoft XML Core Services (3 November 2006)
Microsoft has acknowledged a remote code execution vulnerability in Microsoft XML Core Services. The flaw lies in the XMLHTTP 4.0 ActiveX Control and has already been targeted by "limited attacks." Users would have to be manipulated into visiting a specially crafted web site for the flaw to be exploited. Users running Windows Server 2003 and Windows Server 2003 with SP1 in default configurations, with the Enhanced Security Configuration turned on, are not at risk. Microsoft has suggested several workarounds to help protect users until a patch is available. -http://www.microsoft.com/technet/security/advisory/927892.mspx
-http://www.eweek.com/article2/0,1895,2052269,00.asp [Editor's Note (Boeckman): For Microsoft to suggest that a mitigating factor is "that an attacker would have to persuade a user to visit a malicious web site" is disingenuous. This is trivial to do with minimal effort, and should not be considered a mitigating factor. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Info. on 1,243 Villanova Univ. Students and Staff (3 November 2006)
A laptop computer stolen from an insurance firm in Plymouth Meeting, PA contains names, birthdates and driver's license numbers of 1,243 Villanova University students and staff who are insured to drive school vehicles. The computer was stolen in September; Villanova sent notification letters to the drivers on October 26. -http://cbs3.com/topstories/local_story_307104820.html
Scrubbed Laptop Still Held Sensitive Data (3 November 2006)
A laptop computer that used to belong to Intermountain Healthcare in Utah was scrubbed before it was donated to Deseret Industries. However, the man who bought the laptop discovered a file on the computer that contained personally identifiable information, including names and SSNs, of more than 6,000 people who worked for Intermountain Healthcare in 1999-2000. The affected employees have been notified. Intermountain stopped using SSNs as unique employee identifiers several years ago. Intermountain now has hard drives demolished when they are no longer in use. -http://deseretnews.com/dn/print/1,1442,650203974,00.html [Editor's Note (Ullrich): Note that the company has a contract with Dell to demolish the hard drives. How do they get them to Dell without losing them in the same black hole that sucks up backup tapes? Encrypt your data in the first place, and there is one worry less. Or how hard is it to hire a strong guy with a hammer (or a not so strong guy with a shotgun)? (Schultz): Unfortunately, "scrubbed" has become an ambiguous term. Someone who claims that a hard drive has been "scrubbed" may not in reality have the slightest idea of what has actually become of the data residing on that drive. ]
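Schultz's point is that "scrubbed" is a claim, and claims about erasure should be verified against the raw device rather than the file system. The following is an added example for this issue, not code from Intermountain Healthcare or the article, showing the difference between the two common meanings of "scrubbed": deleting files (which removes the directory entry and leaves the payload sectors intact) and overwriting every sector. The verification reads the image sector by sector, reports any sector that still holds non-zero bytes, and searches for SSN-shaped strings, since that is exactly the data that surfaced in this story. The disk image, its sector layout, and the one employee record are constructed for the example.

```python
"""Verify that a 'scrubbed' disk image really holds no data.
Added example; not from the article or the organizations named in it."""
import re

SECTOR = 512
# SSN-shaped token: three digits, two digits, four digits, hyphen-separated.
SSN_LIKE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def make_image(sectors: int = 64) -> bytearray:
    """Constructed sample image: a one-entry 'file table' in sector 0 pointing at
    an employee record stored in sector 10. 123-45-6789 is a placeholder SSN."""
    img = bytearray(sectors * SECTOR)
    entry = b"FILE:employees.csv@sector10"
    img[0:len(entry)] = entry
    record = b"name,ssn\nA. Employee,123-45-6789\n"
    start = 10 * SECTOR
    img[start:start + len(record)] = record
    return img


def delete_only(img: bytearray) -> None:
    """What a file delete or quick format does: drop the table entry, keep the payload."""
    img[0:SECTOR] = b"\x00" * SECTOR


def overwrite(img: bytearray) -> None:
    """What a real wipe does: every sector written, payload included."""
    img[:] = b"\x00" * len(img)


def nonzero_sectors(img) -> list:
    """Sector numbers that still contain any non-zero byte."""
    return [i for i in range(len(img) // SECTOR) if any(img[i * SECTOR:(i + 1) * SECTOR])]


def ssn_hits(img) -> list:
    """Byte offsets of SSN-shaped strings anywhere in the image, file system or not."""
    return [m.start() for m in SSN_LIKE.finditer(bytes(img))]


def verify_scrubbed(img) -> bool:
    """Accept the 'scrubbed' claim only if no sector holds data and no PII pattern remains."""
    return not nonzero_sectors(img) and not ssn_hits(img)
```

Against a real drive the same two functions are run over the block device itself (for example the file handle returned by opening /dev/sdb read-only on a Linux system) in sector-sized reads, not over a mounted file system, because the file system only shows what the directory still points at. A wipe that passes this check still says nothing about sectors the drive has remapped out of the addressable range, which is one reason Intermountain moved to physical destruction.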
Starbucks' Missing Laptops Hold Employee Information (3 November 2006)
UK Healthcare IT System Will Hold Citizens' Medical Records (6 & 2 November 2006)
According to a report in The Guardian, the medical records of as many as 50 million UK citizens will be placed in the new NHS IT system. The program is forging ahead with the assumption of "implicit consent." Patients may opt out of the system, although deciding to disclose medical information only with explicit consent each time could jeopardize one's health in the event of an accident. Opting out will not remove the information from the national database. An NHS spokesperson said "external access to its patient records [is not permitted] unless ... explicitly required by law." The system was designed with the aim of helping healthcare professionals share information and provide better care for patients. -http://www.theregister.co.uk/2006/11/06/nhs_records/print.html
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/