TOP OF THE NEWS
Most Data Breaches Traced to Company Errors (March 13 & 14, 2007)
NIST Bans Vista From its Networks (March 12, 13 & 15, 2007)
The US National Institute of Standards and Technology (NIST) has joined the Department of Transportation (DOT) in banning the use of Microsoft's Windows Vista operating system on internal networks. Both NIST and DOT have concerns about the new operating system's security and its compatibility with other software they use. NIST plans to begin testing Vista in several months, after it has finished encrypting all its laptop computers to comply with government policy. If the operating system meets with approval, NIST may lift the Vista ban.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=198000229
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198001185
-http://news.com.com/2102-1002_3-6166868.html?tag=st.util.print
[Editor's Note (Pescatore): It will take the typical enterprise 12-18 months to complete the planning and evaluation to move to Vista in any event. Once determining that their applications will run and be supported on Vista, PCs and laptops will transition to Vista as part of natural attrition (vs. early replacement), so that planning needs to include living in a mixed PC environment for quite some time.
(Northcutt): Ban? Why are they calling it a ban? It sounds like fundamental configuration management to me: don't make a change to the system until you have an urgent operational or security need to do so. The most interesting statement in any of the articles came from FAA spokesperson Jones, "We're trying to see what the cost impact would be to the FAA to convert to the new Microsoft products," Jones said. "We want to explore what some of the alternatives are. Google is one that we're looking at, so is Linux." (That apparently would mean running Google Apps on a Linux platform) ]
FTC Investigating TJX (March 13, 2007)
The US Federal Trade Commission (FTC) has confirmed that it is investigating TJX, the parent company of Marshalls, T.J. Maxx and other stores; the company acknowledged a major security breach that may have exposed millions of customers' credit and debit card information, putting those accounts at risk for fraud. The breach was discovered in January; evidence suggests intruders had been accessing the system as far back as July 2005. There is also evidence that TJX was not in compliance with the Payment Card Industry (PCI) data security standard.
-http://www.boston.com/business/globe/articles/2007/03/13/tjx_faces_scrutiny_by_ftc?mode=PF
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198000608
[Editor's Note (Pescatore): The TJ Maxx (and other) incidents have shown that there is a wide variety of devices that store information that shouldn't be stored. Copiers and point of sale terminals and everything else should by default have those "security kits" built in as standard equipment.
(Northcutt): This is not a surprise, nor will States like Mass. "helping us" by passing new regulation because of this be a surprise. Attorney Ben Wright has some interesting commentary on the topic:
-http://www.sans.edu/resources/leadershiplab/tjx_security_comment.php
Michael Rasmussen from Forrester pointed me to the document, Value Killers, a risk management study by Deloitte today. 3 takeaways Michael shared were:
1. Almost 50% of global 1000 companies lost 20% or more in share price in less than a month during the past 10 years - some never recovered.
2. 80% of losses were due to interaction of multiple risks.
3. Most major losses were as the result of a series of high-impact but low-likelihood events.
TJX is a real candidate to be a poster child for value killers.
-http://www.deloitte.com/dtt/cda/doc/content/us_assur_Value%20Killers%20Report%20.pdf
(Shpantzer): Relating this to the study on outsiders vs. management errors in this edition... outside hackers are still an important factor in security and always will be. ]
Google Will Anonymize Some Retained Data (March 14 & 15, 2007)
THE REST OF THE WEEK'S NEWS
Microsoft Sues Cybersquatters (March 13 & 14, 2007)
Microsoft has filed two new lawsuits against cybersquatters to stop them from profiting from web surfers' misspellings and typographical errors. Microsoft said it has settled several other cybersquatting lawsuits in the UK and the US. A cybersquatter is usually defined as someone who "grabs" a domain name in anticipation that an organization or person who wants to use that domain name will be willing to pay the cybersquatter to give up the domain name. In this case cybersquatting is used to mean the practice of registering domain names that are close to actual trade names; web surfers are tricked into visiting these sites, where they are often greeted with advertisements. These cybersquatters usually aim to profit from surfers clicking on ads on their sites. In a separate story, the number of cybersquatting complaints filed with the World Intellectual Property Organization (WIPO) increased 25 percent last year, for a total of 1,823 complaints in 2006.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013118&intsrc=hm_list
WIPO:
-http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=2201
[Editor's Note (Northcutt): Interesting story. I almost wish they would raise the price of domain names to a point where someone had to really want to infringe. Ten years ago it was good practice to register the .net, .org, .com variations on your domain name. Nowadays, you have to register all the similar names to practice due care, but that is usually cheaper than making one Uniform Domain Name Dispute Resolution complaint to WIPO. And the problem, as the related story points out, is getting worse. The WIPO information behind the related story and that discusses domain resolution can be found:
-http://www.wipo.int/amc/en/domains/ ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Lawrence Livermore National Lab Not Following DOE Data Wiping Procedures (March 12, 2007)
A report from the Department of Energy's (DOE) inspector general's office indicates that the Lawrence Livermore National Laboratory in California is not "wiping sensitive data from ... computers it disposes of." When agencies get rid of extra or unneeded computers, that process is called "excessing." Although DOE policy requires that all memory devices on excessed machines be wiped clean of sensitive data or physically destroyed, the policy has not been fully implemented at Lawrence Livermore. In fact, the lab has its own policy for dealing with excessed computers, but it is "not always consistent with applicable Department [DOE] policies." The lab is under the aegis of the National Nuclear Security Administration (NNSA), whose chief was fired in January after numerous security breaches at laboratories. Approximately 5,300 computers are excessed at LLNL every year. DOE-approved methods of wiping data include overwriting data a specified number of times, degaussing or physically destroying the memory device.
-http://www.fcw.com/article97898-03-12-07-Web&printLayout
-http://www.ig.energy.gov/documents/IG-0759_.pdf
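As an added illustration of the first of those methods (overwriting a specified number of times), the following Python routine is an example written for this newsletter, not code from the DOE report or from the lab. It overwrites a file in place over several passes, flushing and syncing each pass, and then verifies two things a sanitization procedure should actually check: that a known sample of the original content can no longer be found anywhere in the file, and that the final fixed pattern is present end to end. The pass sequence (random, 0xFF, 0x00), the chunk size and the sample content are constructed for the example.

```python
import os
import tempfile

# Pass sequence used by this constructed example: random bytes, then 0xFF,
# then 0x00. Ending on a fixed pattern lets the result be verified afterwards.
PASS_PATTERNS = (None, b"\xff", b"\x00")


def overwrite_file(path, passes=len(PASS_PATTERNS), chunk_size=64 * 1024):
    """Overwrite every byte of the file at `path` in place, `passes` times.

    Returns the number of bytes overwritten per pass. Each pass is flushed and
    fsync'd so the data reaches the device before the next pass starts.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = PASS_PATTERNS[i % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_pattern(path, pattern=b"\x00", chunk_size=64 * 1024):
    """Return True if the file now consists only of `pattern` bytes."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return True
            if block != pattern * len(block):
                return False


def contains_residue(path, needle, chunk_size=64 * 1024):
    """Return True if `needle` still appears anywhere in the file.

    A carry of len(needle)-1 bytes is kept between chunks so a match that
    straddles a chunk boundary is not missed.
    """
    if not needle:
        return False
    with open(path, "rb") as f:
        carry = b""
        while True:
            block = f.read(chunk_size)
            if not block:
                return False
            window = carry + block
            if needle in window:
                return True
            carry = window[-(len(needle) - 1):] if len(needle) > 1 else b""


def demo():
    """Constructed end-to-end run on a temporary file; returns the check results."""
    marker = b"SENSITIVE-RECORD-"  # constructed sample content, 17 bytes
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(marker * 2000)  # 34,000 bytes of repeated sample data
        before = contains_residue(path, marker)
        size = overwrite_file(path)
        after = contains_residue(path, marker)
        zeroed = verify_pattern(path)
        return {"size": size, "residue_before": before,
                "residue_after": after, "all_zero": zeroed}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification step matters more than the pass count: a wipe that is not read back is an assumption, not a control. Note also the limits of in-place overwriting, which is why the DOE list does not stop at it. On flash and SSD media, wear levelling means a logical overwrite need not touch the physical cells that held the old data, and on journaling or copy-on-write filesystems old blocks can survive a rewrite of the file; for those cases degaussing (magnetic media only) or physical destruction is the reliable option.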
US National Computer Forensic Institute (March 12 & 14, 2007)
Microsoft Investigating Report of Phishing Hole in IE 7 (March 14, 2007)
Microsoft is investigating a report of a cross-site scripting vulnerability in Internet Explorer 7 (IE 7) that could be exploited by phishers. Attackers could take advantage of error messages in IE 7 to redirect users to maliciously crafted web sites that appear to have trusted addresses. Attackers would need to convince users to click on links to sites they would normally visit, like online banking sites. The links would be crafted to return an error message saying the page load has been aborted and asking whether the user would like to try loading the page again. The reload link would direct the user to the phishing site. Proof-of-concept exploit code has been published.
-http://news.com.com/2102-1002_3-6167410.html?tag=st.util.print
-http://www.networkworld.com/news/2007/031407-new-ie-7-bug-could.html
Indonesia to Monitor Internet Use (March 14, 2007)
Indonesia plans to begin monitoring Internet use for criminal activity. The plan calls for monitoring all Internet users, whether they are at home, at work or at Internet cafes. Information collected will include when and where users log on and the sites they visit, but not surfers' identities.
-http://asia.news.yahoo.com/070313/afp/070313174940hightech.html
Some new models of copiers have hard drives that store images of what has been copied. More often than not, the data are not encrypted and stay there until overwritten by new data. A survey commissioned by Sharp, one of the major copier makers, found that more than half of the people planned to copy their tax returns and associated documents; most intended to make those copies outside of their homes. About the same number of people did not know that photocopiers keep images of what they copy. Sharp and several other manufacturers offer security kits to encrypt and overwrite scanned images.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=
-http://www.kansas.com/mld/kansas/business/technology/16896436.htm
[Editor's Note (Honan): This is not only an issue with photocopiers. Many modern printers and fax machines also contain storage facilities where sensitive data can remain.
(Shpantzer): Add to this the fact that many printers are also wireless-enabled, and you have a hard-drive that's accessible to the outside. ]
Pump & Dump Revisited
From Editor Stephen Northcutt
In our last issue we covered a story on three hackers indicted for breaking into online brokerage accounts and manipulating the victims' stock buying activity to push stock prices higher so the criminals could make gains on their own stock holdings. We asked whether anyone was using an online brokerage that supported two-factor authentication. Eighteen readers mentioned E-Trade, which uses RSA technology:
-https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=secureid_enter
One reader wrote in to say that if you contact tech support at Schwab they have a Verisign solution, but we were unable to verify the Schwab solution.
SANS Security Tip of the Day
Don't use unauthorized software
It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email email@example.com.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.