A little help, please. We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable? Do you think the current categorization is OK, or can you think of improvements? Are there any things we can do to improve the value of the Top20 for you to put it to use? Just reply to this email with your comments. And thanks. Alan
************************************************************************* SANS NewsBites May 08, 2007 Volume: IX, Issue: 37 *************************************************************************
********************* Sponsored By ArcSight, Inc. ***********************
Free Whitepaper: Guide to Selecting a SIM Solution for Insider Threat
An attack from a malicious insider can be just as devastating as a security breach from outsiders. But insider attacks are often more difficult to detect. Learn the top 10 best practices for selecting a software solution with this free whitepaper. Brought to you by ArcSight, the ESM leader that turns data into action. http://www.sans.org/info/6796
*************************************************************************
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
Legislators Get Busy with Data Breach Notification Bills (May 3, 2007)
US Representative Tom Davis (R-Va.) has once again introduced legislation that would require organizations experiencing data breaches to notify affected individuals promptly. The bill would have the Office of Management and Budget (OMB) establish practices and policies to support timely notification. The Senate Judiciary Committee has also approved two bills that would require notification about data security breaches.
-http://www.scmagazine.com/us/news/article/655110/davis-reintroduces-federal-breach-reporting-act-house/
-http://www.fcw.com/article102630-05-03-07-Web&printLayout
[Editor's Note (Skoudis): I'm honestly surprised it's taking so long to get a law like this put into place at the federal level. The states have led the way, with considerably more than half of them having some form of breach notification law. And, even if you operate in a state that doesn't have such a law, chances are, you have business dealings (customers, employees, business partners, etc.) where such laws are on the books. Thus, if you have a breach, you need to work closely with your legal team to determine how to disclose appropriately, regardless of your own state's laws. Plan for this in advance, just in case something bad happens, so all the decision makers are known.]
Royal Bank of Scotland Will Provide Customers with Chip-and-PIN Readers (May 2, 3 & 4, 2007)
1) SAVE BIG! Get 30% off any of our upcoming courses when you sign up for OnDemand's pre-paid program. Check out our full list of upcoming courses at http://www.sans.org/info/6801. For more information or to request a pre-paid form, please contact email@example.com.
*************************************************************************
THE REST OF THE WEEK'S NEWS
Teen Gets Probation, Community Service for Cyber Intrusion (May 7, 2007)
A Golden (Co.) High School student was sentenced to one year of probation for breaking into the school's computer system and changing his grades. The 17-year-old was arrested earlier this year after breaking into the school through a skylight, then breaking into his counselor's office. He pleaded guilty this week to computer crimes, unlawful accessing and altering. He was also ordered to provide 80 hours of community service and to pay restitution.
-http://www.thedenverchannel.com/news/13272734/detail.html
Russian Principal Fined for Using Pirated Software in School (May 7, 2007)
A Russian court has fined a school principal 5,000 rubles (US $194), roughly half his monthly salary, for using pirated copies of Microsoft software on a dozen of his school's computers. Alexander Ponosov maintains he did not know the computers contained pirated software when they were delivered; the software came pre-installed. Ponosov plans to appeal the ruling. The case was initially thrown out of court in February because the losses to Microsoft were considered to be insignificant, but both parties appealed that decision; Ponosov's reason for appealing was that he was not cleared of the charges. Microsoft says Russian authorities initiated the proceedings and that the company has no plans to file charges against the principal. Former Russian president Mikhail Gorbachev has asked Bill Gates to intervene on Ponosov's behalf.
-http://www.eweek.com/article2/0,1759,2126686,00.asp?kc=EWRSS03119TX1K0000594
-http://www.usatoday.com/tech/news/techpolicy/2007-05-07-russian-principal-piracy_N.htm?csp=34
[Editor's Note (Grefer): There is a considerable discrepancy between the fine of 5,000 rubles and the losses, found by the court to be 266,000 rubles. If this case had been based on BSA proceedings, though, it might never have gotten to court, but rather ended with an obligation for the school to obtain proper licenses. Given the prices listed at -http://allsoft.ru/microsoft.php, the Russian pricing for the operating system, however, seems to be out of touch with Russian incomes and rather to be based on US pricing. Having to spend half their monthly gross salary on a copy of Windows is counter-intuitive. Relative to monthly income, US prices for Windows are at least one order of magnitude lower.]
Michigan Man Sentenced for Selling Pirated Software on eBay
Student Arrested in Connection with Attacks on Estonian Government Web Sites (May 1, 5 & 7, 2007)
A 19-year-old student has been arrested in connection with a spate of attacks on Estonian government web sites. The suspect is identified only as Dmitri; he allegedly posted instructions for conducting denial-of-service attacks as well as calls for launching attacks against Estonian servers. The cyber attacks were spurred by civil unrest following Estonia's removal of several Soviet monuments in its capital city of Tallinn as well as the excavation of WWII Red Army graves. Authorities expect to arrest more suspects.
-http://www.theregister.co.uk/2007/05/07/estonian_attacks_suspect/print.html
-http://www.hs.fi/english/article/Organiser+of+Internet+DoS+attacks+arrested+in+Estonia+/1135227074182
-http://www.theregister.co.uk/2007/05/01/estonian_riots/print.html
[Editor's Note (Skoudis): This case is an excellent example of politically motivated computer attacks, something that has fallen below the radar screen of some organizations with the huge rise in money-making computer attack schemes (spyware, phishing, etc.). In fact, given all the focus on thwarting malware-for-profit schemes, this attack seems almost old fashioned. But, we need to be diligent in fighting both kinds of threats, especially government agencies. Kudos to those who helped find the perpetrator of this attack.]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing TSA Hard Drive Holds Info. on 100,000 Employees (May 4 & 5, 2007)
Singapore Issues Guidelines for Protecting Biomedical Research Participant Data (May 7, 2007)
Singapore's Bioethics Advisory Committee has released guidelines to protect personal information of individuals participating in biomedical research. The researchers will bear the burden of protecting participants' personal data. If they violate the guidelines, they could face fines or jail time. There is similar legislation already in effect in other countries, including Sweden, Germany, the UK and the US.
-http://www.channelnewsasia.com/stories/singaporelocalnews/view/274730/1/.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Russia and China Top US Trade Priority Watch List for Piracy (April 30 & May 1, 2007)
Trojan Pretends to be Windows Activation Program (May 4, 2007)
A Trojan horse program called "Kardphisher" pretends to be a Windows activation program in an attempt to elicit credit card details from unsuspecting users. After machines become infected, users get a screen telling them that someone else has activated their copy of Windows, and that "to help reduce software piracy, [they should] reactivate their copy of Windows." They are told they will need to provide their billing information, but that their credit card will not be charged. Clicking "no" shuts down their computers; clicking "yes" pops up a second screen that asks for name and credit card information. PCs running Windows 95, 98, 2000, NT and Server 2003 are vulnerable to the attack. Kardphisher has been detected in the wild.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018645&source=NLT_SEC&nlid=38
[Editor's Note (Skoudis): Not to be evil or anything, but this just seems poetic. Microsoft pops up messages asking for personal information to help thwart piracy, so bad guys pretend to be Microsoft asking for personal information. In retrospect, I suppose it was inevitable.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Marks & Spencer Employee Data (May 5, 2007)
Portable Storage Devices Top List of Security Concerns (May 7, 2007)
A study of IT managers found that portable storage devices top their lists of security concerns. It is all too easy for someone to quickly load sensitive data onto a flash drive or an MP3 player and walk out of an office undetected, or to lose a flash drive loaded with sensitive information. Eighty percent of respondents said their organizations do not have "effective measures" for preventing misuse of portable storage devices. Just 8.6 percent have imposed a ban on such devices in their workplaces. Despite their worries about the devices, 65 percent of IT managers say they use flash drives daily.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199300021
-http://www.net-security.org/secworld.php?id=5103
[Editor's Note (Skoudis): Rather than just fretting about these, you need to either: 1) outlaw them in your organization... good luck on that, 2) provide training in how to encrypt such devices and offer encryption solutions that protect them (like at least the Encrypting File System if they are used with Windows machines and formatted NTFS), or 3) require that people use corporate-approved devices that offer built-in encryption. The third solution is the nicest, but most costly.]
Less than two years after it began accepting credit card payments, Indianapolis-based Steak n Shake Co. was thrust from Level 4 merchant classification under the Payment Card Industry (PCI) Data Security Standard into Level 1 merchant classification. With that move came added requirements to comply with the standard and protect customer data. The company's director of strategic technology services said the "PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold." Level 1 merchants "are required to undergo quarterly network security scans and an annual on-site security audit" in addition to implementing the 12 security controls required of all merchants. Steak n Shake has made a number of changes, including shifting to "a log-in system based on Active Directory that can be centrally monitored and managed... [so the company knows] who is accessing what when and where;" deploying tools for central management of IT assets at the restaurants and for pushing out updates and patches; and "replacing VSAT satellite communication links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections." Steak n Shake, which operates more than 450 restaurants in the Midwest and Southeast US, did not reveal what the changes would cost.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17
[Editor's Note (Kreitner): Wonderful! This is exactly the kind of change the PCI standard is intended to effect in organizations handling our payment cards. Nobody said better security was free. (Schultz): After all the whining is over, Steak n Shake senior management will at some point in time realize that the resources it had to expend to conform to PCI DSS Level 1 requirements will have been wisely invested. The alternative is to run a high risk of having the same thing that happened to TJX occur; TJX has experienced mounting financial losses and severe damage to its reputation because of failure to secure its personal and financial information. Additionally, lawsuit after lawsuit has been filed against this company. (Grefer): Quarterly network security scans and adherence to the 12 security controls are required at all four levels. The primary differentiator is the number of transactions.
-http://usa.visa.com/merchants/risk_management/cisp_merchants.html
-http://www.mastercard.com/us/sdp/merchants/merchant_levels.html ]
TJX Data Thieves Got In Through Wireless Network (May 4, 2007)
According to the Wall Street Journal, the TJX data thieves began their attacks outside a Minnesota Marshall's store; with the help of an antenna, they were able to access the store's wireless network and from there, gain access to the company's main server in Framingham, Massachusetts. TJX apparently secured its wireless network with nothing more than the Wired Equivalent Privacy protocol (WEP). The company had no firewalls in place and had not deployed available software patches. TJX is facing 21 lawsuits stemming from the breach. It is possible that some information was gleaned while customers were awaiting approval of their credit card purchases; TJX transmitted that information unencrypted, which violates the security guidelines set by the credit card companies.
-http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/print.html
-http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/