And a great new book for Christmas on the real cost of insecure software, Geekonomics. You may not agree with author (and SANS faculty member) Dave Rice's prescription for fixing the problem, but the book is already getting noticed in the cyber policy centers in Washington. Alan
************************************************************************* SANS NewsBites December 07, 2007 Volume: IX, Issue: 96 *************************************************************************
*************************** Sponsored By Cenzic *************************
Get the 2007 Web Security Leadership Survey. See the thoughts and opinions of 475 C-level information security professionals and what they said about the ominous task of securing web applications in the Web 2.0 world. Everything from the fear of losing their jobs if there is a breach to whether application security is real or not. http://www.sans.org/info/20541
Hundreds of UK Government Laptops Lost or Stolen (December 3 & 4, 2007)
UK ministers have acknowledged that hundreds of government laptop and desktop computers have been lost or stolen in the last several years. Figures from the justice minister indicate that 26 laptops and one desktop were stolen from the department in 2007, although no security breaches had been reported. The Ministry of Defence reported 66 laptops and two desktops stolen in 2006, and 458 other machines were stolen between 1998 and 2005. The UK government does not keep a central record of its missing and stolen computers. -http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=6506 [Editor's Note (Schultz): Keeping an inventory of computing assets is one of the most fundamental things an organization can do as far as IT governance goes. The fact that the UK government does not even keep a centralized record of its missing and stolen computers thus is very difficult to comprehend. (Cole): The initial response to laptop theft risk is full disk encryption. While this helps, you also need a strong password policy that is strictly enforced. ]
OMB Wants Federal Agencies to Limit Internet Gateways (December 3, 2007)
The Office of Management and Budget (OMB) is directing US government agencies to limit the number of their Internet connections. The OMB's Trusted Internet Connections Initiative aims to reduce the number of Internet connections from the more than 1,000 that are presently in use to about 50. The initiative also requires that agencies deploy real-time gateway monitoring, and requires agency CIOs to establish action plans and measurable goals for implementing and participating in the Einstein Initiative, which provides 24x7 monitoring of all traffic entering or leaving agencies. -http://www.fcw.com/online/news/150964-1.html?type=pf
European Commission Wants Breach Notification Requirement (December 5, 2007)
The European Commission has published a proposal that would require telecommunications companies to inform customers when their personal information has been compromised as a result of a data security breach. The proposal says that the rule should not interfere with police work, e.g. breach notification could be delayed if the publicity would hinder an investigation. The proposal would also allow telecommunication services providers to sue spammers for costs they incur as a result of unsolicited commercial email being sent over their networks. -http://www.out-law.com/page-8741 [Editor's Note (Pescatore): While European data privacy laws have generally resulted in better data protection there, the lack of a strong breach disclosure law in the EU does hurt efforts to make some needed improvements to deal with the targeted threats we are dealing with today. (Honan): While this legislation is initially only aimed at telecommunications companies, here's hoping that it will not be watered down in response to lobbying by industry and that future breach disclosure legislation will encompass other business sectors. (Northcutt): A quick Google search shows that similar legislation is being considered in Canada, New Zealand, and the UK. It would be a good idea for these various legislative bodies to share and see if there are common elements they can use. This is the moment the World Privacy Forum needs to put it in gear if they want to be relevant: -http://www.worldprivacyforum.org/]
Study: Security Policies Often Go Unheeded (December 6, 2007)
A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies' policies. Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17 [Editor's Note (Ullrich): And who is surprised by this? ]
Canadian Passport Site Data Leak (December 4, 2007)
The Passport Canada website was found to be leaking applicant data last week. One site visitor discovered that by altering a character in the URL, he could view other applicants' social insurance numbers, driver's license numbers, and other sensitive personal information. Passport Canada learned of the data leak last week. The site was unavailable through Monday of this week due to "problems of a different nature," according to a spokesperson. Passport officials said the data leak was "an isolated anomaly," but evidence proves otherwise. When the site was once again available, it was discovered that other applicants' personal data could still be viewed. -http://www.theregister.co.uk/2007/12/04/canadian_passport_site_breach/print.html -http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/?page=rss&id=RTGAM.20071204.wpassport1204 [Editor's Note (Skoudis): These session cloning vulnerabilities due to weak session management have been known for a long time, but they still crop up on a regular basis, as do SQL Injection, directory traversal flaws and several others. While some web developers are security grand-masters, coding consistently solid and secure applications, many other web app developers still lack the skills needed to avoid these common mistakes. Make sure you have your web app folks read the OWASP Guide to Building Secure Web Applications ( -http://www.owasp.org/index.php/Category:OWASP_Guide_Project) to help alleviate this kind of problem. (Paller): Ed's advice is sound. If you are not certain that your developers have mastered all the secure coding essentials, encourage them to use the GSSP assessment to find any gaps. If your organization writes software that others use, either directly or embedded in hardware, by mid 2008, many of your customers will be asking for evidence, as part of the procurement process, that all developers working on their products have the skills and knowledge to write secure code.
-http://www.sans.org/gssp (Ullrich): Missing authentication and access control for individual pages is one of the very common problems with web applications. A consistent and centralized access control scheme is required to fix this problem and a "quick fix" is unlikely to be successful. (Cole): Internet facing systems are so complex that many vulnerabilities go unnoticed. Most corporate test programs focus on making sure the system works, but it is critical that test plans address the unexpected so they can be found before a malicious user finds them. ]
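The Passport Canada flaw and Ullrich's note both come down to the same defect: a page that checks only that a visitor is logged in and then trusts the record id in the URL. The following is an added example, not code from the newsletter, from Passport Canada, or from any SANS project; the records, user names, identifiers and the `Session`, `Application`, `authorize` and `load_application` names are all constructed for illustration. It shows the weak handler next to a hardened one in which every record lookup passes through a single policy function, so a new page cannot forget the check, and denied lookups are logged because a run of denials on consecutive ids is the signal a defender would alert on.

```python
"""Per-record access control for a web handler.

Added example, not code from the newsletter or from Passport Canada. The
application records, user names and identifiers below are constructed.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("access-control")


class AccessDenied(Exception):
    """Raised by the policy layer; the web layer turns it into a 403 or 404."""


@dataclass(frozen=True)
class Session:
    """Server-side session: identity comes from here, never from the request."""
    user_id: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Application:
    app_id: str
    owner_id: str
    sin: str          # constructed placeholder, not a real SIN
    licence_no: str   # constructed placeholder


# Constructed sample records. Sequential ids like these are the kind of URL
# parameter the article describes, where changing one character reaches a
# neighbouring applicant's record.
APPLICATIONS = {
    "1001": Application("1001", "alice", "SIN-000-001", "DL-A1"),
    "1002": Application("1002", "bob", "SIN-000-002", "DL-B2"),
}


def view_application_insecure(session, app_id):
    """Weak pattern: 'logged in' is the only check, so the record id taken
    from the URL is trusted and any applicant can read any other applicant."""
    if session is None:
        raise AccessDenied("login required")
    return APPLICATIONS[app_id]


def authorize(session, action, app):
    """The one policy function every page goes through (the centralized
    scheme the editor's note asks for)."""
    if session is None:
        raise AccessDenied("login required")
    if "passport_officer" in session.roles:
        return
    if action == "read" and app.owner_id == session.user_id:
        return
    # Worth logging: one session refused on many consecutive ids is the
    # signature of someone walking the id space.
    log.warning("denied user=%s action=%s app=%s", session.user_id, action, app.app_id)
    raise AccessDenied(f"{session.user_id} may not {action} {app.app_id}")


def load_application(session, action, app_id):
    """Only way handlers obtain a record: lookup and policy check are welded
    together. A missing id and a forbidden id raise the same error so the
    response does not confirm which ids exist."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise AccessDenied("no such record or not permitted")
    authorize(session, action, app)
    return app


def view_application(session, app_id):
    """Hardened handler: same signature as the weak one, different plumbing."""
    return load_application(session, "read", app_id)


def count_denials(session, app_ids):
    """Detection helper: how many of the requested ids this session was refused."""
    denied = 0
    for app_id in app_ids:
        try:
            load_application(session, "read", app_id)
        except AccessDenied:
            denied += 1
    return denied


if __name__ == "__main__":
    bob = Session("bob")
    print("insecure handler gave bob:", view_application_insecure(bob, "1001").owner_id)
    try:
        view_application(bob, "1001")
    except AccessDenied as exc:
        print("hardened handler:", exc)
    officer = Session("carol", frozenset({"passport_officer"}))
    print("officer may read:", view_application(officer, "1001").app_id)
```

The point of `load_application` is that handlers never touch `APPLICATIONS` directly; with the lookup and the check in one place, an audit only has to confirm that no code path bypasses that function, which is the opposite of the per-page "quick fix" Ullrich warns against.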
House Committee Urges FERC Chair to Establish Grid Security Requirements (October 19, 2007)
In October, members of the House Committee on Homeland Security wrote a letter to Federal Energy Regulatory Commission (FERC) chairman Joseph Kelliher urging him to look into security measures to protect the nation's power grid. The letter was prompted by the committee members' reaction to a Department of Homeland Security (DHS) experiment in which a cyber attack destroyed a generator; video of the attack was released earlier this year. In response to the experiment, the Department of Energy and DHS worked together to develop "mitigation strategies" for electric sector owners and operators to implement to protect their plants from a similar attack. They asked the North American Electric Reliability Corporation (NERC) to require that the actions be implemented. NERC was denied the ability to require actions; FERC said that NERC may only issue recommendations. The letter from the House committee members asked that Kelliher look into whether the recommendations have been as widely implemented as information from NERC indicates and clarify who has the authority to issue required actions. -http://uaelp.pennnet.com/display_article/313026/22/ARTCL/none/none/1/House-Committee-on-Homeland-Security-urges-FERC-chairman-to-investigate-grid-security/ Letter to Chairman Kelliher: -http://hsc.house.gov/SiteDocuments/20071019105930-24294.pdf Chairman Kelliher's response: -http://hsc.house.gov/SiteDocuments/20071203162113-76466.pdf
Cyber Intruders Access National Lab Visitor Database (December 6, 2007)
A phishing attack is being blamed for the compromise of a visitor database at the Oak Ridge National Laboratory in Tennessee. The laboratory director said the attack on the US Department of Energy facility may "be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." Though no classified data were compromised, the names, birth dates, and Social Security numbers (SSNs) of all laboratory visitors between 1990 and 2004 were in the accessed database. The phishing emails appeared legitimate; they asked recipients to open attachments for additional information about conferences or an FTC complaint. The attachments were actually malware that infected the laboratory's computer system. Approximately 1,100 phishing emails entered the lab's network; in 11 instances, employees opened the malicious attachments. The Oak Ridge National Laboratory is home to the second-fastest supercomputer in the world. -http://seattlepi.nwsource.com/business/1700ap_cyber_attack.html [Editor's Comment (Northcutt): And if only 11 employees opened the notes and they were sent to 1,100 valid addresses that is pretty good; bully for their awareness training folks. I know it doesn't seem possible, but I keep wondering if email may start to fall out of favor as a business tool. Honestly, I have days where it seems all I do is answer email and when I knock off work, it just doesn't feel like I accomplished much. ]
Stolen Laptop Holds Forrester Employee Data (December 5, 2007)
A laptop computer stolen from the home of a Forrester Research employee contains personally identifiable information of an unspecified number of current and former Forrester employees and directors. The theft took place during the latter part of November and notification letters were sent to affected individuals on December 3. The notification letters indicated that the computer's hard drive was password protected, but no mention was made of encryption. When contacted for additional information, Forrester's press hotline was apparently unaware of the incident. -http://www.eweek.com/print_article2/0,1217,a=221033,00.asp
Twin Cities Blood Donor Data on Stolen Laptop (December 5, 2007)
A laptop computer stolen from a Minneapolis-St. Paul area blood bank contains the names and SSNs of 268,000 blood donors. The computer was stolen on November 28; Memorial Blood Centers has started to notify donors of the data security breach. A Memorial Blood Centers spokesperson said they have to check donors' SSNs to ensure they are eligible to give blood. -http://wcco.com/local/stolen.laptop.social.2.603413.html
Laptop Stolen From Auditor's Car (December 1, 2007)
A laptop computer stolen from an auditor's car contains 401K plan information for Springfield (Ohio) Community Blood Center employees. Batelle & Batelle LLC was performing an audit of the organization's retirement plan. The computer did not hold donor information. The October theft affects as many as 600 individuals. Other organizations, including the Ohio Masonic Home, have also been affected by the theft. -http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/11/30/sns120107laptop.html
Facebook Apologizes For Beacon and Changes Policy (December 5 & 6, 2007)
That's Not Exactly What We Meant By Scrub (December 6, 2007)
Kroll Ontrack lists the ten most unusual data recovery projects it encountered during the past year. -http://www.zdnet.co.uk/misc/print/0,1000000169,39291331-39001058c,00.htm [Editor's Note (Northcutt): That was a great read. If you are having a bad day, take a second to check this out. Also, it is a great reminder how important backups are. People keep telling me backups on laptops, backups on the local drive are the user's responsibility. However, in all my days, I haven't yet met a responsible user, so I don't see how making it the users' responsibility makes sense. ]
In our last issue we said that the North Carolina man sentenced to 110 years for cyber harassment and extortion had targeted girls in Brevard County, North Carolina. The victims were, in fact, in Florida. We regret the error and apologize for any confusion it may have caused.
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Dr. Eric Cole -http://www.sans.org/info/20057 Sponsored By Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
Internet Storm Center: Threat Update WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Johannes Ullrich -http://www.sans.org/info/20062 Sponsored By: Cenzic
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Internet Storm Center: Threat Update WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Johannes Ullrich -http://www.sans.org/info/20067 Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Paul Asadoorian -http://www.sans.org/info/20087 Sponsored By: Core Security
Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network -- and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/