SANS NewsBites - Volume: IX, Issue: 96


Two chances coming up to find SANS top-rated courses in the West: San Jose February 2-8 (http://www.sans.org/siliconvalley08/event.php) and Phoenix February 11-16 (http://www.sans.org/phoenix08/event.php) Auditing, Forensics, Hacking Tools, Securing Wireless, Securing Windows, Security Leadership, Firewalls, and CISSP test prep.

And a great new book for Christmas on the real cost of insecure software, Geekonomics. You may not agree with author (and SANS faculty member) Dave Rice's prescription for fixing the problem, but the book is already getting noticed in the cyber policy centers in Washington.
Alan

*************************************************************************
SANS NewsBites                     December 07, 2007                    Volume: IX, Issue: 96
*************************************************************************
TOP OF THE NEWS

   Hundreds of UK Government Laptops Lost or Stolen
   OMB Wants Federal Agencies to Limit Internet Gateways
   European Commission Wants Breach Notification Requirement
   Study: Security Policies Often Go Unheeded

THE REST OF THE WEEK'S NEWS

  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
   Canadian Passport Site Data Leak
   House Committee Urges FERC Chair to Establish Grid Security Requirements
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   December's Patch Tuesday to Offer Seven Security Bulletins
   Microsoft WPAD Flaw Affects Windows and IE
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
   HMRC Disks Contain Witness Protection Data
   Cyber Intruders Access National Lab Visitor Database
   Stolen Laptop Holds Forrester Employee Data
   Twin Cities Blood Donor Data on Stolen Laptop
   Laptop Stolen From Auditor's Car
  MISCELLANEOUS
   Facebook Apologizes For Beacon and Changes Policy
   That's Not Exactly What We Meant By Scrub
  CORRECTION
  LIST OF UPCOMING FREE SANS WEBCASTS


*************************** Sponsored By Cenzic *************************

Get the 2007 Web Security Leadership Survey. See the thoughts and opinions of 475 C-level information security professionals and what they said about the ominous task of securing web applications in the Web 2.0 world. Everything from the fear of losing their jobs if there is a breach to whether application security is real or not.
http://www.sans.org/info/20541

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18): http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cities and online any time: www.sans.org

*************************************************************************

TOP OF THE NEWS

Hundreds of UK Government Laptops Lost or Stolen (December 3 & 4, 2007)
UK ministers have acknowledged that hundreds of government laptop and desktop computers have been lost or stolen in the last several years. Figures from the justice minister indicate that 26 laptops and one desktop were stolen from the department in 2007, although no security breaches had been reported. The Ministry of Defence reported 66 laptops and two desktops stolen in 2006, and 458 other machines were stolen between 1998 and 2005. The UK government does not keep a central record of its missing and stolen computers.
-http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=6506

[Editor's Note (Schultz): Keeping an inventory of computing assets is one of the most fundamental things an organization can do as far as IT governance goes. The fact that the UK government does not even keep a centralized record of its missing and stolen computers thus is very difficult to comprehend. (Cole): The initial response to laptop theft risk is full disk encryption. While this helps, you also need a strong password policy that is strictly enforced. ]


OMB Wants Federal Agencies to Limit Internet Gateways (December 3, 2007)
The Office of Management and Budget (OMB) is directing US government agencies to limit the number of their Internet connections. The OMB's Trusted Internet Connections Initiative aims to reduce the number of Internet connections from the more than 1,000 presently in use to about 50. The initiative also requires that agencies deploy real-time gateway monitoring, and requires agency CIOs to establish action plans and measurable goals for implementing and participating in the Einstein Initiative, which provides 24x7 monitoring of all traffic entering or leaving agencies.
-http://www.fcw.com/online/news/150964-1.html?type=pf


European Commission Wants Breach Notification Requirement (December 5, 2007)
The European Commission has published a proposal that would require telecommunications companies to inform customers when their personal information has been compromised as a result of a data security breach. The proposal says that the rule should not interfere with police work, e.g. breach notification could be delayed if the publicity would hinder an investigation. The proposal would also allow telecommunication services providers to sue spammers for costs they incur as a result of unsolicited commercial email being sent over their networks.
-http://www.out-law.com/page-8741
[Editor's Note (Pescatore): While European data privacy laws have generally resulted in better data protection there, the lack of a strong breach disclosure law in EU does hurt efforts to make some needed improvements to deal with the targeted threats we are dealing with today.
(Honan): While this legislation is initially only aimed at telecommunications companies here's hoping that it will not be watered down in response to lobbying by industry and that future breach disclosure legislation will encompass other business sectors.
(Northcutt): A quick Google search shows that similar legislation is being considered in Canada, New Zealand, and the UK. It would be a good idea for these various legislative bodies to share and see if there are common elements they can use. This is the moment the World Privacy Forum needs to put it in gear if they want to be relevant:
-http://www.worldprivacyforum.org/]


Study: Security Policies Often Go Unheeded (December 6, 2007)
A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies' policies. Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17

[Editor's Note (Ullrich): And who is surprised by this? ]



************************* Sponsored Links: ***************************

1) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/20546

2) Stop data leaks and sanitize your servers before they leave your premises. Blancco them today. http://www.sans.org/info/20551

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY


Canadian Passport Site Data Leak (December 4, 2007)
The Passport Canada website was found to be leaking applicant data last week. One site visitor discovered that by altering a character in the URL, he could view other applicants' social insurance numbers, driver's license numbers, and other sensitive personal information. Passport Canada learned of the data leak last week. The site was unavailable through Monday of this week due to "problems of a different nature," according to a spokesperson. Passport officials said the data leak was "an isolated anomaly," but evidence proves otherwise. When the site was once again available, it was discovered that other applicants' personal data could still be viewed.
-http://www.theregister.co.uk/2007/12/04/canadian_passport_site_breach/print.html
-http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/?page=rss&id=RTGAM.20071204.wpassport1204

[Editor's Note (Skoudis): These session cloning vulnerabilities due to weak session management have been known for a long time, but they still crop up on a regular basis, as do SQL Injection, directory traversal flaws and several others. While some web developers are security grand-masters, coding consistently solid and secure applications, many other web app developers still lack the skills needed to avoid these common mistakes. Make sure you have your web app folks read the OWASP Guide to Building Secure Web Applications (
-http://www.owasp.org/index.php/Category:OWASP_Guide_Project)
to help alleviate this kind of problem.
(Paller): Ed's advice is sound. If you are not certain that your developers have mastered all the secure coding essentials, encourage them to use the GSSP assessment to find any gaps. If your organization writes software that others use, either directly or embedded in hardware, by mid 2008, many of your customers will be asking for evidence, as part of the procurement process, that all developers working on their products have the skills and knowledge to write secure code.
-http://www.sans.org/gssp
(Ullrich): Missing authentication and access control for individual pages is one of the very common problems with web applications. A consistent and centralized access control scheme is required to fix this problem, and a "quick fix" is unlikely to succeed. (Cole): Internet-facing systems are so complex that many vulnerabilities go unnoticed. Most corporate test programs focus on making sure the system works, but it is critical that test plans address the unexpected so such flaws can be found before a malicious user finds them. ]
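The Passport Canada flaw as described above (change one character in the URL, read another applicant's record) is the pattern now usually called an insecure direct object reference: the caller is authenticated, but the object named in the request is never checked against that caller. The following is an added illustration, not code from Passport Canada or from the newsletter; the record store, the Session type, the sequential application IDs and the per-deployment key are constructed stand-ins. It shows the vulnerable lookup, a hardened lookup that pairs every fetch with an ownership check (and returns the same "not found" result for missing and foreign records so IDs cannot be enumerated), and an indirect reference that binds the URL parameter to the logged-in user with a MAC so that editing a character invalidates it.

```python
"""Insecure direct object reference: vulnerable lookup, hardened lookup,
and an indirect (MAC-bound) reference. Added example; all data constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. Sequential IDs make neighbours trivial to guess.
APPLICATIONS = {
    "1001": {"owner": "alice", "sin": "123-456-789", "dl": "A1234-56789"},
    "1002": {"owner": "bob",   "sin": "987-654-321", "dl": "B9876-54321"},
}

# Constructed per-deployment secret used to bind references to a user.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """Stand-in for the authenticated session: who is making the request."""
    user: str


def vulnerable_view(session: Session, app_id: str) -> Optional[dict]:
    """Vulnerable: trusts the ID from the URL. The session proves who the
    caller is, but nothing checks that the record belongs to them, so
    /application?id=1002 hands alice bob's data."""
    return APPLICATIONS.get(app_id)


def hardened_view(session: Session, app_id: str) -> Optional[dict]:
    """Hardened: the fetch and the authorization check are inseparable.
    A missing record and a record owned by someone else both return None,
    so the response does not reveal which IDs exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session.user:
        return None
    return record


def _tag(user: str, app_id: str) -> str:
    # HMAC over "user:id" so a reference minted for alice is useless to bob
    # and cannot be edited into a reference for a different record.
    msg = f"{user}:{app_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_ref(session: Session, app_id: str) -> str:
    """Indirect reference to embed in links for this user: "<id>.<tag>"."""
    return f"{app_id}.{_tag(session.user, app_id)}"


def resolve_ref(session: Session, ref: str) -> Optional[dict]:
    """Verify the MAC for the current user, then still run the ownership
    check: the reference is defence in depth, not a replacement for it."""
    app_id, _, tag = ref.rpartition(".")
    if not hmac.compare_digest(tag, _tag(session.user, app_id)):
        return None
    return hardened_view(session, app_id)


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable, alice asks for 1002:", vulnerable_view(alice, "1002"))
    print("hardened,   alice asks for 1002:", hardened_view(alice, "1002"))
    ref = make_ref(alice, "1001")
    print("good ref    ->", resolve_ref(alice, ref))
    print("edited ref  ->", resolve_ref(alice, "1002" + ref[4:]))
```

The centralized check Ullrich's note calls for is the `hardened_view` shape applied to every object-returning handler, not to the one page where the leak happened; the MAC-bound reference only adds a second layer and does nothing if the server-side ownership check is skipped.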


House Committee Urges FERC Chair to Establish Grid Security Requirements (October 19, 2007)
In October, members of the House Committee on Homeland Security wrote a letter to Federal Energy Regulatory Commission (FERC) chairman Joseph Kelliher urging him to look into security measures to protect the nation's power grid. The letter was prompted by the committee members' reaction to a Department of Homeland Security (DHS) experiment in which a cyber attack destroyed a generator; video of the attack was released earlier this year. In response to the experiment, the Department of Energy and DHS worked together to develop "mitigation strategies" for electric sector owners and operators to implement to protect their plants from a similar attack. They asked the North American Electric Reliability Corporation (NERC) to require that the actions be implemented. NERC was denied the ability to require actions; FERC said that NERC may only issue recommendations. The letter from the House committee members asked that Kelliher look into whether the recommendations have been as widely implemented as information from NERC indicates and clarify who has the authority to issue required actions.
-http://uaelp.pennnet.com/display_article/313026/22/ARTCL/none/none/1/House-Committee-on-Homeland-Security-urges-FERC-chairman-to-investigate-grid-security/

Letter to Chairman Kelliher:
-http://hsc.house.gov/SiteDocuments/20071019105930-24294.pdf
Chairman Kelliher's response:
-http://hsc.house.gov/SiteDocuments/20071203162113-76466.pdf


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


December's Patch Tuesday to Offer Seven Security Bulletins (December 6, 2007)
According to Microsoft Advance Notification, the company will issue seven security bulletins on Tuesday, December 11. The bulletins will address security flaws in Windows and Internet Explorer (IE). Five of the updates will address flaws in Windows Vista. Three of the seven bulletins have a maximum severity rating of critical; the other four are rated "important." Five of the bulletins address vulnerabilities that could allow remote code execution. The other two address privilege elevation flaws.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051484&source=rss_topic17

-http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx#EDFAC
[Editor's Note (Cole): Even more important than patching is proactive removal of unneeded services. ]


Microsoft WPAD Flaw Affects Windows and IE (December 3, 4, & 5, 2007)
An advisory from Microsoft warns of a vulnerability in its Web Proxy Auto-Discovery (WPAD) technology. The flaw could be exploited to "reroute traffic through a malicious server" to allow man-in-the-middle attacks. The vulnerability could affect "customers whose domain name begins in a third-level or deeper domain." Microsoft has provided several workarounds to protect users until a patch is available. There have been no reports of attacks exploiting the vulnerability. The flaw affects all current versions of Windows and IE.
-http://www.securityfocus.com/brief/638
-http://www.vnunet.com/vnunet/news/2204911/microsoft-warns-vulnerability
-http://www.microsoft.com/technet/security/advisory/945713.mspx
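The "third-level or deeper domain" wording in advisory 945713 is about name devolution. A client with automatic proxy detection enabled and no WPAD answer from DHCP looks up a host named wpad in its own DNS suffix, then strips the leftmost label and tries again. For a machine in sales.example.co.uk the walk reaches wpad.co.uk, a name the organization does not own and an outsider can register, which is how the attacker gets to serve the proxy configuration and sit in the middle. The following is an added illustration, not Microsoft's code; the stop rule (devolve down to a two-label name) and the sample domains are assumptions made here. It lists the names a client would try, flags those outside the zones you control, and names the record to register so the walk gets an answer before it leaves your zones.

```python
"""WPAD DNS devolution: which names a client tries, which of them fall
outside the organization's zones, and where a wpad record would stop the
walk. Added example; stop rule and sample domains are assumptions."""
from __future__ import annotations

from typing import Optional


def wpad_candidates(fqdn: str) -> list[str]:
    """Names tried, in order, for a host with DNS name `fqdn`.
    Assumed rule: drop the host label, then devolve one label at a time
    until only two labels remain (so "co.uk" is reached, not "uk")."""
    labels = fqdn.lower().rstrip(".").split(".")[1:]
    out = []
    while len(labels) >= 2:
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return out


def _owned(zone: str, owned_suffixes: set[str]) -> bool:
    zone = zone.lower()
    return any(zone == s or zone.endswith("." + s) for s in owned_suffixes)


def exposed_candidates(fqdn: str, owned_suffixes: set[str]) -> list[str]:
    """Candidates whose zone is not under any suffix you control: each is a
    name an outsider could register to answer your clients' WPAD query."""
    return [n for n in wpad_candidates(fqdn)
            if not _owned(n.split(".", 1)[1], owned_suffixes)]


def stop_record(fqdn: str, owned_suffixes: set[str]) -> Optional[str]:
    """The first candidate inside your zones. Registering this name (pointing
    at your real proxy, or at an unroutable address) gives the client an
    answer before devolution leaves the zones you control."""
    for name in wpad_candidates(fqdn):
        if _owned(name.split(".", 1)[1], owned_suffixes):
            return name
    return None


if __name__ == "__main__":
    owned = {"example.co.uk"}
    for host in ("pc1.sales.example.co.uk", "pc1.example.co.uk"):
        print(host)
        print("  tries:  ", wpad_candidates(host))
        print("  exposed:", exposed_candidates(host, owned))
        print("  register", stop_record(host, owned))
```

Run it against your own suffix list to see which hosts have an exposed candidate; the other workaround the advisory offers, turning off "Automatically detect settings" in IE, removes the query altogether and is the safer choice where no proxy auto-configuration is actually needed.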


ATTACKS, INTRUSIONS, DATA THEFT & LOSS


HMRC Disks Contain Witness Protection Data (December 5 & 6, 2007)
Among those affected by the loss of two disks by HM Revenue and Customs are as many as 350 people who have changed their identities as part of witness protection programs. The data include both the former and the new names of these people. A reward of GBP 20,000 (US $40,500) is being offered for the disks' return. At a Commons Treasury sub-committee, acting HMRC head David Hartnett said there have been seven data security breaches "of some significance" since April 2005; all have been reported to the Information Commissioner.
-http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/05/ndata105.xml
-http://www.guardian.co.uk/uklatest/story/0,,-7127496,00.html
-http://news.bbc.co.uk/2/hi/uk_news/politics/7128851.stm
[Editor's Note (Ullrich): One of the less widely reported, sad elements of this story is that the receiving agency requested much less detailed data than the sending agency provided on the CDs. The sending agency found it more convenient to just send all the data. (Northcutt): Bummer about the witness protection program loss. This looks like it will have the impact the VA loss did in the US. I sure hope they are right that the data is still on government property, because every single day the tools and process to use stolen identities get better:
-http://www.washingtonpost.com/wp-dyn/content/article/2007/03/13/AR2007031301522.html

On the lighter side, it is starting to look like Jocelyn Kirsh (we wrote about the "Bonnie and Clyde" of identity theft in our last issue) is on track to become the most famous ID thief in the US. Yesterday, she was listed in the top 100 Google searches; Facebook now has a group called "Jocelyn Kirsh is scandalous", where people are posting pictures of her (you have to be a Facebook member to view):
-http://www.facebook.com/photo_search.php?oid=8137160635&view=all
and it looks like the couple intends to cop a plea:
-http://ap.google.com/article/ALeqM5gIGiwX_6-n_B-u1ipXyNzVBg1EGQD8TC81V80]



Cyber Intruders Access National Lab Visitor Database (December 6, 2007)
A phishing attack is being blamed for the compromise of a visitor database at the Oak Ridge National Laboratory in Tennessee. The laboratory director said the attack on the US Department of Energy facility may "be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." Though no classified data were compromised, the names, birth dates, and Social Security numbers (SSNs) of all laboratory visitors between 1990 and 2004 were in the accessed database. The phishing emails appeared legitimate; they asked recipients to open attachments for additional information about conferences or an FTC complaint. The attachments were actually malware that infected the laboratory's computer system. Approximately 1,100 phishing emails entered the lab's network; in 11 instances, employees opened the malicious attachments. The Oak Ridge National Laboratory is home to the second-fastest supercomputer in the world.
-http://seattlepi.nwsource.com/business/1700ap_cyber_attack.html
[Editor's Comment (Northcutt): And if only 11 employees opened the notes and they were sent to 1,100 valid addresses that is pretty good; bully for their awareness training folks. I know it doesn't seem possible, but I keep wondering if email may start to fall out of favor as a business tool. Honestly, I have days where it seems all I do is answer email and when I knock off work, it just doesn't feel like I accomplished much. ]


Stolen Laptop Holds Forrester Employee Data (December 5, 2007)
A laptop computer stolen from the home of a Forrester Research employee contains personally identifiable information of an unspecified number of current and former Forrester employees and directors. The theft took place during the latter part of November and notification letters were sent to affected individuals on December 3. The notification letters indicated that the computer's hard drive was password protected, but no mention was made of encryption. When contacted for additional information, Forrester's press hotline was apparently unaware of the incident.
-http://www.eweek.com/print_article2/0,1217,a=221033,00.asp


Twin Cities Blood Donor Data on Stolen Laptop (December 5, 2007)
A laptop computer stolen from a Minneapolis-St. Paul area blood bank contains the names and SSNs of 268,000 blood donors. The computer was stolen on November 28; Memorial Blood Centers has started to notify donors of the data security breach. A Memorial Blood Centers spokesperson said they have to check donors' SSNs to ensure they are eligible to give blood.
-http://wcco.com/local/stolen.laptop.social.2.603413.html


Laptop Stolen From Auditor's Car (December 1, 2007)
A laptop computer stolen from an auditor's car contains 401K plan information for Springfield (Ohio) Community Blood Center employees. Batelle & Batelle LLC was performing an audit of the organization's retirement plan. The computer did not hold donor information. The October theft affects as many as 600 individuals. Other organizations, including the Ohio Masonic Home, have also been affected by the theft.
-http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/11/30/sns120107laptop.html



MISCELLANEOUS


Facebook Apologizes For Beacon and Changes Policy (December 5 & 6, 2007)
Facebook members can now entirely switch off the new Beacon advertising system. Facebook founder Mark Zuckerberg has apologized for the way the service was introduced. At first, users could only opt out each time they made a purchase; now they can opt out entirely. More than 50,000 Facebook members had signed a petition in protest of Beacon. Users are still a bit wary, expressing concern that while they can choose that information about their purchases not be posted to their profiles, it is not clear if Facebook is still collecting the purchase information.
-http://www.computerworlduk.com/management/online/new-media/news/index.cfm?newsid=6542
-http://news.bbc.co.uk/2/hi/technology/7130349.stm
-http://www.nytimes.com/2007/12/06/technology/06facebook.html?ei=5088&en=c6ece5c40d913569&ex=1354597200&partner=rssnyt&emc=rss&pagewanted=print
(Note: this site requires free registration)
-http://money.cnn.com/2007/12/05/technology/kirkpatrick_facebook.fortune/index.htm?postversion=2007120512?cnn=yes

[Editor's Note (Pescatore): Despite claims that privacy is dead or users don't care about privacy, every time some technology vendor goes too far and their users or companies fight back, the vendor has to back off. Consumers voting with their "clicks" and business voting with their software procurement or services budget are both pretty effective. ]


That's Not Exactly What We Meant By Scrub (December 6, 2007)
Kroll Ontrack lists the ten most unusual data recovery projects it encountered during the past year.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39291331-39001058c,00.htm
[Editor's Note (Northcutt): That was a great read. If you are having a bad day, take a second to check this out. Also, it is a great reminder of how important backups are. People keep telling me that backups on laptops, backups on the local drive, are the user's responsibility. However, in all my days, I haven't yet met a responsible user, so I don't see how making it the users' responsibility makes sense. ]


CORRECTION
In our last issue we said that the North Carolina man sentenced to 110 years for cyber harassment and extortion had targeted girls in Brevard County, North Carolina. The victims were, in fact, in Florida. We regret the error and apologize for any confusion it may have caused.


LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20062
Sponsored By: Cenzic

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/