SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #21
March 13, 2007
The long awaited hard drive with encryption built in was finally released this week, making laptop encryption easier for users. At the same time Windows Vista is coming with BitLocker built in. To really understand where these tools fit and how you might integrate enterprise encryption solutions, come to San Jose in April for the Mobile Encryption Summit.
TOP OF THE NEWSBill Would Exempt Texas County Clerks from Data Privacy Laws
Three Men Indicted for Online Stock Manipulation
US $3 Million Frozen in Pump-and-Dump Case
Hard Drives With Embedded Encryption to Debut
THE REST OF THE WEEK'S NEWSHOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Real ID Act Irks Legislators
Stolen Hard Drive Holds California National Guard Data
NZ Revenue Dept. Employees Fired for Unauthorized File Access
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
WGA Always Sends Info to Microsoft
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Idaho Employee Data Inadvertently Posted to Web
STANDARDS & BEST PRACTICES
Laptop Theft Prompts Data Security Rules
ICANN Issues Factsheet on February DNS Attack
Scotland Yard Thwarted Plan to Attack Internet Hub in UK
Outsourcer Apologizes for Laptop Theft
SANS Security Tip of the Day
******************** Sponsored By ArcSight, Inc. ************************
Free Whitepaper: Achieving IT Compliance, Automation and Efficiency IT organizations have a dual role. They make strategic decisions about implementing a network. Then they shift to a tactical focus, changing the network to support evolving day-to-day needs. Learn how to automate and streamline network configuration management with this free whitepaper. Brought to you by ArcSight, the ESM leader that turns data into action.
How Good Are SANS Courses?
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++SANS has the highest quality instructors and the most relevant, current information of any training I have attended. Melodee McHone, Hallmark
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
| ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
In addition to the big conference in San Diego, programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on-demand courses) without leaving your home, or you may even study online. Schedule: http://www.sans.org/index.php
TOP OF THE NEWS
Bill Would Exempt Texas County Clerks from Data Privacy Laws (March 12, 2007)The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents "in the ordinary course of business." The bill now goes to the state Senate, where it needs approval of a two-thirds majority to become law. The legislation comes in response to a ruling late last month from Texas Attorney General Greg Abbot that exposing SSNs in public documents violates state and federal laws. Furthermore, according to Abbot's opinion, county clerks in Texas could be held criminally liable for exposing SSNs when documents are made public; violators could face prison time and fines. The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid. The bill would also require that SSNs no longer be included in public records filed with county governments and allows Texans to request that their SSNs be removed from existing documents, though it is up to the individuals to identify the documents from which they want the information redacted.
[Editor's Note (Kreitner): If not the County Clerks, who will be accountable for ensuring that exposing SSN's in public documents does not occur? Laws without accountability for enforcing the intent of the law are impotent.]
Three Men Indicted for Online Stock Manipulation (March 12, 2007)Three Indian nationals have been indicted on federal charges of manipulating stock prices by breaking into people's online brokerage accounts and artificially inflating the prices of certain stocks. The "hack, pump, and dump" scheme used an estimated total of 60 customer accounts at nine online brokerages. The suspects bought stocks through their own accounts, used the hacked accounts to drive up the prices and sold the stocks at a profit. The US Securities and Exchange Commission (SEC) has filed separate civil charges against all three men. Two of the men have been arrested in Hong Kong; one remains at large.
US $3 Million Frozen in Pump-and-Dump Case (March 8 & 12, 2007)A federal judge has granted the SEC's request to freeze US $3 million in a brokerage account under the name of a Latvian bank. The money is believed to have been generated by a ring of cyber thieves in Russia, Latvia, Lithuania and the British Virgin Islands. The scammers allegedly ran a stock manipulation scheme that netted them more than US $730,000 in just one year. Investigators believe the perpetrators broke into online brokerage accounts, sold the customers' holdings and used the profits to manipulate prices of stocks they had bought earlier. They then allegedly sold those stocks at artificially inflated values.
[Editor's Note (Northcutt): This pump and dump attack isn't exactly new, but it is very scary. Many people are counting on their stock funds as part of their retirement, and online brokerages have no legal responsibility to cover these losses. If anyone knows of an online trading service that offers two factor authentication drop me a note, and we can check it out and pass that on as a service to our readers (Stephen@sans.edu). Here are a few good links on this topic:
Hard Drives With Embedded Encryption to Debut (March 12, 2007)Seagate has announced that its hard drives with built-in encryption will debut in laptops some time in the next few months. The laptops will have a chip that will make it impossible for anyone to read data from the disk or boot up without some sort of authentication.
[Editor's Note (Kreitner): Kreitner -- A good use of technology to reduce exposures attributable to careless human behaviors.]
************************** Sponsored Links: ***************************
1) Webcast March 15th 11am PT Using Log Management to Drive Operational Insight, Mitigate Risk and Automate Compliance
2) 'Storm Worm' wreak havoc on your network? Download FREE White Paper "Enterprise Network Security Does Not End with IPS" and learn why IPS is insufficient for securing the network core.
| 3) The SANS Encryption Summit, April 23-25, provides concrete, actionable information you can deploy as soon as you return to work.
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Real ID Act Irks Legislators (March 2 & 12, 2007)On March 1, the Department of Homeland Security (DHS) issued proposed regulations for compliance with the Real ID Act, which aims to establish minimum standards for state-issued driver's licenses and identification cards. Despite the fact that the requirements appear to be less stringent than first indicated, US lawmakers are expressing concerns about citizens' privacy and the costs associated with implementing the Real ID requirements. DHS Secretary Michael Chertoff said that the states would hold the data from the cards; the information will not be held in a national database. The idea is to make driver's licenses very difficult to forge or alter. The compliance deadline has been extended from May 2008 to May 2013. While the government is not mandating that states include biometrics on the cards, it does not discourage their use. There is a 60-day period for public comment on the proposed regulations. Two legislators have introduced bills that would repeal the act.
Stolen Hard Drive Holds California National Guard Data (March 9 & 10, 2007)A stolen hard drive contains personally identifiable information of approximately 1,300 California National Guard troops who have been deployed to the US-Mexico border. The compromised data include addresses, dates of birth and Social Security numbers (SSNs). The drive was reported missing in late February from the California National Guard's border mission headquarters at San Diego Naval Base. Guard members affected by the breach were notified on February 28. The case has been turned over to the Navy's Criminal Investigative Division.
NZ Revenue Dept. Employees Fired for Unauthorized File Access (March 6, 2007)New Zealand's Inland Revenue Department (IRD) has fired nearly 80 employees in the last four years for accessing files inappropriately. A number of the people who lost their jobs had accessed their own files or those of family members outside the bounds of their duties. In 2003, a minor scandal erupted when it was discovered that IRD employees had accessed files of a number of celebrities as well as those of their own families; 75 people were fired as a result. The number of people caught snooping has decreased each year since 2003 to just 13 in 2006; there were no instances of employees accessing celebrities' files within the last year. Inland Revenue Deputy Commissioner Colin MacDonald defends the IRD's strict codes, saying they are entrusted with ensuring taxpayers' secrecy.
[Editor's Note (Honan): Having policies in place that are not enforced rigorously and consistently undermines the effectiveness of these policies and ultimately the security of your systems. The New Zealand Revenue Department's approach to policy breaches demonstrates that making people accountable for their actions significantly improves security.
(Kreitner) An excellent example of resolute management attuned to security. Also a situation where instituting role-based access would be helpful. If each agent had access to only his/her assigned accounts, snooping in other accounts would require human collusion.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
WGA Always Sends Info to Microsoft (March 8 & 9, 2007)Microsoft has acknowledged that its most recent Windows Genuine Advantage (WGA) update sends some information back to the company's Redmond, WA headquarters even if users decline to install the update. A statement from Microsoft's UK anti-piracy manager says the information sent back does not identify individuals. WGA communicates to Microsoft the computers' globally unique identifiers (GUIDs), user and machine language settings and whether or not the machine was connected to a domain.
[Editor's Note (Schultz): WGA amounts to little more than spyware, something that sooner or later Microsoft will have to contend with in court. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Idaho Employee Data Inadvertently Posted to Web (March 10, 2007)For the second time in three months, the University of Idaho has experienced a data security breach. UI is notifying 2,700 employees that their personal information was accessible on the school's web site for 19 days in February. The file was removed on February 27 as soon as the Information Technology Services became aware of the situation. UI is investigating the incident. An authorized user inadvertently uploaded the file containing the data along with a report. The data include names, birth dates and SSNs, but no financial account information. The data were "in a proprietary binary data file, that require a special program if they are to be read," according to UI Provost Doug Baker. In November 2006, three desktop computers were stolen from UI's fundraising office in Moscow, ID. That incident prompted the school to "announce it was revamping its policies and procedures for handling sensitive information." The school also plans to move away from using SSNs as unique identifiers.
STANDARDS & BEST PRACTICES
Laptop Theft Prompts Data Security Rules (March 8, 2007)Ontario (Canada) privacy commissioner Ann Cavoukian has issued a report that orders Toronto's Hospital for Sick Children to implement policies and procedures to protect the security of patient data. The report is the outcome of an investigation prompted by the January 4, 2007 theft of a laptop from a physician's car. The computer held personally identifiable, sensitive information of 2,900 of the hospital's patients. The physician had been planning to use the information to work on a research project at home. The hospital must now prohibit the removal of patient data from the premises unless doing so would interfere with providing proper patient care. If a situation arises in which data must be removed, they must first be encrypted. Furthermore, data loaded onto mobile devices must be encrypted and be limited to data essential to the research being conducted. The hospital has until June 15 of this year to demonstrate compliance with the order.
ICANN Issues Factsheet on February DNS Attack (March 12, 2007)A factsheet from the Internet Corporation for Assigned Names and Numbers (ICANN) says DNS servers came through February's attack relatively unscathed because of the Anycast load-balancing technology put in place after the last major attack in 2002. The attack targeted six of the 13 root servers. The two servers that fared the worst during the attack did not yet have the technology installed. The root server operators also played a significant role in preventing the attack from having a noticeable effect on Internet users worldwide by staying in constant communication. The operators noticed that all the attack packets were larger than 512-bytes and consequently blocked packets that met that criterion. That step alone managed to stop the attack in its tracks.
[Editor's Note (Skoudis and Paller): The ICANN fact sheet is really good, and we strongly encourage you to read it. It describes not only the attack and defenses, but the overall architecture of the root DNS infrastructure in terms that even a newbie can understand and appreciate. It explains interesting things, like why there are 13 root name servers and not more (it's associated with the 512 byte query size), and how Anycast technology helped to thwart the attack. Kudos to ICANN for not only producing this fascinating and useful document, but for their openness in describing what happened.
(Pescatore): The DNS root servers have proven to be pretty resilient against these large-scale DoS attacks that get a lot of publicity. However, a lot of enterprises have been hit by targeted DoS attacks and have found they have to upgrade their defenses - usually by paying their ISP extra to get filtered bandwidth. The ISPs need to take some of that revenue and take steps to make it much harder for DDoS attacks to succeed. ]
Scotland Yard Thwarted Plan to Attack Internet Hub in UK (March 11, 2007)Scotland Yard has foiled an alleged Al-Qaeda plot to "bring down the Internet" in the UK. In raids carried out last year, detectives discovered computer files indicating suspects were targeting an Internet hub in London. The plots considered by the suspects included blowing up the facility that houses the hub.
[Editor's Note (Honan): Security of our networks is not simply about electronic defences. One of the key goals of terrorism is to create fear and uncertainty which is often best achieved by the physical destruction of key targets. Targeting Internet hubs with physical attacks is an effective method for terrorists to achieve their goals by creating the publicity and media attention terrorism craves while also damaging the Internet infrastructure. If you host sites or infrastructure that would be attractive to a terrorist attack you should constantly ensure your threat models and risk profiles include threats posed by motivated and determined physical terrorist attacks. ]
Outsourcer Apologizes for Laptop Theft (March 8, 2007)A company that owned a stolen laptop containing personally identifiable information of more than 16,000 Worcestershire County (UK) Council employees has apologized for the incident and says it will pay costs associated with the data breach. Serco is developing an integrated human resources and payroll system for the council. An investigation conducted jointly by the council and Serco found that the Serco employee should not have had the sensitive data on the computer.
SANS Security Tip of the Day
Read error messages and checkboxesWhen you see an error message pop up on the screen, read it! You may not understand everything, but if you look through the message, you can get the gist. Hackers can sometimes generate errors to collect everything you type and everything that comes up on your screen. If you don't understand the error, at least capture the screen. To do that, hold down the shift key and press the key labeled "Print Screen" or "PrtSc". That will put the screen into short-term storage called the clipboard. Then open an e-mail message, right click on the message body and select "paste". Now you can print it or send it to tech support for further analysis.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email firstname.lastname@example.org.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit