SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #59
July 27, 2007
If your organization has web applications, either internal or external, you'll want to listen in to the free webcast on Thursday August 2 at 1 PM (EDT) on the major changes in the Top 10 Web Application Security Vulnerabilities developed by OWASP. Many vulnerabilities are the same, but some new ones have emerged. We'll bring you up to date on the changes and on how you can determine whether your programmers actually know how to write web applications that don't include those vulnerabilities. Sign up at
TOP OF THE NEWS
FBI Wants Telecoms to Retain Internet and Call Data
GAO Audit Finds VA IT Equipment Missing
GAO Report on Challenges in Addressing Cyber Threats
Cox Tries to Erase Bots
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
House Committee Hears Testimony on P2P Technology
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
FBI, Chinese Police Arrest 25, Seize Pirated Software Worth Half a Billion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Storm Worm Skips Attachments This Time
Zero-Day URI Flaw in Firefox on Windows
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Newcastle City Council Data Breach Exposes Credit Card Data
County Website Closes Access to Sensitive Data
Number Affected by Fidelity National Breach Grows
NZ Consumer Groups Seek Online Banking Code Clarification and Changes
LIST OF UPCOMING FREE SANS WEBCASTS
******************** Sponsored By Seagate Technology *****************
What Seagate knows about secure storage could affect--perhaps materially improve--your company's security decisions, at a time when regulations and rising threats have made security decisions more and more critical. Find expert information about security planning, technologies, legislation, standards and news at http://www.sans.org/info/12106. Don't wait till tomorrow. One piece of information could change everything.
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
TOP OF THE NEWS
FBI Wants Telecoms to Retain Internet and Call Data (July 25, 2007)
The FBI is reportedly seeking US $5 million annually from Congress to pay telecommunications companies to retain Internet use and phone call records. The plan would not give the FBI unfettered access to the data; the agency would be required to present national security letters or subpoenas before the data are released. The request and plan have raised some warning flags due to a recent Justice Department inspector general's (IG) report indicating the FBI has abused national security letters. It has been pointed out that the plan circumvents "the Fourth Amendment by paying private companies to" retain information the FBI cannot itself retain.
[Editor's Note (Schultz): Having money to pay telecom companies to retain records that the FBI wants is likely to reduce the telecom companies' resistance to FBI access to their records. At the same time, however, USD 5 million seems paltry compared to the potential cost of having to store and retrieve such records. ]
GAO Audit Finds VA IT Equipment Missing (July 24, 2007)
A Government Accountability Office (GAO) audit of equipment inventories at four Veterans Affairs (VA) medical centers found that more than 25 percent of IT equipment at the Washington DC center was unaccounted for. The three other medical centers examined in the audit could not account for between six and 11 percent of their equipment. In all, more than 2,400 pieces of equipment, with an original value of US $4.6 million, could not be accounted for. The findings not only raise concerns about wasteful spending but also add to the agency's already damaged data security record. The VA says that in the three months since the audit was completed, it has located most of the missing equipment.
[Editor's Note (Schultz): There is no excuse for this kind of negligence--one or more individuals within the VA should face criminal charges for this. ]
GAO Report on Challenges in Addressing Cyber Threats (July 23, 2007)
A Government Accountability Office (GAO) report lists four major challenges faced by public and private entities addressing cyber crime. First, cyber crime is not always reported. Second, law enforcement agencies do not always have adequately trained employees, due in part to staff rotation policies. Third, cyber crime occurs in borderless environments and prosecution becomes complicated because it involves multiple jurisdictions. Finally, awareness and implementation of strong security practices are not widespread.
[Editor's Note (Schultz): I'd add something to the second point--the best and brightest individuals within law enforcement who are computer savvy often leave because they are offered lucrative jobs within the commercial sector.]
Cox Tries to Erase Bots (July 23 & 26, 2007)
In an attempt to thwart botmasters, Internet service provider (ISP) Cox Communications has configured its DNS servers to redirect lookups for certain IRC servers, which botnets use to receive instructions, to an IRC server Cox controls. The goal is to cut infected computers off from their botnet commands. When a bot connects to the Cox server, that server attempts to remove the bot software from the infected machine. The practice has raised ethical concerns.
[Editor's Note (Pescatore): There does need to be some formalization about this kind of practice and there definitely needs to be up front notification to customers, but more of this needs to be done by ISPs. Most ISP contractual agreements contain terms of service clauses or acceptable use policies that essentially prohibit customers from participating in botnets. So, ISPs could simply terminate connectivity for any customers who are infested with botnets, but that is pretty much lose-lose for the ISP and their customers - most customers don't even know they have bots installed. More security services routinely built into the cloud is a good and needed thing - but up front notification to customers in advance is definitely required to give users choice to select an ISP who doesn't do so, if for some strange reason they prefer to be an active part of a botnet. ]
*********************** Sponsored Links: *****************************
1) **FREE** Log Management Trial. Easily collect, archive and report on events from any data source.
2) FREE WEBINAR featuring independent Forrester Research Analysts: The Next Wave in Identity and Access Management.
3) Attention! 2 more weeks Left to Enter to Win a Trip for 2 to SANS Network Security in Las Vegas in September!
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
House Committee Hears Testimony on P2P Technology (July 24 & 26, 2007)
The House Oversight and Government Reform Committee heard testimony earlier this week about the risks associated with using peer-to-peer (P2P) filesharing programs. Experts testified that sensitive government documents have been inadvertently leaked to the Internet through such programs. One document included a diagram of a Pentagon computer network and defense contractors' system passwords. Both committee chairman Rep. Henry Waxman (D-Calif.) and ranking member Rep. Tom Davis (R-Va.) introduced legislation "in 2003 that would have required government agencies to clamp down on filesharing," but the bill did not pass. LimeWire's Mark Gorton was the target of harsh criticism during the hearing for enabling inadvertent but damaging disclosure of sensitive military information.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
FBI, Chinese Police Arrest 25, Seize Pirated Software Worth Half a Billion (July 24 & 26, 2007)
The FBI and Chinese police have seized millions of dollars worth of counterfeit Microsoft software. The FBI estimates the seized pirated software is worth approximately US $500 million; Microsoft estimates the group sold US $2 billion worth of pirated software. Twenty-five people have been arrested in raids on the group's production plants in the southern Chinese province of Guangdong. Information crucial to tracking down the pirates was obtained through Microsoft's Windows Genuine Advantage (WGA) program, which "forces users of some versions of Windows to validate their copy of the operating system with Microsoft when updating their software." The pirated software was being manufactured in China and distributed worldwide. The operation, dubbed "Summer Solstice," began in 2005 and resulted in the takedown of "the biggest software counterfeiting organization we have ever seen by far," according to David Finn, Microsoft associate general counsel for worldwide piracy and counterfeiting issues.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Storm Worm Skips Attachments This Time (July 24 & 26, 2007)
The level of activity of the Storm worm is on the upswing. More than 140 million email messages containing links to malicious web pages have been sent out. The pages attempt to infect the computers of those who visit them with the Storm worm. The email messages generally tell recipients that someone has sent them an e-card and provide a link that purportedly lets them view it. A Storm attack earlier this month sent the malware in an attachment; this attack is web-based, so mail filters that only strip or scan attachments will not catch it. Internet Storm Center Coverage:
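The following is an added example, not code from the Internet Storm Center or from any vendor, of the kind of message triage the item above calls for once the payload moves from attachments to links. It carries no Storm-specific indicators; it flags the generic shape of the lure: e-card wording together with an embedded link, a link whose host is a bare IP address, and anchor text that names one host while the href points at another. The two messages and the addresses in them are constructed for the example; the lure phrases and the heuristics are assumptions, not signatures from the page.

```python
"""Heuristic triage of link-based e-card lures (added example, constructed samples)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lure wording; tune for the campaign actually being seen.
LURE_PHRASES = re.compile(r"\b(e-?card|greeting card|postcard)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg):
    """Return (href, shown text) for HTML anchors and bare URLs in text parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend((u, u) for u in URL_RE.findall(part.get_content()))
    return links


def is_ip_literal(host):
    return host is not None and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def triage(raw: bytes) -> dict:
    """Parse one RFC 822 message and return the reasons it looks like a link lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bodies = [p.get_content() for p in msg.walk()
              if p.get_content_type().startswith("text/")]
    text = " ".join([str(msg["subject"] or "")] + bodies)
    links = extract_links(msg)
    reasons = []
    if links and LURE_PHRASES.search(text):
        reasons.append("e-card wording with an embedded link")
    for href, anchor in links:
        host = urlsplit(href).hostname
        if is_ip_literal(host):
            reasons.append(f"link to bare IP address {host}")
        shown = urlsplit(anchor).hostname if anchor.lower().startswith(("http://", "https://")) else None
        if shown and host and shown != host:
            reasons.append(f"anchor text shows {shown} but href goes to {host}")
    return {"suspicious": bool(reasons), "reasons": reasons, "links": links}


# Constructed sample messages (TEST-NET address and example.* names only).
LURE = b"""From: cards@example.net
To: someone@example.com
Subject: You've received an e-card!
Content-Type: text/html; charset=us-ascii

<html><body><p>A friend has sent you a greeting card.</p>
<p><a href="http://203.0.113.7/">http://www.example-cards.net/view</a></p>
</body></html>
"""

BENIGN = b"""From: newsletter@example.org
To: reader@example.com
Subject: Weekly security digest
Content-Type: text/plain; charset=us-ascii

This week's issue: https://www.example.org/newsletter/59
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The three checks are deliberately independent so that a message hitting only one of them can be queued for review rather than dropped; in practice the anchor-text mismatch is the one that survives longest as senders change wording.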
Zero-Day URI Flaw in Firefox on Windows (July 25, 2007)
A zero-day flaw in the way Firefox handles uniform resource identifiers (URIs) could be exploited to take control of vulnerable PCs. The flaw affects Firefox running on Windows. Attackers would need to lure users to maliciously crafted web pages to carry out the attack. Just last week, Mozilla patched a different URI handling flaw in Firefox; in that case, Internet Explorer could be manipulated to pass malicious URIs to Firefox. Mozilla maintained that the browser should validate a URI before passing it along; Microsoft argued that responsibility for input validation lies with the program that receives it. Mozilla has now acknowledged that Firefox is vulnerable to the same problem that Internet Explorer was recently found to have.
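An added example, not Mozilla's or Microsoft's code and not a reproduction of the flaw above, of the validation point the two vendors disagree about. It uses a hypothetical scheme "myapp:" whose handler is registered with a Windows-style command-line template in which the whole URI is substituted for %1; the handler path and the "-run-script" switch are invented for the example, and the crafted URI is constructed. The unsafe path shows how an unchecked URI containing a double quote ends the quoted argument and is parsed by the receiving program as extra switches; the hardened path rejects such URIs and passes the URI as one argv element instead of building a string.

```python
"""Validating a URI before handing it to an external protocol handler (added example)."""
import re
from urllib.parse import urlsplit

EXE = r"C:\Program Files\MyApp\myapp.exe"        # hypothetical handler binary
CMD_TEMPLATE = '"' + EXE + '" -url "%1"'          # hypothetical handler registration

# Constructed sample: the embedded double quote closes the -url argument and
# what follows is seen by the receiving program as additional switches.
CRAFTED = 'myapp://host.test/" -run-script "payload'
CLEAN = "myapp://host.test/page?id=1"

ALLOWED_SCHEMES = {"myapp"}
# Quotes and whitespace can terminate the quoted %1 slot; control characters
# never belong in a URI that was supposed to be percent-encoded.
FORBIDDEN = re.compile(r'["\s\x00-\x1f\x7f]')


def build_cmdline_unsafe(uri: str) -> str:
    """The weak pattern: substitute the URI into the template unchecked."""
    return CMD_TEMPLATE.replace("%1", uri)


def tokenize(cmdline: str) -> list:
    """Approximate Windows argument splitting: whitespace separates arguments,
    double quotes group them. Enough to show where the injected switch lands."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def validate_uri(uri: str) -> str:
    """Reject anything that could escape the argument slot or change the scheme."""
    if FORBIDDEN.search(uri):
        raise ValueError("URI contains quote, whitespace or control characters")
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unexpected scheme {scheme!r}")
    return uri


def is_safe_uri(uri: str) -> bool:
    try:
        validate_uri(uri)
        return True
    except ValueError:
        return False


def build_argv_safe(uri: str) -> list:
    """Validate, then pass the URI as a single argv element (no string
    building), so a stray quote could not split the argument even if the
    character check were loosened later."""
    return [EXE, "-url", validate_uri(uri)]


if __name__ == "__main__":
    print("unsafe argv:", tokenize(build_cmdline_unsafe(CRAFTED)))
    print("crafted URI accepted by validator:", is_safe_uri(CRAFTED))
    print("hardened argv:", build_argv_safe(CLEAN))
```

The receiving program should still treat the URI it is handed as hostile input, which is the position Microsoft took, because it cannot know which caller assembled the command line or whether that caller validated anything; the caller-side check above and a receiver-side check are complementary, not alternatives.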
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Newcastle City Council Data Breach Exposes Credit Card Data (July 26, 2007)
As many as 54,000 people who made payments to the Newcastle (UK) City Council with credit or debit cards could be affected by a data security breach. The incident affects people who made payments over a 15-month period between February 2006 and April 2007. A file on an unsecured server was reportedly downloaded to an Internet address that appears to be in the Middle East. The council has informed banks, police and the Information Commissioner. The council, which learned of the breach on July 19, says the credit card numbers are encrypted and do not include security codes.
County Website Closes Access to Sensitive Data (July 25, 2007)
The Franklin County (Ohio) Municipal Court clerk has halted access to Social Security numbers (SSNs) and driver's license numbers on the court's public website. Identity thieves allegedly used information gleaned from the site to obtain credit cards in a local woman's name. The cards have been used to make fraudulent purchases. Two people are being investigated in connection with the fraud.
Number Affected by Fidelity National Breach Grows (July 25, 2007)
Fidelity National Information Services now says that the number of consumer records stolen by a former employee is closer to 8.5 million. When the check-authorization company acknowledged the theft earlier this month, the initial estimate of affected consumers was 2.3 million. William G. Sullivan, the former Fidelity employee, allegedly sold the information to a data broker, who in turn sold the data to direct marketers. Fidelity National is not related to Fidelity Investments.
NZ Consumer Groups Seek Online Banking Code Clarification and Changes (July 25, 2007)
Consumer advocacy groups in New Zealand have made clear their intent to fight the New Zealand Bankers Association's (NZBA) decision to hold online banking customers liable for losses in certain cases. The banking Code of Practice would hold customers responsible for online theft if their computers do not meet certain security requirements. The wording of the Code suggests banks will be allowed to examine the computers of fraud victims, and if the victims refuse, they would be held liable for the losses.
LIST OF UPCOMING FREE SANS WEBCASTS
July 31, 2007 - WhatWorks in Intrusion Prevention and Detection: PCI, Global Compliance and Log Management at a Large Financial Firm
Sponsored By: Sourcefire
August 1, 2007 - Host Based Intrusion Prevention (HIPS), what does it do for me?
Sponsored By: CA
August 8, 2007 - Internet Storm Center: Threat Update
August 9, 2007 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards
Sponsored By: AirWave
August 22, 2007 - Encryption Face-Off: Software Encryption vs. DriveTrust Technology
Sponsored By: Seagate
August 23, 2007 - Full Disk Encryption - The Reasons, Options and Deployment Issues
Sponsored By: Seagate
****Be sure to check out the following Archived SANS Webcasts****
July 19, 2007 - Next-Gen Log Monitoring: Who's Minding the Applications?
Sponsored By: ArcSight
July 24, 2007 - Validating the Vault: Penetration Testing for Financial Institutions
Sponsored By: Core Security
July 25, 2007 - Meeting PCI Data Security Standards: It's more than log collection
Sponsored By: Q1 Labs
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/