
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume IX - Issue #73

September 14, 2007

In the past three months, more than 35 software and service vendors have begun promoting themselves as data leakage protection (DLP) providers. Some did it without even changing their product while others actually at least made an effort to make their products useful for DLP. These vendors are responding to a massive buying surge that has begun in data leakage protection, and that is continuing in data encryption. If you are going to spend money in either of these areas, please come listen to other users who have actually deployed the tools as they tell what works and what doesn't, the errors they made and the lessons they learned. I've been interviewing a lot of these users and they have GREAT stories to tell - stories that will save you a lot of pain if you are implementing DLP or encryption. The meetings are December 3-4 in Orlando on the Disney property. Whichever one you decide to attend, you may mix and match sessions between the two meetings.
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
***WhatWorks in Mobile Encryption Summit


DoJ Mobile Workers May Not Use Own PCs or PDAs
Calif. Breach Liability Bill Awaits Gov's Signature
BofA Deploys Additional Online Banking Security Layer
Customers Come First in Successful Breach Navigation


Ringleader of ID Fraud Gang Gets Five Year Sentence
Man Charged with Hacking UN Employee's Private eMail
German Police Arrest 10 in Connection with Phishing Scheme
Man Faces Prison for ID Fraud
CT to Hold Hearing on Stolen Revenue Dept. Laptop
Chinese Official Makes Cyber Espionage Allegations
Exploit Code Posted for Critical Microsoft Agent Flaw
Stolen Computers Hold Mental Health Histories
Gander Mountain Computer Theft Exposes Transaction Data
Microsoft Responds to Stealth Update Reports




DoJ Mobile Workers May Not Use Own PCs or PDAs (September 13, 2007)

Due to concerns over data security, US Department of Justice employees are no longer permitted to use their own computers or PDAs to access agency email and files. Teleworkers must now use department-issued laptops, docking stations, or BlackBerries so the devices can be properly monitored and equipped with encryption.
[Editor's Note (Kreitner): This is such a common sense policy that one wonders why it isn't more common. Let's hope DOJ is also using a "comply to connect" process to dynamically check the configuration status of remote devices before connection to enterprise networks is allowed.
(Pescatore): While this is a prudent decision for many enterprises who don't have security solutions for allowing use of non-managed devices, just saying no to use of personally owned devices isn't going to last forever - just the way saying no to the Internet or wireless LANs didn't last. There are security approaches to allowing remote access from unmanaged devices (ranging from thin clients to virtualization, combined with Network Access Control) and most enterprises are finding that business demands and a changing workforce are requiring them to move in the direction of supporting this. Plus, remember: mechanisms like Outlook Web Access, GoToMyPC and others have provided means for employees to use their own devices - if you are saying no, you better be investing in ways to find and stop these mechanisms.]

Calif. Breach Liability Bill Awaits Gov's Signature (September 12, 2007)

All that now stands between Californians and a new data breach law is the governor's signature. AB 779, known as the Consumer Data Protection Act, would make retailers responsible for the costs incurred by banks and credit unions that have to notify consumers and issue new cards as a result of a data security breach. Breached entities would also have to be forthcoming with information about the types of data exposed and would also have to refrain from storing certain types of financial transaction data. Retailers who suffer a breach but have proof that they had followed certain security guidelines would be exempt from the law. Governor Schwarzenegger is expected to sign the bill. Privacy legislation in California has been known to have a "ripple effect" across the rest of the country.

[Editor's Note (Schultz): If this act is signed into law, California customers of retailers will win big. Not only would retailers be liable for data security breaches, but they would also have virtually no choice but to put higher levels of security in place. ]

BofA Deploys Additional Online Banking Security Layer (September 11, 2007)

This week, Bank of America (BofA) is debuting an added security feature for its online banking customers. The optional service, called SafePass, will send a six digit code to customers' mobile phones that can be used to authenticate banking transactions. The code can be used once and is valid for 10 minutes. BofA customers can choose to require SafePass authentication for various types of transactions. SafePass is being rolled out for most customers this week; customers in California and the northwestern US will have the service in the next few months.
[Editor's Note (Pescatore): The use of mobile phones as the authentication token has worked pretty well outside the US, as in most other countries babies come out of the womb with a tiny little cellphone grasped in their hand and workers' mobile phone numbers are on their business cards and an attribute in Active Directory. It is an underutilized approach in the US, mainly because the US cellular phone system is such a hodge podge. But watch anyone under 30 and see how rarely they are without their cellphone in coverage and see how often they text message.
(Ullrich): Very nice idea, and worthwhile trying. I used a similar system while visiting China a few years back to get access to WiFi access points operated by China Telecom. Before this announcement, BofA used only a somewhat flawed "1 1/2 factor" authentication scheme. ]
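The single-use, ten-minute code described above, as an added example that is not BofA's SafePass code (which is not public): a minimal server-side issue/verify routine. Binding each code to one transaction id, the attempt limit and the in-memory store are assumptions made here for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600   # valid for 10 minutes, as in the article
MAX_ATTEMPTS = 5         # assumption: discard the code after a few wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and checks single-use, time-limited SMS-style codes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # (user_id, txn_id) -> PendingCode

    def issue(self, user_id, txn_id):
        # CSPRNG, zero-padded so leading zeros survive; one code per transaction
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[(user_id, txn_id)] = PendingCode(code, self._clock())
        return code  # would go to the SMS gateway, never back to the browser

    def verify(self, user_id, txn_id, submitted):
        key = (user_id, txn_id)
        entry = self._pending.get(key)
        if entry is None:          # never issued, already used, or already discarded
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]  # expired: force a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[key]  # too many guesses: force a fresh code
            return False
        if not hmac.compare_digest(entry.code, submitted):
            return False
        del self._pending[key]      # single use: delete before reporting success
        return True


def demo():
    """Exercise the rules with a controllable clock (constructed scenario)."""
    now = [1_000.0]
    svc = OneTimeCodeService(clock=lambda: now[0])
    code = svc.issue("alice", "wire-42")
    wrong = "111111" if code != "111111" else "222222"
    results = {
        "wrong_code": svc.verify("alice", "wire-42", wrong),
        "other_txn": svc.verify("alice", "wire-43", code),
        "right_code": svc.verify("alice", "wire-42", code),
        "replay": svc.verify("alice", "wire-42", code),
    }
    code2 = svc.issue("alice", "wire-44")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", "wire-44", code2)
    results["code_format"] = len(code) == CODE_DIGITS and code.isdigit()
    return results


if __name__ == "__main__":
    print(demo())
```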

Customers Come First in Successful Breach Navigation (September 10 & 11, 2007)

David Escalante, Boston College's director of computer policy and security, described how his institution managed a data security breach that compromised the personal information of approximately 100,000 alumni without alienating people affected by the breach. Within two weeks of discovering the breach, Escalante had assembled an incident response team from departments across the school, including legal and PR, and had sent notification letters to the 100,000 potentially affected alumni. Escalante said it was important to be up front about the incident with those it affected, and to apologize. BC also established phone lines for concerned alumni to call and have questions answered. College police reports were available to alumni who requested them and though the response team chose not to make an announcement to the press about the breach, the PR department responded to press inquiries. In contrast, TJX failed to be forthcoming with information about the breach of their systems that exposed millions of credit and debit card details.


[Editor's Note (Schultz): Boston College's response to this incident was not perfect, but it was so much better than the norm that I predict it will serve as a model of how to deal with incidents of this nature for years to come.
(Honan): One aspect done well by BC in their preparation was engaging with law enforcement before any breach occurred. Establishing a relationship with law enforcement before you suffer a breach allows you to better respond to the incident knowing in advance what is expected of you.]





Ringleader of ID Fraud Gang Gets Five Year Sentence (September 13, 2007)

The ringleader of an identity theft group has been sentenced to five years in prison. Irving Escobar will also pay US $600,000 in restitution. Some of the data used in the scheme were stolen in the TJX data breach, but Escobar and his cohorts are not believed to have been responsible for that attack; they bought the data they used from other people. Five other people involved in the scheme are now serving probation and a fifth person was deported. The gang used the data to create clone credit cards that they used to purchase gift cards at Wal-Mart and Sam's Club; losses from the scheme were estimated to be US $3 million.

Man Charged with Hacking UN Employee's Private eMail (September 13, 2007)

An Egyptian man is on trial in Dubai for allegedly hacking into the email account of a United Nations employee and attempting to blackmail her. The suspect allegedly accessed her private files and pictures. He has been charged with breaking into her email account, stealing her password and threatening to divulge her personal information through email.
[Editor's Note (Ullrich): This is not the first time that a hacker has used personal information found on a hacked system against the victim. Like most blackmail schemes, the victim is frequently too embarrassed to come forward, and even if they do, local law enforcement may not be able to offer much help. ]

German Police Arrest 10 in Connection with Phishing Scheme (September 13, 2007)

Police in Germany have arrested 10 people believed to be involved in a phishing scheme. The arrests are the culmination of an 18-month investigation into a scam in which people received phony emails purporting to be from eBay and Deutsche Telekom. Those email messages contained malware that collected sensitive banking account login data from infected computers.
[Editors' Note (Ullrich, Paller): German law enforcement has had a number of successes in computer fraud cases over the last couple years. Several involved east European criminals who were arrested while visiting or passing through Germany. The German law enforcement organizations have, up to this point, not gotten all the recognition they deserve, and it is great to see them getting credit for their impressive successes. ]

Man Faces Prison for ID Fraud (September 11, 12 & 13, 2007)

Max Ray Butler, who sometimes used the online moniker "Iceman," was arrested on September 5 and indicted on three counts of wire fraud and two counts of transferring stolen identity information. Butler allegedly broke into computer networks at several financial institutions and credit card processing centers, stole sensitive data, and sold them to others. If he is convicted of all charges against him, Butler could face up to 40 years in prison and a US $1.5 million fine. Butler also allegedly operated a website where cyber criminals traded data that could be used in identity fraud. Witnesses allege Butler used a high-powered antenna to intercept wireless communications. Butler previously served prison time for breaking into government computers.




[Editor's Note (Ullrich): Max Butler is also known as "Max Vision" and has been convicted of computer crimes before. He appears to be one of the first career cyber criminals. ]


CT to Hold Hearing on Stolen Revenue Dept. Laptop (September 8 & 13, 2007)

The Connecticut legislature's finance, revenue, and bonding committee will hold a hearing about the stolen laptop that contains personally identifiable information of 106,000 state taxpayers. The committee hopes to hear testimony from representatives from the Department of Revenue Services, the Department of Information and Technology, and the Office of the Attorney General. In the last fiscal year alone, more than 30 state-owned laptops were stolen or reported missing; Connecticut Governor M. Jodi Rell has ordered the state to develop more stringent measures to protect the state's laptop computers and other portable devices and the data they contain.

Chinese Official Makes Cyber Espionage Allegations (September 12 & 13, 2007)

In a Communist Party magazine, Chinese Information Industry Vice Minister Lou Qinjian alleges that "hostile" foreign governments, including the US, have successfully infiltrated Chinese government, military and scientific research computers and stolen "massive" amounts of sensitive information. The counter accusations appear to be a response to recent allegations that China has broken into government computers in Germany, France, the UK, and the US, among others.

[Editor's Note (Pescatore): It is silly to hyperventilate about which countries attacks are coming from. Every country, including the US, has the knowledge and the capacity to hack computer systems and every country has used it.
(Ullrich): I hope this is true. It's always hard to validate these claims, but I would think that any self-respecting national intelligence service includes cyber attacks as part of their standard toolkit. ]


Exploit Code Posted for Critical Microsoft Agent Flaw (September 13, 2007)

Less than a day after Microsoft released a patch for a critical remote code execution flaw in Windows 2000 Service Pack 4, exploit code for that vulnerability has appeared on the Internet. The flaw lies in the Windows Agent ActiveX control; ActiveX controls are "a pretty common attack vector," according to one advisory. Users are advised to apply the patch immediately, or if unable to do that, "disable support for active content in their browsers" until they can apply the patch.

[Editor's Note (Ullrich): "Hacktive X" as it is sometimes called by critics has probably been one of the largest architectural mistakes made by Microsoft. Not supporting ActiveX is one critical advantage alternative web browsers have over Internet Explorer. ]


Stolen Computers Hold Mental Health Histories (September 11, 2007)

Two computers stolen from a welfare office in Harrisburg, Pennsylvania contain mental health histories of more than 300,000 people, as well as names and Social Security numbers (SSNs) of approximately 2,000 people. The patients whose mental health histories are on the computers are not identified by name, and their treatment is recorded in coded form. The theft occurred on August 22, 2007. The Department of Public Welfare has begun notifying affected patients of the data security breach.

Gander Mountain Computer Theft Exposes Transaction Data (September 10, 2007)

Computer equipment stolen from a Gander Mountain Company store in Greensburg, Pennsylvania contains records of transactions that took place between July 2002 and June 2007 at that particular store: 112,000 records holding a credit card number and expiration date only, approximately 10,000 records holding a credit card number and expiration date along with a name, and approximately 5,750 records holding a credit card number, expiration date, name and driver's license number. Gander Mountain has notified the customers for whom it has address information, as well as credit card companies and their card-processing bank. A toll-free number for affected customers has been established.


Microsoft Responds to Stealth Update Reports (September 13, 2007)

Nate Clinton, Microsoft program manager in the Windows Update (WU) group, acknowledged that the company was not "as transparent as [it] could have been" regarding WU's updates. Clinton was responding to a report that Microsoft's WU service had made modifications to users' computers in the middle of the night, even if those users had set the program not to install updates without their permission. Clinton says the changes that were installed without permission were changes in the WU software itself, and that those using the service have implied by doing so that they expect to be notified of updates, so the service itself must be kept in good working order.


Ask the Expert: One Team, Two Team, Red Team, Blue Team
WHEN: Tuesday, September 18, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford

Sponsored By: Core Security

When you want to find out if a process or technology is really working, what do you do? Test it! This applies to auditing, disaster recovery, and certainly information security. In this webcast, learn how to build a penetration testing team to assess your organization's security posture, as well as an incident response team to detect and respond to the attacks.

Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark

Sponsored By: Seagate Technology

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing Seagate® DriveTrust™ against a software-based approach.

Ask the Expert Webcast: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch

Sponsored By: Secure Computing

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Ask the Expert Webcast: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth

Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit