SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #82
October 16, 2007
Application Security is hot. The attackers are increasingly targeting application vulnerabilities. Two useful responses:
1. Scholarships are available for all programmers who work for government agencies in the US and UK who want to earn the new GSSP (Secure Software Programmer) certification. The scholarships are part of SANS' partnerships with the US and UK governments to improve application security and protect national infrastructures. Exams are in London in November, in Washington in December, and in many other cities early in 2006. Email email@example.com for information on the scholarships (include the agency for which you work).
2. Programmers and testers are looking for ways to implement security throughout the development lifecycle and establish security at every stage. SANS Software Security Series offers courses specifically designed to teach anyone responsible for securing software and web applications the best ways to implement security during the software development lifecycle. More data:
PS If you are coming to the SANS classes in two weeks in Houston, you'll have 4 great free evening sessions as well: one with the FBI, one on wireless mapping with Google, one on the top five firewall leaks, and one on Windows PowerShell. Information: http://www.sans.org/houston07
TOP OF THE NEWS
Schwarzenegger Vetoes Proposed Data Protection Legislation
SWIFT to Move EU Transaction Processing Out of US
California Bans Mandatory RFID Implants
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Six-Week Suspension for "Disregard of Sensitive Data"
Pair Gets Jail Time for Spam
Former Employee Convicted of Destroying Company Data
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
New National Strategy for Homeland Security is Vague
Air Force Looks to Step Up Cyber Attack Response
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Patch Release Scheduled for October 16
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing TSA Computers Contain Driver Data
Stolen Laptops Hold Carnegie Mellon Univ. Student Data
STATISTICS, STUDIES & SURVEYS
Just 10 Percent of UK Councils and Police Encrypt All Data
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By Sunbelt Software *******************
Is Your Network Protected Against Blended Malware Threats?
CounterSpy Enterprise gives you protection against malware using a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology.
Find out how many machines on your network are infected! Download the free trial now!
Where can you find Hacker Exploits and SANS' other top-rated courses?
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
TOP OF THE NEWS
Schwarzenegger Vetoes Proposed Data Protection Legislation (October 15, 2005)
California Governor Arnold Schwarzenegger has vetoed a proposed law that would have held retailers liable for losses incurred by financial institutions as a result of security breaches. The law would have required retailers to implement stringent security measures to protect transaction data and would have prohibited them from storing certain types of transaction information. Schwarzenegger said that the bill could potentially conflict "with private sector data security standards," but did not dismiss the proposal entirely; he would like to see "the author and the industry work together on a more balanced legislative approach."
SWIFT to Move EU Transaction Processing Out of US (October 4, 10 & 15, 2007)
International payment processing organization SWIFT plans to restructure its systems architecture so that it will no longer process European banking transactions in the US. By 2009, the organization will have a data processing center in Switzerland and a command center in Hong Kong. In addition to improving the system's capability and reliability, SWIFT also aims to take some data out of the hands of the US. Belgium-based SWIFT has met with harsh criticism for allowing US intelligence agencies access to European citizens' transaction data. SWIFT said that because it processed the data in the US, it had to comply with the agencies' requests for access. Data protection authorities in Europe have determined that in doing so, SWIFT violated data protection laws. EU-US transactions will continue to be processed in the US.
[Editor's Note (Honan): By moving the data processing centre to Switzerland, SWIFT will not be subject to the EU Data Protection Act as Switzerland is not part of the EU. However, SWIFT will be obligated to abide by Swiss data protection and privacy regulations. This is a very good example of how international companies can fall foul of local laws and regulations and highlights why it is important to have local legal expertise available in each of the jurisdictions you operate in. ]
California Bans Mandatory RFID Implants (October 15, 2007)
California joined Wisconsin and North Dakota in banning employers and other entities from requiring people to have RFID chips implanted beneath their skin. An Ohio surveillance company last year required certain employees to have RFID chips implanted. State Senator Joe Simitian (D-Palo Alto), who introduced the bill, calls forced tagging "the ultimate invasion of privacy." He also expressed disappointment that the companies that manufacture and sell the RFID devices remained silent about the legislation. Governor Schwarzenegger signed the law on Friday; it takes effect on January 1, 2008.
************************* Sponsored Links: ***************************
1) Attack Notification: "How Hackers Use SQL Injection to Steal Your Data and Bypass Authentication"- SPI Labs White paper
2) How are you utilizing sFlow to improve network security and performance?
Register for a FREE webinar "sFlow for Network Security and Traffic Analysis"
3) Learn about using/implementing automated DLP technologies at the Data Leakage and Insider Threat Summit December 3-4.
THE REST OF THE WEEK'S NEWS
Six-Week Suspension for "Disregard of Sensitive Data" (October 15, 2007)
A Connecticut state Department of Revenue Services supervisor has been suspended without pay for six weeks for violating confidential data protection handling policies. Jason Purslow's suspension follows an investigation into the August 17 theft of a laptop computer from his car. The computer held personally identifiable information of approximately 106,000 state taxpayers. The investigation determined that while Purslow "exhibited a disregard for sensitive data, [his actions] did not unequivocally constitute willful neglect."
[Editor's Note (Schultz): It is becoming increasingly commonplace for individuals who have been responsible for personal and/or financial data that have been compromised or misplaced to receive a punishment similar to the one in this news item. In the long run this trend is likely to reduce the probability of data security breaches. (Northcutt): I think our last NewsBites issue reported a one week suspension; here we see six weeks. If you are of the "hanging is too good for them" camp, be patient. Accountability is rare, and we are starting to see it. Add a few more, and we have the awareness tools to start changing behavior. ]
Pair Gets Jail Time for Spam (October 12, 14 & 15, 2007)
Jeffrey A. Kilbride and James R. Schaffer have received prison sentences for their roles in a spam operation. Kilbride and Schaffer were prosecuted for CAN-SPAM violations as well as fraud, money laundering, and obscenity charges. They launched their spam operation in 2003; when the CAN-SPAM Act was passed later that year, the men tried to make it appear their business was located overseas by logging into servers in Amsterdam remotely, and directing income from their scheme to bank accounts in the Republic of Mauritius and the Isle of Man. Kilbride was sentenced to six years in prison, while Schaffer received a sentence of slightly more than five years. They were also fined US $100,000, ordered to pay US $77,5000 in restitution to AOL, and must forfeit more than US $1 million in proceeds from their scheme.
Former Employee Convicted of Destroying Company Data (October 11 & 12, 2007)
A disgruntled former Pentastar Aviation employee has been convicted of breaking into company computers and destroying data. Joseph Patrick Nolan failed to sign a separation agreement by the deadline given him after he resigned from the company. He assumed he would be paid for his final two weeks, but the absence of a signed agreement meant no paycheck, which angered him. Nolan later gained access to Pentastar's computer system and destroyed payroll and personnel data. He faces up to 10 years in prison and a US $250,000 fine when he is sentenced in January.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
New National Strategy for Homeland Security is Vague (October 11, 2007)
The Bush Administration has published a new National Strategy for Homeland Security. While the document acknowledges that many services Americans consider essential depend on the Internet, it does not offer a specific plan of action for securing cyberspace. The document also argues that authorities need broader surveillance powers because of the ubiquity of Internet-connected services. The strategy has been criticized for being vague and "squishy."
Air Force Looks to Step Up Cyber Attack Response (October 11 & 12, 2007)
US Air Force Maj. Gen. William Lord, incoming commander of the provisional Air Force Cyber Command, says the US military needs new rules of engagement to determine appropriate responses to cyber attacks. Lord also said that members of the US Air Force will be issued "cyber sidearms" so they can quickly relay information about security breaches of Air Force computers. It has not yet been decided which technology will be used to send the necessary information to security experts. Air Force service members given the "cyber sidearms" will be tested with phony cyber threats.
[Editor's Note (Ullrich): While the "cyber sidearms" sound like little more than a virus scanner, the focus on cyber security is certainly well advised. The note about regularly testing this new protection is especially refreshing.
(Northcutt): Normally I would try to stop NewsBites from covering this "news" story, but about a dozen news sources have already picked this up. It has ZERO content. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Patch Release Scheduled for October 16 (October 13 &, 2007)
Oracle will release patches for 51 security flaws in a variety of products on Tuesday, October 16. There are 27 vulnerabilities in Oracle database; five of those have the potential to be remotely exploited without authentication. There are 11 flaws in Oracle Application Server, seven of which are remotely exploitable without authentication. The maximum severity rating of this set of flaws is 6.8 on version 2 of the Common Vulnerability Scoring System (CVSS) scale of 1 to 10.
[Editor's Note (Skoudis): Fifty-one flaws! Ouch... I guess that's what happens when you only release patches quarterly, extending the exposure timeframe of your customers and making regression testing more complex. Be careful in testing all of these things before rolling them into production. Watching other vendors struggle through their patch process actually makes me realize that Microsoft has gotten really good at this. Oracle, VMware, and most other vendors could learn a lot from Microsoft in issuing security patches. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing TSA Computers Contain Driver Data (October 15, 2007)
Two Transportation Safety Administration (TSA) laptop computers are missing from a contractor's office. The computers, which officials presume were stolen, contain information about commercial drivers who transport hazardous materials. The data include names, addresses, birthdates and commercial driver's license numbers of 3,930 individuals; some Social Security numbers (SSNs) are included as well. The contractor said the information had been deleted from the computers before they disappeared, but TSA investigators have determined that the data could still be recovered from the machines. In the wake of the theft, the TSA has instructed the contractor to encrypt hard drives.
[Editor's Note (Ullrich): Corporate and government data collection efforts frequently overlook the fact that they create new vulnerabilities. Collecting data in a single place makes it easier for an attacker to access it, as well.
(Ranum): Once you look beyond the game of "blame the contractor" you're left with the more interesting question why the contractors were given access to this information in the first place. Why do they need to carry it around on laptops? How does TSA get the permission to simply give this stuff out to contractors? ]
Stolen Laptops Hold Carnegie Mellon Univ. Student Data (October 9 & 10, 2007)
Two laptop computers stolen from the locked office of a Carnegie Mellon University computer science professor hold personally identifiable information of approximately 400 students. While the theft occurred on or around September 2, affected individuals were not notified of the breach until September 29. The breach is believed to affect students who took courses from the professor between summer 2004 and spring 2006.
STATISTICS, STUDIES & SURVEYS
Just 10 Percent of UK Councils and Police Encrypt All Data (October 12, 2007)
A survey of local authorities in the UK found that only 10 percent encrypt all sensitive data. Of the 60 local councils and police authorities, 45 percent encrypt some data. Forty-three percent of those responding said they never encrypt data. However, 38 percent of the organizations acknowledged they had experienced lost or stolen laptops within the last year. Just eight percent of the organizations have disaster recovery plans in place. Thirty percent said they have no policies for the use of USB devices; two percent have completely banned USB devices.
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
Sponsored By: Securent
In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.
SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
Sponsored By: Watchfire
With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.
Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics
Join this webcast to learn:
- What to consider when evaluating log management solutions
- How to use log management to address compliance audits
- How to get better security intelligence from existing data
- Tips for streamlining log management operations
Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Ansh Patnaik
Sponsored By: ArcSight
Join this Webcast to learn:
- How to evaluate and select the right log management solution for your environment
- What big log management mistakes can be avoided, and how to avoid them
- Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice
Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
Sponsored By: FoxT
In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/