SANS NewsBites

Volume VIII - Issue #20

March 10, 2006


Chinese Cyber Invaders May be After Defense Logistics
Security Companies Join Forces to Close Trojan-Related Sites


Survey: Operational Incidents and Staffing Issues Top CIO's List of Concerns
Security and Privacy Top Federal CIO's List of IT Concerns
Attackers Sidestepping Phishing Site Closures
Apple Patch Has Limitations
Debit Card Fraud May be Linked to OfficeMax-Related Breach
Citibank Takes Steps to Stanch Fraudulent Cash Withdrawals
Google Settles Fraudulent Clicks Suit
Oxford Shops Test Pilot Fingerprint Payment System
Microsoft Says it Did Not Provide Info Leading to Chinese Web Journalist's Arrest
Lloyds TSB Pleased with Two-Factor Authentication Trial

************************* Sponsored by CipherTrust **********************

Do you have PC zombies in your network? Protect yourself - get a free evaluation using CipherTrust RADAR - Inside.


Upcoming Security Training in Monterey, San Diego and Washington DC

Turbocharge your security career, or the careers of your coworkers, this spring in San Diego in early May: a dozen of SANS' most popular courses and a vendor exposition right on the harbor in San Diego.

Or come to Washington in July, right after July 4, for the biggest SANSFIRE ever: all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's early warning system (the Internet Storm Center) actually works. Bring your family for the national fireworks show.



Chinese Cyber Invaders May be After Defense Logistics (1 March 2006)

China may be funding intrusions into US Defense Department computer systems to ferret out logistical data. Former Air Force CIO John Gilligan says that the Defense Department's unclassified network, the Nonsecure Internet Protocol Router Network (NIPRNet), holds a great deal of defense logistical data. (Gilligan is now the deputy director of SRA International's defense sector.) James Mulvenon, director of Defense Group Inc.'s Center for Intelligence Research and Analysis, says the attackers are "burrowing into really boring logistics networks," which indicates they have support from a foreign state. NIPRNet is not a classified network; classified networks are expensive and do not allow easy communication with the "outside world." Michael O'Hanlon, senior fellow in foreign policy studies at the Brookings Institution, says, "If there's any good news here, it's that computers are getting attacked all the time." In other words, network security should improve as attacks are recognized and holes are repaired.

[Editor's Note (Ranum): Many "old school" practitioners have pointed out for years that "sensitive but unclassified" networks wind up carrying data that, in the aggregate, is often more interesting than classified data. The fact that this particular turkey is coming home to roost is no cause for amusement, however. The DOD persists in treating information security like a game for amateurs; it is not. ]

Security Companies Join Forces to Close Trojan-Related Sites (8 March 2006)

RSA Security and Panda Software have teamed up to shut down web sites related to Trojan horse programs designed to help the criminals who deploy them steal sensitive data that could be used to commit identity fraud. Of the five sites the companies have shut down thus far, three sold the programs and two let the programs' operators monitor the spread of the malware. The Trojans send the purloined data back to the attackers.

************************* Sponsored Links: ******************************

1) ALERT: PENETRATION TEST your Web Applications for FREE!- WebInspect Trial Offer

2) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost!

3) Two Free Webcasts Next Week
- WhatWorks in Intrusion Prevention Tuesday, March 14 at 1:00 PM EST (1800 UTC/GMT)
- Internet Storm Center: "Threat Update" Wednesday, March 15 at 1:00 PM EST (1800 UTC/GMT)




Survey: Operational Incidents and Staffing Issues Top CIO's List of Concerns (9 March 2006)

(Reader beware: This story, as you'll see from John Pescatore's note below, mischaracterizes the study.)
The IT Governance Institute's (ITGI) IT Governance Global Status Report 2006 found the most pressing IT concerns among chief executives and chief information officers (CIOs) are operational incidents and staffing issues; security and compliance were at the bottom of the list. This may be due to the fact that companies have been deploying technologies to ensure compliance with Sarbanes-Oxley and other regulations. The nearly 700 respondents represent 22 countries.

[Editor's Note (Pescatore): This paragraph misstates the survey. When asked what is the most important problem to address in the next 12 months, the number one response was security, and security made the top three when CIOs ranked their problems by severity. It was only when asked about the past 12 months' problems that security was at the bottom of the list. It is good to see compliance dropping down the list; it was *lowest* rated by CIOs in importance of addressing the problem. Good to see the recognition by CIOs that compliance does not equate to security.
(Paller): What is depressing about the journalist's mischaracterization of the study is that the IT Governance Institute's own executive summary of its study got it wrong, too. ]

Security and Privacy Top Federal CIO's List of IT Concerns (7 March 2006)

The Information Technology Association of America's (ITAA) 16th Annual Federal CIO Survey found that federal CIOs rate IT security and privacy as their most pressing concerns. Though they believe they have made progress in these areas, they also say that protecting information while allowing people access to it is a stressful balancing act that consumes their budgets. ITAA interviewed 36 CIOs and assistant CIOs and three government oversight officials during the last five months of 2005.
[Editor's Note (Pescatore): A stressful balance, sure. But "consumes their budgets"? Federal agencies spend (on average) a lower percentage of their IT budgets on security than the typical private sector business. ]


Attackers Sidestepping Phishing Site Closures (8 March 2006)

Phishers have begun using a new technique to ensure a higher rate of victims reaching fraudulently constructed web sites. Because anti-phishing vendors are taking more aggressive steps to close phishing sites, some phishing email now directs recipients to one IP address that hosts a "smart redirector" that checks to see which web sites are still live before deciding where to send the intended victim. Smart redirector attacks have been detected at two banks.
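The redirector described above, modelled as an added example that is not code from the article or from any anti-phishing vendor. It shows the attacker-side selection of the first still-live landing page, and the defender-side check that follows the redirect chain so a takedown request names the redirector host in the mail and not only the landing page it happened to pick that day. All hosts and URLs are constructed stand-ins from the RFC 5737 documentation ranges, and HTTP is replaced by an injected fetch function, so nothing on the network is contacted.

```python
"""Model of a phishing 'smart redirector' and the defender's redirect-chain check.
Constructed example: hosts are documentation addresses (RFC 5737), and HTTP is
replaced by an injected fetch() so everything runs offline."""
from urllib.parse import urlsplit

# Hypothetical landing pages a phishing kit could rotate through.
CANDIDATE_LANDING_PAGES = [
    "http://203.0.113.10/login/",
    "http://198.51.100.7/secure/",
    "http://192.0.2.55/bank/",
]
# Hypothetical single IP address that the phishing mail links to.
REDIRECTOR = "http://192.0.2.1/r"


def choose_live_target(candidates, is_live):
    """Attacker-side logic: first candidate that the liveness probe accepts.
    is_live(url) -> bool is injected so the model never touches the network."""
    for url in candidates:
        if is_live(url):
            return url
    return None  # every landing page has been taken down


def follow_redirects(start_url, fetch, max_hops=10):
    """Defender-side: walk Location headers from the URL in the mail.
    fetch(url) -> (status, headers) is injected. Returns every URL visited,
    stopping on a non-redirect, a missing Location, a loop, or max_hops."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            break
        nxt = headers.get("Location")
        if not nxt:
            break
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record it once and stop
            break
        seen.add(nxt)
        url = nxt
    return chain


def takedown_targets(chain):
    """Hosts to report, in chain order: the redirector comes first, because
    closing only the final landing page leaves the link in the mail working."""
    hosts = []
    for u in chain:
        host = urlsplit(u).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def make_fake_fetch(live_landing_pages):
    """Offline stand-in for HTTP. The redirector answers 302 to the first live
    landing page (404 if none remain); landing pages answer 200 if live,
    otherwise status 0 to model a site that has been closed."""
    def fetch(url):
        if url == REDIRECTOR:
            target = choose_live_target(
                CANDIDATE_LANDING_PAGES, lambda u: u in live_landing_pages)
            return (302, {"Location": target}) if target else (404, {})
        return (200, {}) if url in live_landing_pages else (0, {})
    return fetch


if __name__ == "__main__":
    # First landing page already closed; the link in the mail still works.
    fetch = make_fake_fetch({CANDIDATE_LANDING_PAGES[1], CANDIDATE_LANDING_PAGES[2]})
    chain = follow_redirects(REDIRECTOR, fetch)
    print("chain:", chain)
    print("report these hosts:", takedown_targets(chain))
```

The point of `takedown_targets` is that the host to get closed first is the redirector: as long as it stays up, the attacker only needs one surviving landing page anywhere in the candidate list.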


Apple Patch Has Limitations (7 March 2006)

Apple's recently released security update for Mac OS X does not adequately address a serious flaw that allows malicious code execution. While Apple has added a function to Safari, Apple Mail and iChat that informs users that downloads could be malicious, attackers could still create malicious files that appear to be safe. Rather than addressing the flaw head on, the fix acts as a checkpoint. The warning does not appear for users who have disabled the "open safe files after downloading" option, nor does it appear in applications other than those listed above.
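The article does not describe how the disguised files are built, so what follows is an added example of the generic check a download handler needs, not Apple's fix and not code from the article: it decides whether a download is safe to auto-open from what its leading bytes say it is, rather than from the name it arrived with. The signature tables, verdict names and sample files are constructed for this example and are illustrative rather than exhaustive.

```python
"""Classify a downloaded file by its magic bytes rather than its extension.
Constructed example: the signature tables are illustrative, not exhaustive."""

# Leading bytes for file types a browser might treat as 'safe' to open.
SAFE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}

# Leading bytes of things that execute when opened. Mach-O magic occurs in
# both byte orders on disk; 0xcafebabe is the Mach-O fat (universal) header.
EXECUTABLE_MAGIC = {
    b"#!": "script",
    b"\xfe\xed\xfa\xce": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"MZ": "PE executable",
}


def extension_of(filename):
    """Lower-cased final extension of the last path component, or '' if none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def executable_kind(data):
    """Name of the executable format the bytes announce, or None."""
    for sig, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def classify_download(filename, data):
    """Return one of:
    'safe'                 extension claims a known safe type and the bytes agree
    'disguised_executable' bytes are executable but the name claims a safe type
    'executable'           bytes are executable and the name does not hide it
    'mismatch'             extension claims a safe type but the bytes disagree
    'unknown'              extension is not in the safe table; do not auto-open"""
    ext = extension_of(filename)
    expected = SAFE_MAGIC.get(ext)
    if executable_kind(data) is not None:
        return "disguised_executable" if expected is not None else "executable"
    if expected is None:
        return "unknown"
    if any(data.startswith(sig) for sig in expected):
        return "safe"
    return "mismatch"


def should_auto_open(filename, data):
    """Policy for an 'open safe files after downloading' style feature:
    only content-verified safe types are opened without asking the user."""
    return classify_download(filename, data) == "safe"


if __name__ == "__main__":
    samples = {  # constructed sample downloads
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "holiday2.jpg": b"#!/bin/sh\necho owned\n",
        "report.pdf": b"PK\x03\x04\x14\x00",
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        verdict = classify_download(name, data)
        print(f"{name:14} {verdict:22} auto-open={should_auto_open(name, data)}")
```

The difference from a warning dialog is that `should_auto_open` never asks the user to judge a file whose bytes and name disagree; such a file simply is not opened automatically. A real handler would also need to look past the outer container (an archive or disk image) before trusting the verdict.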


Debit Card Fraud May be Linked to OfficeMax-Related Breach (8 March 2006)

Investigators say that debit card fraud affecting members of credit unions in Leominster and Fitchburg, Massachusetts may be linked to a security breach related to OfficeMax; all affected customers had used Visa debit cards at OfficeMax. Fraudulent account withdrawals have been made in Spain, Turkey, Greece, Switzerland and the UK, as well as in the US and Canada, suggesting that the information is being sold on the Internet. The thieves used cloned debit cards constructed with stolen PINs, obtained either from OfficeMax or from a transaction processor. An OfficeMax spokesperson said there is no evidence of a security breach of the company's network.
[Editors' Note (Schultz, Honan, Paller): When a company claims "no evidence of a security breach," one should ask three questions: whether
1) an adequate level of system logging was turned on and inspected regularly,
2) adequate intrusion detection measures were in place, and
3) the "no evidence" verdict was independently verified by a technical expert.
(Weatherford): One of the more important pieces of information in this article may be the fact that debit card accounts are less well-protected by anti-fraud technology than traditional credit card accounts. This might be an issue the banking industry should be addressing. ]

Citibank Takes Steps to Stanch Fraudulent Cash Withdrawals (7 March 2006)

Citibank has reissued "an unspecified number of credit and debit cards" and "blocked PIN-based transactions of Citi-branded MasterCard cards in the UK, Russia and Canada" due to a rash of fraudulent ATM withdrawals in those three countries. Citigroup says the cards may have been "compromised following an unspecified breach of its network."



Google Settles Fraudulent Clicks Suit (9/8 March 2006)

Google will pay as much as US$90 million to settle a lawsuit brought by advertisers who allege the company overcharged them for phony sales referrals generated by "click fraud." The settlement applies to all companies that advertised on Google over the past four years. Google has offered to provide the companies with credit for the fraudulent clicks since 2002. Google will also pay legal costs. The court has not yet approved the settlement, however.

[Editor's Note (Pescatore): The entire area of clickstream data and search string data used to set advertising rates is wide open to Internet-based fraud. In the TV and publication world, the companies selling advertising space have to pay into services that verify circulation or viewership numbers used to determine advertising prices. Companies selling Internet ads need to invest in similar assurance that the clickers or searchers are real people, not automated bots.
(Northcutt): Hmmm, according to The Age, Click Fraud is when users click on links when they have no intention of buying. I hope this does not lead to browser hard sell, where you click on a link and a dialog box pops up asking if you are prepared to buy *right now*. ]

Oxford Shops Test Pilot Fingerprint Payment System (8 March 2006)

Three branches of the Co-op in Oxford, UK are running a trial of a biometric fingerprint payment system. The free service is reportedly a response to shoppers' worries about having to remember PINs. The pilot is scheduled to run for 16 weeks; customers will be asked to provide feedback to help the store decide whether the system will become permanent.

Microsoft Says it Did Not Provide Info Leading to Chinese Web Journalist's Arrest (8/7 March 2006)

A Microsoft spokesperson said the company did not provide Chinese authorities with information leading to the arrest of journalist Li Yuanlong, who was charged in February with incitement to subversion for posting articles on a website. Li apparently used a Hotmail account to post his articles anonymously.

Lloyds TSB Pleased with Two-Factor Authentication Trial (6 March 2006)

A five-month trial of two-factor authentication technology at Lloyds TSB has proven successful; none of the 23,500 participating customers experienced online banking fraud. Seventy percent of the customers using the keychain-sized device rated it "very good" or "excellent." The device generates a one-time password.
[Editor's Note (Weatherford): I'm not sure that quoting "a lack of on-line banking fraud by 23,500 customers" is the right metric to measure success because it almost sounds like they expected a certain amount of fraud. However, if this pilot convinces people that two-factor authentication is worth the effort and expense, it may help move industry in the right direction. ]


NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
