Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #17

February 29, 2008

If you are relying on full disk encryption, see the last story for pointers to all the vendor white papers on how they are dealing with the attack. Before you fully trust their assurances you may find value in reading the Swa Frantzen's Internet Storm Center entry on this topic at http://isc.sans.org/diary.html?storyid=4043 . Also, we have scheduled a web cast on what to do about the cold boot problem: next Thursday (March 6). In fact, take a look at the list of webcasts at the end of this issue - they are much more useful than most of the security web casts being promoted by the publishing companies.

Note for people planning to attend security training this spring: The deadline for savings on SANS08 in Orlando is next Wednesday, March 5. More information: http://www.sans.org/sans2008,

Safer Web Applications: If you are buying or building any important web applications, there's a special class in Orlando that enables your developers to ensure they have mastered the essentials of secure coding in Java. It's the only prep course so far for the now-mandatory GSSP secure programming examination for developers. We are offering a 35% discount on that course (April 22- 25) if the person agrees to give us detailed feedback on how to improve the course further. Email ccalhoun@sans.org for the discount code.


Google Health Privacy Concerns
German Court Overrules Blanket Covert PC Surveillance
Alaska House Passes Personal Information Protection Act


Civil Liberties Groups Come to Wikileaks Defense
Home Office Disk Found Hidden in Laptop Sold on eBay
Mozilla Releases Thunderbird Update
US-CERT Warns of Windows CE Trojan
FTP Database Contains Thousands of Account Credentials
More Than 50% of Companies Have Fired Workers for eMail and Internet Misuse
ICO: Lost Laptop with Irish Blood Donor Info Not a DPA Breach
Experts Weigh in on Cold Boot Attack Defenses

*********** Sponsored By Digital Persona Inc. ***********

Free Fingerprint Biometrics Test Drive - DigitalPersona's fingerprint authentication links actual people to individual actions. You know for sure, who does what, where and when. Implement strong security policies and make you and your users' lives easier. Eliminate password pain, simplify compliance and make auditors happy with DigitalPersona's fingerprint authentication. Get started: http://www.sans.org/info/24893


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses? - - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008 - - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08 - - San Diego (5/9-5/16) http://www.sans.org/securitywest08 - - Toronto (5/10-5/16) http://www.sans.org/toronto08 - - and in 100 other cites and on line any-time: www.sans.org



Google Health Privacy Concerns (February 27 & 28, 2008)

The emergence of personal health record management services has raised privacy concerns. Google is piloting one such product - Google Health - - with the Cleveland Clinic. While the online dossiers offer the convenience of being able to merge health data, they are controlled by consumers, not physicians, and are therefore not protected by the Health Insurance Portability and Accountability Act (HIPAA). Although Google and other entities developing similar products maintain they will offer even more stringent protections than HIPAA's, "the very existence of a detailed health dossier accessible in an instant can make control difficult."

[Editor's Note (Schultz): The issue described in this news item introduces a new dimension to data security protection woes. Count on the fact that if users are in the loop, security risk will skyrocket.
(Pescatore): It is not a given that there will be huge demand from consumers for these personal heath records, as the financial information aggregation services that are the finance record equivalent of this really didn't explode. However, it is inevitable that some consumers will want to aggregate and control their own medical information to have some increased level of control of their medical care and some increased leverage in reducing costs through competition and second opinions and the like. The real key issues here are (1) making sure that all such services have external security audits and (2) *most importantly* that they be required to make any and all third party use of consumer health be purely opt-in with full audit and accountability. It is one thing for the Googles and the Microsofts or others to make some money by selling advertising around medical record access; it's a whole different issue to be able to resell medical-related information, even if it is only at the aggregate or metadata level. ]

German Court Overrules Blanket Covert PC Surveillance (February 28, 2008)

Germany's Federal Constitutional Court, which reviews laws passed in that country, has overruled provisions of the State of North Rhine-Westphalia's Constitutional Protection Act that allowed investigators to conduct covert searches of PCs over the Internet. The judges found that the blanket searches severely violated privacy, and restricted covert PC surveillance to instances when "there is evidence that an important overriding right would otherwise be violated."

Alaska House Passes Personal Information Protection Act (February 28, 2008)

With a vote of 35-0, Alaska's House of Representatives has passed HB 65, the Personal Information Protection Act. The bill would require organizations to notify citizens when their personal data are compromised in a security breach. Other provisions in the bill include banning the sale and disclosure of Social Security numbers (SSNs), and allowing consumers to freeze their credit reports. The bill now goes to the Senate. If the legislation passes, Alaska will become the 31st state to have an identity theft law.

************************** Sponsored Links: ***************************

) Full Disk without the Risk
Full Data Encryption2: tighter security without compromising IT operations. Protect what matters. Download overview. http://www.sans.org/info/24898

2) Come to the Penetration Testing and Ethical Hacking Summit June 2-3 - - Las Vegas. Come hear what works. http://www.sans.org/info/24903

3) How can I address Application Security? Find out at the Application Security Summit June 2-3 in Las Vegas. http://www.sans.org/info/24908




Civil Liberties Groups Come to Wikileaks Defense (February 28, 2008)

The American Civil Liberties Union, the Electronic Frontier Foundation, the Project on Government Oversight (POGO) and a Wikileaks.org user are seeking permission to intervene in a case in which a judge ordered the whistleblower site shut down. The groups maintain the judge's ruling violated the First Amendment right to receive information and ideas. In addition, Harvard law School's Berkman Center for Internet & Society's Citizen Media Law Project has filed an amicus brief asking that the court reverse its decision.

[Editor's Note (Grefer): Even though the court has barred Wikileaks from using the wikileaks.org domain name, the site is still alive, both at its IP address
and via various other top level domain extensions listed at


Home Office Disk Found Hidden in Laptop Sold on eBay (February 28 & 29, 2008)

A laptop computer purchased on eBay contained a surprise - a disk hidden beneath the keyboard and labeled "Home Office" and "Confidential." The disk was discovered when the buyer took it to a repair shop; both the disk and the computer were encrypted. The Home Office has launched an investigation into the matter.
[Editor's Note (Pescatore): This is an oddball one (I've never even *seen* a laptop where you could hide something under the keyboard) but it is very common to see sensitive business information show on computers and PDAs (and likely smartphones in the future) on eBay or other sites where decommissioned business IT gear is resold. Businesses should have a policy and process for cleansing all memory and storage before surplussing IT equipment, or have services built into surplussing contracts that make sure it happens.




Mozilla Releases Thunderbird Update (February 27, 2008)

Mozilla has released an updated version of its Thunderbird email client, Thunderbird, to address several flaws that could be exploited to take control of vulnerable computers. The most serious of the flaws is a critical heap buffer overflow vulnerability in external MIME bodies that could allow remote code execution with current user privileges. The flaw affects Windows and Linux versions of Thunderbird. The other flaws include information disclosure, directory traversal, privilege escalation, cross-site scripting, and remote code execution. Users are urged to upgrade as soon as possible.



US-CERT Warns of Windows CE Trojan (February 26, 2008)

The US Computer Emergency Readiness Team (US-CERT) has issued a warning about malware that attacks devices running Microsoft Windows CE. The WinCE/InfoJack Trojan horse program steals mobile devices' serial numbers, operating system information and other data and uploads them to a website controlled by the attacker. It also disables Windows Mobile application installation security to allow other malware to be loaded onto the infected device without the user's knowledge.

[Editor's Note (Grefer): Given that WinCE has become quite prevalent in various hospital and other medical settings, this is not good news for patients' safety and wellbeing. ]


FTP Database Contains Thousands of Account Credentials (February 27, 28 & 29, 2008)

Finjan says it has discovered a database of 8,700 FTP (file transfer protocol) server credentials that are being sold online. The information can be used to attack computer systems. The credentials belong to thousands of companies around the world, including many top level domains.




[Editor's Note (Grefer): Regular FTP, SMTP-Auth, POP3, IMAP and Telnet credentials can easily be intercepted in transit, because they are clear text transmissions. Whenever possible, use their respective secure equivalents or establish a secure tunnel to protect the data in transit. ]


More Than 50% of Companies Have Fired Workers for eMail and Internet Misuse (February 28, 2008)

More than half of 304 US companies surveyed said they had fired employees for email and Internet misuse. Of those managers who fired employees for Internet misuse, 84 percent said the employees were viewing inappropriate content, and 34 percent said they had fired people for excessive personal use of the Internet on the job. Of managers who fired workers for email misuse, 64 percent said workers had violated company policy and 62 percent said the emails contained inappropriate or offensive language. Twenty-two percent said they fired people for breaching confidentiality rules in email, and more than 25 percent said they had fired workers for excessive personal use of email.


Irish Data Commissioner: Lost Laptop with Irish Blood Donor Info Not a DPA Breach (February 27, 2008)

Following an investigation, the Irish Data Protection Commissioner has determined that the theft of a laptop computer containing personal information belonging to approximately 175,000 Irish citizens was not a violation of the Data Protection Act. The laptop computer was stolen in New York from an employee of a company that had been hired by the Irish Blood transfusion Service (IBTS) to develop a query tool. The encryption used to protect the data was determined to be sufficient, as the key was not stored on the laptop itself.

Experts Weigh in on Cold Boot Attack Defenses (February 22, 2008)

In response to the recently published research paper describing how encryption key algorithms can be extracted from DRAM chips for a period even after PCs have been powered off, encryption experts have come forward to say that the attack can be thwarted by holding keys in hardware instead of software and fully deploying the Trusted Platform Module (TPM) authentication specification. Internet Storm Center Entries:
(read this before you talk with your full disk encryption vendor)

[Editor's Note (Frantzen): Any cryptographic software can lose control of its keys in this manner, not just full disk encryption.
(Cole): The cold boot attack has a cool factor to it, but remember that full disk encryption will protect a system only if it has a strong password (two factor recommended) and if the system is completely turned off. Use of a USB token stops the attack. If you turn your system completely off (and hold on to it for more than 5 seconds) the attack is not successful. If you do not follow either of these rules, than full disk encryption can potentially be broken even without this attack. ]

Cold Boot Attack Response

The following vendors have responded with URLs to their position papers on the Cold Boot crypto attack. If you see a vendor position paper on this topic, please forward the URL to stephen@sans.edu:




(it has been updated since last week)











SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser

Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin. Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman

Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two diametrically opposed networking requirements. On one hand, IT services have must meet the requirements of delivering an open campus network with minimal restriction on use. And, on the other hand, you have networks and systems that maintain sensitive information that requires tight security controls, often under the scrutiny of specific regulatory mandates.

SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Billy Hoffman

Sponsored By: HP

The past year has seen several wed worm attacks agasint various online applications. While these worms have gotten more sophisticated and made us of additional technologies like Flash and media formats, they all have had some basic limitations such as infecting new domains and injection methods. These worms are fairly easily detected using signatures and these limitations have made web worms annoying, but ultimately controllable. Ths paper examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with neew attack vectors while in the wild; and finds and exploits targets regardless of whether they are cliet web browsers or web servers.

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)

A certified SANS instructor will host this webcast and provide attendees with actionable advice on how to reduce their organization's risk against the Cold Boot Attack using encryption tools and real-world best practices. Hear responses from leading providers in the encryption market to gain better understanding of how these solutions can help mitigate or avoid the vulnerabilities associated with the Cold Boot Attack. Attendees will walk away with actionable advice on how this vulnerability can impact their organization and which encryption solutions can provide best-in-class protection from this and other security risks.

ISC Threat Update: March 2008
WHEN: Wednesday, March 12, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johaness Ullrich and Tony Magallanez

Sponsored By: F-Secure

The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian

Sponsored By: Core Security Technologies

When beginning a security process at a consortium of non-profits, a senior network security engineer began looking for a penetration testing tool that did web application assessments and aided in automated social engineering attacks. The tool he purchased is low on manpower use, is mostly self-maintaining and reliably proves the existence of network vulnerabilities.

SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!

Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee

Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.

Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)

Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/