SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #22
March 18, 2008
If you have purchased security products or services in the past six months or plan to purchase in the next year, we'd love your input on the new poster categories. The poster will have all the categories along with short lists of leading and emerging products in each. We list the draft categories in the last story in this issue. If you see elements that are misclassified, or can think of categories that should be added, please email me (firstname.lastname@example.org) by Friday. And if you want the detailed descriptions of the Five Walls and each category just ask.
P.S. Deadline for savings ($150) on SANS 2008 is tomorrow, March 19. http://www.sans.org/sans2008
TOP OF THE NEWSCanadian Firm to Offer Data Breach Insurance
US Lawmakers Pass FISA Amendment
BT Admits it Used Customer Data in Phorm Test Run
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
Spammer Soloway Makes Plea Deal
Man Draws 30 Month Sentence for Spoofing Emergency Calls
Certegy Proposes to Settle Data Breach Class Action Lawsuit
POLICY & LEGISLATION
Proposed Washington State Law Would Criminalize RFID Skimming
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
iFrame Attack Infects Hundreds of Thousands of Web Pages
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Exposes 4.2 Million Credit and Debit Card Numbers
Four Charged in Attempted Cyber Bank Theft
Microsoft Releases IE8 Beta Version 1
China Blocks YouTube, News Sites After Riots Erupt in Tibet
POSTER CATEGORIES FOR THE FIVE WALLS FOR DEFENSE IN DEPTH
LIST OF UPCOMING FREE SANS WEBCASTS
******************* Sponsored By Credant Technologies *******************
FULL DATA ENCRYPTION2 = Full Disk without the Risk Outdated encryption methods require unwelcome compromises to IT operations, and can't provide the level of data security now needed. New Full Data Encryption2 is here! Protects What Matters: Your Data. Download overview. http://www.sans.org/info/25968
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org
TOP OF THE NEWS
Canadian Firm to Offer Data Breach Insurance (March 13, 2008)As data security breaches appear more and more frequently in the news, at least one Canadian insurance company is starting to offer a product that would cover costs incurred by companies when they have suffered a data privacy breach. The policy would cover the cost of fixing computer damage as well as costs associated with customer notification and reimbursement and compensation paid to credit card companies for losses from fraud. The coverage is structured to address Canadian data privacy laws.
[Editor's Note (Schultz): Insurance against security incidents in general has not caught on all that well in the information security arena for a number of reasons. However, this new type of insurance is likely to fare much better because of the widespread concern about and high likelihood of data security breaches. ]
US Lawmakers Pass FISA Amendment (March 14, 2008)By a narrow margin, US legislators have passed a bill to revise the Foreign Intelligence Surveillance Act (FISA). The bill would allow intelligence officials up to a week after commencing surveillance to apply for a warrant. In addition, the bill would give telecommunications providers that cooperate with surveillance activities immunity from prosecution, but the immunity is not retroactive. The original FISA, passed in 1978, "requires that all government surveillance for intelligence purposes must first be sanctioned by a court order allowing the eavesdropping from the Foreign Intelligence Surveillance Court (FISC)."
BT Admits it Used Customer Data in Phorm Test Run (March 14 & 17, 2008)BT now admits that it used customer data to test the technology used in its controversial Phorm advertisement targeting product. Phorm tracks web user activity to tailor ads to surfers' online habits. BT acknowledged that when initially questioned about the use of customer data last summer, it lied. The company may face legal action. BT maintains that "absolutely no personally identifiable information was processed, stored or disclosed during this trial." An open letter from the Foundation for Information Policy Research says that Phorm is illegal in the UK because it violates the Regulation of Investigatory Powers Act (RIPA). BT says that Phorm does not run afoul of any UK laws. Security companies have differing opinions about whether or not to classify Phorm cookies as adware.
[Editor's Note (Skoudis): Using actual customer data in a test environment is of course a no-no. But, when people perform security assessments, it is incredibly common to use actual customer data. Such behavior should be avoided, and this article is a good example of the problems that could arise. ]
************************** Sponsored Links: ***************************
1) Fill the Gaps Left by Traditional Perimeter Defenses - Gain Network Visibility and Internal Security Using NetFlow Read More: http://www.sans.org/info/25973
2) PacketMotion delivers unprecedented visibility and real-time control of insider threats. Learn more and first 100 respondents receive a complementary Elsevier book "Insider Threat" - $35 value. http://www.sans.org/info/25978
THE REST OF THE WEEK'S NEWS
Spammer Soloway Makes Plea Deal (March 15 & 17, 2008)Robert Soloway has pleaded guilty to fraud and tax evasion charges in connection with a significant spam operation he ran. Although other plaintiffs have won civil judgments against Soloway for sending spam, he has never paid any fines. When he is sentenced on June 20, Soloway faces up to 26 years in prison. At question is where he stashed his earnings from his schemes. As part of Soloway's plea deal, prosecutors dropped aggravated identity theft and money laundering charges against him.
Indictment (from May 2007):
Man Draws 30 Month Sentence for Spoofing Emergency Calls (March 12 & 14, 2008)Guadalupe Santana Martinez of Washington state has been sentenced to 30 months in prison for spoofing telephone numbers and placing phony emergency calls to manipulate police SWAT teams to respond to the target's home. Martinez pleaded guilty to conspiracy to commit access device fraud and unauthorized access to protected computers. He was also ordered to pay nearly US $25,000 in restitution. Four other people involved in the "swatting" attacks are currently awaiting sentencing. In October, another Washington state man was charged with six felonies for a similar attack that brought a SWAT team to a California family's home.
[Editor's Note (Skoudis): This story brings up an important point for enterprise security personnel. In a world of VoIP and widespread PBX deployment, caller ID is not a reliable authentication mechanism. Enterprise security people should double check their internal procedures to make sure that they aren't solely dependent on caller ID for authenticating users to the help desk. And, beyond just checking written procedures, interview help desk personnel to see if you have a de facto procedure of using caller ID for authentication even if your procedures prohibit the practice.
(Ullrich): New technologies like VoIP and "spoof cards" make it easier to spoof caller ID information. Caller ID spoofing has been used in social engineering attacks where a "trusted" caller ID is spoofed to gain access to information or make requests plausible. Of course, "swatting" is far from a simple phone prank. Police will usually show up expecting the worst with weapons drawn; and a small mistake can have tragic consequences. ]
Certegy Proposes to Settle Data Breach Class Action Lawsuit (March 14, 208)Certegy check services has proposed to settle a class action lawsuit brought on behalf of 8.5 million individuals. Last summer, the company disclosed that a database administrator had accessed account information of 8.5 million people without authorization. The admin then sold the information to data brokers. The settlement would provide people whose data were compromised with one year of credit monitoring, US $10,000 of identity theft coverage, and up to two years of bank account monitoring. Individuals who can demonstrate that they experienced identity theft as a result of the data exposure could also be reimbursed for certain out-of-pocket costs. Certegy has placed a limit of US $4 million on the identity theft claims it will cover and people must file within 90 days of the incident. All claims must be made before March 31, 2011. Each individual can recover no more than US $20,000. A US District Court judge in Florida is currently reviewing the settlement proposal.
POLICY & LEGISLATION
Proposed Washington State Law Would Criminalize RFID Skimming (March 17, 2008)The Washington state Senate has passed a bill that would make it a crime to skim personal information from RFID cards with malicious intentions. As approved, the law would apply to any and all forms of the technology. It would be a Class C felony to gather personal information from an RFID chip without the individual's knowledge and consent. The bill has already passed the Washington state House and now goes to Governor Chris Gregoire for approval.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
[Editor's Note (Skoudis): The phpBB software has quite a history of security vulnerabilities over the past couple of years. I remember back in mid-1990's when we used to say that sendmail was the poster child of security flaws, a pen tester's best friend. Its creators did a good job of cleaning it up. Arguably, IIS then took the title in 1999-2001. It's gotten better, thankfully. Now, it seems to me that phpBB has a good claim on the title. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Exposes 4.2 Million Credit and Debit Card Numbers (March 17, 2008)Another large-scale payment card data breach has been reported. The breach occurred during the card authorization process at the Maine-based Hannaford Bros. grocery chain. The card data were reportedly exposed between December 7, 2007 and March 10, 2008. The company estimates that 4.2 million account numbers were compromised. Eighteen hundred cases of fraud have been reported in connection with the breach. According to Hannaford president and CEO Ronald C. Hodge, the company "doesn't collect, know or keep any personally identifiable customer information from transactions." The breach affected all 165 stores in the northeast as well as 106 Sweetbay stores in Florida.
[Editor's Note (Grefer): Adherence to the PCI DSS Standard would help to avoid such incidents or at least minimize their impact.
The new self-assessment questionnaire is available at
Four Charged in Attempted Cyber Bank Theft (March 17, 2008)The UK's Serious Organized Crime Agency (SOCA) says that four men allegedly have been accused of breaking into the computer system of Japan's Sumitomo Matsui Banking Corporation and attempting to steal AU $475.47 million (US $437.4 million or 277.6 million Euros). The men targeted the bank's London offices. The scheme to transfer money to accounts around the world was discovered and halted before it was executed. The men, Hugh Rodley, David Nash, Kevin O'Donoghue, and Bernard Davies, have been charged with conspiracy to defraud, conspiracy to steal, conspiracy to transfer criminal property, and conspiracy to remove criminal property from England and Wales.
Microsoft Releases IE8 Beta Version 1 (March 17, 2008)Microsoft has released the first beta version of Internet Explorer 8 (IE8). The new browser reportedly protects users from phishing attacks and warns them when they visit web pages infected with malware. Of some concern is the fact that IE8 allows cross-domain requests. Gartner researchers observed that IE8's default mode "will result in pages that don't display correctly for some enterprise applications."
China Blocks YouTube, News Sites After Riots Erupt in Tibet (March 17, 2008)The Chinese government has blocked access to YouTube in that country in an attempt to prevent news of violent police reactions to protests and demonstrations in Tibet from reaching Chinese citizens. Google News, Yahoo News, CNN, and BBC sites have been inaccessible as well. China has also refused entry to foreign journalists and expelled those already in the country.
POSTER CATEGORIES FOR THE FIVE WALLS FOR DEFENSE IN DEPTHIf you have purchased security products or services in the past six months or plan to purchase in the next year, we'd love your input on the new poster categories. The poster will have all the categories along with short lists of leading and emerging products in each. Check the list below and tell us if you see elements that are misclassified, or can think of categories that should be added. Email comments at (email@example.com) by Friday. And if you want the detailed descriptions of the Five Walls and each category just ask.
Defensive Wall 1. Blocking Attacks: Network-Based
1.1 Intrusion Prevention (IPS) and Detection (IDS)
1.2 Wireless Intrusion Prevention (IPS)
1.3 Network Behavior Analysis and DDoS Monitoring
1.4 Firewalls, Enterprise Antivirus and Unified Threat Management
1.5 Secure Web Gateways
1.6 Secure Messaging Gateways and Anti-Spam Tools
1.7 Web Application Firewalls
1.8 Managed Security Services
Defensive Wall 2. Blocking Attack: Host-Based
2.1 Endpoint Security (Personal FW, AV, AS, HIPS)
2.2 Network Access Control
Defensive Wall 3. Eliminating Security Vulnerabilities
3.1 Network Discovery Tools
3.2 Vulnerability Assessment
3.3 Penetration Testing
3.4 Patch and Security Configuration Management and Compliance
3.5 Application Security Scanners
Defensive Wall 4. Safely Supporting Authorized Users
4.1 Identity and Access Management
4.1 Mobile Data Protection and Storage Encryption Products
4.3 Storage and Backup Encryption
4.4 Content Monitoring and Data Leakage Protection
4.5 Virtual Private Networks (VPNs)
Defensive Wall 5. Tools to Manage Security and Maximize Effectiveness
5. 1 Log Management and Security Information and Event Management
5.2 Security Skills Development for System and Network Professionals and for Programmers
5.3 Forensics Tools
5.4 Governance, Risk and Compliance Management Tools
LIST OF UPCOMING FREE SANS WEBCASTSSANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
Sponsored By: Norman Data Defense Systems
The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.
Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
Sponsored By: Tdi
Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.
Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Larry Suto
Sponsored By: Fortify Software
All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater", practices like confiscating nail files in airport security or running vulnerability scans and taking no action or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views, the inside view, outside view and user view that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view, vulnerability scanners and exploitation tools like CORE for the outside view and to get the user view we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
Sponsored By: TrendMicro and Utimaco Software
Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.
SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava
Sponsored By: Intellitactics, Inc.
This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/