
Volume X - Issue #24

March 25, 2008

The Excel story is number two in Top of the News this week because of the critical lesson it teaches: When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.

2008 Short Lists of security products that actually work. Did we get them right? If you use any security products, please take a few minutes to complete the quick survey that lets you tell which security products matter and whether we have the right products in the short lists. If you can do it before Wednesday night (11 PM EDT), you'll be eligible for a $500 cash drawing. The survey is posted at http://www.surveymethods.com/EndUser.aspx?9BBFD3CA98DBCACB



Cyber Attacks Targeting Pro-Tibet Groups on the Rise
Exploit Code for Excel Flaw Released
State Dept. Names Contractors in Passport File Breaches
Stolen Laptop Holds NIH Clinical Trial Data


Former Employee Gets Probation for Destructive Cyber Intrusion
Beckstrom First to Head Up National Cyber Security Center
Millions of Chinese Mobile Users Hit with Spam
Microsoft Acknowledges Flaw in Jet Database Engine
Stolen Computer Holds Unencrypted Agilent Employee Data
Lasell College Notifies 20,000 of Data Breach

******************* Sponsored By Credant Technologies *******************

FULL DATA ENCRYPTION2 = FULL DISK WITHOUT THE RISK. Outdated encryption methods require unwelcome compromises to IT operations, and can't provide the level of data security now needed. New Full Data Encryption2 is here! Protects What Matters: Your Data. Download overview. http://www.sans.org/info/26294


Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online any time: www.sans.org



Cyber Attacks Targeting Pro-Tibet Groups on the Rise (March 21 & 24, 2008)

Cyber attackers are targeting groups sympathetic to anti-China activists in Tibet. The attacks attempt to disrupt activity and obtain information about the groups and their supporters. The attacks have increased in intensity recently. The group Human Rights in China says it has been on the receiving end of more than 100 targeted attacks since the first of the year, up from an annual total of 40 in 2007. The Tibet Support Network reports receiving about 20 email attacks every day.

[Editor's Note (Ullrich): This news release is the result of several years of work. Up to now, the affected groups had been silent about these attacks to allow researchers to monitor the attacks. These attacks are very similar to the ones reported by defense contractors and government networks. In some cases, the same C&C server was used in attacks on political groups like the ones discussed here and on government contractors. The Internet Storm Center believes a large number of attacks against these groups and others have been prevented through moderated sharing of information among victims, security vendors, and potential victims. ]


Exploit Code for Excel Flaw Released (March 24, 2008)

Exploit code for a recently patched vulnerability in Excel has been made public; users are urged to apply the patch released earlier this month as soon as possible. The flaw has been exploited since mid-January, but the attack code was released just last week. It is the first exploit code for the batch of patches Microsoft released in its March 11 MS08-014 security bulletin. This is the same bulletin that Microsoft re-released just days after its original release to fix a regression error that produced incorrect calculations in one of the Excel fixes.

State Dept. Names Contractors in Passport File Breaches (March 21 & 22, 2008)

The US State Department has identified the contractors whose employees breached presidential candidates' passport files as Stanley and The Analysis Corporation. Stanley says it fired two employees for the unauthorized data access as soon as it learned of the incidents. The breaches were detected through software designed to catch unauthorized file access. An investigation will determine which laws were broken in the incidents. At first it was believed that only Barack Obama's file had been accessed, though it later came to light that the files of Hillary Clinton and John McCain were accessed as well. There are also reports that contract workers ignored warnings that files were being improperly accessed. Secretary of State Condoleezza Rice has apologized for the breaches.


[Editor's Note (Ullrich and Paller): A breach like this cannot easily be prevented. Employees need access to do their job. The nice thing about this story is that policy was backed up by monitoring. It allowed everybody to get their work done and the misbehaving employees were identified quickly.
(Pescatore): Authorized users taking unauthorized actions is the classic security incident because of how difficult it is to define "authorized action" in computer readable form. The fact that it was detected is a major plus - most enterprises don't even have the security controls in place to detect such actions, as many recent incidents have pointed out. There has been way too much dependence on policies and claims of data classification and not enough actual access and data flow monitoring going on.
(Northcutt): What I like about this story is that they were detected by software designed to do just exactly that. Way to go State Department; gold star. Now for the rest of us, when will we ever learn? Britney Spears checks into the hospital, they end up firing people for looking at her records:
And the latest on the mother of all government sensitive information databases, the Bush administration is finally realizing they may not be able to shove Real ID down the state's throats:
(Schultz): This incident brings back memories of Watergate (although it obviously is not as serious). In the early 1970's, the American public was furious over sensitive election-related and other information being compromised the way it was. Tragically, now apathy concerning events of this nature abounds. It is like John Mayer sings--"Waiting for the world to change..." ]

Stolen Laptop Holds NIH Clinical Trial Data (March 24, 2008)

A laptop computer containing unencrypted personal information of 2,500 National Institutes of Health (NIH) study participants was stolen from a locked car trunk in February. NIH waited nearly a month before notifying affected individuals. The clinical trial information includes names, diagnoses, hospital medical record numbers and MRI data, but no Social Security numbers (SSNs) or financial information. Government policy requires that portable electronic devices have encryption software. An NIH statement indicates that the agency is taking steps to ensure that all devices have encryption and that personally identifiable information not be stored on laptops.


************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/26299




Former Employee Gets Probation for Destructive Cyber Intrusion (March 20, 2008)

Joseph Patrick Nolan was sentenced to four years probation for breaking into his former employer's computer system and destroying data. Nolan destroyed records from Pentastar Aviation's personnel and payroll operations, costing the company more than US $50,000. Nolan was also ordered to pay Pentastar US $1,158. Nolan resigned from Pentastar in January 2007; the intrusion occurred in February of that year. He was then employed by the city of Ann Arbor's Information Technology Department until May 2007.


Beckstrom First to Head Up National Cyber Security Center (March 20 & 21, 2008)

Rod Beckstrom has been named the first director of the National Cyber Security Center. The center was created by a presidential directive in January 2008. A statement from Department of Homeland Security (DHS) Secretary Michael Chertoff says Beckstrom "will serve the department by coordinating cybersecurity efforts and improving situational awareness and information sharing across the federal government." Beckstrom is an author and entrepreneur. Most recently, he co-founded Twiki.net; he is also the author of "The Starfish and the Spider." Beckstrom will report directly to Secretary Chertoff.

[Editor's Note (Pescatore): This one is hard to figure. A political appointment less than a year before an administration change, of a person with no background in security or government, less than 18 months after appointing Greg Garcia as Assistant Secretary for Cyber Security and Communications at DHS but reporting much lower in DHS.
(Paller): Perhaps the reason for this decision is that the Director of National Intelligence, White House, and the Secretary of DHS felt the need for a different type of leadership for the new Cyber Initiative. ]


Millions of Chinese Mobile Users Hit with Spam (March 21 & 24, 2008)

Chinese authorities are investigating a spam attack in which 200 million mobile phone users received unsolicited text messages from advertisers. China Mobile has apologized and says it will block messages from a number of online advertising companies. China's State Council intends to conduct an investigation.
[Editor's Note (Ullrich): SMS spam is not new, but certainly on the rise. It is particularly annoying if the recipient is charged for these messages. China Mobile last year installed a massive SMS filtering and monitoring infrastructure. It was not used in time to curb this spam. ]


Microsoft Acknowledges Flaw in Jet Database Engine (March 21, 22 & 24, 2008)

Microsoft has issued an advisory warning of a critical vulnerability affecting users of Word running on Windows 2000, XP and Server 2003 SP1 that is being actively exploited in targeted attacks. Microsoft says the buffer overflow flaw lies in the Microsoft Jet Database Engine. Reports of the flaw emerged three weeks ago, but Microsoft had not publicly acknowledged the problem until now. Users running Word on Windows Vista and Server 2003 SP2 are not at risk because those operating systems use a different version of Jet. A fix is not yet available; Microsoft recommends disabling Jet or blocking .mdb files at the gateway. Internet Storm Center:
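The advisory's interim mitigation is to block .mdb files at the gateway. A rule keyed only on the file extension misses a Jet database that has been given another name, so a gateway check should look at the file header as well. The following is an added example, not code from the newsletter, Microsoft or the Internet Storm Center; the attachment samples are constructed inline, and the classify/scan function names are the example's own.

```python
# Added example (not from the newsletter): recognise Microsoft Jet database
# files by their header bytes rather than by the ".mdb" extension, so that a
# gateway rule blocking .mdb attachments also catches renamed copies.

# Jet 3.x/4.x files begin with a 4-byte version marker followed by the ASCII
# signature "Standard Jet DB"; Access 2007+ (ACE) files use "Standard ACE DB".
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
SIGNATURE_OFFSET = 4


def is_jet_database(data: bytes) -> bool:
    """Return True if the byte string carries a Jet/ACE database header."""
    if len(data) < SIGNATURE_OFFSET + len(JET_SIGNATURES[0]):
        return False
    return data[SIGNATURE_OFFSET:].startswith(JET_SIGNATURES)


def classify_attachment(name: str, data: bytes) -> str:
    """Gateway verdict for one attachment: "block" or "allow".

    Content is checked first, so a Jet database is blocked whatever it is
    called; the plain extension rule from the advisory is kept as a fallback
    for files whose header cannot be read.
    """
    if is_jet_database(data):
        return "block"
    if name.lower().endswith(".mdb"):
        return "block"
    return "allow"


# Constructed sample attachments for the demonstration (not real captures).
SAMPLES = {
    "report.mdb": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32,
    "notes.txt": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32,  # renamed
    "memo.txt": b"Quarterly numbers are in the body of this email.",
    "empty.mdb": b"",
}


def scan_attachments(samples=SAMPLES) -> dict:
    """Map each attachment name to its gateway verdict."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_attachments().items():
        print(f"{name:12} -> {verdict}")
```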





Stolen Computer Holds Unencrypted Agilent Employee Data (March 22, 2008)

Agilent Technologies has sent letters to 51,000 current and former employees notifying them that their personally identifiable information was on a laptop computer that was stolen on March 1. The unencrypted data include names, addresses, SSNs, and stock option information. The laptop was stolen from a vendor's car; Agilent's letter places the blame on that vendor - Stock & Option Solutions - for not encrypting the data. A former employee who received a notification letter said, "Agilent should have put all of the data into an encrypted format to begin with."
[Editor's Note (Northcutt): We keep building these databases with sensitive information. Two governance tips: information is a potential asset, but it is also a potential liability. I try to make myself look at the chronology page at privacyrights.org at least once a month to see who else is going to be party to a class action lawsuit (Welcome to the club Rhode Island and Agilent Technologies):
The second suggestion is to quit thinking of this as a technology problem. Think of sensitive personal information as money! Each record you store is worth a certain amount, say $10.00 when you average across all the businesses that store these records. But as we said, these records have a liability value as well, if losing the information takes you into litigation. And that liability value is much higher than $10. If we think of the records we store as money and treat those records as we treat money, then we put significant controls in place. Many of the data breaches are due to lost laptops. How much of your company's cash would you allow an employee to put in a laptop case that they store in their automobile trunk, front seat of the car, home, or hotel room? I would bet most companies would not allow more than $100 to be carried by an employee without some form of controls. Yet, we put thousands of records on laptops. ]

Lasell College Notifies 20,000 of Data Breach (March 12 & 19, 2008)

Lasell College in Newton, Massachusetts has notified 20,000 people that their personally identifiable information was compromised in a cyber intrusion. The breach occurred on February 6, 2007. The data include names and SSNs; the breach affects students and alumni as well as current and former faculty and staff. Local law enforcement authorities are conducting an investigation. The college has also notified Attorneys General and other officials in the states where those affected reside.



Al Hill writes "80+ patches for the Apple OS, 13 patches for their browser, and not one admonishment by the SANS editors? Very interesting..."


Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.

Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Fortify Software

All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.

SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
Sponsored By: Core Security Technologies

Stephen Northcutt challenges leaders to move past "Security Theater", practices like confiscating nail files in airport security, running vulnerability scans and taking no action, or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well, one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views, the inside view, outside view and user view, that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view, vulnerability scanners and exploitation tools like CORE for the outside view, and to get the user view we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.

SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.

Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.


Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/