SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #25
March 28, 2008
Note: Hundreds of millions of devices are being placed on networks with built-in back doors. Printers, routers, computers, control systems, storage systems, medical devices, nearly every automated device has them. The manufacturers of these systems never told you how vulnerable you are. One victim said "It's as if the people who are supposed to help me put a big sign on my door saying 'the key is under the mat by the back door,' and anyone can come in and violate me and my family." These vulnerable back doors were installed to allow remote management; they are fully functioning processors with network connections, operating systems, and memory. In addition to being able to disable the device, in many cases they provide remote back-door access to the main CPU and storage of the computer or other device. A research program is being launched to find and close the secret back doors. This is one of the most critical technical research projects we've announced in NewsBites - and SANS has allocated $20,000 in immediate grants for people (anywhere in the world) who can help develop answers quickly. If you think you have data or skills that can help, please read the last story in this issue.
P.S. If you are involved in web application security and/or penetration testing, you can find extraordinary solutions to some of the newest and hardest problems at the two simultaneous Summits in Las Vegas:
Web Application Security: http://sans.org/appsec08_summit/
Penetration Testing: http://sans.org/pentesting08_summit
TOP OF THE NEWS
FTC Reaches Settlements with TJX, Reed Elsevier and Seisint
Indiana Breach Notification Law Gets Toughened Up
Delinquent Tax Collection Contractors Protected Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
42 Months in Prison for Data Theft and Card Fraud
Washington State AG Sues Alleged Software Scammer
Man Gets Five Years Probation for Planting Logic Bomb
POLICY & LEGISLATION
Putin Signs Orders to Segregate Networks with Access to Secrets
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox Update Addresses 10 Vulnerabilities
Comcast Will Alter Traffic Management Practices
Guardian Backs Off Deal with Phorm
Canadian Univ. Faculty Unhappy with Decision to Use Google Apps
Hannaford was PCI Compliant During Breach
Closing the Back Doors in Printers, Computers, and Appliances
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By PacketMotion ************************
How do you safeguard intellectual property, sensitive information and compliance-relevant data without hampering employee and contractor productivity? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions and information assets. Download the FREE, must-read whitepaper "TRUST BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical Information" now. http://www.sans.org/info/26658
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
FTC Reaches Settlements with TJX, Reed Elsevier and Seisint (March 27, 2008)
The Federal Trade Commission (FTC) says it has reached a settlement with TJX regarding the data breach that exposed millions of customer records and resulted in significant payment card fraud. According to an FTC statement, TJX did not have basic data protection mechanisms, such as firewalls and wireless security, in place, and it had not kept its software patches and anti-virus signatures up to date. The terms of the settlement require TJX to develop a "comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers." The program will be audited by a third party every two years for the next twenty years. The settlement does not impose any fines on TJX. The FTC also reached settlements with data brokers Reed Elsevier and Seisint.
[Editor's Note (Schultz): The FTC did not go far enough--it should also have fined TJX. (Shpantzer): Basically TJX got a settlement from the government that forces them to have information security and audit processes that should have been in place before the breach. Is this really going to be a deterrent to other companies that don't have current antivirus in place? ]
Indiana Breach Notification Law Gets Toughened Up (March 25, 2008)
Indiana will have a stronger data protection and breach notification law as of July 1, 2008 thanks to Indiana University graduate student and blogger Chris Soghoian. Soghoian asked his state representative Matt Pierce to look more closely at the state's breach notification law, which said companies did not have to report data breaches involving "unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed." With input from Soghoian, Representative Pierce submitted a bill to address weaknesses in the current law. After some finagling in the state Senate, both houses unanimously passed the bill and Governor Mitch Daniels signed it into law on March 25. Now companies will be exempt from reporting breaches only if all the data on the stolen device are "protected by encryption and the encryption key has not been compromised or disclosed, and is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."
[Editor's Note (Schultz): Not too long ago, there was considerable doubt whether a better breach notification law would be passed in Indiana. Many kudos go to Mr. Soghoian and Rep. Pierce! ]
Delinquent Tax Collection Contractors Protected Data (March 26 & 27, 2008)
A report from the Treasury Inspector General for Tax Administration (TIGTA) found that the two private collection agencies hired by the Internal Revenue Service (IRS) to pursue delinquent tax payments have done a good job of ensuring that taxpayer data are protected. Pioneer Credit Recovery and CBE Group kept the files secure on their systems and restricted file access to employees who needed to access those files. In addition, they configured their workstations to prevent files from being copied to the workstations or to removable media. The IRS has met with criticism for outsourcing the collection work.
[Editor's Note (Schultz): It is good to learn of success stories such as this one--they tend to be few and far between in the struggle to protect financial and personal data. ]
************************** Sponsored Links: ***************************
1) Attend the Application Security Summit June 2-3 in Las Vegas and hear what others are saying about application security. http://www.sans.org/info/26663
THE REST OF THE WEEK'S NEWS
42 Months in Prison for Data Theft and Card Fraud (March 26, 2008)
Former Compass Bank programmer James Kevin Real was sentenced to 42 months in prison for stealing a hard drive containing customer data and using the data to commit identity fraud. Real was also ordered to repay more than US $32,000 that he and an accomplice stole from customers' accounts. Real used the stolen data to create 250 phony debit cards; he used 45 of them to commit fraud. Court documents indicate the data were stolen in May 2007 and that the fraud occurred in June and July 2007. Alabama is one of 11 states that do not require consumer notification of personal data breaches.
Washington State AG Sues Alleged Software Scammer (March 26, 2008)
The Washington state attorney general has filed a civil lawsuit against Ron Cooke, owner of Messenger Solutions, for allegedly violating the state's Computer Spyware Act and Consumer Protection Act by running a scheme that pushed people to purchase bogus security software. First, users' computers would be inundated with pop-up advertisements delivered through the Windows Messenger Service. Then they would start to receive messages telling them their computers were infected with malware and that they should try installing one of the software programs the company offered, for which they were ultimately charged US $20. That software actually sent messages to other computers to start the cycle over again. The complaint seeks an injunction to stop Cooke from continuing the scheme as well as civil penalties and consumer refunds.
Man Gets Five Years Probation for Planting Logic Bomb (March 20, 2008)
Jeffery Howard Gibson, who formerly worked for St. Cloud (Minnesota) Hospital and created a computer-based training program for it, has been sentenced to five years of probation for infecting hospital computers with malware. Gibson was employed by the hospital between July 2005 and June 2006; he placed a logic bomb on the system during the spring and summer of 2006. He was also ordered to pay more than US $28,000 in restitution and to serve 120 hours of community service by helping develop a cyber ethics presentation for St. Cloud University students.
POLICY & LEGISLATION
Putin Signs Orders to Segregate Networks with Access to Secrets (March 21, 2008)
Russian President Vladimir Putin has signed executive orders that restrict connections between computers holding state or official secrets and networks that reach beyond the country's borders. The Federal Security Service (FSB) will have to grant special permission when government organizations want to connect networks that access secrets with foreign networks. If permission is granted, those computers will be equipped with encryption software provided by the FSB.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Comcast Will Alter Traffic Management Practices (March 27 & 28, 2008)
After coming under fire for slowing down traffic from filesharing sites, Comcast says it will now treat all Internet traffic equally. Comcast had maintained that it gave filesharing traffic lower priority because it would otherwise overwhelm local cable lines; now the company plans to work with BitTorrent to develop ways to send large files. Comcast's new traffic management technique involves slowing download speeds for the heaviest bandwidth users when traffic gets heavy.
Guardian Newspaper Backs Off Deal with Phorm (March 26, 2008)
The Guardian Newspaper says it will not use Phorm, the controversial targeted advertising company. In mid-February, the newspaper had said it was working with Phorm, which would customize advertisements for users based on sites they have visited. In an email message to a concerned reader, Guardian advertising manager Simon Philby wrote "We have concluded at this time that we do not want to be part of the network. Our decision was in no small part down to the conversations we had internally about how this product sits with the values of our company."
Canadian Univ. Faculty Unhappy with Decision to Use Google Apps (March 24 & 26, 2008)
The faculty association of Lakehead University in Thunder Bay, Ontario, has filed a grievance against the university administration over its decision to replace the old and faltering campus computer system with Google Apps. Although the move saved the university money (the tools are free), the data are held in the US and are therefore subject to US law, which is at odds with Canadian privacy law: data hosted on US servers are deemed searchable by authorities under the US Patriot Act, whereas Canadian law guarantees individuals the right to privacy of their information and the right to be informed when that information is shared. The faculty was told not to transmit private data over the system.
[Editor's Note (Pescatore): There are other issues, like e-Discovery, that have to be addressed if business data is stored on public servers like Google Apps and the like. There are certainly ways to use such public applications securely but it doesn't come for free. ]
Hannaford was PCI Compliant During Breach (March 21 & 22, 2008)
What differentiates the Hannaford Bros. supermarket chain data breach from other large breaches is that the company was found to be in compliance with the Payment Card Industry (PCI) Data Security Standard even while the attack was underway. The card information was stolen during the authentication process of the transactions. The attack compromised as many as 4.2 million cards. The PCI standards are ambiguous about exactly when data need to be encrypted.
[Editor's Note (Pescatore): First off, PCI compliance (any compliance, really) just means you were deemed compliant at the time of the audit. It says nothing about what you are like 15 minutes later. However, the bigger point is the focus always has to be on protecting customer and business data from attack, not on just gaining compliance. There has been no shortage of security incidents at companies that were SarBox and PCI compliant, or government agencies that were FISMA compliant. The ones you *don't* read about because they *don't* have incidents are the ones that focus first on securing critical data, *then* demonstrate compliance. Too many only focus on the latter.]
Closing the Back Doors in Printers, Computers, and Appliances
Hundreds of millions of devices are being placed on networks with built-in back doors. Printers, routers, computers, control systems, storage systems, medical devices, nearly every automated device has them. The manufacturers of these systems never told you how vulnerable you are. One victim said "It's as if the people who are supposed to help me put a big sign on my door saying 'the key is under the mat by the back door,' and anyone can come in and violate me and my family." These vulnerable back doors were installed to allow remote management; they are fully functioning processors with network connections, operating systems, and memory. In addition to being able to disable the device, in many cases they provide remote back-door access to the main CPU and storage of the computer or other device. They may not be logged or monitored and therefore can be attacked repeatedly without fear of being caught. In Intel-based PCs and servers they are usually called BMCs, or baseboard management controllers, and are used as intelligent controllers for inventory, monitoring, logging, and recovery control functions that are available independent of the main processors, BIOS, and operating system. Similar functions are provided on UNIX systems, printers, medical devices and other appliances, but are often not called BMCs. This research project is designed to develop detailed technical procurement language that organizations can use to ensure these back doors are "closed and locked" when the devices are delivered. These back doors have already been implicated in successful denial of service attacks and can be used to access and change the data being processed by the devices.
Here are initial research questions that need to be answered. If you think of other important questions, please propose them.
1. What are the vulnerabilities of these back doors (Telnet, FTP, hard-coded passwords, etc.) and how can they be exploited? This should be answered per device family (smart printers, for example).
2. What types of damage can be done by an attacker who gains a foothold through these back doors?
3. How could an attacker jump from the back door processor to the main processor, or extract or change data being processed by the main processor or storage systems of the computer or appliance?
4. What are the most important security controls that must be engineered into every such device to protect them from remote or local exploitation?
If you have run tests on these back doors or have the access, tools and willingness to do so quickly, email firstname.lastname@example.org We can provide funding for the work.
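The first and fourth research questions above ask which services a management controller exposes and which controls a buyer should demand before the device is accepted. As an added example, not code from SANS or from the research project described here, the script below is the kind of delivery-time acceptance probe that procurement language could require: for each device it checks whether the services the article names as typical back doors (Telnet and FTP) answer on the network, and whether the FTP service accepts a vendor-default login. The devices it probes are constructed in-process stand-ins so it runs offline, the port list assumes standard ports, and the credential list is illustrative rather than any vendor's actual defaults.

```python
"""Delivery-time acceptance probe for out-of-band management interfaces.

Added example, not code from SANS or from the research project in the
article. Devices are constructed in-process stand-ins; the default
credential list is illustrative and not taken from any vendor.
"""
import socket
import threading

# Services the article names as typical back doors (standard ports assumed).
MGMT_SERVICES = {23: "telnet", 21: "ftp"}

# Constructed, illustrative default-credential list (not a real vendor list).
DEFAULT_CREDS = [("admin", "admin"), ("root", "password"), ("user", "user")]


def probe_port(host, port, timeout=2.0):
    """Return the greeting banner ('' if the service is silent) when the port
    accepts a TCP connection, or None when it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(512).decode("latin-1", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def ftp_login(host, port, user, password, timeout=2.0):
    """Attempt one FTP USER/PASS login; True only if the server replies 230."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rwb", buffering=0)
            f.readline()                       # 220 greeting
            f.write(f"USER {user}\r\n".encode())
            reply = f.readline()
            if reply.startswith(b"230"):       # logged in without a password
                return True
            if not reply.startswith(b"331"):
                return False
            f.write(f"PASS {password}\r\n".encode())
            return f.readline().startswith(b"230")
    except OSError:
        return False


def audit_device(host, services=MGMT_SERVICES):
    """List every management service that answers on `host`; for FTP, record
    the first default credential pair that logs in (None if none does)."""
    findings = []
    for port, name in services.items():
        banner = probe_port(host, port)
        if banner is None:
            continue                           # closed: this back door is shut
        finding = {"port": port, "service": name, "banner": banner,
                   "default_login": None}
        if name == "ftp":
            for user, pw in DEFAULT_CREDS:
                if ftp_login(host, port, user, pw):
                    finding["default_login"] = (user, pw)
                    break
        findings.append(finding)
    return findings


def start_fake_bmc(accept):
    """Constructed stand-in for a device whose management controller ships
    with FTP enabled. `accept` is the (user, password) it honours, or None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            f = conn.makefile("rwb", buffering=0)
            f.write(b"220 BMC management FTP ready\r\n")
            user = None
            for line in f:
                cmd, _, arg = line.strip().decode("latin-1").partition(" ")
                if cmd.upper() == "USER":
                    user = arg
                    f.write(b"331 Password required\r\n")
                elif cmd.upper() == "PASS":
                    ok = accept is not None and (user, arg) == accept
                    f.write(b"230 Login successful\r\n" if ok
                            else b"530 Login incorrect\r\n")
                elif cmd.upper() == "QUIT":
                    f.write(b"221 Goodbye\r\n")
                    break
                else:
                    f.write(b"502 Command not implemented\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                handle(conn)
            except OSError:
                continue                       # client hung up early; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def run_demo():
    """Audit two constructed devices: one shipped with a hard-coded default
    login on its management FTP service, one whose FTP answers but rejects
    every default credential."""
    results = {}
    for label, accept in (("shipped-open", ("root", "password")),
                          ("shipped-locked", None)):
        host, port = start_fake_bmc(accept)
        results[label] = audit_device(host, {port: "ftp"})
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings)
```

Against a real delivery the caller would run audit_device against the management controller's address with the default port map; any finding at all means the back door is open, and a non-None default_login means it is also unlocked. Note that a "shipped-locked" result only shows the credential list failed, not that the service is safe: the article's point is that the service itself should not be reachable until the owner enables it.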
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater": practices like confiscating nail files at airport security, running vulnerability scans and then taking no action, or pretending that a "partial implementation" of a SIEM actually helps create effective security. If we want to get better and actually implement security well, one of the fundamental keys is to configure systems correctly and then maintain that configuration. Stephen will discuss the three views, the inside view, the outside view and the user view, that give us the information we need to assess the configuration of our systems. Tools like the Center for Internet Security benchmarks and toolsets create the inside view; vulnerability scanners and exploitation tools like CORE provide the outside view; and the user view requires a number of tests to determine the level of awareness and practice. Taken together, the data from all three views let us accurately assess our exposure to threats.
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
Sponsored By: TrendMicro and Utimaco Software
Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
Sponsored By: LogLogic
A need to meet the vague requirements of FISMA compliance prompted Lockheed to look for a new log management product to replace a recently acquired tool with one more suited to its manpower and skill level requirements. The company found a solution that had lower total cost of ownership, could process all logs and had correlation capabilities to show attack indicators.
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: John Curry
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (2000 UTC/GMT)
FEATURING: John Strand
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/