SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #41
May 23, 2008
TOP OF THE NEWS
TVA Power Plants Vulnerable to Cyberattacks
Proposed UK law Would Expand Data Retention Requirements for Telecom Providers
IMPACT and SANS Will Work Together to Improve Global Cyber Security
NY Governor Introduces Stronger ID Theft Laws
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Lawsuit Filed Against LendingTree
Man Pleads Guilty to Selling Pirated Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple iCal Flaws Disclosed Before Fix is Available
Cisco Patches Three Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank of New York Mellon Backup Tape Lost
Used Server Held 5,000 SSNs
Moody's Share Price Drops After Rating Glitch is Disclosed
Thai Authorities May Shut Down Sites Deemed Offensive to King
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By StillSecure *************************
StillSecure specializes in commercial and open source secure network infrastructure solutions. Products include network access control (NAC), intrusion detection/prevention (IDS/IPS), vulnerability management and a unified networking/security platform. By converging networking and security, StillSecure provides innovative, intuitive and affordable solutions to operate secure networks. For more information call 303-381-3830 or visit our website at http://www.sans.org/info/29238
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers?
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
TVA Power Plants Vulnerable to Cyberattacks (May 21, 2008)
According to a report from the US Government Accountability Office (GAO), Tennessee Valley Authority (TVA) power plants are vulnerable to cyberattacks. TVA is the largest US public power company, supplying electricity to more than 8.7 million people in seven southeastern states. The report found that the TVA's Internet-connected corporate network had connections to power production systems, meaning vulnerabilities that affect the corporate network could be exploited to affect the power production side as well. The report also found that the corporate network was behind on software security updates and anti-virus protection, and that measures put in place to protect the network, such as firewalls and intrusion detection systems, were easy to circumvent. US Representative Jim Langevin (D-RI), chairman of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said he does "not get the sense that we are addressing cybersecurity with the seriousness that it deserves."
[Editor's Note (Ranum): Firewalls?? What kind of isolated network needs a firewall? Oh... wait... don't tell me... Let me try that again: what kind of idiot would hook a power plant's network to any other network?
(Schultz): Power plants are truly a time bomb waiting to explode in several ways. In contrast to not too many years ago, many of the special systems in these plants are now IP-based and capable of full network connectivity, thus making them as well as other systems on power plant networks potentially highly susceptible to a wide range of attacks. Worse yet, vendors of these systems have too often done little if anything to improve their security capabilities. ]
Proposed UK law Would Expand Data Retention Requirements for Telecom Providers (May 20, 2008)
Proposed legislation in the UK, known as the Communications Data Bill, would extend the data retention requirements of the Regulation of Investigatory Powers Act (RIPA), which presently requires telecommunications service providers to keep information about customers' phone calls and text messages for one year. The new law would expand the required information to include who initiated a communication, when it occurred and how long it lasted; the content of the communications would not be retained. The information would be held in a single database, which has raised concern in light of the recent data security problems at government entities. Police and other law enforcement officials would be allowed access to the database with permission from the courts.
[Editor's Note (Frantzen): This is an implementation in national law of an EU directive. It's causing concern in many countries in the EU, but people seem to not realize that their telcos already keep that data. One of those interested in using the data is marketing when they match up customers with products (plans) or when they devise new products. ]
IMPACT and SANS Will Work Together to Improve Global Cyber Security (May 21, 2008)
The SANS Institute has made a US $1 million contribution to the International Multilateral Partnership Against Cyber-Terrorism (IMPACT). IMPACT and SANS will work together to help developing countries strengthen their online security through hands-on training in forensics, intrusion detection, penetration testing and other cybersecurity skills. The Malaysian Prime Minister hosted the meeting where SANS made the announcement. Dr Hamadoun Toure, Secretary General of the International Telecommunications Union of the United Nations, also announced support for IMPACT at the meeting.
NY Governor Introduces Stronger ID Theft Laws (May 22, 2008)
New York Governor David Patterson has introduced legislation aimed at protecting citizens from identity fraud and theft. The bill would restrict how employers may use employees' personal information and allow residents of New York to put their names on "exclusion lists." In addition, the bill would make it a crime to possess a skimmer device when there is intent to use it to commit data theft.
[Editor's Note (Paller): This is important news and shows real leadership by the Governor and the Legislature. My niece, who's been a prosecutor in New York for the past half decade, tells me that the current laws allow the low-level criminals to be incarcerated but essentially give the high-level criminals a "get-out-of-jail-free" card. This new legislation appears to be a first step toward making it more risky to commit identity theft in New York. Kudos to the new Governor and the Legislature. ]
THE REST OF THE WEEK'S NEWS
Lawsuit Filed Against LendingTree (May 20, 2008)
A lawsuit seeking class action status has been filed against LendingTree LLC in US District Court in Manhattan. The suit alleges that LendingTree did not sufficiently protect sensitive data in its customer loan request forms. In April, LendingTree acknowledged that several employees provided a number of mortgage lenders with access to the data, which include names, Social Security numbers (SSNs) and income. LendingTree has filed a lawsuit against two former employees and several mortgage lenders.
[Guest Editor's Note (Veltso): As this case illustrates, there is more to a good password policy than setting minimum length and complexity requirements. Monitoring access to sensitive data by location and by user would have provided advance warning of this type of behavior. Think of it as the ability to detect unauthorized personnel in your (paper) records room. ]
Man Pleads Guilty to Selling Pirated Software (May 15, 2008)
Jeremiah Joseph Mondello has pleaded guilty to criminal copyright infringement, aggravated identity theft and mail fraud. Mondello sold more than US $1 million worth of counterfeit software through online auctions; he made more than US $400,000 in profits. Mondello also used keystroke loggers to steal sensitive information from his customers and used that information to establish online payment accounts. Mondello faces maximum penalties of 27 years in prison and a US $500,000 fine.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple iCal Flaws Disclosed Before Fix is Available (May 22, 2008)
Core Security Technologies has published details of three remotely exploitable vulnerabilities in Apple's iCal application. Core Security told Apple of the flaws in January and waited for nearly four months while Apple mulled over the issue. One of the flaws is a memory corruption vulnerability that can be exploited by tricking users into opening maliciously crafted .ics files. The others are null pointer vulnerabilities. The flaws could be exploited to execute arbitrary code or create denial-of-service conditions. Apple has not said when it will release patches for the flaws.
[Editor's Note (Ullrich): With its increase in market share, Apple has to make sure its vulnerability response process is keeping up with all the attention the platform is now receiving. This vulnerability is very similar to Windows vulnerabilities used for spear phishing.
(Skoudis): Since I upgraded to Leopard, I've absolutely hated the new iCal because its GUI is far harder to use than the earlier version, something surprising from Apple software. Now, these vulnerabilities make me even more leery of the product. I want my old iCal back. ]
Cisco Patches Three Vulnerabilities (May 22, 2008)
Cisco Systems has issued patches for a trio of vulnerabilities that could be exploited to crash its products. Two are denial-of-service flaws that affect the Secure Shell (SSH) server implementation in Cisco IOS and the Cisco Service Secure Control Engine (SCE). The other is a privilege escalation flaw that affects the Cisco Unified Customer Voice Portal (CVP).
[Editor's Note (Skoudis): The SSH one concerns me because a lot of routers are accessible via SSH for management purposes. Most enterprises don't patch IOS well at all, so this one could linger for quite a while, exposing us to significant denial of service risk. Please consider testing and deploying these patches sooner rather than later. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank of New York Mellon Backup Tape Lost (May 22, 2008)
Connecticut Attorney General Richard Blumenthal wants to know how the Bank of New York Mellon lost unencrypted computer backup tapes that hold personally identifiable information of more than 4 million customers. The box of tapes was lost in February; the tapes contain names, addresses, SSNs and possibly account numbers and balances. The breach affects several hundred thousand Connecticut customers of People's United Bank; Bank of New York had the data because it was helping People's through a business transition. Blumenthal wants to know why Bank of New York waited until just six weeks ago to start notifying affected customers. Blumenthal himself did not learn of the breach until earlier this week. In a related story, Connecticut Governor M. Jodi Rell has directed the state's Consumer Protection Division to subpoena Bank of New York Mellon Corp. and People's United Bank.
[Editor's Note (Pescatore): In a perverse way, a lost backup tape is almost something to celebrate. There is almost never an actual identity theft incident that comes from the tape loss, but it catches management's attention and makes it a lot easier to get the funding to make process and technology (like encryption) improvements. Of course, always better if it happens to your competitor, so if you are in financial services make sure you are taking advantage of BoNY's woes.
(Ullrich): Erasing data is a time-consuming process. While recent studies show that a one-pass overwrite is sufficient, it can still take many hours, and verifying that the overwrite took place can take as long. It is best to physically destroy old hard drives because their retail value is very low. Many computer retailers now allow customers to keep damaged hard drives and no longer ask for them to be sent back in case of a warranty claim. ]
Used Server Held 5,000 SSNs (May 21, 2008)
A man who bought used computer equipment at an auction found that one of the servers contained 5,000 SSNs from the Oklahoma state Tax Commission and the Corporation Commission. Oklahoma state policy requires that the agency discarding computer equipment be responsible for erasing any data before the equipment is sold. The Oklahoma Corporation Commission has begun removing hard drives from equipment it sells at state auctions.
[Editor's Note (Pescatore): Also make sure you realize that it is not just PCs and servers that have hard drives in them. Printers, copiers, and all kinds of other office machinery and appliances have hard drives or other non-volatile memory that needs to be cleansed before surplusing. ]
Moody's Share Price Drops After Rating Glitch is Disclosed (May 20, 21 & 22, 2008)
The bond ratings company Moody's saw its share price drop nearly 16 percent on Wednesday after it was disclosed that a computer problem in 2007 gave AAA ratings to some financial products that did not deserve them. Although the glitch was discovered and fixed early last year, it was not made public until recently. Connecticut Attorney General Richard Blumenthal is investigating the possibility of fraud and a cover-up. According to a Financial Times article, some senior staff were aware of the problem but did not disclose it at the time.
Thai Authorities May Shut Down Sites Deemed Offensive to King (May 20, 2008)
Authorities in Thailand are considering shuttering 29 websites for displaying content that insults the nation's King Bhumibol Adulyadej. Last year, Thailand banned YouTube for five months over similarly offensive videos; the ban was lifted only after YouTube put filters in place to block those videos from being seen in Thailand. The Commander of Special Branch Police said that websites that allow insulting messages to be posted could be prosecuted. The websites in question include some that are hosted outside of Thailand.
UPCOMING SANS WEBCAST SCHEDULE:
WhatWorks in Intrusion Prevention and Detection: Peering Deeply into the Network at Weill Cornell Medical College
WHEN: Wednesday, May 28, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ben Nathan & Weill Cornell Medical College
Sponsored By: Sourcefire
An inability to see deep inside its network to determine security weaknesses and other potential concerns prompted Weill Cornell Medical College to seek an intrusion detection system. The SNORT rules community helped to put Sourcefire at the top of the pile, but it was the RNA (Real-time Network Awareness) option, which provides even greater insight and reduces false positives, that closed the deal.
SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
Sponsored By: Core Security
Ever want to pull a chair up to the SANS lunch table? Here's your chance to get some virtual face time with three of the "cool kids" from SANS as they discuss the latest topics on the information security threat horizon, including new attacks to look out for and what to do about them.
Tool Talk Webcast: Log Management: No Longer Optional - How to Choose the Right Tool for the Job
WHEN: Tuesday, June 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Andrew Hay
Sponsored By: Q1 Labs
Both network and security professionals agree - a log management solution is no longer optional. It's now a required tool in their arsenal. Unfortunately, many of their log management projects have failed because the solution they chose was unable to support the size and scope of the deployment and/or effectively deliver useful results. During this webcast Andrew Hay will discuss important considerations when selecting and deploying a log management solution for your organization and how to avoid some of the pitfalls.
SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
Sponsored By: LogLogic
The fourth annual Log Management Survey will compare and contrast how respondents use their log data, their challenges, and what they hope to derive out of their log data in the future.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/