Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #42

May 27, 2008

TOP OF THE NEWS

Gartner: Many Data Security Breaches Still Not Reported
Deutsche Telekom Accused of Accessing Retained Call Data

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Phisher Who Stole US $288,000 Draws Three-Year Sentence
Connecticut Bank Customers File Lawsuit Over Missing Backup Tapes
Significant Player in Software Piracy Scheme Convicted of Conspiracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
AusCERT Attendees Receive Malware-Infected USB Drives
Cross-Site Scripting Flaw in Facebook
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Bank of Ireland Laptops Held Other Banks' Info, Too
Doctor Resigns After Donated Computer Compromises Patient Data
MISCELLANEOUS
TJX Fired Employee for Making Posts About Lax Security
LIST OF UPCOMING FREE SANS WEBCASTS


********************** Sponsored By HP (SPI Dynamics) *******************

Top 4 AJAX Security Dangers - Free White Paper!
Are you ready for AJAX? Hackers definitely are!
With the growth of Web 2.0 and Rich Internet Applications (RIA), developers are rapidly adopting AJAX and unknowingly exposing serious security risks. This free whitepaper, from HP Software, 'AJAX Security Dangers', provides more information about AJAX and its risks.
http://www.sans.org/info/29259

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21) http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

TOP OF THE NEWS

Gartner: Many Data Security Breaches Still Not Reported (May 23, 2008)

A recent study from Gartner found that many retail data security breaches in the US are not being reported to customers. Of 50 US retailers surveyed, 18 said they knew they had experienced a data breach, but just three of the retailers had publicly disclosed the breach. While the small sample precludes drawing hard conclusions, the trend suggests that "there are a lot more breaches than we hear about," according to Gartner analyst Avivah Litan. Four of the retailers participating in the survey had been fined for failing to comply with Payment Card Industry (PCI) standards, and 11 more were threatened with fines.
-http://www.pcworld.com/businesscenter/article/146278/most_retailer_breaches_are_
not_disclosed_gartner_says.html

[Editor's Note (Schultz): The Gartner Group is almost without a doubt correct. Cover-ups of data security breaches are much more frequent than most people suspect, and many organizations do not take statutes concerning mandatory reporting of these breaches to potential victims very seriously.
(Paller) A similar situation exists in federal agencies where agencies report thousands of limited compromises and minor data breaches to US-CERT, but conveniently forget to report the really important ones. You'll hear about one important government (very senior official's) laptop loss on Friday. ]

(Honan): PCI could be strengthened if the names of retailers that are and are not compliant were made public. That would significantly raise the value of compliance for the retailer. ]

Deutsche Telekom Accused of Accessing Retained Call Data (May 24 & 26, 2008)

In a situation reminiscent of the Hewlett-Packard scandal a few years back in the US, Deutsche Telekom is suspected of having snooped on communications to determine the source of leaks to the media involving sensitive information. The Deutsche Telekom internal security unit allegedly used stored information, including numbers dialed, dates and durations of calls to look for connections between Telekom executives and media reporters. The breaches allegedly took place three years ago, and both public prosecutors and a private law firm are investigating. No calls were tapped, according to Telekom, but the stored data were accessed without authorization. The German government is urging Deutsche Telekom to be forthcoming with information about how investigators obtained the information.
-http://www.dw-world.de/dw/article/0,2144,3357090,00.html
-http://www.topnews.in/law/berlin-urges-telekom-disclose-how-snoopers-got-phone-d
ata

-http://www.spiegel.de/international/business/0,1518,555363,00.html
-http://www.allheadlinenews.com/articles/7011066534
[Editor's Note (Honan): This story is a prime example of how EU Data Retention legislation can be used for purposes other than intended. ]


************************* SPONSORED LINK ******************************

1) Where Is Your Confidential Data and How Do You Protect It? A Customer Success Story
https://ww.sans.org/info/29254

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Phisher Who Stole US $288,000 Draws Three-Year Sentence (May 23, 2008)

The High Court in Auckland, New Zealand has sentenced Thomasz Grygoruk to three years in jail for blackmail and document and computer fraud. Grygoruk used a sophisticated phishing scheme to steal people's financial information that he then used to create phony ATM cards. He stole as much as AU $300,000 (US $288,000) from their accounts. Grygoruk also attempted to blackmail a man in the US; that man called the FBI, which ultimately became involved in the investigation and helped to bring Grygoruk to justice. Justice Lyndon Stevens also ordered that the computer equipment Grygoruk used to commit the crimes be destroyed.
-http://www.nzherald.co.nz/feature/story.cfm?c_id=1501833&objectid=10512131

Connecticut Bank Customers File Lawsuit Over Missing Backup Tapes (May 23, 2008)

Some customers of Peoples United Bank of Bridgeport (Connecticut) have filed a lawsuit regarding the loss of backup tapes containing personally identifiable sensitive information. The suit, which seeks class action status, was filed against both Peoples and Bank of New York Mellon, the institution that lost the tapes. The plaintiffs are seeking extended credit monitoring, credit insurance and punitive damages. Connecticut Governor M. Jodi Rell says Bank of New York Mellon did not inform Peoples of the breach in a timely manner; Connecticut state law requires that customers affected by a data security breach be notified immediately.
-http://www.fayobserver.com/article_ap?id=123206

Significant Player in Software Piracy Scheme Convicted of Conspiracy (May 22, 2008)

Barry Gitarts has been convicted of conspiracy to commit criminal copyright infringement. Gitarts played a significant role in an Internet piracy group known as the Apocalypse Production Crew (APC). According to court records, Gitarts funded and administered a server that was used to upload and download pirated content, including music, software and movies. APC appears to have been a "first-provider," meaning it was the original source for much pirated content on the Internet. Gitarts' conviction is the 15th for members of APC. He is scheduled for sentencing on August 8, 2008, when he will face as many as five years in prison, a US $250,000 fine, and three years of supervised release. In addition, he could be required to make full restitution for his actions.
-http://www.cybercrime.gov/gitartsConvitct.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

AusCERT Attendees Receive Malware-Infected USB Drives (May 23, 2008)

Attendees at the recent AusCERT conference on Australia's Gold Coast received USB drives from Telstra that were inadvertently infected with malware. The malware exploits autorun to install itself onto devices into which they were plugged. The USB drives were "certified pre-owned." Telstra recalled the drives as soon as it learned of the problem.
-http://blogs.zdnet.com/security/?p=1173
-http://searchsecurity.techtarget.com.au/articles/24758-Telstra-distributes-malwa
re-infected-USB-drives-at-AusCERT

[Editor's Note (Ullrich): Handing out free USB drives is very popular. At this year's RSA conference, each attendee received a USB drive which included the conference proceedings. This particular USB drive was equipped with 'U3' technology to make it auto-run enabled. Please take a minute and check that you disabled auto-run.
(Paller): Last month HP Australia reported some of the USB keys shipped with its ProLiant servers were infected with Fakerecy and SillyFDC viruses. And last summer, attendees at a national security conference sponsored by a public-private partnership were also given infected usb thumb drives. These events are just the tip of the iceberg. Supply chain attacks where infections are embedded in usb devices have already ruined Christmas for a bunch of people who got infected digital picture frame from their relatives or friends. ]

Cross-Site Scripting Flaw in Facebook (May 23, 2008)

A cross-site scripting vulnerability in Facebook could be exploited to steal users' login credentials and take control of their accounts.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9088940&source=rss_topic17

-http://www.informationweek.com/blog/main/archives/2008/05/facebook_vulner.html
[Editor's Note (Skoudis): Cross-Site Scripting (XSS) flaws are a plague. I've been working a lot lately on analyzing how network penetration testing and web app pen testing can be folded together to exploit vulnerabilities in a much more powerful way than either could separately. In this work, I've seen that XSS and SQL injection are incredible vectors for such combined attacks. Although a flaw in Facebook or related sites may seem less than important to most enterprises, if unpatched, it could lead to bigger attacks inside your enterprises by exploiting browsers that access such sites. (Ullrich): Preventing cross site scripting in sites like Facebook is hard work, in part because preventing cross site scripting also stops users from taking advantage of the html markup capabilities they are used to and which are part of the site. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Bank of Ireland Laptops Held Other Banks' Info, Too (May 25, 2008)

It has recently come to light that the four Bank of Ireland laptop computers reported stolen in April contained not only account details for 31,500 of its own Bank of Ireland Life customers, but also of 1,500 customers of other banks. Those banks include AIB, Ulster Bank and National Irish Bank. It is not uncommon for the bank to have account information from other banks, as some customers make payments with direct debits from other accounts.
-http://www.thepost.ie/ezineSBP/story.asp?storyid=33180

Doctor Resigns After Donated Computer Compromises Patient Data (May 20 & 25, 2008)

A Jacksonville, Florida physician has resigned from his position after learning that a used computer he gave to a family he was acquainted with contained sensitive patient data. Dr. Francis D. Ong was an assistant professor of plastic surgery at the University of Florida College of Medicine's Jacksonville campus; he had used the machines to store patient pictures and identifying data, including names and Social Security numbers (SSNs). The computer has been recovered and all affected patients have been notified of the incident. The family that received the computer says they never viewed the information. They also replaced the operating system, resulting in the loss of most of the data.
-http://www.theledger.com/article/20080525/NEWS/805250381/0/FRONTPAGE
-http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html

MISCELLANEOUS

TJX Fired Employee for Making Posts About Lax Security (May 23 & 26, 2008)

TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx store for making posts to a forum about the company's lax security practices, even after the notable breach. The employee, Nick Benson, said in several posts that except for a period of time following the breach disclosure when a strong password policy was enforced, the employee password at his store's server was set to blank. In addition, at one point a store server was running in administrator mode. When Benson began work at TJX, his password was the same as his user name. TJX says Benson was fired for disclosing confidential company information.
-http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html
-http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111
[Editor's Note (Schultz): Once again TJX is proving itself to be a villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls store, but I always pay cash--I would never use a credit card because of TJX's huge security deficiencies. And if Nick Benson reads this comment, I would encourage him to contact me, because I will do everything in my power to help him find another job. ]

UPCOMING SANS WEBCAST SCHEDULE

WhatWorks in Intrusion Prevention and Detection: Peering Deeply into the Network at Weill Cornell Medical College
WHEN: Wednesday, May 28, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ben Nathan & Weill Cornell Medical College
-http://www.sans.org/info/27129

Sponsored By: Sourcefire
-http://www.sourcefire.com/

An inability to see deep inside its network to determine security weaknesses and other potential concerns prompted Weill Cornell Medical College to seek an intrusion detection system. The SNORT rules community helped to put Sourcefire at the top of the pile, but it was the RNA (Real-time Network Awareness) option, which provides even greater insight and reduces false positives, that closed the deal.

SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
-http://www.sans.org/info/27139

Sponsored By: Core Security
-http://www.coresecurity.com/

Ever want to pull a chair up to the SANS lunch table? Here's your chance to get some virtual face time with three of the "cool kids" from SANS as they discuss the latest topics on the information security threat horizon, including new attacks to look out for and what to do about them.

Tool Talk Webcast: Log Management: No Longer Optional How to Choose the Right Tool for the Job
WHEN: Tuesday, June 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Andrew Hay
-http://www.sans.org/info/28704

Sponsored By: Q1 Labs
-http://www.q1labs.com/

Both network and security professionals agree - a log management solution is no longer optional. It's now a required tool in their arsenal. Unfortunately, many of their log management projects have failed because the solution they chose was unable to support the size and scope of the deployment and/or effectively deliver useful results. During this webcast Andrew Hay will discuss important considerations when selecting and deploying a log management solution for your organization and how to avoid some of the pitfalls.

SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
-http://www.sans.org/info/28709

Sponsored By: LogLogic
-http://www.loglogic.com/

The fourth annual Log Management Survey will compare and contrast how respondents use their log data, their challenges, and what they hope to derive out of their log data in the future.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/