iPad Pro w/ Magic KB, Surface Go 2, or $350 Off with OnDemand Training - Register Now

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #6

January 22, 2008


Cyber Espionage is on the Rise
Customs Official Sentenced for Selling Access to Government Database
FERC Releases Electric Utility Cybersecurity Standards
Ireland Will Start Retaining eMail and Chat Data


RIAA Must Pay Defendant's Legal Fees
Stolen MoD Laptop Affects 600,000 Armed Forces Applicants
IRS Blames Kansas City Officials For Data Tape Loss
House to Hold Hearing on Missing White House eMails
Citrix Issues Fixes for Code Execution Flaw in Several Products
Missing Tape Holds Data on 650,000 Retail Consumers
Stolen Tennessee Election Commission Laptop Recovered
ICO to Question Facebook on Data Privacy Practices
Cyber Thieves Going After Americans' Healthcare Data

******************** Sponsored By Clearwell Systems *********************

What do the Security, Compliance, and Investigation teams at Constellation Energy and KLA-Tencor have in common? They all slashed the duration of corporate investigations and incident response time by 80%. Learn how - download the free Corporate Investigation Best Practices white paper.



Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?

- - Las Vegas (3/17 - 3/18) Penetration Testing Summit:
(this is an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) SANS' biggest: http://www.sans.org/sans2008
- - and in 100 other cites and on line any-time: www.sans.org



Cyber Espionage is on the Rise (January 15, 18 & 21, 2008)

There is a growing body of evidence that cyber attackers are turning their attention to espionage in both the public and private sectors. The US government has reported what appear to be systematic attacks on computer systems at research laboratories across the country. Private companies have been targeted as well. Cyber espionage ranks third on the SANS Top Ten Cyber Menaces for 2008. Attackers appear to be using spear phishing, in which phony email messages that appear to come from a trusted source are tailored to a small group of individuals at an organization. The IP addresses used in the attacks make them appear to come from China; whether or not that is where the attacks are originating, China seems not to be taking any steps to thwart the attacks. Evidence indicates that the attackers are focused and persistent, attacking the same place hours after hour, day after day. The attacks are sophisticated as well - they do not contain the usual errors associated with small-time hacking groups. In addition, a recent New Yorker article profiling US Director of National Intelligence Mike McConnell reports that the US Defense Department detects approximately two million suspicious probes on its network every day; the State Department also detects approximately two million such probes every day.



[Editor's Note (Northcutt): Not exactly news! However, sometimes you have to hold the obvious before people. Needless to say a real key here is detection. In the course I author and teach, Security Leadership Essentials, I teach managers how to assess whether their folks have the ability to go beyond what their IDS consoles are reporting. Please forgive the ad, but the best detection training available anywhere is SANS Intrusion Detection in Depth and if you can schedule a class taught by Mike Poor or Johannes Ullrich, they are two of the best detection guys in industry. If your organization does not have at least a few GIAC Certified Intrusion Analysts you probably are being sliced wide open right now.:

Customs Official Sentenced for Selling Access to Government Database (January 21, 2008)

US Customs Service agent Rafael Pacheco has been sentenced to more than seven years in prison for selling access to information in the Treasury Enforcement Communications System (TECS) database. He was found guilty of receiving a bribe, hindering law enforcement, money laundering, obstructing justice, and unlawfully accessing restricted federal computer databases. The case underscores the data privacy concerns among other countries about the FBI's intention to compile an international criminal database.
[Editor's Note (Northcutt): both reporters pick up on the key point, massively sensitive government databases need to be equipped with controls and audited. The government needs to enforce the principle of least privilege and the states are right to challenge Real ID AKA National Drivers License because that database will be badly abused:

FERC Releases Electric Utility Cybersecurity Standards (January 18 & 19, 2008)

The Federal Energy Regulatory Commission has issued a final rule, Mandatory Reliability Standards for Critical Infrastructure Protection, describing an approved list of cybersecurity standards for electric utilities. The standards include critical cyber asset identification; security management controls; personnel and training; electronic security perimeters; physical security of critical cyber assets; systems security management; incident reporting and response planning; and recovery plans for critical cyber assets. The timing seems especially apt considering last week's disclosure by the CIA that power grids in several foreign countries have come under attack, causing a power outage in at least one city. Speaking at a recent SANS conference in New Orleans, CIA analyst Tom Donahue said the attacks were financially motivated; the attackers made extortion demands. He did not identify the locations of the power grids that were attacked.



Ireland Will Start Retaining eMail and Chat Data (January 19 & 21, 2008)

To satisfy the requirements of a European Union (EU) directive, Ireland will begin retaining records of its citizens' emails and Internet chats. While the content of the communications will not be retained, records of the IP addresses of the participants, the time and date of the communication, and the physical size of the message would be stored. The plan would take effect within one month through a statutory instrument in lieu of introducing legislation in Parliament because the country has received notice from the EU that it is three months overdue in implementing a data retention plan. A civil liberties organization has voiced its opposition to the plan as well as the way in which it is being implemented. The group maintains that law enforcement officials will be permitted to access the retained data without court orders or warrants.
[Editor's Note (Honan): In our struggle to maintain a free and democratic society we need to ensure that the laws we introduce and the steps we take to protect those freedoms don't in themselves become tools to be used against us. We need assurances that appropriate safeguards, controls, accountability and transparency are maintained at all times and that any misuse of the information will be dealt with swiftly and severely. Unfortunately the proposed legislation is not clear on what these measures, if any, are.]

************************* Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/22633

2) Join SSH in introducing SSH Tectia ConnectSecure enhanced file transfer capabilities for all SSH environments! http://www.sans.org/info/22638

3) Over 450 security professional participated in the 2007 Web Security Leadership Survey. Get the results at http://www.sans.org/info/22643




RIAA Must Pay Defendant's Legal Fees (January 17, 2008)

A US District Judge in Oregon has ruled that the Recording Industry Association of America (RIAA) must pay the legal fees of Tanya Andersen. In February 2005, Andersen was sued by the RIAA for alleged copyright violations for filesharing, but the RIAA dropped the case for lack of evidence. The case was ultimately dismissed with prejudice, which means Andersen could pursue legal fee recovery from the plaintiff. A federal magistrate awarded Andersen the legal fees last fall, but the RIAA appealed. Last week's decision upheld the magistrate's ruling. Andersen is pursuing a separate lawsuit against the RIAA.

[Editor's Note (Northcutt): I understand the need to protect copyrighted material, but the series of articles at the bottom of theregister.co.uk URL above make these guys sound like thugs. If it is true they impersonated her 10 year old daughter's grandmother to get information, I hope the person responsible does time. ]


Stolen MoD Laptop Affects 600,000 Armed Forces Applicants (January 19 & 20, 2008)

The UK Ministry of Defence (MoD) has acknowledged that a laptop computer stolen from a car holds personally identifiable information of approximately 600,000 people who applied to join the armed forces in the last decade. The laptop was taken from a junior naval officer's car. Approximately 150,000 of the records are of active duty members, and of those, 3,500 records include bank information. The other information on the laptop includes names, passport data, and NHS numbers. This incident is similar to other UK government data losses that have become public recently - old data were retained long after they were needed, and junior personnel had access to the data and the authority to copy the data onto a laptop. MoD has admitted that 571 laptops have been lost or stolen over the last decade.

[Editor's Note (Honan): Yet again we see a junior official being made the scapegoat for a data breach. Senior Management need to step up to the mark and take responsibility and accountability for not ensuring policies, controls and appropriate training are in place to prevent large amounts of data being accessed and downloaded databases onto an insecure device. ]

Related: A Timeline of Public and Private Sector Data Loss in the UK

IRS Blames Kansas City Officials For Data Tape Loss (January 19, 2008)

According to a report obtained through the Freedom of Information Act (FOIA), 26 IRS backup tapes reported missing in 2006 hold data belonging to an unspecified number of taxpayers. The report from the Treasury Department's inspector general for tax administration places the blame for the lost tapes on Kansas City officials. According to the report, "the city did not follow and was not following the proper safeguards for protecting federal tax return information." Much of the document released under FOIA was redacted; an additional 105 pages were not released at all because of concerns that it "could impede... law enforcement activities."

House to Hold Hearing on Missing White House eMails (January 17 & 18, 2008)

A congressional hearing scheduled for February 15 will look into reports that 473 days of White House email records are missing. While "the Presidential Records Act requires that all White House email be saved," CIO of Office of Administration Theresa Payton said in January 15 testimony that backup tapes containing some of the missing email were recycled and files on them overwritten. Payton testified that the recycling practice began at the start of the present Bush administration and continued through 2003, but there is evidence that email messages from as recently as 2005 are missing. There are also many days for which the amount of archived email is unusually low.



[Editor's Note (Schultz): It seems ironic that the US government is trying to push e-Discovery legislation through while the White House cannot find records that the law requires be saved.]


Citrix Issues Fixes for Code Execution Flaw in Several Products (January 15 & 18, 2008)

Citrix has released security updates for a remote code execution flaw in the IMA Service used by Citrix Presentation Server. Attackers could exploit the vulnerability by sending a maliciously crafted packet to create a buffer overflow condition, which would allow arbitrary code execution. The vulnerability affects all versions of Citrix MetaFrame and Presentation Server up through and including 4.5, as well as Citrix Access Essentials and Citrix Desktop Server. Administrators are encouraged to apply the fixes as soon as possible; they are also urged to block incoming traffic on ports 2512 and 2513 at the firewall.


Missing Tape Holds Data on 650,000 Retail Consumers (January 18, 2008)

Approximately 650,000 retail consumers may be at risk of fraud due to a missing backup tape. The unencrypted tape contains data from GE Money, a company that "manages in-store credit-card programs for
[hundreds of ]
US retailers." An estimated 150,000 of the records also contain Social Security numbers (SSNs). GE Money became aware the tape was missing in October 2007 and began notifying affected customers by letter in December. The data on the tape belong to customers of 230 US retailers, including J.C. Penney.


Stolen Tennessee Election Commission Laptop Recovered (January 18, 2008)

The hard drive from a laptop computer stolen from the Davidson County (Tennessee) Election Commission in late December has been recovered. The drive holds personally identifiable information of approximately 337,000 registered voters. One man has been arrested; law enforcement officials expect to make more arrests in connection with the theft. Other stolen items were recovered as well. The drive is being examined to determine if any data were accessed or altered.


ICO to Question Facebook on Data Privacy Practices (January 18, 2008)

The UK Information Commissioner's Office (ICO) plans to question Facebook regarding the social networking site's data privacy policies. The investigation was prompted by a Facebook user's complaint that even after deactivating an account, personal information was still retained on Facebook servers. If users want to delete all profile information, they must log in to their account and delete the content themselves. The ICO is concerned that this may be too much to ask of some users. The ICO adheres to the idea, codified in the UK Data Protection Act, that organizations should retain data only as long as necessary. The ICO hopes to help make it clearer to Facebook users exactly what happens to the information they post to their accounts.

Cyber Thieves Going After Americans' Healthcare Data (January 17, 2008)

US Department of Homeland Security analyst Mark Walker says that foreign cyber thieves are trying to steal Americans' healthcare records. Speaking at a National Institute of Standards and Technology (NIST) workshop, Walker said that early last year, the Centers for Disease Control and Prevention website became infected with malware, and last spring, a computer holding information about a military health insurance program was broken into. It is unclear why the attackers are seeking healthcare data.
[Editor's Note (Schultz): Most states within the US have passed data security breach notification laws that apply to theft of personal and financial information. Similar legislation should now also be passed for data security breaches involving theft of medical information.]


We received insightful commentary from NewsBites editor emeritus William H. Murray regarding the story about the Fifth Amendment ruling in Vermont. Here is our summary as it ran on Friday, followed by Mr. Murray's comments.

Federal Government Appeals Judge's Decryption Key Decision (January 16, 2008)
The federal government has appealed a decision by a judge in Vermont that has prevented a man from divulging the password necessary to decrypt his computer. Magistrate Judge Jerome J. Niedermeier said that to force an individual to enter the password into his computer is a violation of the Fifth Amendment, which grants protection from self-incrimination. The case involves a Canadian citizen with legal residency in the US whose computer was found to contain child pornography. The computer was seized, but the government has been unable to access data in drive Z because it is protected by PGP encryption. (please note this site requires free registration)

[Editor's Note (Pescatore): In the US (and I think at least also Canada) there is certainly legal precedent for law enforcement using court orders to require a suspect to open a locked desk drawer, locker or safe. So, it is hard to see how in the long run this same thinking wouldn't extend to decrypting data - entering a password is pretty equivalent to entering a combination. But in the short run technology always moves faster than laws and regulations.
(Schultz): The judge's ruling makes considerable sense given that the US Bill of Rights guarantees that a person does not have to testify against himself. Requiring an accused person to surrender a password, encryption key, or some other object that allows investigators to access evidence against that person is in reality equivalent to forcing someone to provide self-incriminating testimony. ]

Bill Murray wrote:

When it is too good to be true, it isn't. I do not think that this ruling will stand up under appeal, in or out of Vermont. The fundamental rule is that the court is entitled to any and all records. One cannot be forced to make an incriminating record. Once one makes it, the court is entitled to see it. The analogy is to a vault. If there is "probable cause" to believe that a crime has been committed, a court will issue a warrant and the owner of the vault is compelled to open it.

The protection against self-incrimination is to protect the citizen from torture and a conviction based upon nothing but a coerced confession. However in the case of the vault or the laptop, the contents speak for themselves. The contents are incriminating or they are not. If they are not, no amount of coercion will make them so; constitutional protections are not necessary. If they are, then they should be available to the court.

Note that one may not even destroy records; if one cannot destroy them, one may not conceal them.
[One might think that it is better to be held in contempt of court than for "child pornography." However, courts do not like to be disobeyed and have very strong sanctions at their command. ]

There may be an issue of "probable cause" here. The court would not issue a warrant for the combination of the vault or the pass-phrase of the laptop in the absence of probable cause. Courts will not issue warrants for fishing expeditions. Courts are entitled to all records but investigators are not.
[At least they are not entitled to one's own records. However, under the USA PATRIOT Act, they are entitled to everyone else's records about one. ]

Note that in order to get a warrant, one may have to be able to demonstrate that both a cryptogram and a key exists. In this case that is stipulated to. However, without a stipulation or a showing, one could be jailed simply for having random looking data on one's hard drive.

Let us hope for an appeal so that a precedent can be established. Note that it is the prosecutors who must appeal in this case and they have all the money necessary.

I was fairly confident that we would get an appeal.


SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani

Sponsored By: eIQnetworks

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)

Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)

Sponsored By: Lumigent

How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit?
What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database?
These and other questions will be answered when, on Feb. 5, SANS analyst

Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.

We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

SANS Special Webcast: A Brief History of Hacking with Dave Shackleford
WHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford

Sponsored By: Core Security

Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.

Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers.

You'll hear Dave's take on lessons learned from hacking milestones, including:

The early days of phone phreaks and bulletin boards The growth of hacker gangs and 2600: The Hacker Quarterly The 75-cent accounting error that led to an international crime investigation Bill Cheswick's evening with "Berferd" The first malware and Trojan horse programs

At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!

WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry

Sponsored By: Sourcefire

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/