OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #63

August 11, 2008


Georgia Receives International Help in Wake of Cyberattacks
US Intelligence Issues Warning About Traveling Abroad with Electronic Devices
Data Breach Indictment Reveals Alleged Breaches Not Previously Disclosed
Judge Grants MBTA Request for Injunction Against MIT Researchers
Ohio Sec. of State Sues eVoting Vendor for Dropped Votes
Top Ten Courses named at SANS Network Security 2008


Irish Social Welfare Data on Missing Laptop
Australian ISPs Urged to Join Fight Against Piracy
Dutch Police Notify Users Infected with Bot Malware
Wells Fargo Codes Used to Access Consumer Data at Reseller
 BBC Apologizes for Losing Children's Data
 Texas Hospital Patient Data on Missing USB Drive
Many Businesses in Dublin Shopping District Using Unsecure Wireless Networks
Cybersecurity Advice for Next President

**************** Sponsored By BlueCat Networks, Inc. *******************

IP Address Management is much more than just a marriage between DNS and DHCP services.  Given the network challenges of VoIP, RFID tags, wireless authorized devices, Virtual Servers/ Clients, and IPv6, 3rd generation IP Address Management brings with it urgency in moving away from spreadsheets, homegrown, and legacy solutions to intelligent IPAM solutions.



- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lot's of evening sessions: http://www.sans.org/ns2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cites and on line any time: http://www.sans.org/index.php



Georgia Receives International Help in Wake of Cyberattacks (August 11, 2008)

The Georgian presidential website and other government websites have once again been the target of cyber attacks. Similar attacks occurred in late July, prior to the outbreak of military conflict between Georgia and Russia regarding South Ossetia.  The malware used to launch the most recent distributed denial-of-service attacks appears to be a variant of Pinch; the command and control server used in the attacks is based in Turkey.  In a separate, related story, Poland's president Lech Kaczynski has made his official website available to the Georgian government so it can disseminate information about the conflict.  In addition, the website of Georgian President Mikhail Saakashvili was moved to a US hosting facility over the weekend. The attacks on the site are continuing.


[Editor's Note (Ullrich): There have now been some suggestions that the attack was organized in part by the infamous "Russian Business Network" (RBN) in cooperation with Russian intelligence services. See

(Honan): The Ministry of Foreign Affairs of Georgia has set up a Blog on Google to provide updates on the conflict at

while Wikipedia is also keeping track of events

US Intelligence Issues Warning About Traveling Abroad with Electronic Devices (August 5, 7, 9 & 11, 2008)

The US Office of the National Counterintelligence Executive (NCIX) issued a strongly-worded advisory for travelers warning them to take special precautions when traveling overseas with portable electronic devices.  The warning appears to be aimed specifically toward those travelling to China for the Olympic Games.  Security services in China are capable of tracking individuals' whereabouts through mobile phones and PDAs and of turning on microphones in devices without users' knowledge; users are urged to remove batteries from the devices when they are not being used.  Travelers should not take electronic devices with them unless they are absolutely necessary, and they should assume that if the devices are examined by customs officials or their hotel rooms are searched that the contents of their hard drives have been copied.  Travelers should also change all their passwords frequently during their travels and again as soon as they return home. All information sent electronically can be intercepted.  The advisory does not name China specifically, but in a television interview and a press release, NCIX head Joel Brenner did mention China.  The advisory also says, "In most countries you have no expectation of privacy in Internet cafes, hotels, offices, or public places."  Malware can be placed on the devices with USB drives or other freebies; by the same token, do not use your own USB drive in foreign computers.  It may be a good idea to encrypt the data on the devices, but customer officials in some countries may not permit travelers to bring in encrypted data.

Data Breach Indictment Reveals Alleged Breaches Not Previously Disclosed (August 11, 2008)

The recent indictments of 11 people in connection with the theft of payment card information from the wireless networks of nine large retailers was the first some consumers had heard of certain incidents, despite data breach notification laws in the majority of US states. While the TJX breach received a significant media coverage, breaches at other retailers, such as Boston Market, Forever 21 and Barnes and Noble came as a surprise.  Boston Market and Forever 21 said they did not notify customers because they had not been able to determine if customer data were actually stolen.
[Editor's Note (Schultz): Boston Market and Forever 21's reasoning shows just how little they value the welfare of their customers. Companies that value their customers' welfare would have notified them just in case there was a compromise. ]

Judge Grants MBTA Request for Injunction Against MIT Researchers (August 9 & 11, 2008)

A federal judge has issued an injunction preventing three Massachusetts Institute of Technology (MIT) students from presenting their research regarding vulnerabilities in the electronic payment system used by the Massachusetts Bay Transit Authority (MBTA).  Their research centered on manipulating the system to ride the transit system without paying. The complaint alleges that the students refused to provide the MBTA with the information they would present at DefCon.  The students plan to appeal the ruling and are being represented by the Electronic Frontier Foundation (EFF).


[Editor's Note (Honan): The recent judgement in the Dutch courts regarding the Oyster Card RFID Chip Hack

demonstrates that the courts should realize the problem lies with the weaknesses in the technology and not with those who discover them. ]

Ohio Sec. of State Sues eVoting Vendor for Dropped Votes (August 8, 2008)

Ohio Secretary of State Jennifer Brunner has filed a lawsuit against Premier Election Solutions seeking damages for dropped votes in Ohio's March primary election.  Premier, which was formerly known as Diebold, makes the evoting machines used in half the counties in Ohio. Problems with dropped votes arose in 11 counties; the discrepancies were caught and final counts corrected.  Officials from Butler County, where discrepancies were first detected, wrote to Premier in April asking for an explanation for the dropped votes.  Premier responded with a report in May that suggested that the problems were due either to human error or to problems with antivirus software.  A follow-up report suggested disabling antivirus software on voting tabulation machines, but they had been certified with the antivirus software installed.  Brunner's lawsuit is a countersuit in response to one filed by premier in May requesting a court determination that the company had met its obligations as set out in contracts and warranties.


Top Ten Courses named at SANS Network Security 2008

In addition to a big security tools expo and a lot of free sessions at SANS Network Security 2008 in Las Vegas (end of September), here are the ten most popular courses (out of 45 being offered there):

1. SEC560 Network Penetration Testing and Ethical Hacking
2. SEC401 SANS Security Essentials Bootcamp Style
3. SEC 504 Hacker Techniques, Exploits & Incident Handling
4. SEC508 Computer Forensics, Investigation, and Response
5. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
6. MAN512 SANS Security Leadership Essentials For Managers with Knowledge Compression
7. SEC505 Securing Windows
8. SEC502 Perimeter Protection In-Depth
9. AUD507 Auditing Networks, Perimeters & Systems
10 MAN525 Project Management and Effective Communications for Security Professionals and Managers

Early registration deadline is next Wednesday, August 20.
Details: See:



Irish Social Welfare Data on Missing Laptop (August 11, 2008)

Irish Data Protection Commissioner Billy Hawkes has called the loss of a laptop holding personally identifiable information of social welfare recipients a "serious incident."  According to the results of an audit by the Comptroller and Auditor General (CAG) at the Department of Social and Family Affairs a laptop missing since July holds information of approximately 390,000 recipients.  The data sent to the CAG from the Dept of Social and Family Affairs was originally sent in encrypted format.  It was subsequently stored unencrypted by the CAG on the stolen laptop.  The department is making an effort to contact all people whose information is on the missing computer. Some of the records include bank account information.

UPDATE: Staff off the hook for laptop security blunders

[Editor's Note (Honan): The fact that this breach occurred 17 months ago highlights the need for Ireland, and the EU, to introduce mandatory Data Breach Disclosure legislation.  The CAG not only did not contact those impacted by the breach but only notified the Department of Social and Family Affairs within the last week.]

Australian ISPs Urged to Join Fight Against Piracy (August 8, 2008)

The Australian Federation Against Copyright Theft (AFACT) wants Australian ISPs to follow the lead of their British counterparts, that have agreed to send warning letters to Internet users suspected of illegal filesharing.  The proposed letters would contain information about where and how to obtain copyrighted content legally on the Internet.  Following a three-strikes model, repeat offenders could find their Internet speeds reduced or surfing curtailed, and eventually disconnected.  The plan would be to give the ISPs the IP addresses of suspected offenders and have them send the letters.  However, Internet Industry Association executive director Peter Coroneos says AFACT is asking ISPs to act as law enforcement, comparing the request to holding the postal service responsible for what people send through the mail.  The ISPs propose to provide copyright holders with access to suspected downloader information so they can take legal action. Coroneos also observes that IP addresses are not irrefutable proof of who downloaded digital content.  AFACT says that a study in the US showed that 90 percent of college students who received warning letters stopped illegal downloading activity.

Dutch Police Notify Users Infected with Bot Malware (August 8, 2008)

Dutch police have notified people whose computers were infected with malware that made them part of a botnet comprising more than 100,000 PCs.  People were redirected to a web page containing directions on disabling the malware and a link to an online virus scanner. The police were able to automatically forward the infected users to the help page because they have taken control of the botnet. A 19-year old man was arrested last week when he tried to sell the botnet to someone in Brazil for GBP 25,000 (US $47,839).

[Editor's Note (Ullrich): An interesting tactic that should probably be investigated more. In the past, investigators of botnets (law enforcement or not) have been careful not to use the botnet functions themselves. Most of the time, the exact effects of these actions are not well understood. Other methods have however not been very successful in notifying users. ]

Wells Fargo Codes Used to Access Consumer Data at Reseller (August 11, 2008)

Wells Fargo is in the process of notifying approximately 7,000 consumers that their personally identifiable information may have been compromised when someone used Wells Fargo codes to access consumer credit data.  The suspicious activity occurred over a five-year period at MicroBilt Corp., a consumer data reseller.  The compromised data include Social Security numbers (SSNs), birth dates, driver's license numbers and some credit card account information.

BBC Apologizes for Losing Children's Data (August 8 & 11, 2008)

The BBC has sent letters of apology to the parents of approximately 250 children whose personal information were on a flash drive that was stolen.  The data were on the device because the children had signed up for a cooking program.  The data include names, addresses, phone numbers, and dates that the children and their families would be away on vacation.  The drive was in the possession of an employee of an independent production company that was making the show.

Texas Hospital Patient Data on Missing USB Drive (August 7, 2008)

A hospital administrator in Texas apparently downloaded sensitive patient information to a flash drive that was later reported lost or stolen.  The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to take measures to protect patient data from exposure.  The associate administrator for Harris County Hospital District allegedly placed records of 1,200 patients with HIV, AIDS and other medical conditions on the storage device. The data, which include names, Social Security numbers (SSNs), medical conditions and treatments, were not encrypted or password-protected.

Many Businesses in Dublin Shopping District Using Unsecure Wireless Networks (August 10, 2008)

A study from the Sunday Business Post indicates that up to one-third of stores and restaurants on Henry Street and Grafton Street in Dublin, Ireland's two busiest shopping streets, are using unsecure wireless systems, potentially exposing customer credit card information to cyber thieves.

Cybersecurity Advice for Next President (August 7, 2008)

Bruce Schneier offers "three pieces of policy advice for the next president" to improve cybersecurity, and for that matter, "national security in general."  First, the government should use its leverage as a major customer of commercial products and services to improve the quality of products overall by making security requirements part of the RFPs.  Second, the government should legislate the results it wants to see, but not the processes for achieving those results. Finally, the government should "broadly invest in research," beyond the scope of short-term high-profit projects and military applications by allowing funding agencies like NSF and NIH to decide how to allocate the money.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/