SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #69
September 02, 2008
Tomorrow (September 3) is the last day to avoid a late payment charge for SANS Network Security (the largest fall security conference) in Las Vegas. http://www.sans.org/ns2008
TOP OF THE NEWS
Calif. Lawmakers Approve Strict Data Protection Law
Army Issues Request for Information About Industry Data Protection
Volume of Internet Traffic Through US is Diminishing
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Dubai Court Gives Man Three Months in Jail for Breaching UN Employee's eMail Account
Computer Sold on eBay Holds Personal Data; One Person Arrested
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Man Arrested for Streaming Unreleased Guns N' Roses Songs
SPAM, PHISHING & ONLINE SCAMS
Spam Pretends to be About Undeliverable FedEx Package
COMPROMISES & BREACHES
Suspected Breach at Unnamed National Retailer Under Investigation
Info Stolen from US ATMs Used to Make Phony Cards Being Used in UK
STUDIES AND STATISTICS
Offshore Outsourcing Affects IT Workers More Than Others
Russian Opposition Website Owner Killed
Companies Take Steps to Prepare for Gulf Coast Disaster
Device Steals Data from Cell Phones and PDAs
************** Sponsored By SANS Control Systems Summit ****************
How is my Control System vulnerable? How are attackers penetrating my defenses? How can I mitigate this threat? These are some of the topics of the Process and Control and SCADA Summit. Learn what commercial and governmental solutions are available and how others have used them.
September 8-9 - Amsterdam, NL.
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
Calif. Lawmakers Approve Strict Data Protection Law (August 31, 2008)
State legislators in California have almost unanimously approved a bill that would require retailers to employ stringent data protection methods if they retain customers' personal information. The bill refers specifically to credit and debit card numbers, verification codes and personal identification numbers (PINs). Firms choosing to retain the financial data would be required to follow security guidelines set by the credit card industry. These include limiting access to the data to only those who need it to do their jobs. Firewalls would need to be bolstered and all data would need to be encrypted when it is sent over public networks. A similar bill was vetoed by the governor last year. The new version has removed a provision that would have held the companies liable for the cost of replacement credit and debit cards in the event of a breach. The new version requires that the companies bear the cost of notifying customers affected by breaches.
[Editor's Note (Veltsos): In May 2007, Minnesota became the first US state to pass a bill requiring compliance with the core requirements of the Payment Card Industry's Digital Security Standards for companies with over 20,000 transactions per year. The liability portion of the bill, which became effective on August 1, 2008, holds companies that were not in compliance responsible for costs incurred to issue new cards. ]
Army Issues Request for Information About Industry Data Protection (August 28 & September 1, 2008)
The Program Executive Office for Enterprise Information Systems and the Assistant Secretary of the Army for Acquisition, Logistics and Technology have issued a request for information about the techniques and procedures private industry uses to protect sensitive data. Army officials want the information so they can include specific language about data security in future acquisition orders.
Volume of Internet Traffic Through US is Diminishing (August 30, 2008)
As other countries invest more and more in next generation Internet technology, the flow of Internet traffic through the US has begun to lessen. Traffic routed largely through the US appeared to be a boon to US intelligence; some countries, wary of the erosion of privacy in the US as evidenced by the passage of the Patriot Act, began to look for ways to avoid storing customer data on US systems and to prevent Internet traffic from passing through US-based switching equipment. In addition, countries have started to develop their own data networks for economic reasons.
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Dubai Court Gives Man Three Months in Jail for Breaching UN Employee's eMail Account (September 1, 2008)
A Dubai court has sentenced a man who worked as a secretary for a United Nations employee to three months in jail for accessing a UN employee's email account, stealing her credit card information and sending her threatening messages from another of her email accounts he broke into. The man, who is Egyptian, will be deported once he completes his sentence.
Computer Sold on eBay Holds Personal Data; One Person Arrested (August 27 & September 1, 2008)
The hard drive of a computer recently sold on eBay for GBP 6.99 (US $12.59) was found to contain personally identifiable information of thousands of Charnwood (UK) Borough Council taxpayers dating back to 2002. The individual who purchased the computer says the information has not been shared with anyone else and is cooperating with police. A criminal investigation into the incident has been launched and one person has been arrested.
[Editor's Note (Pescatore): A good reminder to make sure you have a process and policy for what should be done to PCs and PDAs (and even printers these days, as lots of them have hard drives in them) before transferring or surplusing them. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Man Arrested for Streaming Unreleased Guns N' Roses Songs (August 28 & 29, 2008)
US Federal agents have arrested a California man for allegedly making nine songs from Guns N' Roses' unreleased album available for streaming on his website. Kevin Cogill appeared in court last Wednesday, where he was not required to enter a plea and his bail was set at US $10,000. An arrest affidavit indicates that Cogill admitted that he placed the songs on his website. He removed the songs when lawyers for the band complained. If he is convicted, Cogill faces up to three years in prison and a fine of up to US $250,000. He is being charged under the Family Entertainment and Copyright Act of 2005, "a federal anti-piracy law that makes it a felony to distribute a copyrighted work on computer networks before its release."
SPAM, PHISHING & ONLINE SCAMS
Spam Pretends to be About Undeliverable FedEx Package (September 1, 2008)
Spammers have been sending out phony messages that claim to be from FedEx regarding an undeliverable parcel. The recipients are instructed to print an attachment that the message claims is a bill, but which is actually a .zip file that infects the user's computer with malware capable of stealing sensitive financial account information, deactivating firewalls, and taking screen shots. Spammers have also sent out messages pretending to be from DHL and UPS.
[Editor's Note (Schmidt): This continues to erode the trust in doing business online and taking advantage of the technology that we have come to rely on. As long as we do not implement reliable mail authentication we will continue to be plagued by this kind of malware. We have the technology so why do we not deploy it? ]
COMPROMISES & BREACHES
Suspected Breach at Unnamed National Retailer Under Investigation (August 28, 2008)
About 1,000 customers of the Washington Trust Co. in Rhode Island have been notified that their credit and debit card information may have been exposed following "a suspected security breach at an unidentified MasterCard merchant." There have been no reported instances of the information being used to commit fraud, but the bank's policy dictates that the affected credit cards be deactivated and new cards issued. Washington Trust received a notice from MasterCard about the suspected breach along with the names of 963 account holders who were potentially affected. Other financial institutions have likely received similar notices from MasterCard.
Info Stolen from US ATMs Used to Make Phony Cards Being Used in UK (August 28 & 29, 2008)
Conversations on "underground Internet forums" suggest that a group of cyber criminals is using information stolen from US ATMs to clone payment cards and is also recruiting mules to go into stores in the UK to purchase big ticket items that can be resold. Because the criminals are not making withdrawals from ATMs, it is likely that they did not capture the associated passwords. UK cards would not work because most have chip-and-pin technology, but foreign cards that do not employ the chip-and-pin technology force retailers to rely on information encoded on the card's magnetic stripe.
STUDIES AND STATISTICS
Offshore Outsourcing Affects IT Workers More Than Others (August 28, 2008)
A study conducted by researchers from the New York University Stern School of Business and The Wharton School of the University of Pennsylvania found that offshore outsourcing affects IT workers more than workers in other professions. An estimated eight percent of IT workers have either lost their jobs or been forced to transfer due to outsourcing. The practice most often affects programmers and software developers who have little or no interaction with customers. The survey gathered information from 6,700 workers and 3,000 hiring managers and human resource professionals across many different professions. The average rate of offshore outsourcing across all professions surveyed is about 15 percent, but among the technology and telecommunications companies, the figure is 40 percent.
Russian Opposition Website Owner Killed (August 31, September 1 & 2, 2008)
Magomed Yevloyev, who owned an Internet news site that ran stories critical of Kremlin policies, was found by the side of the road in southern Russia with a gunshot wound to his head; he died later at a hospital. Yevloyev had been detained by police and was in their custody when he was killed. A court had ordered him to shut down his website, saying he was promoting extremism; the site was taken off line but later reappeared with a different name.
Companies Take Steps to Prepare for Gulf Coast Disaster (August 29 & 30, 2008)
Four New Orleans, Louisiana-area organizations describe their disaster recovery plans, which have been bolstered with knowledge gained from their experience with the 2005 hurricanes that devastated the area. Digimation Inc., a 3-D digital animation software company, employs multiple backups, including a 1TB USB-connected drive that the last person evacuating the premises takes along. The company's website is also hosted far from New Orleans, as is its email server. Loyola University has also migrated its course management system online so students' education need not be interrupted. St. Tammany Parish Hospital has installed a satellite communications system to ensure better connectivity in the event of a disaster, and has moved critical backups out of state. Its data center is in a bunker designed and located to withstand severe weather. Tidewater, Inc., which "provides support, assistance, boats and crews to oil and gas exploration and productions companies," has established a redundant IT system in Dallas. Phone companies are also taking steps to ensure that customers will have greater connectivity than they did in 2005 in the event of another disaster.
[Editor's Note (Schultz): In information security, business continuity and disaster recovery there is no greater impetus for improvement than unexpected, gigantic incidents. Katrina resulted in substantial improvement of disaster recovery functions in New Orleans and the surrounding area, as evidenced by the success stories in this news item. ]
Device Steals Data from Cell Phones and PDAs (August 29, 2006)
Law enforcement officers were introduced to a device that steals data from cell phones. Called the Cell Seizure Investigator Stick, the device can be purchased for approximately $200 plus $100 for required software.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/