SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #74
September 19, 2008
In this morning's Washington Post, Ellen Nakashima reports on yesterday's Congressional hearing illuminating the US government's unwillingness to share data about actual, damaging cyber attacks. http://www.washingtonpost.com/wp-dyn/content/article/2008/09/18/AR2008091803730.
At precisely the same moment that Congressional hearing was starting, former US Under Secretary of Defense, John Hamry, now president of the Center for Strategic and International Studies, introduced a briefing on the US National Cyber Initiative, with the question, "How can you expect to fix it [the cyber problem] if you don't talk about it?" That's a very good question.
PS The experts running the Cyber Forensics Summit put together a list of "top seven trends in forensics." Interesting: SANS Top 7 New IR/Forensic Trends In 2008
Data on their Summit (October 10) covering the most advanced techniques used to analyze the Chinese and commercial attacks:
TOP OF THE NEWSHouse Subcommittee Hears Testimony on DHS Cybersecurity Shortcomings
Proposed Legislation Would Demystify Electronic Data Border Searches
Microsoft Announces Plans to Share SDL Process
THE REST OF THE WEEK'S NEWSGOVERNMENT SYSTEMS AND HOMELAND SECURITY
Norwegian Tax Office Sends Taxpayer Data to Media in Error
ATF Lost 76 Weapons, 418 Laptops in Five Years
POLICY AND LEGISLATION VULNERABILITIES
Attack Code Released for Windows Media Encoder Flaw
DATA LOSS AND THEFT
Forever 21 Acknowledges Payment Card Breach
Missing Disks Hold Unencrypted NHS Employee Data
Memory Stick Found in Street Contains NHS Mental Health Patient Data
Palin's Yahoo! Account Compromised
Investigation Continues Into Source of UAE ATM Breaches
SEC Announces Enforcement Action Against LPL Financial
******************** Sponsored By SANS Forensics Summit *****************
How are the latest forensic techniques used to help combat threats in organizations today? Which products are the best in the incident response and computer forensic community? Attend the Forensics & Incident Response Summit October 13-14 and learn the answers to these and other key Forensics & Incident Response questions.
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ns2008/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org
TOP OF THE NEWS
House Subcommittee Hears Testimony on DHS Cybersecurity Shortcomings (September 17, 2008)The US House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology heard testimony critical of the Bush administration's cyber preparedness efforts. Members of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th President said that the Department of Homeland Security (DHS) has not established relationships of trust or even partnerships with private sector organizations and other countries. The commission has proposed a solution that includes establishing a high level administration cyber security position that would include necessary security clearances and access to the president - in essence, shifting the responsibility for cyber security from DHS to the White House. The Government Accountability Office (GAO) released a report at the hearing with similar findings. The GAO's report specifically mentioned the shortcomings of the US Computer Emergency Readiness Team (US-CERT), saying it "lacks a comprehensive baseline understanding of the nation's critical infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance." The DHS discounted the findings presented at the hearing, calling the criticism politics as usual. (The USA Today story is just over halfway down the page)
Proposed Legislation Would Demystify Electronic Data Border Searches (September 17, 2008)US Representative Loretta Sanchez (D-Calif.) has introduced the Border Security Search Accountability Act of 2008, which would establish "a well-defined procedure ... (to) protect (travelers') electronic data." The bill would require that the DHS disclose the procedures it has established for searching electronic media devices at borders and publish a quarterly report of all devices seized by border agents. It would also limit the amount of time the DHS agents can hold the devices and impose stronger protections for proprietary data on the devices. People whose devices are seized would receive a receipt as well as written confirmation of how their data were examined and whether they were copied. There would also be clearly posted lists of rights nearby so travelers would know what to expect.
[Editor's Note (Schultz): The Fourth Amendment to the US Constitution protects against unreasonable search and seizure. In sharp contrast, travelers who cross a US border with electronic media devices too often do not receive the protection that this amendment offers. If signed into law, the proposed legislation would go a long way in restoring at least some of the individual rights that those who cross US borders have lost over the great part of the last decade.
(Honan): In what many of us outside of the United States see as an ironic twist the US Department of Homeland Security has issued advice to US corporate and Government travellers on how to secure data on mobile devices when travelling abroad.
Microsoft Announces Plans to Share SDL Process (September 16 & 18, 2008)Microsoft will offer three of its Security Development Lifecycle (SDL) process components to other software companies starting in November. The program is designed to share what Microsoft has learned from implementing the SDL Threat Modeling Tool, the SDL Optimization Model, and the SDL Pro Network with the goal of promoting secure software development across the industry. The first two components will be available to everyone in November; the SDL Pro Network will be available to a limited number of organizations for the first year.
[Editor's Note (Honan): Microsoft for a long time rightly got a bad reputation for insecure products. However as an industry we should recognize the sea change in Microsoft's approach to security, of which this is just one example, and encourage other vendors to follow Microsoft's lead.]
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Norwegian Tax Office Sends Taxpayer Data to Media in Error (September 17 & 18, 2008)The Norwegian national tax office has acknowledged that it inadvertently sent CD-ROMs containing the 2006 tax returns of Norway residents to editorial staff at various national media groups. Tax statements are open to public scrutiny in Norway, but the records on the disks include personal numbers, which are considered confidential. The tax authority has asked that the disks be returned and says the data they contain can only be accessed with the use of a secret code. In a separate story, Norway and the US are about to sign an agreement that would allow them to share personal data about their citizens. The Norwegian government wants to be sure the data will be held securely.
ATF Lost 76 Weapons, 418 Laptops in Five Years (September 17 & 18, 2008)A report from the US Justice Department says that between 2002 and 2007, the Department of Alcohol, Tobacco and Firearms (ATF) lost 76 weapons and 418 laptop computers. Thirty-five of the weapons and 50 of the laptops were stolen; the remaining items were lost. Two of the weapons were later used to commit crimes. ATF could not say what data were on 398 of the missing laptops. Of the others, seven held sensitive information, including names, dates of birth, Social security numbers (SSNs) and financial account records of people who were under criminal investigation.
Attack Code Released for Windows Media Encoder Flaw (September 16, 2008)Attack code for a recently patched Microsoft Windows Media Encoder vulnerability has been found in the wild. The attack is being distributed from at least two vectors: through the Minw0rm exploit list and through a toolkit called e2 "that is widely deployed."
DATA LOSS AND THEFT
Forever 21 Acknowledges Payment Card Breach (September 16 & 17, 2008)Forever 21, a US retail clothing store, has acknowledged that as many as 99,000 payment cards used by its customers over a four year period may have been compromised by the same group that stole payment card data from TJX. In a statement on its website released on Friday, September 12, Forever 21 said it was informed of the data theft a month ago. The breaches occurred on nine specific dates; the compromised information includes card numbers, expiration dates "and other card data," but not names or addresses. Forever 21 says its systems have been in compliance with Payment Card Industry Data Security Standards since 2007. The company says it adopted additional security measures after learning of the breaches, but did not provide details.
Missing Disks Hold Unencrypted NHS Employee Data (September 15 & 17, 2008)The Whittington Hospital NHS Trust in London has acknowledged that four CDs containing staff data have been lost. The disks were placed in a mail room out tray for recorded delivery instead of being sent by courier in accordance with trust policy. A staff member has been suspended in connection with the incident. The data on the disks include names, dates of birth, national insurance numbers and employment information of nearly 18,000 staff members. The disks did not contain bank account information. The disks were password protected, but not encrypted.
Memory Stick Found in Street Contains NHS Mental Health Patient Data (September 16, 2008)A memory stick found on a street in Teesdale, England contains personally identifiable information of about 200 NHS mental health patients. An investigation determined that a technician who had been upgrading PCs did not delete the data from the device; the investigation also revealed that other trust staffers placed sensitive data on their hard drives in violation of an established security policy. The trust has contacted people affected by the breach, which occurred at the Tees, Esk and Wear Valleys Trust.
Palin's Yahoo! Account Compromised (September 18, 2008)Attackers broke into US Republican vice-presidential candidate Governor Sarah Palin's Yahoo! account and stole email messages and photographs, which they posted to the internet. The attack is believed to have been prompted over questions of whether Governor Palin used a personal email account to conduct state business. The compromised account has been deactivated. Gabriel Ramuglia, who operates Ctunnel.com, the proxy service that the attackers used, said that because they posted a screenshot that displayed most of the Ctunnel.com URL, their true IP address should be detectible, although it is possible that the attackers used other proxy servers in addition to Ctunnel.com. Ramuglia is working with the FBI to help trace the attackers.
The following links have details of how the account was compromised... by resetting the password. Now we know just how secure those cognitive passwords really are when anyone can use the Internet to find your birthday, zip code, and where you met your spouse.
Investigation Continues Into Source of UAE ATM Breaches (September 13 & 16, 2008)An investigation into a recent rash of fraudulent withdrawals from bank accounts in the United Arab Emirates (UAE) indicates that the breach occurred on a network that the banks use to share ATM data. Previously, the source of the breach was posited to be skimmers or hackers. In an email, the UAE central bank backed off from responsibility for the fraudulent activity, saying that it "is related to banks' security systems, not the central bank." Among the banks affected by the breach are Citibank, HSBC, Lloyds TSB, National Bank of Abu Dhabi and Emirates NBD.
SEC Announces Enforcement Action Against LPL Financial (September 15, 2008)LPL Financial will pay a fine of US $275,000 for failing to take action to correct security inadequacies in its online trading platform. LPL had conducted an internal audit in 2006 that identified serious security issues, but did not take steps to mitigate the problems. As a result, the personal information of at least 10,000 LPL customers was vulnerable to theft in a series of intrusions between July 2007 and February 2008. According to the Securities and Exchange Commission (SEC), the attackers attempted to place more than US $700,000 worth of unauthorized trades through 68 compromised accounts. The fine was imposed by the SEC; LPL "agreed to pay the fine without admitting or denying the findings." The terms of the SEC's enforcement action also require LPL to develop and implement policies and procedures for training employees in data security and to hire an outside consultant to oversee the company's compliance with the order.
[Editor's Note (Honan): Regulatory penalties will probably do more to drive industry to address security issues than any compliance standard. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/