Take your cyber security skills to the next level with SANS training in Miami! Save $300 thru 11/20.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #79

October 07, 2008

The Coolest Jobs in Cyber Security.

As promised on Friday, the coolest jobs survey, with the "top gun" jobs
and job paths highlighted, is now available at
More information is in the last story of this issue


Proposed Legislation Would Restrict US Border Searches of Electronic Devices
Estonia's Cyber Security Policy
Skype Acknowledges Message Filtering and Retention in China
80,000+ Websites Serving Drive-by Malware Attacks


US Financial Crisis Ripe Pickings for Scammers
T-Mobile Acknowledges 2006 Loss of Customer Data
Stolen Laptop Holds Irish Health Service Executive Employee Data
Virgin Media Ordered to Encrypt Portable Media Devices to Protect Customer Data
Two Indicted in Botnet Attack Case
Reported Data Breaches in US on the Rise
Most Hotel Internet Connections for Guests are Not Adequately Secured
Mifare Classic RFID Vulnerability Research Published
Cool Jobs in Information Security

*********** Sponsored By Sourcefire, Inc. ***********

Best of Open Source Security (BOSS) Conference
February 8-10, 2009 Flamingo-Las Vegas
Be sure to register the first IT security conference dedicated to promoting open source security (OSS) technologies and the commercial products that embrace them. This long overdue conference will bring together passionate OSS advocates and vendors under the same roof to share ideas and experiences.
For more information, visit http://www.sans.org/info/33933">http://www.sans.org/info/33933



- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org



Proposed Legislation Would Restrict US Border Searches of Electronic Devices (September 30 & October 2, 2008)

US legislators have introduced a bill that would rein in the broad power that the Department of Homeland Security (DHS) has granted border control agents in seizing and searching travelers' laptops and other electronic devices. The Travelers' Privacy Protection Act would require that DHS establish reasonable suspicion of wrongdoing before searching US residents' devices; it would also require that DHS have probable cause and a court order or a warrant to hold a device for more than 24 hours. There would be restrictions placed on the sharing of information gathered through the searches and DHS would be required to report to Congress on its border searches.
[Editor's Note (Schultz): Allowing DHS border patrol agents virtually unlimited power in seizing, searching, and keeping laptops translates to unreasonable search and seizure as well as infringement of privacy. If it signed into law, the proposed legislation will go far in reining in some of these excesses. ]

Estonia's Cyber Security Policy (October 3, 2008)

A year-and-a-half after suffering coordinated denial-of-service attacks against its government and commercial computer systems, Estonia has released a national cyber security strategy that includes details about the attacks and offers recommendations for preventing attacks in the future and for a global stance toward cyber security. The report identifies four "policy fronts": "application of a graduated system of security measures in Estonia; development of Estonia's expertise in and high awareness of information security to the highest standard of excellence; development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems; (and) promoting international cooperation aimed at strengthening global cyber security."

Skype Acknowledges Message Filtering and Retention in China (October 3 & 6, 2008)

Skype has acknowledged that instant messages sent over its service in China were tapped, but points the finger at its local partner, TOM Online. Skype has a filter in place in China to block sensitive keywords, but only last week found out that the filter had been modified to log the conversations in which the keywords appear. The issue was discovered by Canadian researchers, who found the unsecured servers on which the messages were being stored. Skype has consulted with TOM on the matter and the security hole that allowed the researchers to read the stored messages has been closed.

Supporting sites:

[Editor's Note (Pescatore): This is just one of the many risks for businesses when employees start to use consumer-grade services for business purpose. This will increasingly be the case, however, and security strategies that just rely on policy to say "don't do that" aren't going to work any better than did saying don't use the Internet, don't use WiFi, etc. ]

80,000+ Websites Serving Drive-by Malware Attacks (October 3, 2008)

More than 80,000 websites have been "modified with malicious content" that serves exploit code to unpatched PCs of site visitors. A server containing administrative login credentials for more than 200,000 websites has been found, although not all the sites are known to be infected with the malware. The infected sites include universities, Fortune 500 companies, government systems, and the US Postal Service.

[Editor's Note (Veltsos): Use a browser or add-ons that disable all javascript and Flash content. I run Firefox with the Noscript add-on enabled by default. NoScript lets you designate web sites as being safe (and thus can run javascript) or you can temporarily (for duration of the session) allow javascript to run on a particular web site. ]

************************* SPONSORED LINK ******************************

1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/33938




US Financial Crisis Ripe Pickings for Scammers (October 2, 2008)

The mergers and acquisitions of banks resulting from the US financial crisis have provided new opportunities for online scam artists. Attacks have been seen in which the customers of a bank are asked to provide account information and other personal details to the bank's new owner for verification purposes. Banks would not ask for such information online; it would be done through paper mail.


T-Mobile Acknowledges 2006 Loss of Customer Data (October 4 & 6, 2008)

T-Mobile has acknowledged that a disk containing personally identifiable information of 17 million German customers was lost more than two years ago. T-Mobile is a subsidiary of Deutsche Telekom AG, which publicly acknowledged the data loss only after an article published in Der Spiegel indicated that the data were being offered for sale online. The data include names, addresses, email addresses and mobile phone numbers, but no bank account information. Those affected by the breach run the gamut from everyday citizens to politicians and celebrities. T-Mobile reported the loss to the state prosecutors as soon as it learned of the situation and started monitoring sites where such information might be offered for sale.


Stolen Laptop Holds Irish Health Service Executive Employee Data (October 3, 2008)

A laptop stolen in Dublin, Ireland on September 17 contains personally identifiable information of several thousand Health Service Executive (HSE) staff. The compromised data include names, salaries and staff numbers; the data were not encrypted. Just weeks ago, several HSE data storage devices, including a laptop, a Blackberry and a data disk, were stolen from a medical officer's home. After that theft, HSE committed to encrypt all digital media storage devices that contain personal and medical data within one month.

Virgin Media Ordered to Encrypt Portable Media Devices to Protect Customer Data (September 30, 2008)

The UK Information Commissioner's office has ordered Virgin Media to encrypt all portable media that hold data. An unencrypted CD lost in May 2008 contained personally identifiable data of approximately 3,000 people. The CD had been provided to Virgin Media by Carphone Warehouse; the people whose data were on the CD had expressed interest in signing up for Virgin Media services. The compromised data include names, addresses, and some bank account information. The data loss constitutes a violation of the UK's Data Protection Act.

[Editor's Note (Pelgrin): The whole issue of hand-me-down equipment is of real concern. One hears too frequently that old computers and other hardware are given to charity groups, schools or left out with the trash. There is need to raise the awareness of all the personal, private and sensitive data that may be stored on most hardware devices. Therefore, caution must be applied when giving away or disposing of computers and electronic storage media. This is crucial if we are to help prevent the inadvertent disclosure of information that often occurs because of inadequate cleansing and disposal of computers and electronic storage media. ]


Two Indicted in Botnet Attack Case (October 3 & 6, 2008)

A US federal grand jury has indicted two European men suspected of being involved in distributed denial-of-service (DDoS) attacks against the websites of two US satellite television equipment retailers in 2003. Lee Graham Walker of England and Axel Gembe of Germany could each face up to 15 years in prison if they are convicted of the charges of conspiracy and intentionally damaging a computer system. Both are presently still at large. Two other men, Saad (also called Jay) Echouafni and Paul Ashley, were charged in 2004 with conspiracy for the same attack. Ashley served two years for his role in the attacks; Echouafni fled the country that same year and remains a fugitive. The new indictment alleges Echouafni told Ashley to block access to rival sites Rapid Satellite and Weaknees.




Reported Data Breaches in US on the Rise (October 6, 2008)

According to statistics compiled by the Identity Theft Resource Center, there have been 516 reported consumer data breaches in the first nine months of 2008, exposing 30 million records; in 2007, the total number of reported breaches was 446. Extrapolated from the numbers so far this year, the total number of reported breaches in 2008 could top 680. Eighty percent of the breaches involved digital media; the remaining 20 percent involved data recorded on paper. Of the incidents this year, 36 percent occurred at businesses, 21 percent occurred at educational institutions, and 16 percent on military or federal government systems. Twenty percent of the reported braches were due to lost or stolen digital media storage devices, 17 percent were due to insider theft and 13 percent were exposed through hacking.

Most Hotel Internet Connections for Guests are Not Adequately Secured (October 3, 2008)

A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their customers. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies, making them unsecured networks. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs, but still make users susceptible to man-in-the-middle attacks. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats.
[Editor's Note (Veltsos): This report points out that the Hotel industry has been asleep at the wheel when it comes to providing a minimum level of security for its guests: 18% of the hotels visited had not separated the hotel's business network from that used by guests; most hotels' wireless and network infrastructures exposed guests to unnecessary risks due to unencrypted wireless traffic and poorly managed network devices. The study concludes with a number of basic recommendations for hotel network security (e.g. use VLANs) and for hotel guests (e.g. use a firewall and a VPN).
(Northcutt): The report is free, but you have to register. I am a bit confused though, we are trying to buy hubs for one of our classes this week and they are hard to find. How do hotel networks find enough hubs? The report does say "antiquated hub technology", but what do they do when one breaks? I wrote a related paper on ISPs, such as the ones hotels use tracking user behavior presumably for marketing purposes:


Mifare Classic RFID Vulnerability Research Published (October 6, 2008)

A research paper detailing a security vulnerability in the Mifare Classic RFID chip has been published. The research, which was conducted by Professor Bart Jacobs and his colleagues at Radboud University in Holland, was set to be published earlier this year, but NXP, the company that manufactures the Mifare Classic chip, sought an injunction to delay the paper's dissemination to allow customers time to make changes to their security systems. The chip is used in prepaid transportation system cards in London, Boston and Holland and is also used to restrict access to some buildings.

Cool Jobs in Information Security (October 7, 2008)

As promised on Friday, the "Best Security Jobs" survey is now ready. It attempts to focus on the jobs that are interesting and make a substantial difference in protecting organizations' information, networks, applications and systems. If you have a job you consider to be good, or you know about good security jobs, please take a moment to complete the survey at:

We have also marked the jobs where the "top guns" in security are often found or are seasoned. These are the best and brightest technical security experts - the people who can take apart an exploit and see how it works, find flaws in communications protocols, see an attack as it is forming on the wire, identify the faintest evidence of malicious code and root out the infection, find evidence of criminal activity even when it is carefully hidden, plan and execute an attack that bypasses conventional and even sophisticated defenses, design a network that can block known attack vectors, and more. Without these "top guns" no nation or industry can hope to have effective protection. Their jobs are highlighted in the survey to identify the areas of most critical need for any nation or industry that takes security seriously.

Once the survey is completed, we'll produce a booklet on "Cool Jobs in Cyber Security" to help guide people who interested in entering the field.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/