SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #8
January 29, 2008
The first story today appears to be about US government computing, but it is immediately vital to every organization that finds it difficult to install security patches quickly. The story describes a formal deadline for federal agencies and all application vendors to ensure their systems and applications are fully compatible with the federal desktop core configuration (FDCC). Agencies that led the way with FDCC are already saving many tens of millions of dollars while radically improving security and reducing patching time by more than 90%. You can take advantage of this development by requiring any company selling you software, or building software for you, to "certify their software works with the FDCC," just as the federal government is doing. There has never been a better chance to begin to fix the patching problem. You can find more about the FDCC at http://fdcc.nist.gov/ including the June 30, 2007 White House memo requiring all software vendors to deliver FDCC-compatible software if they run on Windows systems. The software vendors have done it for the US government; it is no added effort to do it for you, as well.
PS If you bought anyone a digital picture frame for Christmas, the Best Buy story may be illuminating.
TOP OF THE NEWS
Feb. 1 is Deadline for Federal Desktop Configuration Compliance
Bush Grants Intelligence Agencies Authority to Monitor Government Computer Systems
French Securities Trader Used Co-Workers' Access Codes
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Greek Police Arrest Man for Allegedly Selling Stolen Data
ChoicePoint Will Pay US $10 Million to Settle Lawsuit
Singapore Police Arrest Seven for Computer Law Violations
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Prosecutor Will File Charges Against Pirate Bay Operators
IFPI Says Losses in CD Sales Outweigh Gains from Online Music Sales
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Mass. HMO Laptop Theft Prompts Investigations
Stolen Computer Holds Marks & Spencer Employee Data
Best Buy Recalls Infected Digital Picture Frames
DC City Workers Fired for Surfing Porn Sites
Computer Security Events that Changed History (or Didn't)
LIST OF UPCOMING FREE SANS WEBCASTS
********************* Sponsored By Palo Alto Networks *******************
What would you do if Internet applications you couldn't see were penetrating your firewall right now? How would you even know? What would you do if you did know? What exactly are these applications? And what is their security risk to your network? Now you can get answers to all these questions. Watch and learn!
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- Las Vegas (3/17 - 3/18) Penetration Testing Summit (an ultra cool program): http://www.sans.org/pentesting08_summit
- San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- Phoenix (2/11 - 2/18): http://www.sans.org/phoenix08/event.php
- Prague (2/18 - 2/23): http://www.sans.org/prague08
- SANS 2008 (4/18 - 4/25) in Orlando, SANS' biggest program with myriad bonus sessions: http://www.sans.org/sans2008
- and in 100 other cities and online anytime: www.sans.org
TOP OF THE NEWS
Feb. 1 is Deadline for Federal Desktop Configuration Compliance (January 24 & 25, 2008)
On Friday, February 1, US government agencies must submit to the US Office of Management and Budget (OMB) lists of all desktops running Windows XP and Vista and the number of those that are Federal Desktop Core Configuration (FDCC) compliant; if some machines are not compliant, OMB "want to know how far off are." On that same day, the National Institute of Standards and Technology (NIST) will release a list of validated scanners that check to see if PCs are in compliance with FDCC. All of the validated scanners on the list use the Security Content Automation Protocol (SCAP) as required by the Office of Management and Budget (OMB). The list from NIST neither mandates nor endorses the products; it merely validates that SCAP has been correctly implemented. There are several items that must be checked manually - 15 in Vista and two in XP. The FDCC eliminates desktop users' administrative rights, disables vulnerable services, and uses the most secure versions of Windows components such as Internet Explorer.
[Editor's Note (Paller): The US Air Force was the first to test the FDCC and learned three things: (1) a very small number of applications are negatively impacted - usually only those that demand every user has administrative rights, (2) that security patches were able to be installed in 72 hours or less vs. more than seven weeks before FDCC, and (3) the user experience is significantly improved because there are far fewer mysterious problems that are difficult for the help desk to diagnose. They also learned that costs are radically reduced - in patch testing and help desk services. So the FDCC reduces costs while improving security. (Ullrich): A decent standard and automated validation are a good combination for improved security. ]
Bush Grants Intelligence Agencies Authority to Monitor Government Computer Systems (January 26, 2008)
A classified presidential directive signed earlier this month reportedly gives US intelligence agencies the power to monitor computer networks at all federal agencies. The move is believed to be a response to increasing attacks against government networks. A task force "will coordinate efforts to identify the source of cyber-attacks against government systems." The Department of Homeland Security (DHS) will focus on protecting networks, while the Pentagon will turn its attention toward developing counterattack strategies. The new initiative has met with some concerns. According to the chairman of the House Homeland Security Committee, Rep. Bennie Thompson (D-Miss.), "Agencies designed to gather intelligence on foreign entities should not be in charge of monitoring our computer systems here at home." Others have pointed out that the exclusion of the private sector from the program ignores an important source of cyber attack data.
[Editor's Note (Northcutt): What do you say? They clearly need help, but the Department of Homeland Security is a major player in this and they just got hacked in a major way. How are they going to help the rest of government? It would have been smarter and cheaper to get some GIAC certified intrusion analysts on the detection systems and some people with operating system hardening credentials to work on the OS builds. ]
French Securities Trader Used Co-Workers' Access Codes (January 26 & 28, 2008)
Jerome Kerviel, the French futures trader who created US $7.14 billion in losses for his employer Societe Generale, apparently stole fellow employees' computer access codes and sent fraudulent email to perpetrate his scheme. Kerviel allegedly evaded detection because he had spent five years working on the bank's trading systems. He also allegedly hacked into the system to hide his electronic tracks, turning off electronic warning systems that could have alerted the bank to anomalous trading patterns. Kerviel's resume indicates that his computer skills were not particularly advanced, which suggests either that Societe Generale's security systems were not what they should be, or that Kerviel had an accomplice.
[Editor's Note (Schultz): The magnitude of this incident and the losses involved are difficult to fathom. Additionally, I would not expect many if any simple causes for this incident because many interacting causes (some security related, others not related to security at all) are likely to be identified. ]
************************** Sponsored Links: ***************************
1) PCI Compliance - Are you ready for June 2008? Learn more from HP Software. http://www.sans.org/info/23143
2) Complimentary White Paper: Beyond NetFlow, JFlow, and SFlow: Harnessing Application-aware Flow Information to Improve Network Security http://www.sans.org/info/23148
*************** COOL NEW RESOURCE FOR SECURITY INSIGHT *****************
One of the very popular new areas on SANS' website is Stephen Northcutt's Thought Leadership interview series. We would love your feedback on it - other people to interview - ways to make it better. In the latest installment, Stephen interviews Pari Networks' Kishore Kumar on the convergence and challenges in managing network operations/configuration, security assessments/remediation and regulatory/corporate compliance.
Additionally, Stephen sits down with LogLogic's Dr. Anton Chuvakin to discuss current status and future trends in system logging. http://www.sans.edu/resources/securitylab/loglogic_chuvakin.php
THE REST OF THE WEEK'S NEWS
Greek Police Arrest Man for Allegedly Selling Stolen Data (January 26 & 28, 2008)
Police in Greece have arrested an unnamed man for allegedly selling corporate secrets online. All that is known about the man is that he is a 58-year-old mathematics professor and a Greek national. Dassault Systemes, a French defense contractor, contacted Greek authorities about the data theft in 2002; the company estimates its losses to be US $361 million. The suspect allegedly broke into the company's computer system and stole the data. Authorities are also looking for an accomplice in the UK.
[Editor's Note (Cole): For every insider attacker/data theft incident that gets reported there are 20 that do not. ]
ChoicePoint Will Pay US $10 Million to Settle Lawsuit (January 24 & 27, 2008)
ChoicePoint will pay US $10 million to settle a class action lawsuit brought against the data aggregator after thieves stole personally identifiable information of more than 160,000 people in 2004. The thieves pretended to be small business owners to gain access to the information in ChoicePoint's database. In addition, the Securities and Exchange Commission (SEC) has concluded an investigation into the sale of stock by ChoicePoint's CEO and COO, but did not recommend any action be taken against the two. Two years ago, ChoicePoint agreed to pay US $15 million to settle Federal Trade Commission (FTC) charges of privacy rights violations.
[Editor's Note (Pescatore): The $25M in fines and legal judgments is probably about equal to the other direct costs ChoicePoint had to spend to deal with this incident. Last year ChoicePoint's CISO gave a great presentation on lessons learned, especially about how business processes need to be considered as part of the security equation.
(Schultz): This is just one of many recent examples of the types and amounts of financial costs associated with data security breaches. Just when a company finishes settling a legal case growing out of a data security breach with one plaintiff, another comes on the scene to file additional legal action. (Cole): Keep a copy of this story on file so you can answer your executives' questions about the "value of security." ]
Singapore Police Arrest Seven for Computer Law Violations (January 24, 2008)
Authorities in Singapore have filed charges against seven former Citibank employees for violations of the country's computer misuse act and computer secrecy law. The seven allegedly took private bank client information from Citibank with them when they left the company to work at UBS, a Citibank competitor. They face a total of 1,223 charges for allegedly accessing Citibank computers without authority and making copies of client data. The charges mark the culmination of a one-year investigation by the Singapore police commercial affairs division. The seven have been suspended from their jobs at UBS pending the resolution of the case. If they are convicted, they could be sentenced to up to 20 years in jail and fined as much as S$125,000 (US $88,000).
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Prosecutor Will File Charges Against Pirate Bay Operators (January 28, 2008)
A Swedish public prosecutor plans to file charges of accessory and conspiracy to break copyright law this week against the operators of the Pirate Bay website. The prosecutor maintains that Pirate Bay operators are acting as accessories to crimes; the operators say they have no control over the content that people choose to download. If the operators are found guilty, they could face fines or up to two years in prison. Pirate Bay servers contain no pirated content; instead, the site acts as a directory to locations of torrent files on the Internet. What Pirate Bay does make available on its site is the BitTorrent protocol, which allows users to download large files.
IFPI Says Losses in CD Sales Outweigh Gains from Online Music Sales (January 25, 2008)
The International Federation of the Phonographic Industry (IFPI) maintains that 95 percent of music tracks downloaded from the Internet are pirated. Although revenue from digital music sales increased 40 percent over the last year, that does not make up for the losses due to the drop in CD sales worldwide. IFPI chief John Kennedy praised French President Nicolas Sarkozy's call for ISPs to cut off users found to be violating digital copyrights.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Mass. HMO Laptop Theft Prompts Investigations (January 26, 2008)
Medicare officials are investigating the theft of a Fallon Community Health Plan (FCHP) laptop computer and the subsequent response of the Massachusetts HMO. The computer was stolen from a Boston office of a vendor working for FCHP in late December or early January and contains information belonging to 30,000 Medicare Advantage and Summit ElderCare members. The data were not encrypted or password-protected, which violates FCHP policy. The Boston Police are also continuing to investigate the theft.
Stolen Computer Holds Marks & Spencer Employee Data (January 25, 2008)
A laptop computer stolen from the home of a Marks & Spencer contractor contains pension plan information for approximately 26,000 of the UK-based retail store's employees. The computer was stolen in April 2007 and no employees have reported problems due to the data loss. The data on the computer were not encrypted; the Information Commissioner's Office (ICO) found M&S to have breached the Data Protection Act when it did not take steps to ensure the safety of employee data. The ICO has ordered M&S to ensure that all its laptop hard drives are encrypted by April 2008 or face criminal charges.
[Editor's Note (Honan): This sanction is something that all organisations should take heed of, as it sends a strong and clear message as to what the ICO expects from organisations to whom personal data has been entrusted. ]
Best Buy Recalls Infected Digital Picture Frames (January 25 & 28, 2008)
Best Buy has acknowledged that it sold a "limited number" of malware-infected digital picture frames over the holidays. The 10.4 inch devices were sold under the Best Buy in-house brand name Insignia, model #NS-DPF10A. The company is investigating the incident and has recalled the frames in question. The virus is reportedly an older one and should be recognized by anti-virus programs. Only Windows machines are affected.
The Internet Storm Center provided the original research for these stories: Dec 25th:
DC City Workers Fired for Surfing Porn Sites (January 23 & 25, 2008)
Nine Washington DC municipal workers have been fired for surfing pornographic websites during work hours. Washington DC chief technology officer Vivek Kundra says figures indicate that each employee looked at approximately 20,000 pornographic images last year. The information was gathered from records of web use generated by content filtering tools. An additional 32 employees who viewed pornographic images more than 2,000 times will be reprimanded or suspended. Filtering software was installed on 10,000 city computers; the city has purchased 20,000 additional copies to track activity on all city PCs.
[Editor's Note (Pescatore): So, policy said "don't go to porno sites" but no URL blocking was used to enforce the policy? Or it was OK as long as you went to fewer than 2,000 sites in a year?? I think we learned way back in the telephone days to block access to 900 numbers, not spend admin time counting up how long everyone spent on prohibited calls.
(Northcutt): 20,000 images would be about 160 hours of viewing at 30 seconds to download and look at a picture. One overachiever downloaded 48,001 images; he is probably filing for disability for repetitive motion injury. This is a management failure. If one employee has to be terminated, it may be an employee behavior problem. If a lot of employees have to be terminated or disciplined, it is a management failure. In my class, we cover this; content filtering is not exactly a new idea. If you do not have content filtering, get it, it will pay for itself. ]
Computer Security Events that Changed History (or Didn't) (January 2008)
CSO Online's list of "the top eight events that changed the course of computer security history (and two that didn't)" runs the gamut from the Cap'n Crunch whistle and the Morris worm to Titan Rain and the Storm Worm. The events were selected "because of their legislative impact or technical sophistication, ... the media attention they received, and ... the focus they brought to important security issues." Interestingly, the two events that didn't change history are the VA data theft and the TJX breach. Although they had the potential to force changes in data protection laws and regulations and encourage more widespread adoption of security standards, neither of these things has happened.
[Editor's Note (Northcutt): Short article, but good to remind us of the dates and names of some of the really big events. A bit more elbow grease and this could have been an excellent read. ]
LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at Harris Corporation
WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Ronda Henning
Sponsored By: Secure Computing
The company that handles information security for major broadcast networks and such government agencies as the FAA, needed a very robust, very secure and very flexible firewall platform that could be tailored and customized to address both new and ancient legacy protocols and applications. Denial of service was a significant concern for Harris Corp. clients so the company turned to a solution that provided a highly available and high performance firewall.
SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
Sponsored By: Lumigent Technologies
How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit?
What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database?
These and other questions will be answered when, on Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.
We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
SANS Special Webcast: A Brief History of Hacking with Dave Shackleford
WHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
Sponsored By: Core Security
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.
Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including:
- The early days of phone phreaks and bulletin boards
- The growth of hacker gangs and 2600: The Hacker Quarterly
- The 75-cent accounting error that led to an international crime investigation
- Bill Cheswick's evening with "Berferd"
- The first malware and Trojan horse programs
At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
Be sure to check out the following FREE SANS archived webcasts:
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
Sponsored By: Cenzic
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/