
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #13

February 17, 2009

Two big stories and a blog this morning in USA Today about massive increases in attacks against the federal government and what the White House is doing about them:

Front Page:

White House Action (Money Section):

Blog on White House Action: http://lastwatchdog.com/archives/467


Canadian Judge Rules Internet Users Have "No Reasonable Expectation of Privacy"
Three Arrests in Heartland Breach Case
UK Plans to Consolidate Communication Data Retention


Pirate Bay Trial Begins in Stockholm
Two of Tenenbaum's Three Alleged Accomplices Cleared of Charges
US State Department Employees Use Biometrics to Access Network
Mass. Extends Data Protection Compliance Deadline Again
Univ. of Alabama Data Breach
McAfee Mobile Security Report 2009
Forrester Report Indicates IT Security Spending is Up Slightly
Italian Police Say Criminals Turning to VoIP to Avoid Wiretaps
FTC Revises Online Behavioral Advertising Principles

*************************** Sponsored By CA *****************************

Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... https://www.sans.org/info/38738



- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world with lots of evening sessions: http://www.sans.org/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org



Canadian Judge Rules Internet Users Have "No Reasonable Expectation of Privacy" (February 13, 2009)

A judge in Canada has ruled that Internet users have "no reasonable expectation of privacy" regarding records kept by their Internet service providers (ISPs). The ruling was made in the course of a child pornography case in which law enforcement officers asked an ISP to provide subscriber information for an IP address that was allegedly used to access the content. Bell Canada provided the information without a warrant. Most Canadian ISPs require warrants before they will provide subscriber names, except in the case of child pornography. Privacy advocates are concerned the ruling could set a precedent that would put individuals' entire surfing history at the disposal of law enforcement authorities without the need for warrants. They maintain the judge operated under the faulty assumption that the information obtained from the ISP is similar to what could be found in a telephone directory.

[Editor's Note (Northcutt): The ever-dwindling right to privacy. Keep in mind that ISPs want to collect information on users' surfing, etc., so they can sell that data to marketing firms. Be sure to check out the related FTC story elsewhere in this issue.
(Hoelzer): This topic will become more and more interesting legally, since in many jurisdictions governments are requiring that certain records be kept; while the intent is good, the potential for abuse toward individuals unfriendly to a particular political point of view could be the result in the end. For example, consider the story out of the UK this week moving to consolidate this type of data into top-tier providers for easier access and monitoring by government. ]

Three Arrests in Heartland Breach Case (February 13, 2009)

Law enforcement officials in Florida have arrested three individuals in connection with the Heartland Payment Systems data security breach. The three men allegedly used credit card numbers stolen in the breach to make purchases at an area Wal-Mart; the items were then resold for cash. The number of financial institutions with cards affected by the Heartland breach is now believed to be at least 220. Heartland disclosed last month that intruders stole payment card information from its systems sometime in 2008.


UK Plans to Consolidate Communication Data Retention (February 13 & 16, 2009)

Rather than requiring every service provider in the UK to keep its own user communication information to comply with European data retention rules, the UK government plans to use BT and other "high tier providers" to retain the data. The move comes as a result of the government's decision not to bear the burden of paying for each individual provider's compliant data retention system. UK draft laws require retention of IP address and session data for 12 months. The data retention scheme is expected to cost taxpayers about GBP 46 million (US $65.7 million).

******************** SPONSORED LINKS **********************************

1) Need to meet PCI DSS v1.2 Compliance Requirements? - Download Configuresoft's FREE Compliance Checker for PCI DSS v1.2 http://www.sans.org/info/38743
2) Come see the best tools for your pen test toolbox at the Penetration Testing and Ethical Hacking Summit June 1-2 Las Vegas. See what works. http://www.sans.org/info/38748




Pirate Bay Trial Begins in Stockholm (February 13 & 16, 2009)

The Swedish trial of the founders of the Pirate Bay website has begun. Pirate Bay contains links that allow site members to download copies of music, movie and television program files; the site's founders are being sued by a group of media companies. The defendants, Frederik Neij, Gottfrid Svartholm Warg, Peter Sunde and Carl Lundstrom, maintain that they have not done anything illegal because the content in question is not hosted on their servers. The four face charges of being accessories to, and conspiring in, breaches of copyright law. The lawsuit seeks 120 million kronor (US $14 million) in damages and interest. The site has an estimated 25 million users. If the men are convicted, they could face sentences of up to two years in prison and fines of as much as US $180,000.


Two of Tenenbaum's Three Alleged Accomplices Cleared of Charges (February 11, 2009)

Two of the three people arrested along with Ehud Tenenbaum in Canada last September for their alleged involvement in a fraud scheme have been cleared of charges, although no reason was given for the decision. Tenenbaum and three others were arrested last fall for allegedly breaking into the computer system of Direct Cash Management, a company that sells prepaid debit and credit cards. The system was accessed through an SQL injection attack. Limits on some accounts were changed, and all told, those involved in the scheme stole CN $1.8 million (US $1.4 million). Tenenbaum gained notoriety in the late 1990s for his role in several intrusions into US government computer systems. He is currently free on CN $30,000 (US $24,000) bond, but the US is seeking to extradite him to face other charges. Tenenbaum's girlfriend, Priscilla Mastrangelo, still faces charges.
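The SQL injection vector named above, as an added illustration that is not code from the newsletter and says nothing about Direct Cash Management's actual application (which is not public): a constructed prepaid-card table whose account-limit update builds its statement by string formatting, so a crafted card identifier widens the WHERE clause to every account, shown beside a parameterized version that treats the same input as data. The schema, column names, card IDs and the injected string are all constructed for this example.

```python
"""
Added example: SQL injection in an account-limit update, vulnerable and fixed.
Not the newsletter's code and not Direct Cash Management's; the table, column
names, card IDs and attack string are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three prepaid cards, each with a spending limit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (card_id TEXT PRIMARY KEY, limit_cents INTEGER)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("card-0001", 50_00), ("card-0002", 100_00), ("card-0003", 25_00)],
    )
    conn.commit()
    return conn


def set_limit_vulnerable(conn: sqlite3.Connection, card_id: str, limit_cents: int) -> int:
    """Builds the statement by string formatting, so card_id becomes part of the SQL text.
    Casting the limit to int protects that one value but leaves the string injectable.
    Returns the number of rows updated."""
    sql = f"UPDATE cards SET limit_cents = {int(limit_cents)} WHERE card_id = '{card_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_limit_safe(conn: sqlite3.Connection, card_id: str, limit_cents: int) -> int:
    """Same operation with bound parameters: card_id is passed as data, never as SQL."""
    cur = conn.execute(
        "UPDATE cards SET limit_cents = ? WHERE card_id = ?",
        (int(limit_cents), card_id),
    )
    conn.commit()
    return cur.rowcount


def limits(conn: sqlite3.Connection) -> dict:
    """Current limit per card, for inspection."""
    return dict(conn.execute("SELECT card_id, limit_cents FROM cards ORDER BY card_id"))


# Constructed attack input: closes the string literal and appends an always-true
# condition, so the vulnerable WHERE clause matches every row.
INJECTED_CARD_ID = "card-0001' OR '1'='1"


def demo() -> dict:
    """Runs both versions against fresh databases and returns the resulting limits."""
    vuln = make_db()
    n_vuln = set_limit_vulnerable(vuln, INJECTED_CARD_ID, 1_000_000_00)

    safe = make_db()
    n_safe = set_limit_safe(safe, INJECTED_CARD_ID, 1_000_000_00)

    return {
        "vulnerable_rows_updated": n_vuln,   # 3: every card's limit was raised
        "vulnerable_limits": limits(vuln),
        "safe_rows_updated": n_safe,         # 0: no card has that literal id
        "safe_limits": limits(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The rowcount is the check worth logging in production: a single-account maintenance call that touches more than one row is itself a detection signal, independent of whether the query was written with parameters.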


US State Department Employees Use Biometrics to Access Network (February 11, 2009)

More than half of US State Department employees who use the department's unclassified computer network now log on with smart cards that contain biometric data. The cards were issued through the department's Biometrics for Logical Access Development and Execution (BLADE) public key infrastructure program. The program provides two controls at once: users must present a fingerprint that matches the template stored on the card, and removing the card from the workstation locks that workstation.
[Editor's Note (Northcutt): This appears to be an interesting program. They claim to be able to keep an unauthorized macro from running. This apparently is part of Homeland Security Presidential Directive 12 (HSPD-12) compliance, though I thought agencies had to be compliant with the common federal identification standard by 2005:

The stimulus for the story was probably the biometrics conference in Washington last week:

If anyone has a copy of Mr. Frahm's presentation, I would love to see it. ]


Mass. Extends Data Protection Compliance Deadline Again (February 13, 2009)

Massachusetts officials have once again extended the deadline for compliance with the state's stringent data security regulations. Organizations now have until January 1, 2010 to ensure that any personal data they retain that belong to Massachusetts residents are protected in a number of ways, including encrypting data while they are transmitted over public networks or stored on devices that can be carried from one location to another, and limiting the amount of information they retain. The decision to extend the deadline was based in part on the current economic climate as well as the need to allow companies ample time to make the necessary changes to their systems. State regulators have also pared back their demand that third parties with access to the data be required to demonstrate that they, too, comply with the requirements. Originally, the compliance deadline was January 1, 2009; last November, the date was pushed back to May 1, 2009, and last week it was once again extended.

[Editor's Note (Hoelzer): There are sometimes excellent reasons to extend deadlines. When it comes to compliance requirements, however, my experience tells me that extending the deadline simply leads to businesses choosing to do nothing until the deadline again draws near. ]


Univ. of Alabama Data Breach (February 14, 2009)

A computer intrusion at the University of Alabama (UA) in November 2008 exposed information contained in 37,000 records of medical laboratory test results. The compromised information includes names, addresses, birthdates and Social Security numbers (SSNs) of people who have had lab work done on the UA campus since 1994. The intruder or intruders managed to access 17 UA servers.


McAfee Mobile Security Report 2009 (February 16 & 17, 2009)

According to McAfee's Mobile Security Report 2009, half of mobile phone manufacturers said they had experienced security incidents in the last year, including malware attacks and voice and text spam. Seventy percent of respondents believe security of mobile devices is a critical issue. Nearly half of those responding said that they had felt a significant financial impact from the cost of addressing security issues in their devices. Most of those responding believe that security improvement costs should be the responsibility of service providers or manufacturers instead of end users. Among the most serious security concerns are mobile payments, installing applications and Wi-Fi and Bluetooth connections.


Internet Storm Center Comment:
[Editor's Note (Honan): Mobile devices are raising similar challenges to businesses that PCs did when they were first introduced in the 1980s.
(Schultz): There is no doubt that security risks associated with mobile devices are growing at an alarming rate, and that control measures are not being implemented nearly as quickly. Organizations are not likely to reverse this trend unless auditors start paying more attention to mobile devices, something that ultimately will put more pressure on organizations to substantially improve mobile device security. ]

Forrester Report Indicates IT Security Spending is Up Slightly (February 16, 2009)

A survey from Forrester Research says that the percentage of IT operating budgets devoted to security is increasing, from 11.7 percent in 2008 to 12.6 percent in 2009. Fully half of the security budgets are earmarked for staffing and upgrades to existing technology. The report, "The State of Enterprise IT Security: 2008 to 2009", surveyed nearly 950 IT and security managers in Europe and North America.


Italian Police Say Criminals Turning to VoIP to Avoid Wiretaps (February 14 & 16, 2009)

Police in Italy say that organized crime rings in their country are increasingly using Skype VoIP (voice over Internet protocol) technology to communicate in an effort to evade wiretaps and mobile phone communication interception. Police said they overheard a drug trafficker recommending the use of Skype precisely to avoid eavesdropping. Skype has thus far refused to share information about its system with law enforcement authorities.

[Editor's Note (Honan): New technologies will always be exploited by criminals for their own means. Law enforcement needs to accept that fact and develop strategies to deal with the problem. German police have been reported to be developing a Trojan aimed at eavesdropping on Skype, while the NSA is reported to be offering large sums of money to anyone who can develop a reliable means of eavesdropping on Skype calls and messaging. ]

FTC Revises Online Behavioral Advertising Principles (February 12 & 13, 2009)

The US Federal Trade Commission (FTC) last week issued a report critical of current Internet privacy policies. The report says that websites are for the most part not making clear to their users what information is being collected about them and how that information is used for advertising. The report stops short of calling for federal regulation of online privacy rules, but its tone suggests that if ISPs do not take steps quickly, that is exactly what will happen. The report is an update to voluntary guidelines for online behavioral advertising. Privacy groups say the report does not go far enough and that the time has come for legislation.

[Editor's Note (Northcutt): The report is here:
It is worth taking the time to read at least the principles found starting on page 46 and take note of number 3. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/