SANS NewsBites Vol. 8 Num. 69

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Sep 01 2006 - 12:47:15 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The US National Institute of Standards & Technology's new guidelines
for removing sensitive data from old disk drives (the second story under
Top of the News) are refreshingly optimistic and very useful.

Correction: Last issue we shared with you NIST's list of industries that
are directly impacted by vulnerabilities in SCADA and process control
systems. Thanks to all the readers who pointed out that NIST left out
two really important industries. Here's the corrected list: (1)
electric, (2) water, (3) oil and gas (pipelines, too), (4) chemical, (5)
pharmaceutical, (6) pulp and paper, (7) food and beverage, (8) discrete
manufacturing (automotive, aerospace and durable goods), (9) air and
rail transportation, and (10) mining and metallurgy industries.

Reminder: Next Friday (September 8) is the deadline for early
registration saving for the SCADA Security Summit and for Network
Security 2006 (both in Las Vegas). The hotel deadline is also Sept. 8.
Details: SCADA Security: http://www.sans.org/scadasummit_fall06/
Network Security 2006: http://www.sans.org/ns2006/

*************************************************************************
SANS NewsBites Sept. 1, 2006 Vol. 8, Num. 69
*************************************************************************

TOP OF THE NEWS
  UK Home Office Says ID and Passport Database Intrusions Did Not Come From Outside
  NIST Issues Guidelines for Sanitizing Used Media
  Mobile Devices Hold On to Old Data
THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS & SENTENCES
    T-mobile Attacker Gets One Year Home Confinement
    Man Pleads Not Guilty in Cyber Attack on Health Clinic Systems
  SPYWARE, SPAM & PHISHING
    Phishers Turning to SMS
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    BSA Wants Government to Put Teeth in Software Piracy Enforcement
    Microsoft to Patch Windows Media DRM Against Application that Bypasses Protections
  VULNERABILITIES, ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Unpatched Hole in IE 6.0 SP1
    GCN.com to Host Forum on Red Storm Rising Story
    AT&T Acknowledges Online Customer Data Breach
    Stolen Laptops Hold Dept. of Education Employee Information
  MISCELLANEOUS
    Storm Domain Profiteers
    eGold.com Plays with Images to Foil Phishers
    AOL Caught Out by StopBadware.org

********* Sponsored by SANS Network Security 2006 in Las Vegas **********
How Good Are The Courses at SANS Network Security 2006? Ask the alumni.

++ "I have attended courses by several of SANS rivals, and SANS blew
them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I
learned techniques and found tools I could apply immediately." - Dwight
Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the
people who are defining the future direction of information technology"
- Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much
through traditional classes would have entailed weeks away from work."
- David Ritch, Department of Defense

SANS best instructors all come together at Network Security 2006 in Las
Vegas, October 1-9. 37 immersion courses; big exposition; free evening
classes, much more.
See: http://www.sans.org/ns2006/caag.php

******* And By SANS Voucher Credit Program To Make It Easier ************
"Maximize your Training Budget!
"SANS Program that pays you credits and delivers flexibility"
Do you have remaining fiscal 2006 education funds?
Are you looking for a creative way to finance training?
Visit: http://www.sans.org/info.php?id=1328
*************************************************************************

TOP OF THE NEWS

  --UK Home Office Says ID and Passport Database Intrusions Did Not Come From Outside
(31 August 2006)
The UK Home Office admits that the ID and passport service database has
experienced five security breaches in as many years, but maintains that
the breaches were caused by civil service staff and did not come from
outsiders. Four of the breaches were due to staff accessing the
database for unauthorized purposes. Each of the instances resulted in
the dismissal of the employee responsible. The fifth security breach
was reportedly due to a technical failure in a legacy system; that
system has been replaced. Concern surrounding the database is high, as
the UK's ID card project will result in a huge database of sensitive
information, including biometric data, about UK citizens. Opponents of
the ID card system point to last spring's infiltration of the Department
for Work and Pensions system that resulted in the theft of personal data
belonging to 13,000 civil servants and their subsequent use in making
false tax credit claims. The opponents are concerned the ID card
database will prove even more enticing to identity thieves.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39282044-39020375t-10000025c
[Editor's Note (Ullrich): Governments are asking to collect more and
more data, without considering the effort necessary to safeguard this
data. Data is not only an asset; as many businesses have learned, it can
also be a big liability.
(Schultz): If I read this news item correctly, it sounds as if the UK
Home Office is trivializing the break-ins because they were "only"
caused by insiders. Apparently this office does not appreciate the
extremely high levels of risk that insider attacks pose.]

  --NIST Issues Guidelines for Sanitizing Used Media
(30 August 2006)
The National Institute of Standards and Technology (NIST) has released
Special Publication 800-88, "Guidelines for Media Sanitization." The
draft guide addresses sanitization techniques for magnetic, optical,
electrical and other media types. NIST is careful to note that the
"guide is intended to assist organizations and system owners in making
practical sanitization decisions based on the type of information on
their system media. It does not, and cannot, specifically address all
known types of media however; the described draft sanitization decision
process can be applied universally to all forms of media and
categorizations of information."
http://www.fcw.com/article95849-08-30-06-Web&printLayout
http://csrc.nist.gov/publications/nistpubs/800-88/SP800-88_Aug2006.pdf
[Editor's Note (Ullrich): A reassuring quote from the NIST report:
"Studies have shown that most of today's media can be effectively
cleared and purged by one overwrite...". This should put some minds at
rest about the time required to do multiple writes for large disk
systems. A difficult case remains where a defective disk can no longer
be overwritten and has to be returned to the manufacturer for a warranty
claim. Companies have been successful in negotiating warranty terms that
no longer require the defective disk to be shipped back.
(Honan): This is a welcome document and one that every IT manager should
read, as many organisations fail to implement appropriate procedures on
how to dispose of old media. In particular, good practice dictates that
backup tapes should be removed from the backup schedule as they near
their end of life; however, these old tapes can expose sensitive data if
not sanitised properly.]

  --Mobile Devices Hold On to Old Data
(31 & 30 August 2006)
Following the directions that come with mobile devices, such as phones
and PDAs, to remove data before selling or recycling them is not enough
to ensure the next person who holds the device will not be able to see
your private information. Data can still be retrieved from phones that
have been reset. A security software company that purchased 10 used
smartphones and PDAs on eBay found sensitive, personally identifiable
information on nearly all of them. The company plans to return all the
phones to their original owners and has kept all the data it retrieved
from the phones on a computer not connected to its corporate network.
Some companies have provided stronger data wiping functions in their
newer devices.
http://www.theage.com.au/news/Technology/Software-Can-Resurrect-Cell-Phone-Info/2006/08/31/1156816976190.html
http://software.silicon.com/security/0,39024888,39161863,00.htm
http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive
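The two preceding items make one point from opposite ends: a vendor "remove all data" step that only drops the device's index leaves the underlying bytes in place, while SP 800-88's "clear" is a single overwrite of every block followed by verification. The script below is an added example for this newsletter, not code from SANS, NIST or any handset vendor. It builds a small constructed disk image with a toy allocation table, shows that a reset which clears only that table still leaves phone numbers recoverable by carving the raw bytes, and then performs a single-pass overwrite with a read-back verification pass. Block size, table format, file names and the sample records are all assumptions made for the demonstration.

```python
"""Data remanence demo: a 'reset' that only clears the allocation table versus a
single-pass overwrite ('clear', in SP 800-88 terms) with read-back verification.

Added example for this newsletter; not code from SANS, NIST or any device
vendor.  Block layout, table format and sample records are constructed."""
import os
import re
import tempfile

BLOCK = 512          # constructed: sector size of the toy medium
NBLOCKS = 64         # constructed: a 32 KiB image stands in for a phone's storage
TABLE_BLOCK = 0      # block 0 holds a toy allocation table of "blk:len" entries

# Constructed sample records; all numbers are fictitious.
RECORDS = [
    b"contact: Alice Example, mobile +1 415 555 0100",
    b"note: wire transfer ref 20060831, call +44 20 7946 0958",
]
PHONE = re.compile(rb"\+\d[\d ]{7,}\d")   # carving signature: international numbers


def make_image(path, records):
    """Zero-fill the image, put one record per data block, write the table."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (BLOCK * NBLOCKS))
    entries = []
    with open(path, "r+b") as f:
        for i, rec in enumerate(records):
            blk = TABLE_BLOCK + 1 + i
            f.seek(blk * BLOCK)
            f.write(rec)
            entries.append(f"{blk}:{len(rec)}")
        f.seek(TABLE_BLOCK * BLOCK)
        f.write(",".join(entries).encode())


def list_records(path):
    """What the device's own UI shows: only records reachable via the table."""
    with open(path, "rb") as f:
        f.seek(TABLE_BLOCK * BLOCK)
        table = f.read(BLOCK).rstrip(b"\x00").decode()
        found = []
        for entry in filter(None, table.split(",")):
            blk, length = (int(x) for x in entry.split(":"))
            f.seek(blk * BLOCK)
            found.append(f.read(length))
        return found


def factory_reset(path):
    """Mimic the vendor 'remove all data' step: wipe the table block only."""
    with open(path, "r+b") as f:
        f.seek(TABLE_BLOCK * BLOCK)
        f.write(b"\x00" * BLOCK)


def carve(path):
    """Forensic recovery: ignore the table, scan every byte for phone numbers."""
    with open(path, "rb") as f:
        raw = f.read()
    return sorted({m.group().decode() for m in PHONE.finditer(raw)})


def clear_single_pass(path, pattern=b"\x00"):
    """Single-pass clear: overwrite every block once with a fixed pattern,
    force it to the medium, then verify by reading every block back.
    Returns True only if the read-back matches the pattern everywhere."""
    fill = (pattern * BLOCK)[:BLOCK]
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.seek(off)
            f.write(fill[: min(BLOCK, size - off)])
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:            # verification pass, never skip it
        for off in range(0, size, BLOCK):
            want = fill[: min(BLOCK, size - off)]
            if f.read(len(want)) != want:
                return False
    return True


def demo():
    """Run the three stages on a temp image and report what each leaves behind."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path, RECORDS)
        before = len(list_records(path))
        factory_reset(path)
        after_reset = {"listed": len(list_records(path)), "carved": carve(path)}
        verified = clear_single_pass(path)
        after_clear = {"verified": verified, "carved": carve(path)}
    finally:
        os.unlink(path)
    return {"before": before, "after_reset": after_reset, "after_clear": after_clear}


if __name__ == "__main__":
    print(demo())
```

After the reset the device lists nothing, yet both numbers come straight back out of the raw image; after the overwrite the carve returns nothing and the verification pass reports success. On real hardware the overwrite can only reach blocks the drive or flash controller still exposes, which is why the defective-disk case in the editor's note above has no software answer and why the verification step is a read-back of the medium rather than trust in the write.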

************************ Sponsored Links: *******************************

1) Register today for Mu Security's SANS 'Ask The Expert Webcast':
'Eliminating Vulnerabilities Before Attackers Know They Exist'
http://www.sans.org/info.php?id=1329
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
  --T-mobile Attacker Gets One Year Home Confinement
(29 August 2006)
Nicholas Lee Jacobsen has been sentenced to one year of home detention
and ordered to pay US$10,000 in restitution to T-mobile for breaking
into a T-mobile computing system and accessing the records of hundreds
of T-mobile customers, including those of a US Secret Service agent.
Jacobsen accessed the names and Social Security Numbers (SSNs) of
approximately 400 T-mobile customers when he broke into the system in
2004.
http://news.bbc.co.uk/2/hi/technology/5294412.stm
http://www.smh.com.au/news/Technology/TMobile-Hacker-Gets-Home-Detention/2006/08/29/1156816881114.html

  --Man Pleads Not Guilty in Cyber Attack on Health Clinic Systems
(29 August 2006)
Jon Paul Oson has pleaded not guilty to charges of damaging protected
computers. Oson was formerly employed at San Diego's Council of
Community Health Clinics, but allegedly quit his job after receiving a
disappointing evaluation. Oson allegedly broke into computer systems
at two southern California health clinics and erased patient and billing
data. Some patients did not receive the care they needed as a result
of the attacks. Oson is being held in lieu of US$75,000 bail; a hearing
is scheduled for September 5. If convicted of charges against him, Oson
could face up to 20 years in prison and fines of up to US$500,000.
http://www.signonsandiego.com/news/metro/20060829-9999-1m29hacker.html

SPYWARE, SPAM & PHISHING
  --Phishers Turning to SMS
(31 August 2006)
Phishers have begun using SMS messages as an attack vector. Users have
reported receiving SMS messages purporting to confirm that they have
signed up for a dating service and notifying them they will be charged
US$2 a day until they cancel the order at a certain web site. That site
downloads a Trojan horse program onto their phones, allowing it to be
controlled by the attackers. The practice has been dubbed SMiShing.
http://www.varbusiness.com/showArticle.jhtml;jsessionid=MHD2BBOZMX1E2QSNDLPCKHSCJUNN2JVN?articleId=192500765&printableArticle=true
http://www.networkworld.com/news/2006/082806-mcafee-warns-of-smishing.html
[Editor's Note (Honan): This development indicates how profitable
Phishing has become. Firstly, there is an inherent cost barrier for
sending Phishing messages via SMS, as there is a charge per text message.
Secondly, even if compromised accounts or stolen credit cards are being
used, the criminals are exposing themselves to more risk. So the
returns from victims must be substantial enough to justify the initial
outlay. In a similar vein, proposals to charge for emails in an attempt
to reduce SPAM and Phishing may not prove to be enough of a barrier to
criminals.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
  --BSA Wants Government to Put Teeth in Software Piracy Enforcement
(30 August 2006)
The Business Software Alliance (BSA) wants the UK government to
establish penalties for businesses using unlicensed software. At
present, companies found not to be in compliance are able to purchase
licenses and end the problem. The BSA would like to see penalties added
as an incentive to encourage the use of licenses from the start and
reduce the level of software piracy in the UK. The BSA would like the
government to impose a fine to go along with the cost of purchasing the
licenses. In Ireland, judges are free to impose penalties as they see
fit in accordance with the offense. Individuals trafficking in pirated
software are already subject to harsher penalties. The BSA would also
like to see the government educate the public about software licenses.
Roughly 80 percent of the cases in which the BSA intervenes are due "to
negligence and not to malice."
http://www.theregister.co.uk/2006/08/30/fine_software_pirates_says_bsa/print.html
(1 September Update): Anger over call to fine unlicensed software users
http://news.zdnet.co.uk/business/legal/0,39020651,39282111,00.htm
[Editor's Note (Grefer): Given that more than 80 percent of the cases
in which the BSA intervenes are due "to negligence and not to malice,"
why is the BSA so keen on getting the government to impose penalties?]

  --Microsoft to Patch Windows Media DRM Against Application that Bypasses Protections
(29 August 2006)
Microsoft will patch its digital rights management (DRM) software,
Windows Media DRM, after learning of an application that allows users
to remove DRM protection from digital media files. The application in
question was purportedly created to allow users to convert DVDs to
digital media files they can save on computer hard drives; a message on
the web site where it is posted maintains it is designed to allow "fair
use rights" to the media individuals have already purchased.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002838&taxonomyId=17&intsrc=kc_top
http://news.bbc.co.uk/2/hi/technology/5294750.stm

VULNERABILITIES, ATTACKS, INTRUSIONS, DATA THEFT & LOSS

  --Unpatched Hole in IE 6.0 SP1
(31 August 2006)
A heap overflow vulnerability in Internet Explorer 6.0 SP1 could allow
attackers to create denial of service conditions and possibly execute
arbitrary code. Users are encouraged to use an alternative browser
until a fix is available. The flaw affects IE 6.0 SP1 on Windows 2000,
XP and 2003. An exploit for the flaw has been published.
http://isc.sans.org/diary.php?storyid=1661
http://www.securityfocus.com/archive/1/archive/1/444504/100/0/threaded

  --GCN.com to Host Forum on Red Storm Rising Story
GCN.com will host an online forum with senior writers Dawn Onley and
Patience Wait to answer questions about their recent story "Red Storm
Rising" regarding China's cyber assaults on US government and military
computer systems.
http://www.gcn.com/forum/qna_forum/41835-1.html?topic=security

  --AT&T Acknowledges Online Customer Data Breach
(30 August 2006)
AT&T has acknowledged that cyber intruders accessed personally
identifiable information, including credit card data, belonging to
approximately 19,000 customers who used the company's online shopping
site. The breach affects people who purchased DSL from the online
store. AT&T notified the credit card companies immediately upon
learning of the breach and has notified affected customers by phone,
email and regular mail. AT&T is working with law enforcement on the
investigation.
http://australianit.news.com.au/articles/0,7204,20301936%5E15318%5E%5Enbv%5E,00.html
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1213279,00.html
http://news.com.com/2102-1029_3-6110765.html?tag=st.util.print
http://news.bbc.co.uk/2/hi/technology/5297710.stm

  --Stolen Laptops Hold Dept. of Education Employee Information
(30 & 29 August 2006)
Two laptop computers stolen from the Washington, DC offices of
professional services contractor DTI on August 11 contained the SSNs of
43 Department of Education employees "who were assessing grant
applications for [the department's] Teacher Incentive Fund." The data
were not encrypted. DTI vice president Bruce Rankin has spoken with all
but two of the affected individuals regarding the theft and has been in
email contact with the others. Police were informed immediately once
DTI became aware of the theft and the Department of Education was
notified soon after. Security cameras captured footage of a suspect in
the burglary; a reward is being offered for the computers' return.
http://www.fcw.com/article95848-08-30-06-Web&printLayout
http://govexec.com/dailyfed/0806/082906p1.htm

MISCELLANEOUS
  --Storm Domain Profiteers
(30 August 2006)
A number of domains related to tropical storm Ernesto have already been
set up, suggesting that fraudsters are getting ready to take advantage
of concern for people affected by the storm should disaster strike.
Similar web sites appeared in the wake of the December 2004 Tsunami and
last year's Hurricane Katrina. Many of the Katrina-related domains set
up last year appeared to be used for "domain parking," or setting up a
domain to reap profits from advertisers who want to place ads on sites
people are likely to visit. Some people also set up the domains so they
can profit from selling them to others. Because the National Weather
Service publishes its list of storm names in advance, many storm names
have already been registered as domains by people hoping to profit from
them.
http://www.networkworld.com/news/2006/083006-ernesto-fraudsters.html?fsrc=rss-security
http://isc.sans.org/diary.php?storyid=1650&isc=436dda48a4920f1bf285f28bb6fd8dd4

  --eGold.com Plays with Images to Foil Phishers
(31 August 2006)
eGold.com has deployed a trick to protect users from phishing sites.
eGold is a digital gold currency that allows users to transfer ownership
of the precious metal. eGold.com uses a whitelist of sites permitted to
use its images; sites known to be phishing sites get an image that
advertises boldly that the site is fraudulent. The technique could also
be tweaked to warn users who are redirected to legitimate sites from
known phishing sites after handing over their personal details.
http://blog.washingtonpost.com/securityfix/2006/08/using_images_to_fight_phishing.html
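The mechanism in this item is a decision made on the Referer header when an image is requested: allowed sites get the real image, hosts on a phishing blocklist get the bold "this site is fraudulent" image. The functions below are an added example illustrating that logic and the redirect-warning variant the item mentions; they are not eGold's code. The host lists and image names are constructed, the label-boundary host match is a choice made here so that egold.com.evil.example cannot pass as egold.com, and serving a generic warning to unknown hotlinkers is an assumption the article does not state.

```python
"""Referer-based image serving as described for eGold.com.  Added example for
this newsletter, not eGold's code; host lists, image names and the treatment
of unknown hotlinkers are constructed assumptions."""
from urllib.parse import urlsplit

ALLOWED = {"egold.com"}                                          # constructed allowlist
KNOWN_PHISH = {"egold-verify.example", "e-gold-login.example"}   # constructed blocklist

IMAGE_OK = "logo.png"
IMAGE_FRAUD = "this-site-is-fraudulent.png"   # the bold warning the article describes
IMAGE_UNKNOWN = "not-egold.png"               # assumption: generic warning for other hotlinkers


def referer_host(referer):
    """Lowercase host from a Referer header, or None if absent or unparsable."""
    if not referer:
        return None
    try:
        return urlsplit(referer.strip()).hostname or None   # hostname is lowercased, port stripped
    except ValueError:                                      # e.g. malformed IPv6 brackets
        return None


def within(host, domain):
    """True if host is domain or a subdomain of it.  The leading dot makes this a
    label-boundary check, so 'egold.com.evil.example' does not match 'egold.com'."""
    return host == domain or host.endswith("." + domain)


def image_for(referer, allowed=ALLOWED, phish=KNOWN_PHISH):
    """Pick which file the image server returns for one request."""
    host = referer_host(referer)
    if host is None:
        # Browsers, proxies and HTTPS-to-HTTP transitions drop Referer; a missing
        # header says nothing about the page, so do not punish that user.
        return IMAGE_OK
    if any(within(host, d) for d in allowed):
        return IMAGE_OK
    if any(within(host, d) for d in phish):
        return IMAGE_FRAUD
    return IMAGE_UNKNOWN


def arrival_warning(referer, phish=KNOWN_PHISH):
    """The tweak the article mentions: on the real site, warn a visitor who
    arrives from a known phishing host, since they likely just typed their
    credentials into it.  Returns the banner text, or None."""
    host = referer_host(referer)
    if host and any(within(host, d) for d in phish):
        return f"You arrived from {host}, a known phishing site. Change your passphrase now."
    return None


if __name__ == "__main__":
    for ref in ("https://www.egold.com/acct/", "http://egold-verify.example/login.php",
                "http://egold.com.evil.example/", None):
        print(repr(ref), "->", image_for(ref), "|", arrival_warning(ref))
```

Referer is entirely client-controlled and optional, so this catches careless hotlinking and nothing more: a phisher who copies the images onto his own server, or proxies them from eGold with a forged Referer, never triggers the warning, and the blocklist is only as good as the abuse reports feeding it. If unknown hosts are served a warning, every legitimate partner that embeds the images needs an allowlist entry first.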

  --AOL Caught Out by StopBadware.org
(29 August 2006)
StopBadware.org has chastised AOL for its AOL 9.0 software, which
allegedly includes bundled software and lacks transparency about the
added components. StopBadware.org would like AOL to be more forthcoming
about the software components included with its client and to provide
users with a straightforward way of declining the components and
uninstalling them if they are already on their computers. Among
StopBadware.org's complaints: AOL installs ViewPoint media player
without informing the user and it adds the AOL toolbar to Internet
Explorer without explicit disclosure.
http://www.theregister.co.uk/2006/08/29/aol_badware_warning/print.html
http://www.itnews.com.au/newsstory.aspx?CIaNID=36381

******************* The Editorial Board of SANS NewsBites ***************

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent language consultant based in Clearwater,
Florida.

*************************************************************************

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

---end---

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE+GHZ+LUG5KFpTkYRAu3EAJ9hlfoVvaD46U4fl1eM6ikoD8I97gCdEiv4
mKzAYpK8gsv3YdBidlU9RhU=
=F4dY
-----END PGP SIGNATURE-----