From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 16 2007 - 14:20:24 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites March 16, 2007 Vol. 9, Num. 22
*************************************************************************
TOP OF THE NEWS
Most Data Breaches Traced to Company Errors
NIST Bans Vista From its Networks
FTC Investigating TJX
Google Will Anonymize Some Retained Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Microsoft Sues Cybersquatters
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Lawrence Livermore National Lab Not Following DOE Data Wiping
Procedures
US National Computer Forensic Institute
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patches Available for Critical Flaw in OpenBSD Kernel
Microsoft Investigating Report of Phishing Hole in IE 7
Mac OS X Update Fixes 45 Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Medical Data Disk Has Been Found
STATISTICS, STUDIES & SURVEYS
Compliance Driving IT Security Budget Increases
MISCELLANEOUS
Indonesia to Monitor Internet Use
Copiers' Hard Drives Retain Document Images
Pump & Dump Revisited
SANS Security Tip of the Day
*********************** Sponsored By Imperva Inc. ***********************
Unwanted Activity Undermining Web Apps? ID Thieves Carting off Customer
Data? Learn how to thwart the Top 5 online attacks. Get the latest
information for protecting your Web applications against SQL Injection,
XSS, cookie tampering, and others. Don't let someone else be you - or
your customers. Download white paper now: "Top 5 On-line Identity Theft
Attacks".
http://www.sans.org/info/4661
*************************************************************************
SANS Expands Security Training Opportunities
SANS award winning training is available in more than 70 cities in nine
countries just in the next four months. Better still, you can schedule
SANS training on-site or even take it live online or on demand. Complete
schedule: http://www.sans.org/training/bylocation/index_all.php
SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************
TOP OF THE NEWS
--Most Data Breaches Traced to Company Errors
(March 13 & 14, 2007)
A researcher from the University of Washington, Seattle says that
organizations are more often to blame for data security breaches than
outside intruders. Phil Howard looked at 550 data breaches that
received media coverage between 1980 and 2006. Approximately two-thirds
of the breaches could be traced to lost or stolen equipment and a
variety of management errors. Less than one-third of the breaches were
the work of outside attackers.
http://www.networkworld.com/news/2007/031307-data-breach-companies.html
http://www.physorg.com/news93000637.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=14&articleId=9013142&intsrc=hm_topic
[Editor's Note (Schultz): The results of this research study are by no
means new. Many previous studies show that human error accounts for more
losses than any single information security-related reason.]
--NIST Bans Vista From its Networks
(March 12, 13 & 15, 2007)
The US National Institute of Standards and Technology (NIST) has joined
the Department of Transportation (DOT) in banning the use of Microsoft's
Windows Vista operating system on internal networks. Both NIST and DOT
have concerns about the new operating system's security and its
compatibility with other software they use. NIST plans to begin testing
Vista in several months, after it has finished encrypting all its laptop
computers to comply with government policy. If the operating system
meets with approval, NIST may lift the Vista ban.
http://www.informationweek.com/news/showArticle.jhtml?articleID=198000229
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198001185
http://news.com.com/2102-1002_3-6166868.html?tag=st.util.print
[Editor's Note (Pescatore): It will take the typical enterprise 12-18
months to complete the planning and evaluation to move to Vista in any
event. Once determining that their applications will run and be
supported on Vista, PCs and laptops will transition to Vista as part of
natural attrition (vs. early replacement), so that planning needs to
include living in a mixed PC environment for quite some time.]
(Northcutt): Ban? Why are they calling it a ban? It sounds like
fundamental configuration management to me: don't make a change to the
system until you have an urgent operational or security need to do so.
The most interesting statement in any of the articles came from FAA
spokesperson Jones, "We're trying to see what the cost impact would be
to the FAA to convert to the new Microsoft products," Jones said. "We
want to explore what some of the alternatives are. Google is one that
we're looking at, so is Linux." (That apparently would mean running
Google Apps on a Linux platform)]
--FTC Investigating TJX
(March 13, 2007)
The US Federal Trade Commission (FTC) has confirmed that it is
investigating TJX, the parent company of Marshalls, T.J. Maxx and other
stores; the company acknowledged a major security breach that may have
exposed millions of customers' credit and debit card information,
putting those accounts at risk for fraud. The breach was discovered in
January; evidence suggests intruders had been accessing the system as
far back as July 2005. There is also evidence that TJX was not in
compliance with the Payment Card Industry (PCI) data security standard.
http://www.boston.com/business/globe/articles/2007/03/13/tjx_faces_scrutiny_by_ftc?mode=PF
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198000608
[Editor's Note (Pescatore): The TJ Maxx (and other) incidents have shown
that there is a wide variety of devices that store information that
shouldn't be stored. Copiers and point of sale terminals and everything
else should by default have those "security kits" built in as standard
equipment.
(Northcutt): This is not a surprise, nor will States like Mass. "helping
us" by passing new regulation because of this be a surprise. Attorney
Ben Wright has some interesting commentary on the topic:
http://www.sans.edu/resources/leadershiplab/tjx_security_comment.php
Michael Rasmussen from Forrester pointed me to the document, Value
Killers, a risk management study by Deloitte today. 3 takeaways Michael
shared were: 1. Almost 50% of global 1000 companies lost 20% or more in
share price in less than a month during the past 10 years - some never
recovered. 2. 80% of losses were due to interaction of multiple risks.
3. Most major losses were as the result of a series of high-impact but
low-likelihood events. TJX is a real candidate to be a poster child for
value killers.
http://www.deloitte.com/dtt/cda/doc/content/us_assur_Value%20Killers%20Report%20.pdf
(Shpantzer): Relating this to the study on outsiders vs. management
errors in this edition... outside hackers are still an important factor
in security and always will be.]
--Google Will Anonymize Some Retained Data
(March 14 & 15, 2007)
Google says it will remove the last eight bits of the IP addresses that
identify search request origins from retained data when those data are
between 18 and 24 months old. After the data are removed, the remaining
information will be associated with groups of 256 computers instead of
just one. Under its current policy, Google retains the information for
an indefinite period of time. Internet service providers are required
to retain data for a specified amount of time; the removal of the
identifying data will make it difficult, although not impossible, to
link users to the information after that period. Authorities could
still subpoena information from Google within the time frame before it
is anonymized, and Google will retain complete information for longer
periods if legally obligated. Some privacy advocates feel Google is
headed in the right direction but has not gone far enough to protect
users' privacy; some believe the data should be anonymized much more
quickly. Google maintains it needs the data for analysis and diagnostic
purposes. The 18 to 24 month period matches data retention laws in
Europe. The policy will go into effect by the end of the year and
covers searches made from the Google home page, but not Google calendar
or Gmail correspondence.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61996489-39000005c
http://www.usatoday.com/tech/news/internetprivacy/2007-03-14-google-privacy_N.htm?csp=34
http://www.theregister.co.uk/2007/03/15/google_anonymizes_data/print.html
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/14/AR2007031402398_pf.html
http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html
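As an added illustration (not part of the NewsBites story and not Google's own code), the Python below applies the policy described above to a constructed set of search-log records: entries older than an assumed 18-month cutoff get the last eight bits of the client IPv4 address zeroed, so each surviving address names a /24 block of 256 hosts rather than one machine. The record layout, the sample addresses, the cutoff and the reference date are all assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample of retained search-log records (not real data).
# Each record: (date of the search, client IPv4 address, query text).
SAMPLE_RECORDS = [
    (date(2005, 2, 1), "203.0.113.77", "openbsd ipv6 patch"),
    (date(2005, 2, 1), "203.0.113.200", "tjx breach"),
    (date(2006, 11, 3), "198.51.100.9", "vista compatibility"),
]

TODAY = date(2007, 3, 16)   # assumed reference date (the newsletter's date)
RETENTION_MONTHS = 18       # assumed: the lower end of the 18-24 month window


def anonymize_ipv4(ip: str) -> str:
    """Zero the last eight bits, so the address identifies a /24 (256 hosts)."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def host_group(ip: str) -> str:
    """The block of 256 addresses an anonymized record can still be tied to."""
    return str(ipaddress.ip_network(f"{anonymize_ipv4(ip)}/24"))


def cutoff_date(today: date, months: int) -> date:
    """Calendar date `months` months before `today` (day clamped to 28 to stay valid)."""
    years, month_index = divmod(today.year * 12 + today.month - 1 - months, 12)
    return date(years, month_index + 1, min(today.day, 28))


def apply_retention_policy(records, today=TODAY, months=RETENTION_MONTHS):
    """Return a copy of `records` with the address masked on every record older
    than the cutoff. Timestamp and query text are left exactly as stored."""
    cutoff = cutoff_date(today, months)
    out = []
    for when, ip, query in records:
        if when < cutoff:
            out.append((when, anonymize_ipv4(ip), query))
        else:
            out.append((when, ip, query))
    return out


if __name__ == "__main__":
    for when, ip, query in apply_retention_policy(SAMPLE_RECORDS):
        print(when.isoformat(), ip, host_group(ip), repr(query))
```

Note what the masking does not touch: the timestamp and the query text are kept as stored, and two records from the same /24 collapse onto the same masked address. That is why the story calls linking a user to old records difficult rather than impossible; any other identifier stored alongside the address would need the same treatment.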
*********************** Sponsored Links *******************************
1) Join professionals to learn about Log Management tools at the Log
Management Summit April 23-25.
http://www.sans.org/info/4666
2) Don't miss SANS Ask the Expert Webcast: Sustainable Compliance
through Host Access Management and Data Security Reviews on Thursday,
March 22nd at 1:00 PM EDT (1700 UTC/GMT) Sign up now!
http://www.sans.org/info/4671
3) Protect your company from phishing expeditions. New FREE report has
the facts.
http://www.sans.org/info/4676
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Microsoft Sues Cybersquatters
(March 13 & 14, 2007)
Microsoft has filed two new lawsuits against cybersquatters to stop them
from profiting from web surfers' misspellings and typographical errors.
Microsoft said it has settled several other cybersquatting lawsuits in
the UK and the US. A cybersquatter is usually defined as someone who
"grabs" a domain name in anticipation that an organization or person
who/that wants to use that domain name will be willing to pay the
cybersquatter to give up the domain name. In this case the
cybersquatting is used to mean the practice of registering domain names
that are close to actual trade names; web surfers are tricked into
visiting these sites where they are often greeted with advertisements.
These cybersquatters usually aim to profit from surfers clicking on ads
on their sites. In a separate story, the number of cybersquatting
complaints filed with the World Intellectual Property Organization
(WIPO) increased 25 percent last year for a total of 1,823 complaints
in 2006.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&article
WIPO:
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=2201
[Editor's Note (Northcutt): Interesting story. I almost wish they would
raise the price of domain names to a point where someone had to really
want to infringe. Ten years ago it was good practice to register the
.net, .org, .com variations on your domain name. Nowadays, you have to
register all the similar names to practice due care, but that is usually
cheaper than making one Uniform Domain Name Dispute Resolution complaint
to WIPO. And the problem, as the related story points out, is getting
worse. The WIPO information behind the related story and that discusses
domain resolution can be found: http://www.wipo.int/amc/en/domains/ ]
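Northcutt's point about registering the similar names yourself can be made concrete. The Python below is an added example, not from the story and not from Microsoft or WIPO: it generates the typo variants a squatter would target for a second-level label (character omission, transposition, doubling, adjacent-key substitution on an assumed US QWERTY layout, and an inserted hyphen), expands them across a chosen set of TLDs, and reports which of those names an organisation does not already hold. The example domain and the "owned" list are constructed.

```python
import string

# Assumed US QWERTY adjacency for "fat finger" substitutions (letters only).
QWERTY_NEIGHBORS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

# Constructed list of names the organisation already holds.
OWNED_SAMPLE = {"microsoft.com", "microsoft.net", "microsoft.org", "mircosoft.com"}


def is_valid_label(label: str) -> bool:
    """DNS hostname label rules: 1-63 chars, [a-z0-9-], no leading/trailing hyphen."""
    return (1 <= len(label) <= 63
            and not label.startswith("-") and not label.endswith("-")
            and all(c in LABEL_CHARS for c in label))


def typo_variants(label: str) -> set:
    """Second-level labels a typosquatter would register for `label`."""
    label = label.lower()
    n = len(label)
    out = set()
    for i in range(n):                       # omission: "microsft"
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                   # transposition: "mircosoft"
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                       # doubling: "microssoft"
        out.add(label[:i + 1] + label[i] + label[i + 1:])
    for i, ch in enumerate(label):           # adjacent key: "micrisoft"
        for nb in QWERTY_NEIGHBORS.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    for i in range(1, n):                    # inserted hyphen: "micro-soft"
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return {v for v in out if is_valid_label(v)}


def squat_candidates(domain: str, tlds=("com", "net", "org")) -> set:
    """Typo variants and TLD variants of `domain`, excluding `domain` itself."""
    label, _, tld = domain.lower().partition(".")
    names = typo_variants(label) | {label}
    all_tlds = set(tlds) | ({tld} if tld else set())
    return {f"{name}.{t}" for name in names for t in all_tlds} - {domain.lower()}


def uncovered(domain: str, owned) -> set:
    """Candidate names not in the organisation's own registrations."""
    return squat_candidates(domain) - {d.lower() for d in owned}


if __name__ == "__main__":
    for name in sorted(uncovered("microsoft.com", OWNED_SAMPLE)):
        print(name)
```

The candidate set grows quickly with label length and TLD count, which is the practical version of Northcutt's complaint: covering every variant is cheap per name but never finished, so the same generator is worth running periodically against WHOIS or passive DNS to spot registrations by someone else.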
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Lawrence Livermore National Lab Not Following DOE Data Wiping Procedures
(March 12, 2007)
A report from the Department of Energy's (DOE) inspector general's
office indicates that the Lawrence Livermore National Laboratory in
California is not "wiping sensitive data from ... computers it disposes
of." When agencies get rid of extra or unneeded computers, that process
is called "excessing." Although DOE policy requires that all memory
devices on excessed machines be wiped clean of sensitive data or
physically destroyed, the policy has not been fully implemented at
Lawrence Livermore. In fact, the lab has its own policy for dealing
with excessed computers, but it is "not always consistent with
applicable Department [DOE] policies." The lab is under the aegis of
the National Nuclear Security Administration (NNSA) whose chief was
fired in January after numerous security breaches at laboratories.
Approximately 5,300 computers are excessed at LLNL every year.
DOE-approved methods of wiping data include overwriting data a specified
number of times, degaussing or physically destroying the memory device.
http://www.fcw.com/article97898-03-12-07-Web&printLayout
http://www.ig.energy.gov/documents/IG-0759_.pdf
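The overwrite method in the DOE list is easy to get wrong in software, so here is an added Python example (not from the IG report and not DOE's own procedure) that overwrites a file in place a chosen number of times, forces each pass to disk with fsync, verifies the final zero pass, and only then unlinks the file. The pass count, the chunk size and the temp-file helper are assumptions. It is a file-level wipe only: it does not reach filesystem journal copies, snapshots, remapped spare sectors or flash wear-levelled pages, which is why the policy also lists degaussing and physical destruction for the device itself.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024   # assumed write size per chunk


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times: random bytes on every pass but
    the last, zeros on the last, fsync after each. Returns bytes written per pass.
    Only the file's current logical blocks are touched (see the caveat above)."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path: str) -> bool:
    """True if every byte of the file now reads back as zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def wipe_and_unlink(path: str, passes: int = 3) -> bool:
    """Overwrite, verify the final pass, then remove the directory entry.
    Returns False if verification failed (the file is still removed)."""
    size = overwrite_file(path, passes)
    ok = verify_zeroed(path) and os.path.getsize(path) == size
    os.unlink(path)
    return ok


def make_sample_file(content: bytes) -> str:
    """Constructed test fixture: a temp file holding `content`."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def still_exists(path: str) -> bool:
    return os.path.exists(path)


if __name__ == "__main__":
    sample = make_sample_file(b"SENSITIVE " * 1000)   # constructed content
    print("wiped and verified:", wipe_and_unlink(sample))
```

Verification reads the file back through the same filesystem path that was written, so a true result means the logical file content is gone, not that the media holds no copy. For an excessed machine the device-level options in the policy are the ones that cover the whole drive.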
--US National Computer Forensic Institute
(March 12 & 14, 2007)
The US National Computer Forensic Institute will train US state and
local law enforcement officials, prosecutors and judges in cyber crime
investigation and analysis. The institute will formally open its doors
in January 2008 in Hoover, Alabama; however, instruction could start
earlier. The curriculum will be based on the one used by the Secret
Service to educate federal law enforcement officials.
http://www.theregister.co.uk/2007/03/14/us_cyber_forensics_lab/print.html
http://www.fcw.com/article97894-03-12-07-Web&printLayout
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Patches Available for Critical Flaw in OpenBSD Kernel
(March 15, 2007)
A remotely exploitable buffer overflow flaw has been discovered in the
OpenBSD kernel. Attackers could gain control of vulnerable machines by
sending maliciously crafted IPv6 packets. Attackers would need to be
on the same network as targeted systems or on a network that can route
packets to the targeted systems. Patches are available for OpenBSD 3.9
and 4.0. "Applying the patches involves recompiling the kernel and
rebooting affected machines." Users can disable IPv6 traffic as a
temporary workaround.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2445
http://www.theregister.co.uk/2007/03/15/openbsd_kernel_bug/print.html
http://www.scmagazine.com/us/news/article/643820/openbsd-flaw-exploits-ipv6-weakness/
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61996470-39000005c
[Editor's Note (Boeckman): Despite this vulnerability,
OpenBSD has an extraordinary track record when it comes to security.
This is not only a result of meticulous code review, but also because
they embrace the philosophy of minimizing what gets installed in the
default configuration.]
--Microsoft Investigating Report of Phishing Hole in IE 7
(March 14, 2007)
Microsoft is investigating a report of a cross-site scripting
vulnerability in Internet Explorer 7 (IE 7) that could be exploited by
phishers. Attackers could take advantage of error messages in IE 7 to
redirect users to maliciously crafted web sites that appear to have
trusted addresses. Attackers would need to convince users to click on
links to sites they would normally visit, like online banking sites.
The links would be crafted to return an error message saying the page
loading has been aborted and asking if the user would like to try to
load the page again. The reload link will direct the user to the
phishing sites. Proof-of-concept exploit code has been published.
http://news.com.com/2102-1002_3-6167410.html?tag=st.util.print
http://www.networkworld.com/news/2007/031407-new-ie-7-bug-could.html
--Mac OS X Update Fixes 45 Flaws
(March 14, 2007)
Earlier this week, Apple released a Mac OS X update that addresses 45
security flaws. Some of the flaws could be exploited to take control
of vulnerable machines. Others could be exploited to crash computers
or to elevate privileges. The update also includes fixes for problems in
some third-party components such as OpenSSH, MySQL and Adobe Flash
Player. The flaws affect Mac OS X and Mac OS X Server 10.3.x and
10.4.x.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2450
http://news.com.com/2102-1002_3-6166971.html?tag=st.util.print
http://www.theregister.co.uk/2007/03/14/apple_megapatch/print.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Lost Medical Data Disk Has Been Found
(March 15, 2007)
A CD holding patient data that had been lost in transit has been found.
The unencrypted disk held personally identifiable information of 75,000
Empire Blue Cross and Blue Shield members and disappeared in January en
route from Health Data Management Solutions to Magellan Behavioral
Services. The disk had been mistakenly delivered to a residence in the
Philadelphia area.
http://www.nytimes.com/2007/03/14/business/14insure.html?_r=2&n=Top%2fReference%2fTimes%20Topics%2
http://news.com.com/CD+with+medical+data+of+75%2C000+is+found/2100-1029_3-6167435.html?tag=cd.top
[Editor's Note (Grefer): Unfortunately a CD does not track access to the
data, so that it is going to be impossible to determine if the data was
used or copied.]
STATISTICS, STUDIES & SURVEYS
--Compliance Driving IT Security Budget Increases
(March 15, 2007)
A survey of 147 IT managers at Fortune 1000 companies found that more
than 70 percent are increasing security spending on systems and
processes to help them comply with regulatory and audit requirements.
The areas of spending topping the list are policy and process changes,
software and encryption. One of the reasons for the increase in
compliance-related spending is the possible fallout from a data security
breach.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013220&source=rss_topic17
MISCELLANEOUS
--Indonesia to Monitor Internet Use
(March 14, 2007)
Indonesia plans to begin monitoring Internet use for criminal activity.
The plan calls for monitoring all Internet users, whether they are at
home, at work or at Internet cafes. Information collected will include
when and where users log on and the sites they visit, but not surfers'
identities.
http://asia.news.yahoo.com/070313/afp/070313174940hightech.html
--Copiers' Hard Drives Retain Document Images
(March 13 & 14, 2007)
Some new models of copiers have hard drives that store images of what
has been copied. More often than not, the data are not encrypted and
stay there until overwritten by new data. A survey commissioned by
Sharp, one of the major copier makers, found that more than half of the
people planned to copy their tax returns and associated documents; most
intended to make those copies outside of their homes. About the same
number of people did not know that photocopiers keep images of what they
copy. Sharp and several other manufacturers offer security kits to
encrypt and overwrite scanned images.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=
http://www.kansas.com/mld/kansas/business/technology/16896436.htm
[Editor's Note (Honan): This is not only an issue with photocopiers.
Many modern printers and fax machines also contain storage facilities
where sensitive data can remain.
(Shpantzer): Add to this the fact that many printers are also
wireless-enabled, and you have a hard-drive that's accessible to the
outside.]
--Pump & Dump Revisited
From Editor Stephen Northcutt
In our last issue we covered a story on three hackers indicted for
breaking into online brokerage accounts and manipulating the victims'
stock buying activity to push stock prices higher so the criminals could
make gains on their own stock holdings. We asked whether anyone was
using an online brokerage that supported two-factor authentication.
Eighteen readers mentioned E-Trade which uses RSA technology:
https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=secureid_enter
One reader wrote in to say that if you contact tech support at Schwab
they have a Verisign solution but we were unable to verify the Schwab
solution.
--SANS Security Tip of the Day
Don't use unauthorized software
It may be tempting to use useful-looking software that you can get free
on the Internet, but these tools may carry a hidden cost. Installing
them may often cause other programs to stop working and it can take a
long time for your IT teams to track down the problem. More seriously,
they can display unwanted ads, slow your PC down or make it less secure
by letting the PC download more ads from the Internet. Most seriously,
they can be infected by viruses or spyware that are intended to damage
your PC or steal confidential information.
If you work for a company of 1,000 or more and would like to help
distribute SANS Security Tips, please email brietveld@sans.org.
==end==
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFF+uFb+LUG5KFpTkYRAuQDAJ9LRPo4MfGRtDRRt28f+qfb1Ly1zgCgo1ni
FTJ5wOwfFsRHzQ6Nyjv5OPw=
=chLe
-----END PGP SIGNATURE-----