From: The SANS Institute (NewsBites sans.org)
Date: Tue May 08 2007 - 14:18:19 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A little help, please. We are planning for the 2007 Top20 Internet
Security Threats report. If you have any experience with Top20 reports
over the past six years, could you tell us whether you think an annual
or semi-annual or quarterly summary report is necessary or valuable? Do
you think the current categorization is OK or can you think of
improvements? Are there any things we can do to improve the value of the
Top20 for you to put it to use? Just reply to this email with your
comments. And thanks.
Alan
*************************************************************************
SANS NewsBites May 8, 2007 Vol. 9, Num. 37
*************************************************************************
TOP OF THE NEWS
Legislators Get Busy with Data Breach Notification Bills
Royal Bank of Scotland Will Provide Customers with Chip-and-PIN Readers
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Teen Gets Probation, Community Service for Cyber Intrusion
Russian Principal Fined for Using Pirated Software in School
Michigan Man Sentenced for Selling Pirated Software on eBay
Student Arrested in Connection with Attacks on Estonian Government
Web Sites
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing TSA Hard Drive Holds Info. on 100,000 Employees
POLICY & LEGISLATION
Singapore Issues Guidelines for Protecting Biomedical Research
Participant Data
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Russia and China Top US Trade Priority Watch List for Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Pretends to be Windows Activation Program
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Marks & Spencer Employee Data
STATISTICS, STUDIES & SURVEYS
Portable Storage Devices Top List of Security Concerns
MISCELLANEOUS
PCI Merchant Level Reclassification Brings New Security Challenges
TJX Data Thieves Got In Through Wireless Network
********************* Sponsored By ArcSight, Inc. ***********************
Free Whitepaper: Guide to Selecting a SIM Solution for Insider Threat
An attack from a malicious insider can be just as devastating as a
security breach from outsiders. But insider attacks are often more
difficult to detect. Learn the top 10 best practices for selecting a
software solution with this free whitepaper. Brought to you by ArcSight,
the ESM leader that turns data into action.
http://www.sans.org/info/6796
*************************************************************************
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center
Incident Handlers, and they are sharing the newest attacks and defenses
in evening sessions during SANSFIRE in Washington DC, July 25-August 7,
2007. Anyone who attends a course can also attend Internet Storm Center
Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award
winning security training is available in more than 70 cities in nine
countries just in the next four months. Better still, you can schedule
SANS training on-site or even take it live online or on demand.
*Complete schedule: http://www.sans.org/training/bylocation/index_all.php
*SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************
TOP OF THE NEWS
--Legislators Get Busy with Data Breach Notification Bills
(May 3, 2007)
US Representative Tom Davis (R-Va.) has once again introduced
legislation that would require organizations experiencing data breaches
to notify affected individuals promptly. The bill would have the Office
of Management and Budget (OMB) establish practices and policies to
support timely notification. The Senate Judiciary Committee has also
approved two bills that would require notification about data security
breaches.
http://www.scmagazine.com/us/news/article/655110/davis-reintroduces-federal-breach-reporting-act-house/
http://www.fcw.com/article102630-05-03-07-Web&printLayout
[Editor's Note (Skoudis): I'm honestly surprised it's taking so long to
get a law like this put into place at the federal level. The states
have led the way, with considerably more than half of them having some
form of breach notification law. And, even if you operate in a state
that doesn't have such a law, chances are, you have business dealings
(customers, employees, business partners, etc.) where such laws are on
the books. Thus, if you have a breach, you need to work closely with
your legal team to determine how to disclose appropriately, regardless
of your own state's laws. Plan for this in advance, just in case
something bad happens, so all the decision makers are known.]
--Royal Bank of Scotland Will Provide Customers with Chip-and-PIN Readers
(May 2, 3 & 4, 2007)
The Royal Bank of Scotland (RBS) will provide all its online banking
customers with chip-and-PIN readers to use at home. Customers will not
be charged for the devices, which work by providing a one-time password
generated with the use of the customer's bank card and a "challenge"
code provided by the bank. Users who want to use online banking
services to check balances and pay bills will be able to continue those
tasks without the use of the reader. Barclays Bank is in the midst of
deploying chip-and-PIN readers to 500,000 of its online customers.
http://www.zdnet.co.uk/misc/print/0,1000000169,39286964-39001093c,00.htm
http://www.computerworlduk.com/technology/security-products/authentication/news/index.cfm?newsid=2843
http://www.computerweekly.com/Articles/2007/05/03/223620/rbs-to-issue-online-banking-customers-with-smartcard.htm
[Editor's Note (Schultz): Because of growing risks in connection with
customer banking transactions, what RBS and Barclays Bank are doing will
become a standard practice within the international banking community
in the near future.
(Northcutt): Chip and PIN can help, but they certainly are only a tiny
part of the solution, see Bruce Schneier's blog on easy to remember
PINs:
http://www.schneier.com/blog/archives/2005/01/easytoremember_1.html
And if you search for Tetris, you can find fairly vague stories on
breaking the security of chip and pin:
http://hardware.slashdot.org/article.pl?sid=07/02/06/1646247
And of course being a new technology it is considered evil until proven
innocent, here is a study showing chip and PIN leads to the poorhouse:
http://news.scotsman.com/uk.cfm?id=423682007 ]
*********************** Sponsored Links: ******************************
1) SAVE BIG! Get 30% off any of our upcoming courses when you sign up for
OnDemand's pre-paid program. Check out our full list of upcoming courses at
http://www.sans.org/info/6801. For more information or to request a
pre-paid form, please contact ondemand sans.org.
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Teen Gets Probation, Community Service for Cyber Intrusion
(May 7, 2007)
A Golden (Co.) High School student was sentenced to one year of
probation for breaking into the school's computer system and changing
his grades. The 17-year-old was arrested earlier this year after
breaking into the school through a skylight, then breaking into his
counselor's office. He pleaded guilty this week to computer crime charges
of unlawful access and alteration. He was also ordered to provide 80
hours of community service and to pay restitution.
http://www.thedenverchannel.com/news/13272734/detail.html
--Russian Principal Fined for Using Pirated Software in School
(May 7, 2007)
A Russian court has fined a school principal 5,000 rubles (US $194),
roughly half his monthly salary, for using pirated copies of Microsoft
software on a dozen of his school's computers. Alexander Ponosov
maintains he did not know the computers contained pirated software when
they were delivered; the software came pre-installed. Ponosov plans to
appeal the ruling. The case was initially thrown out of court in
February because the losses to Microsoft were considered to be
insignificant, but both parties appealed that decision; Ponosov's reason
for appealing was that he was not cleared of the charges. Microsoft
says Russian authorities initiated the proceedings and that the company
has no plans to file charges against the principal. Former Russian
president Mikhail Gorbachev has asked Bill Gates to intervene on
Ponosov's behalf.
http://www.eweek.com/article2/0,1759,2126686,00.asp?kc=EWRSS03119TX1K0000594
http://www.usatoday.com/tech/news/techpolicy/2007-05-07-russian-principal-piracy_N.htm?csp=34
[Editor's Note (Grefer): There is a considerable discrepancy between the
fine of 5,000 rubles and the losses, found by the court to be 266,000
rubles. If this case had been based on BSA proceedings, though, it
might never have gotten to court, but rather ended with an obligation
for the school to obtain proper licenses. Given the prices listed at
http://allsoft.ru/microsoft.php, the Russian pricing for the operating
system, however, seems to be out of touch with Russian incomes and
rather be based on the US pricing. Having to spend half their monthly
gross salary on a copy of Windows is counter-intuitive. Relative to
monthly income, US prices for Windows are at least one order of
magnitude lower.]
--Michigan Man Sentenced for Selling Pirated Software on eBay
A Michigan man who sold more than US $1 million worth of counterfeit
Rockwell Automation software on eBay has been sentenced to five months
in prison followed by five months of home confinement. James Thomas has
also been ordered to pay Rockwell US $15,660 in restitution. Thomas is
not the only person to target Rockwell; in March, Courtney Smith of
Anderson, Indiana was sentenced to 27 months in prison for selling
pirated Rockwell software on eBay.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199204272
In a story we ran last week, four men pleaded guilty to selling Rockwell
software on eBay.
http://www.infoworld.com/article/07/04/26/HNfourpleadguilty_1.html
--Student Arrested in Connection with Attacks on Estonian Government Web Sites
(May 1, 5 & 7, 2007)
A 19-year-old student has been arrested in connection with a spate of
attacks on Estonian government web sites. The suspect is identified
only as Dmitri; he allegedly posted instructions for conducting
denial-of-service attacks as well as calls for launching attacks against
Estonian servers. The cyber attacks were spurred by civil unrest
following Estonia's removal of several Soviet monuments in its capital
city of Tallinn as well as the excavation of WWII Red Army graves.
Authorities expect to arrest more suspects.
http://www.theregister.co.uk/2007/05/07/estonian_attacks_suspect/print.html
http://www.hs.fi/english/article/Organiser+of+Internet+DoS+attacks+arrested+in+Estonia+/1135227074182
http://www.theregister.co.uk/2007/05/01/estonian_riots/print.html
[Editor's Note (Skoudis): This case is an excellent example of
politically motivated computer attacks, something that has fallen below
the radar screen of some organizations with the huge rise in
money-making computer attack schemes (spyware, phishing, etc.). In fact,
given all the focus on thwarting malware-for-profit schemes, this attack
seems almost old fashioned. But, we need to be diligent in fighting
both kinds of threats, especially government agencies. Kudos to those
who helped find the perpetrator of this attack.]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Missing TSA Hard Drive Holds Info. on 100,000 Employees
(May 4 & 5, 2007)
The US Transportation Security Administration (TSA) has acknowledged
that a hard drive containing personally identifiable information of
approximately 100,000 current and former employees is missing. The
breach affects individuals employed by the TSA between January 2002 and
August 2005. The payroll data on the drive include names, Social
Security numbers (SSNs) and bank account and routing numbers. Employees
were notified of the situation by email on Friday, May 4. The TSA
became aware the drive was missing from the TSA Headquarters Office of
Human Capital on May 3; the FBI and the US Secret Service have been
asked to investigate.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018678&source=rss_topic17
http://www.usatoday.com/news/washington/2007-05-04-harddrive-tsa_N.htm?csp=34
http://www.govexec.com/story_page.cfm?articleid=36816&dcn=todaysnews
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/04/AR2007050402152_pf.html
http://www.tsa.gov/press/happenings/050407_statement.shtm
[Editor's Note (Northcutt): I was reading an article by Richard Hammer
and it included the text from Alan Paller's commencement speech from the
first SANS Technology Institute graduation. There were some really scary
points in that article and it makes it all the harder to swallow self
inflicted wounds like this one from the folks that are supposed to keep
us safe. The article with the speech can be found here:
http://www.sans.edu/resources/leadershiplab/cyber_security_lead.php
(Kreitner): Given the obvious decrease in respect, trust, and
credibility that organizations suffer as a result of episodes like this,
I just can't fathom why top management doesn't establish policies that:
(1) designate a single person as accountable for each laptop, (2) make
automatic termination the consequence of losing the laptop, (3) require
all new laptop purchases to come with encryption capability, and (4)
make use of that encryption capability mandatory with automatic
termination the consequence for failure to do so. Is that rocket
science for enterprise leaders? Where are the real leaders out there
in enterprise-land?
(Grefer): Repeat after me: "All personally identifiable information
should be encrypted at rest as well as in transit."]
POLICY & LEGISLATION
--Singapore Issues Guidelines for Protecting Biomedical Research Participant Data
(May 7, 2007)
Singapore's Bioethics Advisory Committee has released guidelines to
protect personal information of individuals participating in biomedical
research. The researchers will bear the burden of protecting
participants' personal data. If they violate the guidelines, they could
face fines or jail time. There is similar legislation already in effect
in other countries, including Sweden, Germany, the UK and the US.
http://www.channelnewsasia.com/stories/singaporelocalnews/view/274730/1/.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Russia and China Top US Trade Priority Watch List for Piracy
(April 30 & May 1, 2007)
The Office of the United States Trade Representative has released a report
"examining in detail the adequacy and effectiveness of intellectual
property rights protection in 87 countries." The report includes a
"priority watch list" of the top 12 countries that are not taking
adequate steps to protect intellectual property copyrights. China,
where "infringement levels remain unacceptably high," and Russia are at
the top of the list. The US government has already filed a complaint
against China with the World Trade Organization alleging unfair trade
practices, which include "failing to enforce its laws protecting
American copyrights and patents."
http://news.bbc.co.uk/2/hi/entertainment/6612685.stm
http://www.cio-today.com/story.xhtml?story_id=13200EQLATPC
http://www.ustr.gov/assets/Document_Library/Reports_Publications/2006/2006_Special_301_Review/asset_upload_file473_9336.pdf
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Trojan Pretends to be Windows Activation Program
(May 4, 2007)
A Trojan horse program called "Kardphisher" pretends to be a Windows
activation program in an attempt to elicit credit card details from
unsuspecting users. After machines become infected, users get a screen
telling them that someone else has activated their copy of Windows, and
that "to help reduce software piracy, [they should] reactivate their
copy of Windows." They are told they will need to provide their billing
information, but that their credit card will not be charged. Clicking
"no" shuts down their computers; clicking "yes" pops up a second screen
that asks for name and credit card information. PCs running Windows 95,
98, 2000, NT and Server 2003 are vulnerable to the attack. Kardphisher
has been detected in the wild.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018645&source=NLT_SEC&nlid=38
[Editor's Note (Skoudis): Not to be evil or anything, but this just
seems poetic. Microsoft pops up messages asking for personal
information to help thwart piracy, so bad guys pretend to be Microsoft
asking for personal information. In retrospect, I suppose it was
inevitable.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Stolen Laptop Holds Marks & Spencer Employee Data
(May 5, 2007)
UK retailer Marks and Spencer (M&S) has informed 26,000 employees that
a laptop computer containing their personal information was stolen from
a printing company. The compromised data include addresses, dates of
birth, national insurance numbers and salary information. The computer
was stolen on April 18 from a company that had the data so it could send
information about changes in M&S employees' pension plans to them.
http://news.bbc.co.uk/2/hi/programmes/moneybox/6626581.stm
http://www.channel4.com/news/articles/uk/laptop+theft+risk+to+ms+staff+ids/499687
STATISTICS, STUDIES & SURVEYS
--Portable Storage Devices Top List of Security Concerns
(May 7, 2007)
A study of IT managers found that portable storage devices top their
lists of security concerns. It is all too easy for someone to quickly
load sensitive data onto a flash drive or an MP3 player and walk out of
an office undetected, or to lose a flash drive loaded with sensitive
information. Eighty percent of respondents said their organizations do
not have "effective measures" for preventing misuse of portable storage
devices. Just 8.6 percent have imposed a ban on such devices in their
workplaces. Despite their worries about the devices, 65 percent of IT
managers say they use flash drives daily.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199300021
http://www.net-security.org/secworld.php?id=5103
[Editor's Note (Skoudis): Rather than just fretting about these, you
need to either: 1) outlaw them in your organization... good luck on
that, 2) provide training in how to encrypt such devices and offer
encryption solutions that protect them (like at least the Encrypting
File System if they are used with Windows machines and formatted NTFS),
or 3) Require that people use corporate-approved devices that offer
built-in encryption. The third solution is the nicest, but most
costly.]
MISCELLANEOUS
--PCI Merchant Level Reclassification Brings New Security Challenges
(May 7, 2007)
Less than two years after it began accepting credit card payments,
Indianapolis-based Steak n Shake Co. was thrust from Level 4 merchant
classification under the Payment Card Industry (PCI) Data Security
Standard into Level 1 merchant classification. With that move came
added requirements to comply with the standard and protect customer
data. The company's director of strategic technology services said the
"PCI requirements and the difficulty of attaining them changed by a
magnitude of sixfold to tenfold." Level 1 merchants "are required to
undergo quarterly network security scans and an annual on-site security
audit" in addition to implementing the 12 security controls required of
all merchants. Steak n Shake has made a number of changes, including
shifting to "a log-in system based on Active Directory that can be
centrally monitored and managed... [so the company knows] who is
accessing what when and where;" deploying tools for central management
of IT assets at the restaurants and for pushing out updates and patches;
and "replacing VSAT satellite communication links with a T1 network that
will tie each restaurant to headquarters via secure point-to-point
virtual private network connections." Steak n Shake, which operates
more than 450 restaurants in the Midwest and Southeast US, did not
reveal what the changes would cost.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17
[Editor's Note (Kreitner): Wonderful! This is exactly the kind of
change the PCI standard is intended to effect in organizations handling
our payment cards. Nobody said better security was free.
(Schultz): After all the whining is over, Steak n Shake senior
management will at some point in time realize that the resources it had
to expend to conform to PCI DSS Level 1 requirements will have been
wisely invested. The alternative is to run a high risk of having the
same thing that happened to TJX occur; TJX has experienced mounting
financial losses and severe damage to its reputation because of failure
to secure its personal and financial information. Additionally,
lawsuit-after-lawsuit has been filed against this company.
(Grefer): Quarterly network security scans and adherence to the 12 security
controls are required at all four levels. The primary differentiator is
the number of transactions.
http://usa.visa.com/merchants/risk_management/cisp_merchants.html
http://www.mastercard.com/us/sdp/merchants/merchant_levels.html]
--TJX Data Thieves Got In Through Wireless Network
(May 4, 2007)
According to the Wall Street Journal, the TJX data thieves began their
attacks outside a Minnesota Marshall's store; with the help of an
antenna, they were able to access the store's wireless network and from
there, gain access to the company's main server in Framingham,
Massachusetts. TJX apparently secured its wireless network with nothing
more than the Wired Equivalent Privacy protocol (WEP). The company had
no firewalls in place and had not deployed available software patches.
TJX is facing 21 lawsuits stemming from the breach. It is possible that
some information was gleaned while customers were awaiting approval of
their credit card purchases; TJX transmitted that information
unencrypted, which violates the security guidelines set by the credit
card companies.
http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/print.html
http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
==end==
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a postgraduate-level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD4DBQFGQLqd+LUG5KFpTkYRAummAJjvYp7RGP2bvXhKOyS2+UM8eet4AJ9AkLX9
UTFgwOAsYu3t0NlAEGPzPA==
=mqNF
-----END PGP SIGNATURE-----