SANS NewsBites Vol. 9 Num. 73

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Sep 14 2007 - 13:14:40 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the past three months, more than 35 software and service vendors have
begun promoting themselves as data leakage protection (DLP) providers.
Some did it without even changing their product while others actually
at least made an effort to make their products useful for DLP. These
vendors are responding to a massive buying surge that has begun in data
leakage protection, and that is continuing in data encryption. If you
are going to spend money in either of these areas, please come listen
to other users who have actually deployed the tools as they tell what
works and what doesn't, the errors they made and the lessons they
learned. I've been interviewing a lot of these users and they have GREAT
stories to tell - stories that will save you a lot of pain if you are
implementing DLP or encryption. The meetings are December 3-4 in
Orlando on the Disney property. Whichever one you decide to attend, you
may mix and match sessions between the two meetings.
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
         http://www.sans.org/leakage07_summit/
***WhatWorks in Mobile Encryption Summit
         http://www.sans.org/encryption07_summit/
                                     Alan
*************************************************************************
SANS NewsBites September 14, 2006 Vol. 9, Num. 73
*************************************************************************
TOP OF THE NEWS
   DoJ Mobile Workers May Not Use Own PCs or PDAs
   Calif. Breach Liability Bill Awaits Gov's Signature
   BofA Deploys Additional Online Banking Security Layer
   Customers Come First in Successful Breach Navigation
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Ringleader of ID Fraud Gang Gets Five Year Sentence
    Man Charged with Hacking UN Employee's Private eMail
    German Police Arrest 10 in Connection with Phishing Scheme
    Man Faces Prison for ID Fraud
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    CT to Hold Hearing on Stolen Revenue Dept. Laptop
    Chinese Official Makes Cyber Espionage Allegations
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Exploit Code Posted for Critical Microsoft Agent Flaw
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Computers Hold Mental Health Histories
    Gander Mountain Computer Theft Exposes Transaction Data
  MISCELLANEOUS
    Microsoft Responds to Stealth Update Reports
LIST OF UPCOMING FREE SANS WEBCASTS

*********** Sponsored By netForensics, Inc. ***********

*NEW* Whitepaper. Technology now exists to keep track of internal user
activity amidst massive amounts of data - without compromising
performance. Learn how to prevent data breaches, identify user threats
and see who is accessing critical, compliance related data. This
whitepaper reveals 10 proven strategies for rapidly responding to and
stopping threats, no matter where they originate.
http://www.sans.org/info/16101
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits and SANS other top-rated courses?
Las Vegas (9/23-9/28): http://www.sans.org/ns2007/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up
with excellent documentation for those long winter nights." (Keith
Mellism, Canada Life)
"This course has valuable information that can be implemented
immediately in the work place." (Christopher O'Brien, Booz Allen
Hamilton)
"You will never ever find anything more valuable than SANS super
knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
*************************************************************************

TOP OF THE NEWS
 --DoJ Mobile Workers May Not Use Own PCs or PDAs
(September 13, 2007)
Due to concerns over data security, US Department of Justice employees
are no longer permitted to use their own computers or PDAs to access
agency email and files. Teleworkers must now use department-issued
laptops, docking stations, or BlackBerries so the devices can be
properly monitored and equipped with encryption.
http://www.fcw.com/article103746-09-13-07-Web&printLayout
[Editor's Note (Kreitner): This is such a common sense policy that one
wonders why it isn't more common. Let's hope DOJ is also using a
"comply to connect" process to dynamically check the configuration
status of remote devices before connection to enterprise networks is
allowed.
(Pescatore): While this is a prudent decision for many enterprises who
don't have security solutions for allowing use of non-managed devices,
just saying no to use of personally owned devices isn't going to last
forever - just the way saying no to the Internet or wireless LANs didn't
last. There are security approaches to allowing remote access from
unmanaged devices (ranging from thin clients to virtualization, combined
with Network Access Control) and most enterprises are finding that
business demands and a changing workforce are requiring them to move in
the direction of supporting this. Plus, remember: mechanisms like
Outlook Web Access, GoToMyPC and others have provided means for
employees to use their own devices - if you are saying no, you better
be investing in ways to find and stop these mechanisms. ]

 --BofA Deploys Additional Online Banking Security Layer
(September 11, 2007)
This week, Bank of America (BofA) is debuting an added security feature
for its online banking customers. The optional service, called
SafePass, will send a six digit code to customers' mobile phones that
can be used to authenticate banking transactions. The code can be used
once and is valid for 10 minutes. BofA customers can choose to require
SafePass authentication for various types of transactions. SafePass is
being rolled out for most customers this week; customers in California
and the northwestern US will have the service in the next few months.
http://www.pcworld.com/printable/article/id,137057/printable.html#
[Editor's Note (Pescatore): The use of mobile phones as the
authentication token has worked pretty well outside the US, as in most
other countries babies come out of the womb with a tiny little cellphone
grasped in their hand and workers' mobile phone numbers are on their
business cards and an attribute in Active Directory. It is an
underutilized approach in the US, mainly because the US cellular phone
system is such a hodge podge. But watch anyone under 30 and see how
rarely they are without their cellphone in coverage and see how often
they text message.
(Ullrich): Very nice idea, and worthwhile trying. I used a similar
system while visiting China a few years back to get access to WiFi
access points operated by China Telecom. Before this announcement, BofA
used only a somewhat flawed "1 1/2 factor" authentication scheme.]
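The SafePass item above describes the three properties that make a transaction code useful: it is short (six digits), single-use, and expires after 10 minutes. The example below, added here and not part of the newsletter or of Bank of America's system, shows how a server would enforce those properties: the code is generated from a CSPRNG, stored only as a hash bound to the account and transaction, compared in constant time, discarded on first successful use, and rejected after expiry. The attempt limit, the hashing scheme and the `FakeClock` are assumptions of this example; delivery to the phone (the SMS gateway) is out of scope and the plaintext code is simply returned to the caller for demonstration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60   # valid for 10 minutes, as in the SafePass description
MAX_ATTEMPTS = 3             # assumption: a six-digit code must not survive brute forcing


class FakeClock:
    """Deterministic clock for the demo and tests (assumption, not production code)."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class OtpService:
    """Issues and verifies single-use, time-limited transaction codes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # (account_id, txn_id) -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _hash(account_id, txn_id, code):
        # Bind the code to the account and the specific transaction, and never
        # keep the plaintext server-side: a leaked table is useless elsewhere.
        msg = f"{account_id}|{txn_id}|{code}".encode()
        return hashlib.sha256(msg).digest()

    def issue(self, account_id, txn_id):
        # secrets (not random) for an unpredictable code; zero-pad to six digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[(account_id, txn_id)] = [
            self._hash(account_id, txn_id, code),
            self.clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code   # in production this goes to the SMS gateway, not the caller

    def verify(self, account_id, txn_id, submitted):
        key = (account_id, txn_id)
        pending = self._pending.get(key)
        if pending is None:
            return False, "no code issued"
        code_hash, expires_at, _ = pending
        if self.clock() > expires_at:
            del self._pending[key]            # expired codes are removed, not retried
            return False, "expired"
        if not hmac.compare_digest(code_hash, self._hash(account_id, txn_id, submitted)):
            pending[2] -= 1                   # constant-time compare; count the miss
            if pending[2] <= 0:
                del self._pending[key]        # lock out after too many guesses
                return False, "too many attempts"
            return False, "wrong code"
        del self._pending[key]                # single use: a replay finds nothing
        return True, "ok"


def demo():
    """Walk through the three rules with a fake clock; returns the verdicts."""
    clk = FakeClock(1_000.0)
    svc = OtpService(clock=clk)
    code = svc.issue("acct-1", "txn-1")
    first = svc.verify("acct-1", "txn-1", code)      # (True, "ok")
    replay = svc.verify("acct-1", "txn-1", code)     # (False, "no code issued")
    late = svc.issue("acct-1", "txn-2")
    clk.now += CODE_TTL_SECONDS + 1
    expired = svc.verify("acct-1", "txn-2", late)    # (False, "expired")
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Note the `FakeClock`: expiry logic is the part most often shipped untested, and injecting the clock lets the 10-minute rule be exercised without sleeping.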

 --Calif. Breach Liability Bill Awaits Gov's Signature
(September 12, 2007)
All that now stands between Californians and a new data breach law is
the governor's signature. AB 779, known as the Consumer Data Protection
Act, would make retailers responsible for the costs incurred by banks
and credit unions that have to notify consumers and issue new cards as
a result of a data security breach. Breached entities would also have
to be forthcoming with information about the types of data exposed and
would also have to refrain from storing certain types of financial
transaction data. Retailers who suffer a breach but have proof that
they had followed certain security guidelines would be exempt from the
law. Governor Schwarzenegger is expected to sign the bill. Privacy
legislation in California has been known to have a "ripple effect"
across the rest of the country.
http://www.scmagazineus.com/California-a-signature-away-from-passing-consumer-protection-data-breach-law/article/35643/
[Editor's Note (Schultz): If this act is signed into law, California
customers of retailers will win big. Not only would retailers be liable
for data security breaches, but they would also have virtually no choice
but to put higher levels of security in place.]

 --Customers Come First in Successful Breach Navigation
(September 10 & 11, 2007)
David Escalante, Boston College's director of computer policy and
security, described how his institution managed a data security breach
that compromised the personal information of approximately 100,000
alumni without alienating people affected by the breach. Within two
weeks of discovering the breach, Escalante had assembled an incident
response team from departments across the school, including legal and
PR, and had sent notification letters to the 100,000 potentially
affected alumni. Escalante said it was important to be up front about
the incident with those it affected, and to apologize. BC also
established phone lines for concerned alumni to call and have questions
answered. College police reports were available to alumni who requested
them and though the response team chose not to make an announcement to
the press about the breach, the PR department responded to press
inquiries. In contrast, TJX failed to be forthcoming with information
about the breach of their systems that exposed millions of credit and
debit card details.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/09/11/dos-and-donts-for-dealing-with-data-breaches_1.html
http://www.networkworld.com/news/2007/091007-boston-college-data-breach-recover.html
[Editor's Note (Schultz): Boston College's response to this incident was
not perfect, but it was so much better than the norm that I predict it
will serve as a model of how to deal with incidents of this nature for
years to come.
(Honan): One aspect done well by BC in their preparation was engaging
with law enforcement before any breach occurred. Establishing a
relationship with law enforcement before you suffer a breach allows you
to better respond to the incident knowing in advance what is expected
of you. ]

************************* Sponsored Links: ***************************
1) Find out what Seagate knows about secure storage. It could improve
your company's security.
http://www.sans.org/info/16106

2) The SANS Software Security Series in Tysons Corner, Virginia October
9-10 will feature two new courses on the importance of security in the
software development lifecycle!
To find out more or register, go to http://www.sans.org/info/16186
Seating is limited so register today.
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Ringleader of ID Fraud Gang Gets Five Year Sentence
(September 13, 2007)
The ringleader of an identity theft group has been sentenced to five
years in prison. Irving Escobar will also pay US $600,000 in
restitution. Some of the data used in the scheme were stolen in the TJX
data breach, but Escobar and his cohorts are not believed to have been
responsible for that attack; they bought the data they used from other
people. Five other people involved in the scheme are now serving
probation and a fifth person was deported. The gang used the data to
create clone credit cards that they used to purchase gift cards at
Wal-Mart and Sam's Club; losses from the scheme were estimated to be US
$3 million.
http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-09-13-tjx-escobar_N.htm

 --Man Charged with Hacking UN Employee's Private eMail
(September 13, 2007)
An Egyptian man is on trial in Dubai for allegedly hacking into the
email account of a United Nations employee and attempting to blackmail
her. The suspect allegedly accessed her private files and pictures. He
has been charged with breaking into her email account, stealing her
password and threatening to divulge her personal information through
email.
http://www.gulfnews.com/nation/Police_and_The_Courts/10153555.html
[Editor's Note (Ullrich): This is not the first time that a hacker has
used personal information found on a hacked system against the victim.
Like most blackmail schemes, the victim is frequently too embarrassed
to come forward, and even if they do, local law enforcement may not be
able to offer much help.]

 --German Police Arrest 10 in Connection with Phishing Scheme
(September 13, 2007)
Police in Germany have arrested 10 people believed to be involved in a
phishing scheme. The arrests are the culmination of an 18-month
investigation into a scam in which people received phony emails
purporting to be from eBay and Deutsche Telekom. Those email messages
contained malware that collected sensitive banking account login data
from infected computers.
http://www.eweek.com/article2/0,1759,2182880,00.asp?kc=EWRSS03119TX1K0000594
[Editors' Note (Ullrich, Paller): German law enforcement has had a
number of successes in computer fraud cases over the last couple years.
Several involved east European criminals who were arrested while
visiting or passing through Germany. The German law enforcement
organizations have, up to this point, not gotten all the recognition
they deserve, and it is great to see them getting credit for their
impressive successes.]

 --Man Faces Prison for ID Fraud
(September 11, 12 & 13, 2007)
Max Ray Butler, who sometimes used the online moniker "Iceman," was
arrested on September 5 and indicted on three counts of wire fraud and
two counts of transferring stolen identity information. Butler
allegedly broke into computer networks at several financial institutions
and credit card processing centers, stole sensitive data, and sold them
to others. If he is convicted of all charges against him, Butler could
face up to 40 years in prison and a US $1.5 million fine. Butler also
allegedly operated a website where cyber criminals traded data that
could be used in identity fraud. Witnesses allege Butler used a
high-powered antenna to intercept wireless communications. Butler
previously served prison time for breaking into government computers.
http://www.msnbc.msn.com/id/20729556/
http://scmagazine.com/uk/news/article/737773/hacker-salesman-indicted-id-theft-charges/
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2007/09/12/BUC7S3PUV.DTL&type=printable
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201805605
http://www.theregister.co.uk/2007/09/12/max_vision_faces_more_hacking_charges/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035818&source=rss_topic17
[Editor's Note (Ullrich): Max Butler is also known as "Max Vision" and
has been convicted of computer crimes before. He appears to be one of
the first career cyber criminals.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --CT to Hold Hearing on Stolen Revenue Dept. Laptop
(September 8 & 13, 2007)
The Connecticut legislature's finance, revenue, and bonding committee
will hold a hearing about the stolen laptop that contains personally
identifiable information of 106,000 state taxpayers. The committee
hopes to hear testimony from representatives from the Department of
Revenue Services, the Department of Information and Technology, and the
Office of the Attorney General. In the last fiscal year alone, more
than 30 state-owned laptops were stolen or reported missing; Connecticut
Governor M. Jodi Rell has ordered the state to develop more stringent
measures to protect the state's laptop computers and other portable
devices and the data they contain.
http://blogs.courant.com/capitol_watch/2007/09/legislators-to-.html
http://www.theday.com/re.aspx?re=a1990858-e3c9-4f2d-afe7-2848cfec8964

 --Chinese Official Makes Cyber Espionage Allegations
(September 12 & 13, 2007)
In a Communist Party magazine, Chinese Information Industry Vice
Minister Lou Qinjian alleges that "hostile" foreign governments,
including the US, have successfully infiltrated Chinese government,
military and scientific research computers and stolen "massive" amounts
of sensitive information. The counter accusations appear to be a
response to recent allegations that China has broken into government
computers in Germany, France, the UK, and the US, among others.
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/12/AR2007091200791_pf.html
http://www.reuters.com/article/worldNews/idUSPEK8648420070912?sp=true
http://www.vnunet.com/vnunet/news/2198534/china-threatens-internet
http://www.theregister.co.uk/2007/09/12/french_cyberattacks/print.html
http://www.news.com.au/heraldsun/story/0,21985,22405996-662,00.html
http://www.zdnetasia.com/news/security/0,39044215,62032117,00.htm
[Editor's Note (Pescatore): It is silly to hyperventilate about which
countries attacks are coming from. Every country, including the US, has
the knowledge and the capacity to hack computer systems and every
country has used it.
(Ullrich): I hope this is true. It's always hard to validate these
claims, but I would think that any self-respecting national intelligence
service includes cyber attacks as part of their standard toolkit.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Exploit Code Posted for Critical Microsoft Agent Flaw
(September 13, 2007)
Less than a day after Microsoft released a patch for a critical remote
code execution flaw in Windows 2000 Service Pack 4, exploit code for
that vulnerability has appeared on the Internet. The flaw lies in the
Microsoft Agent ActiveX control; ActiveX controls are "a pretty common
attack vector," according to one advisory. Users are advised to apply
the patch immediately, or if unable to do that, "disable support for
active content in their browsers" until they can apply the patch.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036218&source=rss_topic17
http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
[Editor's Note (Ullrich): "Hacktive X" as it is sometimes called by
critics has probably been one of the largest architectural mistakes made
by Microsoft. Not supporting Active X is one critical advantage
alternative web browsers have over Internet Explorer.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Computers Hold Mental Health Histories
(September 11, 2007)
Two computers stolen from a welfare office in Harrisburg, Pennsylvania
contain mental health histories of more than 300,000 people, as well as
names and Social Security numbers (SSNs) of approximately 2,000 people.
The patients whose mental health histories are on the computers are not
identified by name, and their treatment is recorded in coded form. The
theft occurred on August 22, 2007. The Department of Public Welfare has
begun notifying affected patients of the data security breach.
http://www.pennlive.com/midstate/patriotnews/article121468.ece#story
http://digital50.com/news/items/PR/2007/09/11/DC02749/

 --Gander Mountain Computer Theft Exposes Transaction Data
(September 10, 2007)
Computer equipment stolen from a Gander Mountain Company store in
Greensburg, Pennsylvania contains records of transactions that took
place between July 2002 and June 2007 at that particular store,
including approximately 112,000 records with a credit card number and
expiration date alone, approximately 10,000 records with a credit card
number and expiration date along with a name, and approximately 5,750
records with a credit card number, expiration date, name and driver's
license number. Gander Mountain has notified the customers for whom it
has address information, as well as the credit card companies and its
card-processing bank. A toll-free number for affected customers has
been established.
http://money.cnn.com/news/newsfeeds/articles/prnewswire/AQM90510092007-1.htm

MISCELLANEOUS
 --Microsoft Responds to Stealth Update Reports
(September 13, 2007)
Nate Clinton, Microsoft program manager in the Windows Update (WU)
group, acknowledged that the company was not "as transparent as [it]
could have been" regarding WU's updates. Clinton was responding to a
report that Microsoft's WU service had made modifications to users'
computers in the middle of the night, even if those users had set the
program not to install updates without their permission. Clinton says
the changes that were installed without permission were changes in the
WU software itself, and that those using the service have implied by
doing so that they expect to be notified of updates, so the service
itself must be kept in good working order.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036478&source=rss_topic17

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert: One Team, Two Team, Red Team, Blue Team
WHEN: Tuesday, September 18, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
http://www.sans.org/info/16126
Sponsored By: Core Security

When you want to find out if a process or technology is really working,
what do you do? Test it! This applies to auditing, disaster recovery,
and certainly information security. In this webcast, learn how to build
a penetration testing team to assess your organization's security
posture, as well as an incident response team to detect and respond to
the attacks.

Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark
http://www.sans.org/info/16136
Sponsored By: Seagate Technology

The stakes have never been higher for organizations that process and
store sensitive information on customers and employees. This webcast
will explore the business drivers for encryption of system disks and
provide the results of a hands-on evaluation comparing Seagate®
DriveTrust™ against a software-based approach.

Ask the Expert Webcast: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
http://www.sans.org/info/16151
Sponsored By: Secure Computing

This webcast will focus on the trend toward reuniting Access and
Identity and why it is important to consider strong authentication right
from the planning phase of a remote access project. We will also review
key criteria associated with choosing and deploying two-factor
authentication in an enterprise environment.

Ask the Expert Webcast: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
http://www.sans.org/info/16161
Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly
valuable to help solve a host of other real problems in IT beyond simple
compliance. Compliance drives most log management purchases but IT
Managers are constantly challenged to maximize investments in
technology.

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFG6r7J+LUG5KFpTkYRAvi4AJ9Ewp72q9xF7vZAzj3ydWgcLYI0cQCfUZC+
6lJgNcACcRbZdU056v2kv3M=
=30Gn
-----END PGP SIGNATURE-----