From: The SANS Institute (NewsBites sans.org)
Date: Tue Sep 25 2007 - 14:17:06 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites September 25, 2007 Vol. 9, Num. 76
*************************************************************************
TOP OF THE NEWS
FBI Investigating DHS Contractor For Alleged Failure to Detect DHS Breaches
Companies Still Not Taking Adequate Measures to Wipe Used Drives
Number of Cyber Attacks is Down, But Severity is Up
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
TJX Offers Settlement
Panda Author Gets Four Years in Prison
POLICY & LEGISLATION
Estonia Looking to Update Cyber Security Laws
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
German Courts Order eDonkey Servers Shut Down
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cross-Site Scripting Flaws in Google
Zero-Day PDF Flaw in Adobe Reader
Overflow Flaw in OpenOffice Could Allow Remote Code Execution
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Mortgage Data Exposed through Filesharing Network
Another Laptop Theft in Connecticut
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
***WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/
Where can you find Hacker Exploits and SANS other top-rated courses?
Las Vegas (9/23-9/28): http://www.sans.org/ns2007/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up
with excellent documentation for those long winter nights." (Keith
Mellism, Canada Life)
"This course has valuable information that can be implemented
immediately in the work place." (Christopher O'Brien, Booz Allen
Hamilton)
"You will never ever find anything more valuable than SANS super
knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
*************************************************************************
TOP OF THE NEWS
--FBI Investigating DHS Contractor For Alleged Failure to Detect DHS Breaches
(September 24, 2007)
The FBI is investigating Unisys over allegations the company failed to
detect cyber attacks on US Department of Homeland Security (DHS)
computer systems. The investigation was prompted by a letter from the
House Committee on Homeland Security, citing the "high and unacceptable"
number of "cyber security incidents" experienced by DHS computer systems
in fiscal years 2005 and 2006. The committee alleges that the intrusion
protection devices placed on DHS systems by Unisys were improperly
installed. Unisys refutes the allegations of improperly installed
systems and maintains it reported cyber security incidents. Committee
chairman Bennie Thompson (D-Miss.) and Subcommittee on Emerging Threats,
Cybersecurity, and Science and Technology chairman James R. Langevin
(D-R.I.) have also asked DHS Inspector General Richard Skinner to conduct
an investigation.
http://www.cio.com/article/140500/FBI_Investigates_Unisys_Over_US_Government_Hack
http://www.govexec.com/story_page.cfm?articleid=38112&dcn=todaysnews
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471_pf.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101028
[Editor's Note (Ullrich): Nobody will guaranty that a network is fully
secured against any possible attack. However, this case may become
interesting if it evolves into a meaningful discussion about security
service level agreements.
(Honan): Outsourcing the implementation or management of your security
systems to a third party does not equate to outsourcing the
responsibility for those systems. You need to implement proper checks
and balances to ensure that your provider is providing the level of
service you require. It will be interesting to see how the outcome of
this case will impact on the outsourced security provider space.
(Ranum): While they're all playing "blame the contractor," the truth is
that government agencies have been allowed to become utterly de-skilled
through overreliance on outsiders instead of actually knowing how to do
anything. The fact that DHS is the agency nominally tagged with leading
the US' cyber security efforts makes this whole comic opera a lot less
funny.
(Schultz): It is reasonable to expect events such as this one to occur
more frequently over time. Security service providers are going to
increasingly be held accountable for the results of the services that
they provide.]
--Companies Still Not Taking Adequate Measures to Wipe Used Drives
(September 21, 2007)
The percentage of used hard drives containing sensitive data has not
changed much in the last two years. According to statistics from BT
Group, 37 percent of second-hand hard drives still contain confidential
information from their previous users. BT Group examined 350 hard
drives bought in online auctions. Nineteen percent of the disks had
sufficient data on them to identify the organization of origin, and 65
percent contained personally identifiable information. The report,
which has yet to be released, also says that used drives are not highly
reliable; 44 percent of the 133 disks purchased in the UK did not work.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038221&source=rss_topic17
[Editor's Note (Ullrich): Wiping data takes time. Companies might be
better served by destroying the drives vs. trying to resell them used.
It's not worth the risk.]
--Number of Cyber Attacks is Down, But Severity is Up
(September 21, 2007)
According to a study from the Computing Technology Industry Association
(CompTIA), the incidence of cyber attacks has declined slightly over the
last year, but the severity of those attacks has increased
significantly. Of the 1,070 organizations responding to the survey, 66
percent did not report a security breach within the previous 12 months.
Last year, that figure was 61.8 percent, and the year before, 42
percent. However, the organizations gave the attacks they did
experience an average severity rating of 4.8 on a scale of 0 to 10; last
year's average severity rating was 2.6. The largest portions of the
costs involved in security breaches were impact on employee productivity
and server and network downtime.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202100132
Summary: http://www.comptia.org/sections/research/research%20docs/securitysummary407.pdf
[Editor's Note (Ullrich): Modern malware becomes harder and harder to
remove and detect. Once a system is infected, the damages very quickly
escalate due to malware automation and counter measures taken against
detection. The smaller number of attacks may very well reflect the
difficulties in detecting these attacks vs. an actual decline.
(Northcutt): These results are probably not correct; I think
organizations, with DHS as a case in point, are simply losing the ability
or desire to detect attacks.
(Ranum): I don't think we should quote these numbers because they are
meaningless and therefore deceptive. I just checked on CompTia's site
- the site producing the research - appears to simply use web-based
surveys in which basically anyone can log in and fill it out. There are
two horrible methodological flaws in doing this. First and foremost,
it's a self-selected sample, which guarantees bias. You're not measuring
"cyber attacks" you're measuring "what people who were bored enough to
take a survey claimed about cyber attacks." Unless they used some
different methodology for the survey (in which case they should explain
it!) Secondly, there's no way of telling if the respondent actually has
relevant information; for all we know the survey was taken by bored
12-year-olds mashing buttons at random.]
************************* Sponsored Links: ***************************
1) ALERT: Hacking Web Applications- A Step-by-Step Attack Analysis
Download this SPI Dynamics White Paper:
http://www.sans.org/info/16996
2) *NEW* Whitepaper. How do you take control of inside threats?
Learn 10 proven strategies for combating attacks.
http://www.sans.org/info/17001
3) 63% of malware distributed by US hosted web sites. New ID Theft and
Fraud Report provides the latest stats.
http://www.sans.org/info/17006
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--TJX Offers Settlement
(September 24, 2007)
TJX Companies has made a settlement offer to address class action
lawsuits brought in response to the massive security breach that was
disclosed earlier this year. Under the terms of the offer, customers
would be reimbursed for the cost of replacing their driver's licenses
and would be provided with three years of credit monitoring. The
settlement is subject to court approval. The company would also provide
store vouchers if customers incurred losses as a result of the breach.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101077
http://www.securityfocus.com/brief/594
[Editor's Note (Schultz): TJX would be lucky to have its offer accepted,
as the compensation it is offering is rather meager in comparison to the
magnitude of the impact of its security breach on so many of its
customers.]
--Panda Author Gets Four Years in Prison
(September 24, 2007)
A Chinese court has sentenced Li Jun to four years in prison for writing
and releasing the Panda worm. Three accomplices received sentences of
between one year and two-and-a-half years. The four earned
approximately 200,000 yuan (US $26,600) from selling the worm to others.
Prosecutors maintain the malware caused significant damage to millions
of computers between November 2006 and March 2007.
http://news.monstersandcritics.com/asiapacific/news/article_1359017.php/China_jails_creator_of_"panda"_computer_virus_for_four_years
POLICY & LEGISLATION
--Estonia Looking to Update Cyber Security Laws
(September 17, 2007)
Estonian legislators are taking steps to amend the penal code to provide
for more stringent punishments for cyber criminals. Estonian government
and business websites came under attack last spring, which prompted the
amendments. Current computer crime law in Estonia addresses crimes with
personal and financial gain as their aim. Under the proposed laws,
cyber crimes would be deemed acts of terrorism if their intents were the
same as acts of physical terrorism.
http://www.baltictimes.com/news/articles/18815/
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--German Courts Order eDonkey Servers Shut Down
(September 20 & 21, 2007)
Following orders from German courts, seven eDonkey servers in Germany
were shut down. The removal of those servers means that approximately
one-third of eDonkey's four million users will not have access to the
filesharing network. eDonkey does not have a parent company; it is a
loose organization with no apparent central control, so authorities
decided to take aim at those operating the servers that enabled the
eDonkey network. Injunctions against servers in France and the
Netherlands have also been issued.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article2504723.ece
http://www.heise.de/english/newsticker/news/96264
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Cross-Site Scripting Flaws in Google
(September 24, 2007)
A trio of cross-site scripting flaws in Google applications could be
exploited to steal data. A flaw in the polls application of Google
Groups could allow attackers to steal messages and contacts from Gmail
accounts. The second flaw lies in the Google search appliance and could
be exploited to steal site login credentials and other sensitive
information. The third vulnerability, which is in Google's Picasa photo
organizer, could allow attackers to steal pictures by manipulating users
into visiting specially crafted websites.
http://www.theregister.co.uk/2007/09/24/google_vulns_put_users_at_risk/print.html
--Zero-Day PDF Flaw in Adobe Reader
(September 21, 2007)
A zero-day, critical flaw in Adobe Acrobat Reader could be exploited
with a maliciously crafted PDF file to take control of PCs. The person
who found the flaw says he will not release proof of concept code until
a fix is available. In the meantime, he advises users to refrain from
opening PDF files. Adobe is investigating the issue.
http://www.theregister.co.uk/2007/09/21/pdf_peril/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038099&source=NLT_SEC&nlid=38
http://www.eweek.com/article2/0,1895,2186101,00.asp
[Editor's Note (Ullrich): Sadly, Adobe has done little to shed light on
the issue of severity. Even without a patch available yet, I would hope
a software company would provide clear guidance on severity and
mitigating measures.
(Frantzen): There is no such thing as a 0-day *vulnerability*. There are
only 0-day exploits at best. The right term for a vulnerability is "new"
or "unpatched", even "unconfirmed". The mitigation described is of no
help as the alternative will be even worse. Going back to emailing word
documents where the vulnerabilities are documented with exploits before
they get patched?
(Honan): Given the widespread use of the PDF file format for
distributing files the potential impact of this problem should not be
underestimated. Until more details are available or Adobe issues a
patch I suggest talking to your senior management to highlight this
problem. Based on that discussion mitigation steps such as
blocking/quarantining emails with PDF attachments, preventing the
downloading of PDF files and reinforcing to users not to click on PDF
files can be implemented.]
--Overflow Flaw in OpenOffice Could Allow Remote Code Execution
(September 18, 2007)
A critical heap-based buffer overflow flaw in
OpenOffice could allow attackers to execute arbitrary code and gain
unauthorized access to vulnerable systems. The flaw lies in the way
some tags within Tiff images are processed. To exploit the flaw,
attackers would need to trick users into opening maliciously crafted
documents. The flaw affects OpenOffice versions prior to 2.3; users are
urged to upgrade to the most recent version.
http://www.vnunet.com/vnunet/news/2198910/openoffice-hit-highly-critical
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Mortgage Data Exposed through Filesharing Network
(September 21 & 22, 2007)
Personally identifiable information of more than 5,200 ABN Amro Mortgage
customers was leaked to the Internet. A former ABN employee had
BearShare filesharing software installed on her computer, which allowed
the leak of the ABN spreadsheets as well as some of her own personal
information. The leaked data include Social Security numbers (SSNs).
The company is investigating. There is legitimate concern that the
information could be used to commit identity fraud; a man was recently
arrested in Washington state for misusing information he obtained
through filesharing networks.
http://www.theregister.co.uk/2007/09/21/abn_amro_leak_on_bearshare/print.html
http://online.wsj.com/article/SB119042735866835965.html?mod=googlenews_wsj
http://www.msnbc.msn.com/id/20912098/
http://www.channelinsider.com/article/Citigroup+Customer+Data+Leaked+on+LimeWire/215728_1.aspx
[Editor's Note (Northcutt): Companies must have strong policy to never
allow family members to use computers that are used for company business
where the definition of company business is that one or more company
files are on that computer. Also, we must understand that if you put
peer to peer software on a system it is almost certain you will share
more than you expect to:
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm ]
--Another Laptop Theft in Connecticut
(September 21 & 22, 2007)
A laptop computer stolen from a car earlier this month in Watertown,
Connecticut holds personally identifiable information of individuals
connected with 41 child welfare cases. The computer belonged to a
private consultant and held names, birthdates and allegations that
prompted the involvement of the Department of Children and Families
(DCF), but no financial data. The consultant reported the theft to the
agency the day after it occurred. This information security breach
follows close on the heels of the theft of a laptop computer containing
Department of Revenue Services data for more than 105,000 Connecticut
taxpayers and the revelation that a computer backup tape stolen from a
car in Ohio earlier this year held information about state agency bank
accounts as well as a small number of Connecticut residents.
http://www.wtnh.com/Global/story.asp?S=7108487
http://www.courant.com/news/local/hc-ctaplaptop0922.artsep22,0,924626.story
http://www.journalinquirer.com/site/news.cfm?newsid=18840780&BRD=985&PAG=461&dept_id=161556&rfi=6
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
http://www.sans.org/info/16181
Sponsored By: Prism MicroSystems EventTracker
Well, perhaps that is a stretch, but Log Management is incredibly
valuable to help solve a host of other real problems in IT beyond simple
compliance. Compliance drives most log management purchases but IT
Managers are constantly challenged to maximize investments in
technology.
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFG+VBe+LUG5KFpTkYRAnx3AJwP248ybrlaxcqYOK4XeBpOHm7lIwCdEru8
nDw56nSfjUKdg+ufou0YkWk=
=BSfZ
-----END PGP SIGNATURE-----