From: The SANS Institute (NewsBites at sans.org)
Date: Tue Mar 25 2008 - 13:35:05 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Excel story is number two in Top of the News this week because of
the critical lesson it teaches: When you see your anti-virus package
"scanning" a Word or Excel file, the odds are VERY high that it won't
find any of the important new vulnerabilities nation states and rich
criminals are using to get past the most sophisticated defenses. Don't
open email attachments unless you were expecting them. Send a note back
and ask the person to embed the text in a simple email. This matters
to your career. The people who break this rule will be the reason their
organization's data are stolen and they won't be able to hide.
2008 Short Lists of security products that actually work. Did we get
them right? If you use any security products, please take a few minutes
to complete the quick survey that lets you tell which security products
matter and whether we have the right products in the short lists. If
you can do it before Wednesday night (11 PM EDT), you'll be eligible for
a $500 cash drawing. The survey is posted at
http://www.surveymethods.com/EndUser.aspx?9BBFD3CA98DBCACB
Alan
*************************************************************************
SANS NewsBites March 25, 2008 Vol. 10, Num. 24
*************************************************************************
TOP OF THE NEWS
Cyber Attacks Targeting Pro-Tibet Groups on the Rise
Exploit Code for Excel Flaw Released
State Dept. Names Contractors in Passport File Breaches
Stolen Laptop Holds NIH Clinical Trial Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Former Employee Gets Probation for Destructive Cyber Intrusion
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Beckstrom First to Head Up National Cyber Security Center
SPYWARE, SPAM & PHISHING
Millions of Chinese Mobile Users Hit with Spam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Acknowledges Flaw in Jet Database Engine
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computer Holds Unencrypted Agilent Employee Data
Lasell College Notifies 20,000 of Data Breach
LETTER TO THE EDITORS
LIST OF UPCOMING FREE SANS WEBCASTS
******************* Sponsored By Credant Technologies *******************
FULL DATA ENCRYPTION2 = FULL DISK WITHOUT THE RISK.
Outdated encryption methods require unwelcome compromises to IT
operations, and can't provide the level of data security now needed. New
Full Data Encryption2 is here!
Protects What Matters: Your Data. Download overview.
http://www.sans.org/info/26294
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Cyber Attacks Targeting Pro-Tibet Groups on the Rise
(March 21 & 24, 2008)
Cyber attackers are targeting groups sympathetic to anti-China activists
in Tibet. The attacks attempt to disrupt activity and obtain
information about the groups and their supporters. The attacks have
increased in intensity recently. The group Human Rights in China says
it has been on the receiving end of more than 100 targeted attacks since
the first of the year, up from an annual total of 40 in 2007. The Tibet
Support Network reports receiving about 20 email attacks every day.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/21/AR2008032102605_pf.html
http://www.bbc.co.uk/blogs/technology/2008/03/tibet_the_cyber_wars.html
[Editor's Note (Ullrich): This news release is the result of several
years of work. Up to now, the affected groups had been silent about
these attacks to allow researchers to monitor the attacks. These attacks
are very similar to the ones reported by defense contractors and
government networks. In some cases, the same C&C server was used in
attacks on political groups like the ones discussed here, and government
contractors. The Internet Storm Center believes a large number of
attacks against these groups and others have been prevented through
moderated sharing of information among victims, security vendors, and
potential victims.
http://isc.sans.org/diary.html?storyid=4177
http://isc.sans.org/diary.html?storyid=4176]
--Exploit Code for Excel Flaw Released
(March 24, 2008)
Exploit code for a recently patched vulnerability in Excel has been made
public; users are urged to apply the patch released earlier this month
as soon as possible. The flaw has been exploited since mid-January, but
the attack code was released just last week. It is the first exploit
code for the batch of patches Microsoft released in its March 11
MS08-014 security bulletin. This is the same bulletin that Microsoft
re-released just days after its original release to fix a regression
error that produced incorrect calculations in one of the Excel fixes.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9071099&taxonomyId=17&intsrc=kc_top
--State Dept. Names Contractors in Passport File Breaches
(March 21 & 22, 2008)
The US State Department has identified the contractors whose employees
breached presidential candidates' passport files as Stanley and The
Analysis Corporation. Stanley says it fired two employees for the
unauthorized data access as soon as it learned of the incidents. The
breaches were detected through software designed to catch unauthorized
file access. An investigation will determine which laws were broken in
the incidents. At first it was believed that only Barack Obama's file
had been accessed, though it later came to light that the files of
Hillary Clinton and John McCain were accessed as well. There are also
reports that contract workers ignored warnings that files were being
improperly accessed. Secretary of State Condoleezza Rice has apologized
for the breaches.
http://www.fcw.com/online/news/152010-1.html?topic=security
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070618&source=rss_topic17
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/21/AR2008032100377_pf.html
[Editor's Note (Ullrich and Paller): A breach like this cannot easily
be prevented. Employees need access to do their job. The nice thing
about this story is that policy was backed up by monitoring. It allowed
everybody to get their work done and the misbehaving employees were
identified quickly.
(Pescatore): Authorized users taking unauthorized actions is the classic
security incident because of how difficult it is to define "authorized
action" in computer readable form. The fact that it was detected is a
major plus - most enterprises don't even have the security controls in
place to detect such actions, as many recent incidents have pointed out.
There has been way too much dependence on policies and claims of data
classification and not enough actual access and data flow monitoring
going on.
(Northcutt): What I like about this story is that they were detected by
software designed to do just exactly that. Way to go State Department;
gold star. Now for the rest of us, when will we ever learn? Britney
Spears checks into the hospital, they end up firing people for looking
at her records:
http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story
And the latest on the mother of all government sensitive information
databases, the Bush administration is finally realizing they may not be
able to shove Real ID down the states' throats:
http://ap.google.com/article/ALeqM5hGWEcbtYTTl9RTiO3YS_POnaYJ9gD8VII6T80
(Schultz): This incident brings back memories of Watergate (although it
obviously is not as serious). In the early 1970's, the American public
was furious over sensitive election-related and other information being
compromised the way it was. Tragically, now apathy concerning events of
this nature abounds. It is like John Mayer sings--"Waiting for the world
to change..."]
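The editors' notes above turn on one point: the passport breaches were caught because access monitoring backed up policy, and the hard part is encoding "authorized action" in a form software can check. The following is an added example, not code from the newsletter or from the State Department system it describes. It shows one workable encoding: access to a record on a watch list counts as authorized only when it cites an open work item assigned to that user for that record, with a second signal for a user who browses several watch-listed records in a short window. The log lines, user names, record ids and work-item register are all constructed for the demonstration.

```python
"""Detecting authorized users taking unauthorized actions (added example).

Not code from the newsletter or from any real monitoring product. The log,
watch list and work-item register below are constructed sample data.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application access log: timestamp,user,action,record,work_item
SAMPLE_LOG = """\
timestamp,user,action,record,work_item
2008-03-14T09:01:10,clerk01,view,REC-1001,WI-5520
2008-03-14T09:03:42,clerk01,view,REC-7777,
2008-03-14T09:04:05,clerk02,view,REC-7777,WI-5531
2008-03-14T09:04:50,clerk01,view,REC-7778,
2008-03-14T09:05:30,clerk01,view,REC-7779,
2008-03-14T10:15:00,clerk03,view,REC-2002,WI-5540
"""

# Constructed watch list: records whose every access must be justified.
WATCH_LIST = {"REC-7777", "REC-7778", "REC-7779"}

# Constructed work-item register: work item id -> (assigned user, record it concerns).
WORK_ITEMS = {
    "WI-5520": ("clerk01", "REC-1001"),
    "WI-5531": ("clerk02", "REC-7777"),
    "WI-5540": ("clerk03", "REC-2002"),
}


def access_is_authorized(user: str, record: str, work_item: str) -> bool:
    """Encode 'authorized action' as a checkable rule: a watch-listed record may
    only be read under a work item that exists, is assigned to this user, and
    concerns this record. Records off the watch list are not constrained here."""
    if record not in WATCH_LIST:
        return True
    assigned_to, concerns = WORK_ITEMS.get(work_item, (None, None))
    return assigned_to == user and concerns == record


def find_violations(log_text: str) -> list[dict]:
    """Return one finding per access that fails the authorization rule."""
    violations = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not access_is_authorized(row["user"], row["record"], row["work_item"]):
            violations.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "record": row["record"],
                "reason": "watch-listed record accessed without a matching work item",
            })
    return violations


def find_browsing_bursts(log_text: str,
                         window: timedelta = timedelta(minutes=5),
                         threshold: int = 3) -> dict[str, int]:
    """Second signal: a user touching `threshold` or more watch-listed records
    inside `window`, which looks like curiosity browsing rather than case work.
    Returns user -> largest number of watch-listed accesses seen in one window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["record"] in WATCH_LIST:
            by_user[row["user"]].append(datetime.fromisoformat(row["timestamp"]))
    bursts: dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['timestamp']} {v['user']} {v['record']}: {v['reason']}")
    for user, n in find_browsing_bursts(SAMPLE_LOG).items():
        print(f"{user}: {n} watch-listed records in one 5-minute window")
```

The rule deliberately sits in data (the watch list and work-item register) rather than in code, so the policy owner can change what "authorized" means without touching the detector; the burst check catches the case where a user has some legitimate work item but wanders across several sensitive records anyway.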
--Stolen Laptop Holds NIH Clinical Trial Data
(March 24, 2008)
A laptop computer containing unencrypted personal information of 2,500
National Institutes of Health (NIH) study participants was stolen from
a locked car trunk in February. NIH waited nearly a month before
notifying affected individuals. The clinical trial information includes
names, diagnoses, hospital medical record numbers and MRI data, but no
Social Security numbers (SSNs) or financial information. Government
policy requires that portable electronic devices have encryption
software. An NIH statement indicates that the agency is taking steps to
ensure that all devices have encryption and that personally identifiable
information not be stored on laptops.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/23/AR2008032301753_pf.html
http://www.govhealthit.com/online/news/350283-1.html
http://www.govexec.com/dailyfed/0308/032408bb2.htm
************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/26299
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Former Employee Gets Probation for Destructive Cyber Intrusion
(March 20, 2008)
Joseph Patrick Nolan was sentenced to four years probation for breaking
into his former employer's computer system and destroying data. Nolan
destroyed records from Pentastar Aviation's personnel and payroll
operations, costing the company more than US $50,000. Nolan was also
ordered to pay Pentastar US $1,158. Nolan resigned from Pentastar in
January 2007; the intrusion occurred in February of that year. He was
then employed by the city of Ann Arbor's Information Technology
Department until May 2007.
http://blog.mlive.com/annarbornews/2008/03/ann_arbor_man_to_serve_probati.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Beckstrom First to Head Up National Cyber Security Center
(March 20 & 21, 2008)
Rod Beckstrom has been named the first director of the National Cyber
Security Center. The center was created by a presidential directive in
January 2008. A statement from Department of Homeland Security (DHS)
Secretary Michael Chertoff says Beckstrom "will serve the department by
coordinating cybersecurity efforts and improving situational awareness
and information sharing across the federal government." Beckstrom is
an author and entrepreneur. Most recently, he co-founded Twiki.net; he
is also the author of "The Starfish and the Spider." Beckstrom will
report directly to Secretary Chertoff.
http://www.gcn.com/online/vol1_no1/45998-1.html?topic=security
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/20/AR2008032001847_pf.html
http://www.eweek.com/c/a/Security/Tech-Exec-Picked-for-Top-Cyber-Security-Post/
[Editor's Note (Pescatore): This one is hard to figure. A political
appointment less than a year before an administration change, of a
person with no background in security or government, less than 18 months
after appointing Greg Garcia as Assistant Secretary for Cyber Security
and Communications at DHS but reporting much lower in DHS.
(Paller): Perhaps the reason for this decision is that the Director of
National Intelligence, White House, and the Secretary of DHS felt the
need for a different type of leadership for the new Cyber Initiative.]
SPYWARE, SPAM & PHISHING
--Millions of Chinese Mobile Users Hit with Spam
(March 21 & 24, 2008)
Chinese authorities are investigating a spam attack in which 200 million
mobile phone users received unsolicited text messages from advertisers.
China Mobile has apologized and says it will block messages from a
number of online advertising companies. China's State Council intends
to conduct an investigation.
http://news.bbc.co.uk/2/hi/business/7311242.stm
http://ap.google.com/article/ALeqM5hzb6fBdKF_xDEHf32QpjIcXOW7XwD8VJOCKG0
[Editor's Note (Ullrich): SMS spam is not new, but certainly on the
rise. It is particularly annoying if the recipient is charged for these
messages. China Mobile last year installed a massive SMS filtering and
monitoring infrastructure. It was not used in time to curb this spam.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Microsoft Acknowledges Flaw in Jet Database Engine
(March 21, 22 & 24, 2008)
Microsoft has issued an advisory warning of a critical vulnerability
affecting users of Word running on Windows 2000, XP and Server 2003 SP1
that is being actively exploited in targeted attacks. Microsoft says
the buffer overflow flaw lies in the Microsoft Jet Database Engine.
Reports of the flaw emerged three weeks ago, but Microsoft had not
publicly acknowledged the problem until now. Users running Word on
Windows Vista and Server 2003 SP2 are not at risk because those
operating systems use a different version of Jet. A fix is not yet
available; Microsoft recommends disabling Jet or blocking .mdb files at
the gateway.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=4192
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070840&source=rss_topic17
http://www.news.com/8301-10784_3-9901665-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.securityfocus.com/brief/709
http://www.eweek.com/c/a/Security/Microsoft-Confirms-Jet-DB-Flaw-MS-Word-Attacks/
http://www.microsoft.com/technet/security/advisory/950627.mspx
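The interim mitigation named above is to block .mdb files at the gateway. The following is an added example, not code from the newsletter, from Microsoft's advisory, or from any mail gateway product. It parses a MIME message and flags Jet database attachments both by extension and by file signature, because an attacker who renames the file defeats an extension-only filter. The message and its attachments are constructed for the demonstration; the Jet/ACE signature strings used are the ones documented for the file format, but treat them as this example's assumption and confirm them against samples from your own environment.

```python
"""Gateway-style check for Jet (.mdb) attachments (added example).

Not code from the newsletter, Microsoft, or any gateway product. The sample
message below is constructed; the signature strings are an assumption to
verify against real samples.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Jet/ACE database files start with the bytes 00 01 00 00 followed by a
# version string. Assumed (documented) signatures for Jet 3/4 and ACE files.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
JET_PREFIX = b"\x00\x01\x00\x00"
BLOCKED_EXTENSIONS = (".mdb", ".mde", ".accdb")


def looks_like_jet(data: bytes) -> bool:
    """Content-based check: does the payload carry a Jet/ACE signature at offset 4?"""
    return data.startswith(JET_PREFIX) and data[4:].startswith(JET_SIGNATURES)


def classify_attachments(raw_message: bytes) -> list[dict]:
    """Walk every attachment of a MIME message and record why it would be
    blocked (or None if it passes). Extension and content are checked
    separately so a renamed database is still caught."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = None
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reason = "blocked extension"
        elif looks_like_jet(payload):
            reason = "Jet signature under a different extension"
        findings.append({"filename": name, "size": len(payload), "blocked_reason": reason})
    return findings


def should_quarantine(findings: list[dict]) -> bool:
    """Gateway decision: hold the whole message if any attachment is flagged."""
    return any(f["blocked_reason"] is not None for f in findings)


def build_sample_message() -> bytes:
    """Construct a demonstration message (not a real sample) with three
    attachments: an .mdb, the same bytes renamed to .txt, and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    jet_blob = JET_PREFIX + b"Standard Jet DB\x00" + b"\x00" * 64  # constructed header
    msg.add_attachment(jet_blob, maintype="application", subtype="octet-stream",
                       filename="payroll.mdb")
    msg.add_attachment(jet_blob, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    msg.add_attachment("just text\n", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    results = classify_attachments(build_sample_message())
    for f in results:
        print(f"{f['filename']:<12} {f['size']:>5} bytes  -> {f['blocked_reason']}")
    print("quarantine:", should_quarantine(results))
```

In a real deployment the content check matters more than the extension list: the extension list documents policy, while the signature check is what stops a database that arrives as notes.txt or inside a renamed archive member.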
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Stolen Computer Holds Unencrypted Agilent Employee Data
(March 22, 2008)
Agilent Technologies has sent letters to 51,000 current and former
employees notifying them that their personally identifiable information
was on a laptop computer that was stolen on March 1. The unencrypted
data include names, addresses, SSNs, and stock option information. The
laptop was stolen from a vendor's car; Agilent's letter places the blame
on that vendor - Stock & Option Solutions - for not encrypting the data.
A former employee who received a notification letter said, "Agilent
should have put all of the data into an encrypted format to begin with."
http://www.mercurynews.com/peninsula/ci_8660115
[Editor's Note (Northcutt): We keep building these databases with
sensitive information. Two governance tips: information is a potential
asset, but it is also a potential liability. I try to make myself look
at the chronology page at privacyrights.org at least once a month to see
who else is going to be party to a class action lawsuit (Welcome to the
club Rhode Island and Agilent Technologies):
http://www.privacyrights.org/ar/ChronDataBreaches.htm
The second suggestion is to quit thinking of this as a technology
problem. Think of sensitive personal information as money! Each record
you store is worth a certain amount, say $10.00 when you average across
all the businesses that store these records. But as we said, these
records have a liability value as well, if losing the information takes
you into litigation. And that liability value is much higher than $10.
If we think of the records we store as money and treat those records as
we treat money, then we put significant controls in place. Many of the
data breaches are due to lost laptops. How much of your company's cash
would you allow an employee to put in a laptop case that they store in
their automobile trunk, front seat of the car, home, or hotel room? I
would bet most companies would not allow more than $100 to be carried
by an employee without some form of controls. Yet, we put thousands of
records on laptops.]
--Lasell College Notifies 20,000 of Data Breach
(March 12 & 19, 2008)
Lasell College in Newton, Massachusetts has notified 20,000 people that
their personally identifiable information was compromised in a cyber
intrusion. The breach occurred on February 6, 2007. The data include
names and SSNs; the breach affects students and alumni as well as
current and former faculty and staff. Local law enforcement
authorities are conducting an investigation. The college has also
notified Attorneys General and other officials in the states where those
affected reside.
http://www.lasell.edu/admission/adm_news_story.asp?iNewsID=563&strBack=/about/adm_news_archive.asp
http://www.boston.com/news/local/breaking_news/2008/03/hacker_compromi.html
LETTER TO THE EDITORS
Al Hill writes "80+ patches for the Apple OS, 13 patches for their
browser, and not one admonishment by the SANS editors? Very
interesting..."
LIST OF UPCOMING FREE SANS WEBCASTS
Tool Talk Webcast: Are You Naked? Why virtualization and service
processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi
Virtualization and on board service processors are making log management
systems obsolete and opening their customers to huge compliance issues.
All existing log management systems are based on an 'inside out' agent
based, SYSLOG and SNMP architecture. This model is obsolete in today's
datacenter. Traditional log management systems do not log all events or
watch the data center all the time, opening the door to Sarbanes Oxley,
HIPAA and other compliance risks.
***
Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Larry Suto
http://www.sans.org/info/24653
Sponsored By: Fortify Software
All black box testing tools are not created equal. In the Fall of 2007,
security consultant Larry Suto published a report that evaluates the
coverage and balance between false positives and false negatives of
three popular penetration testing tools. His findings, which some found
surprising, prompted official responses from a number of tool vendors
that called into question areas of the experiment that could have led
to shaky results.
***
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability
Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
http://www.sans.org/info/24668
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater",
practices like confiscating nail files in airport security or running
vulnerability scans and taking no action or pretending a SIEM "partial
implementation" actually helps create effective security. If we want to
get better and actually implement security well one of the atomic keys
is to configure the system correctly and maintain that configuration.
Stephen will discuss the three views, the inside view, outside view and
user view that give us the information we need to assess the
configuration of our system. We can use tools like the Center for
Internet Security toolsets to create the inside view, vulnerability
scanners and exploitation tools like CORE for the outside view and to
get the user view we need to run a number of tests to determine the
level of awareness and practice. The data from all three views gives us
the ability to accurately assess our exposure to threat.
***
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software
Data leakage occurs everywhere computing is conducted - whether it be
hand-helds, USB tokens or even protected internal computers where cut,
copy and paste functions are difficult to control. Organizations need a
map of these leakage points so they can plug them and protect themselves
against regulatory violations. This Webcast discusses where and how data
leaks, what types of privacy violations these leakage points present,
and what to do about them.
***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments
and provide organizations with a blueprint on how to cost-effectively
take advantage of this critical technology. Learn first hand how your
organization can benefit from this ground-breaking technology.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkfpNs0ACgkQ+LUG5KFpTkYJTQCfTTg+0pAw1V8gXXrbTHoX/pJR
VAwAn3pipoEp3q3HbeqO+S/dRQ7hI/9V
=6n08
-----END PGP SIGNATURE-----