From: The SANS Institute (NewsBites@sans.org)
Date: Tue May 27 2008 - 10:06:51 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites May 27, 2008 Vol. 10, Num. 42
*************************************************************************
TOP OF THE NEWS
Gartner: Many Data Security Breaches Still Not Reported
Deutsche Telekom Accused of Accessing Retained Call Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Phisher Who Stole US $288,000 Draws Three-Year Sentence
Connecticut Bank Customers File Lawsuit Over Missing Backup Tapes
Significant Player in Software Piracy Scheme Convicted of Conspiracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
AusCERT Attendees Receive Malware-Infected USB Drives
Cross-Site Scripting Flaw in Facebook
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Bank of Ireland Laptops Held Other Banks' Info, Too
Doctor Resigns After Donated Computer Compromises Patient Data
MISCELLANEOUS
TJX Fired Employee for Making Posts About Lax Security
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By HP (SPI Dynamics) *******************
Top 4 AJAX Security Dangers - Free White Paper!
Are you ready for AJAX? Hackers definitely are!
With the growth of Web 2.0 and Rich Internet Applications (RIA),
developers are rapidly adopting AJAX and unknowingly exposing serious
security risks. This free whitepaper, from HP Software, 'AJAX Security
Dangers', provides more information about AJAX and its risks.
http://www.sans.org/info/29259
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
http://www.sans.org/secureeurope08
- Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Gartner: Many Data Security Breaches Still Not Reported
(May 23, 2008)
A recent study from Gartner found that many retail data security
breaches in the US are not being reported to customers. Of 50 US
retailers surveyed, 18 said they knew they had experienced a data
breach, but just three of the retailers had publicly disclosed the
breach. While the small sample precludes drawing hard conclusions, the
trend suggests that "there are a lot more breaches than we hear about,"
according to Gartner analyst Avivah Litan. Four of the retailers
participating in the survey had been fined for failing to comply with
Payment Card Industry (PCI) standards, and 11 more were threatened with
fines.
http://www.pcworld.com/businesscenter/article/146278/most_retailer_breaches_are_not_disclosed_gartner_says.html
[Editor's Note (Schultz): The Gartner Group is almost without a doubt
correct. Cover-ups of data security breaches are much more frequent than
most people suspect, and many organizations do not take statutes
concerning mandatory reporting of these breaches to potential victims
very seriously.
(Paller): A similar situation exists in federal agencies where agencies
report thousands of limited compromises and minor data breaches to
US-CERT, but conveniently forget to report the really important ones.
You'll hear about one important government (very senior official's)
laptop loss on Friday.
(Honan): PCI could be strengthened if the names of retailers that are
and are not compliant were made public. That would significantly raise
the value of compliance for the retailer.]
--Deutsche Telekom Accused of Accessing Retained Call Data
(May 24 & 26, 2008)
In a situation reminiscent of the Hewlett-Packard scandal a few years
back in the US, Deutsche Telekom is suspected of having snooped on
communications to determine the source of leaks to the media involving
sensitive information. The Deutsche Telekom internal security unit
allegedly used stored information, including numbers dialed, dates and
durations of calls to look for connections between Telekom executives
and media reporters. The breaches allegedly took place three years ago,
and both public prosecutors and a private law firm are investigating.
No calls were tapped, according to Telekom, but the stored data were
accessed without authorization. The German government is urging
Deutsche Telekom to be forthcoming with information about how
investigators obtained the information.
http://www.dw-world.de/dw/article/0,2144,3357090,00.html
http://www.topnews.in/law/berlin-urges-telekom-disclose-how-snoopers-got-phone-data
http://www.spiegel.de/international/business/0,1518,555363,00.html
http://www.allheadlinenews.com/articles/7011066534
[Editor's Note (Honan): This story is a prime example of how EU Data
Retention legislation can be used for purposes other than intended.]
************************* SPONSORED LINK ******************************
1) Where Is Your Confidential Data and How Do You Protect It? A Customer
Success Story
https://ww.sans.org/info/29254
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Phisher Who Stole US $288,000 Draws Three-Year Sentence
(May 23, 2008)
The High Court in Auckland, New Zealand has sentenced Thomasz Grygoruk
to three years in jail for blackmail and document and computer fraud.
Grygoruk used a sophisticated phishing scheme to steal people's
financial information that he then used to create phony ATM cards. He
stole as much as AU $300,000 (US $288,000) from their accounts. Grygoruk
also attempted to blackmail a man in the US; that man called the FBI,
which ultimately became involved in the investigation and helped to
bring Grygoruk to justice. Justice Lyndon Stevens also ordered that the
computer equipment Grygoruk used to commit the crimes be destroyed.
http://www.nzherald.co.nz/feature/story.cfm?c_id=1501833&objectid=10512131
--Connecticut Bank Customers File Lawsuit Over Missing Backup Tapes
(May 23, 2008)
Some customers of Peoples United Bank of Bridgeport (Connecticut) have
filed a lawsuit regarding the loss of backup tapes containing personally
identifiable sensitive information. The suit, which seeks class action
status, was filed against both Peoples and Bank of New York Mellon, the
institution that lost the tapes. The plaintiffs are seeking extended
credit monitoring, credit insurance and punitive damages. Connecticut
Governor M. Jodi Rell says Bank of New York Mellon did not inform
Peoples of the breach in a timely manner; Connecticut state law requires
that customers affected by a data security breach be notified
immediately.
http://www.fayobserver.com/article_ap?id=123206
--Significant Player in Software Piracy Scheme Convicted of Conspiracy
(May 22, 2008)
Barry Gitarts has been convicted of conspiracy to commit criminal
copyright infringement. Gitarts played a significant role in an
Internet piracy group known as the Apocalypse Production Crew (APC).
According to court records, Gitarts funded and administered a server
that was used to upload and download pirated content, including music,
software and movies. APC appears to have been a "first-provider,"
meaning it was the original source for much pirated content on the
Internet. Gitarts' conviction is the 15th for members of APC. He is
scheduled for sentencing on August 8, 2008, when he will face as many
as five years in prison, a US $250,000 fine, and three years of
supervised release. In addition, he could be required to make full
restitution for his actions.
http://www.cybercrime.gov/gitartsConvitct.pdf
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--AusCERT Attendees Receive Malware-Infected USB Drives
(May 23, 2008)
Attendees at the recent AusCERT conference on Australia's Gold Coast
received USB drives from Telstra that were inadvertently infected with
malware. The malware relies on the Windows AutoRun feature: when one of
the drives is plugged into a computer that honors autorun.inf, the
payload installs itself on that machine. The USB drives were "certified
pre-owned." Telstra recalled the drives as soon as it learned of the
problem.
http://blogs.zdnet.com/security/?p=1173
http://searchsecurity.techtarget.com.au/articles/24758-Telstra-distributes-malware-infected-USB-drives-at-AusCERT
[Editor's Note (Ullrich): Handing out free USB drives is very popular.
At this year's RSA conference, each attendee received a USB drive which
included the conference proceedings. This particular USB drive was
equipped with 'U3' technology to make it auto-run enabled. Please take
a minute and check that you disabled auto-run.
(Paller): Last month HP Australia reported some of the USB keys shipped
with its ProLiant servers were infected with Fakerecy and SillyFDC
viruses. And last summer, attendees at a national security conference
sponsored by a public-private partnership were also given infected USB
thumb drives. These events are just the tip of the iceberg. Supply
chain attacks where infections are embedded in USB devices have already
ruined Christmas for a bunch of people who got infected digital picture
frames from their relatives or friends.]
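Ullrich's advice to check that AutoRun is disabled, and the Telstra drives' dependence on autorun.inf, can be turned into a concrete triage step. The script below is an added example written for this newsletter, not code from SANS, Telstra, HP or any other party named above. The autorun.inf it analyses is constructed to mimic the period's USB-worm pattern; the registry value and bit meanings are Microsoft's documented NoDriveTypeAutoRun semantics. It does not read the registry itself (that needs Windows); you pass in the value you read with reg query. Two caveats for 2008-era machines: the XP default of 0x91 leaves AutoRun on for USB sticks and CD-ROMs, and setting 0xFF was not reliably honored until Microsoft's later AutoRun updates, so verify on a real host rather than trusting the registry alone.

```python
"""Triage helper for a found or free USB drive: what would Windows AutoRun
launch from its autorun.inf, and does the NoDriveTypeAutoRun policy on the
receiving machine block it?  Added example; the autorun.inf below is
constructed, not copied from the Telstra drives."""
import configparser
import re

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
# NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
REMOVABLE = 0x04
XP_DEFAULT = 0x91   # unknown + network + reserved: AutoRun still fires for USB
HARDENED = 0xFF     # every drive type: what "disable auto-run" should mean

# [autorun] directives that execute a program on insertion (open,
# shellexecute) or replace the Explorer double-click action (shell\x\command).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

def drives_still_autorunning(policy):
    """Drive types for which a given NoDriveTypeAutoRun value leaves AutoRun on."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy & bit]

def autorun_blocked(policy, drive_type_bit=REMOVABLE):
    return bool(policy & drive_type_bit)

def parse_autorun_inf(text):
    """Return (directive, target) pairs from [autorun] that would run code.
    Keys are lowercased; section-name case and duplicate keys are tolerated
    because malicious files are rarely tidy."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      allow_no_value=True)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in EXEC_KEYS or SHELL_COMMAND.match(key):
                hits.append((key, (value or "").strip().strip('"')))
    return hits

def triage(inf_text, policy, drive_type_bit=REMOVABLE):
    execs = parse_autorun_inf(inf_text)
    if not execs:
        verdict = "no executable directive"
    elif autorun_blocked(policy, drive_type_bit):
        verdict = "payload present but AutoRun blocked by policy"
    else:
        verdict = "launches on insertion"
    return {"would_execute": execs, "verdict": verdict}

# Constructed sample: hides the binary in a RECYCLER-style folder and hooks
# both AutoRun and the Explorer "Open"/"Explore" actions, as USB worms of
# the period did.  Raw string, so the backslashes survive.
SAMPLE_INF = r"""
[AutoRun]
; looks like a harmless folder shortcut to the user
open=RECYCLER\S-1-5-21-0000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-0000\update.exe
shell\explore\command=RECYCLER\S-1-5-21-0000\update.exe
"""

if __name__ == "__main__":
    for name, policy in (("XP default", XP_DEFAULT), ("hardened", HARDENED)):
        print(name, hex(policy), triage(SAMPLE_INF, policy)["verdict"])
        print("  AutoRun still enabled for:", drives_still_autorunning(policy))
```

On a drive image or a mounted stick, feed the contents of its root autorun.inf to triage() together with the NoDriveTypeAutoRun value of the machine it was plugged into; anything the parser reports under "would_execute" is what to pull for analysis. Later Windows releases stopped honoring autorun.inf on USB mass storage entirely, which is the real fix for the failure mode in this item.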
--Cross-Site Scripting Flaw in Facebook
(May 23, 2008)
A cross-site scripting vulnerability in Facebook could be exploited to
steal users' login credentials and take control of their accounts.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9088940&source=rss_topic17
http://www.informationweek.com/blog/main/archives/2008/05/facebook_vulner.html
[Editor's Note (Skoudis): Cross-Site Scripting (XSS) flaws are a plague.
I've been working a lot lately on analyzing how network penetration
testing and web app pen testing can be folded together to exploit
vulnerabilities in a much more powerful way than either could
separately. In this work, I've seen that XSS and SQL injection are
incredible vectors for such combined attacks. Although a flaw in
Facebook or related sites may seem less than important to most
enterprises, if unpatched, it could lead to bigger attacks inside your
enterprises by exploiting browsers that access such sites.
(Ullrich): Preventing cross-site scripting in sites like Facebook is
hard work, in part because preventing cross-site scripting also stops
users from taking advantage of the HTML markup capabilities they are
used to and which are part of the site.]
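The tension Ullrich describes, letting users post markup while keeping script out, is normally resolved by parsing the HTML and rebuilding it from an allow-list rather than by escaping everything or filtering known-bad strings. The sanitizer below is an added example written for this item; it is not code from the newsletter, from Facebook, or from any library, and the tag set, attribute set and URL schemes are choices made for the illustration. It handles the usual bypasses a blacklist misses: event-handler attributes on allowed tags, javascript: URLs (including tab-obfuscated ones), tags smuggled in comments, and unclosed tags that would otherwise swallow the rest of the page.

```python
"""Allow-list HTML sanitizer for user-supplied markup.  Added example (not
from the newsletter, Facebook or any library): keeps the few tags a social
site wants its users to have and turns everything else into inert text."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # never on*, style, src, ...
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_href(value):
    """True only for an absolute URL with an allow-listed scheme.  Browsers
    drop tabs/newlines before parsing, so 'java\\tscript:' must be judged
    as 'javascript:'; stripping control characters first mirrors that."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.open_tags = []  # allowed tags awaiting a close tag

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: render its source as visible text, never as markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                       # drops onclick=, style=, ...
            if name == "href":
                value = "".join(ch for ch in value if ord(ch) > 0x20)
                if not safe_href(value):
                    continue                   # drops javascript:, data:, ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
            if tag not in VOID_TAGS:
                self.handle_endtag(tag)
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape("</%s>" % tag))
        elif tag in self.open_tags:
            # Close anything opened after it so the output nests properly.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break
        # A stray close tag with no matching open tag is dropped.

    def handle_data(self, data):
        self.out.append(escape(data))          # includes <script> bodies

    def handle_comment(self, data):
        pass   # comments, declarations and <?pi?> carry no user value

    handle_decl = handle_pi = unknown_decl = handle_comment

def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    while p.open_tags:                      # unclosed <b> etc. at end of input
        p.out.append("</%s>" % p.open_tags.pop())
    return "".join(p.out)
```

Run sanitize() on the fragment at the point it is stored or rendered, and keep the rest of the page's output escaping in place for everything that is not user markup. Because the item's scenario is account takeover, pair this with HttpOnly session cookies so that a script which does slip through cannot simply read the session.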
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Stolen Bank of Ireland Laptops Held Other Banks' Info, Too
(May 25, 2008)
It has recently come to light that the four Bank of Ireland laptop
computers reported stolen in April contained not only account details
for 31,500 of its own Bank of Ireland Life customers, but also details
for 1,500 customers of other banks, including AIB, Ulster Bank and
National Irish Bank. It is not unusual for the bank to hold account
information from other banks, as some customers make payments by direct
debit from accounts held elsewhere.
http://www.thepost.ie/ezineSBP/story.asp?storyid=33180
--Doctor Resigns After Donated Computer Compromises Patient Data
(May 20 & 25, 2008)
A Jacksonville, Florida physician has resigned from his position after
learning that a used computer he gave to a family he was acquainted with
contained sensitive patient data. Dr. Francis D. Ong was an assistant
professor of plastic surgery at the University of Florida College of
Medicine's Jacksonville campus; he had used the machine to store
patient pictures and identifying data, including names and Social
Security numbers (SSNs). The computer has been recovered and all
affected patients have been notified of the incident. The family that
received the computer says they never viewed the information. They also
replaced the operating system, resulting in the loss of most of the
data.
http://www.theledger.com/article/20080525/NEWS/805250381/0/FRONTPAGE
http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html
MISCELLANEOUS
--TJX Fired Employee for Making Posts About Lax Security
(May 23 & 26, 2008)
TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx
store for making posts to a forum about the company's lax security
practices, even after the notable breach. The employee, Nick Benson,
said in several posts that except for a period of time following the
breach disclosure when a strong password policy was enforced, the
employee password at his store's server was set to blank. In addition,
at one point a store server was running in administrator mode. When
Benson began work at TJX, his password was the same as his user name.
TJX says Benson was fired for disclosing confidential company
information.
http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html
http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111
[Editor's Note (Schultz): Once again TJX is proving itself to be a
villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls
store, but I always pay cash--I would never use a credit card because
of TJX's huge security deficiencies. And if Nick Benson reads this
comment, I would encourage him to contact me, because I will do
everything in my power to help him find another job.]
UPCOMING SANS WEBCAST SCHEDULE:
WhatWorks in Intrusion Prevention and Detection: Peering Deeply into the
Network at Weill Cornell Medical College
WHEN: Wednesday, May 28, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ben Nathan & Weill Cornell Medical College
http://www.sans.org/info/27129
Sponsored By: Sourcefire http://www.sourcefire.com/
An inability to see deep inside its network to determine security
weaknesses and other potential concerns prompted Weill Cornell Medical
College to seek an intrusion detection system. The SNORT rules community
helped to put Sourcefire at the top of the pile, but it was the RNA
(Real-time Network Awareness) option, which provides even greater
insight and reduces false positives, that closed the deal.
SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
http://www.sans.org/info/27139
Sponsored By: Core Security http://www.coresecurity.com/
Ever want to pull a chair up to the SANS lunch table? Here's your chance
to get some virtual face time with three of the "cool kids" from SANS
as they discuss the latest topics on the information security threat
horizon, including new attacks to look out for and what to do about
them.
Tool Talk Webcast: Log Management: No Longer Optional - How to Choose the
Right Tool for the Job
WHEN: Tuesday, June 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Andrew Hay
http://www.sans.org/info/28704
Sponsored By: Q1 Labs http://www.q1labs.com/
Both network and security professionals agree - a log management
solution is no longer optional. It's now a required tool in their
arsenal. Unfortunately, many of their log management projects have
failed because the solution they chose was unable to support the size
and scope of the deployment and/or effectively deliver useful results.
During this webcast Andrew Hay will discuss important considerations
when selecting and deploying a log management solution for your
organization and how to avoid some of the pitfalls.
SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
http://www.sans.org/info/28709
Sponsored By: LogLogic http://www.loglogic.com/
The fourth annual Log Management Survey will compare and contrast how
respondents use their log data, their challenges, and what they hope to
derive out of their log data in the future.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkg8FVYACgkQ+LUG5KFpTkboVACeL33GSjP3LTQ08jXhMHqwKlgU
tcwAn32Nbp9jdUpLpN8sOvrSSgWQNZqk
=JYgW
-----END PGP SIGNATURE-----