From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jun 06 2008 - 14:13:44 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Next Wednesday is the deadline for early registration discounts for
SANSFIRE 2008 (July 22-31) - the only Washington DC program where seats
are still available (but not many) for the new Penetration Testing
courses. Also Security Essentials, CISSP Prep, Hacker Techniques,
Forensics, Auditing and 21 other courses: http://www.sans.org/sansfire08
Alan
*************************************************************************
SANS NewsBites June 6, 2008 Vol. 10, Num. 45
*************************************************************************
TOP OF THE NEWS
Software Update Caused Emergency Shutdown at Nuke Plant
Number of Identity Theft Reports Unaffected by Breach Notification Laws
UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare
Identified as Source of Data Leak
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Walter Reed Breach Might Be Due to P2P Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
June's Patch Tuesday Will Offer Seven Microsoft Security Bulletins
Update Available to Address ActiveX Flaws in HP Instant Support
Sun Microsystems Releases Fixes for Six Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen AT&T Laptop Holds Unencrypted Management Compensation Data
Stolen Computer Holds Canadian Farmers' Data
Metasploit Briefly Affected by ARP Cache Poisoning Attack
MISCELLANEOUS
BT's Secret Phorm Trial Caused Some Browsers to Crash
Study Tracked People by Cell Phone for Six Months
China's Golden Shield Surveillance Society
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Number of Identity Theft Reports Unaffected by Breach Notification Laws
(June 5, 2008)
A study conducted by researchers at Carnegie Mellon University found
that data breach notification laws in the US have not reduced the number
of reported cases of identity theft. The research was based on data
supplied by the Federal Trade Commission (FTC). Forty-three states have
enacted data breach notification laws over the last five years, but
according to a state-by-state analysis, they have had no effect on
reports of identity theft made to the FTC. Gartner's Avivah Litan notes
that while reports of data breaches are becoming more prevalent in the
news, the laws have prompted some organizations to focus on compliance
instead of security, so that they may pass an audit, but not be in step
with the spirit of the law. Researchers acknowledge that their data
sample is incomplete and based on a self-selecting population.
http://www.csoonline.com/article/383313/Researchers_Notification_Laws_Not_Lowering_ID_Theft
http://www.theregister.co.uk/2008/06/05/breach_disclosure_effects/print.html
[Editor's Note (Paller): What a silly study. It measures the wrong
outcome. What matters about data breach notification is what it does
to the quality of defenses. As many security officers will testify,
mandatory data breach notification has been the catalyst that allowed
them to implement far better defenses. Gartner's John Pescatore said it
best (in NewsBites earlier this week): "turns out that the power of bad
press is very impressive."
(Schultz): From a scientific perspective, this study is badly flawed.
Unfortunately, many players in the information security community have
not had much scientific training, and are thus, unfortunately, likely
to accept the results of and conclusions from this study at face value.
Additionally, Litan's comments are unsupported by scientific data.
Consequently, I urge readers to interpret all statements in this news
item as speculative, not factual.
(Kreitner): I'm hoping to live long enough to see greater realization
that pursuing compliance as an end in itself is hypocrisy. Instead, I'd
like to see us track trends in security outcomes in terms of frequency
and impact of security incidents and then work back upstream in the
process chain to correlate those incidents with use or non-use of
various security practices. Only then will we have a rational basis for
informing our security.]
--UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare
Identified as Source of Data Leak
(June 2 & 4, 2008)
United Healthcare has been pinpointed as the source of the data leak
that exposed personally identifiable information of 1,132 University of
California Irvine (UCI) graduate students. The breach affects UCI
graduate students who used the UCI Graduate Student Health Insurance
program. The breach came to light in February, 2008 when a number of
students attempted to file their tax returns electronically only to be
informed by the IRS that their returns had already been filed and their
refunds collected. All 155 people who experienced the problem used the
aforementioned healthcare program; the breach affects students enrolled
in the program for the 2006-2007 academic year.
http://www.newuniversity.org/main/article?slug=identity_thefts_traced_to156
http://www.csoonline.com/article/381513/UnitedHealthcare_Data_Breach_Leads_To_ID_Theft
[Editor's Note (Northcutt): The worst thing about this kind of security
flaw is that it messes with people's lives.]
--Software Update Caused Emergency Shutdown at Nuke Plant
(June 5, 2008)
Flaws in a software update caused the Hatch nuclear power plant in
Baxley, GA to shut down in early March of this year. The software
update was made on just one computer on the plant's business network.
That computer monitors chemical and diagnostic data from one of the
plant's primary control systems. A spokesperson said the emergency
system reacted as it was designed to and that the security and safety
of the plant were never in danger. Although technicians knew of the
two-way communication between some computers on the corporate and
control networks, the engineer who installed the update was not aware
that a reboot on the corporate side would force a reset on the control
side. Network connections between the affected servers have since been
severed.
http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958_pf.html
[Editor's Note (Northcutt): Not terribly amazing, nor is this the first
time: http://www.cdi.org/nuclear/kurchatov.cfm
http://findarticles.com/p/articles/mi_m1511/is_n5_v17/ai_18199114
http://www.nbcsandiego.com/news/15415516/detail.html ]
********************** SPONSORED LINK *********************************
1) Upcoming SANS webcast on June 17 at 1pm EDT. Tool Talk Webcast: A
Million Little Pieces: Detecting Fraudulent Transactions, Register
Today. http://www.sans.org/info/29434
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Walter Reed Breach Might Be Due to P2P Software
(June 3, 2008)
A message briefly posted to the Walter Reed website suggests that the
data security breach at Walter Reed Army Medical Center may be due to
P2P applications. The breach exposed personally identifiable
information of approximately 1,000 patients, although no medical
information was exposed. Col. Patricia Horoho, commander of the Walter
Reed Health Care System, posted a message that said "I need everyone to
ensure that they are not loading or downloading programs that are not
authorized by the command as it increases our vulnerability and possibly
can cause a breach in protected information being shared." The message
is no longer up on the site.
http://www.darkreading.com/document.asp?doc_id=155501
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316003,00.html
http://www.roseindia.net/community/spyware/dangers_of_peer_to_peer_systems.shtml
http://www.fbi.gov/cyberinvest/cyberedletter.htm
http://weblog.infoworld.com/securityadviser/archives/Fixing_the_Internet_Final.pdf
[Editor's Note (Northcutt): The cost of monitoring software is so very
low, this cannot be excused. P2P really does not have a place at work,
we need to get serious and start taking some of the lowest hanging fruit
off the table, else the Internet (due to the state of the endpoints)
can truly be considered to be broken.
(Veltsos): For those in law enforcement or government, the free tool P2P
Marshall will detect the use of P2P clients and report which files were
shared. http://p2pmarshal.atc-nycorp.com/index.html
(Kreitner): Rather than this sort of plea from management which probably
does little to change behavior, I much prefer the approach the US Air
Force has taken with over 500,000 of its Windows desktops: remove local
admin rights from normal users to restrict installation of software not
included in the enterprise standard software image for that platform.
It's about stabilizing the technology by putting up an electric fence
to control who can change what.
(Grefer): A screenshot is available at
http://security.blogs.techtarget.com/files/2008/06/walterreed.JPG ]
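A concrete form of the low-cost monitoring Northcutt refers to, as an added example that is not from the newsletter or from any of the tools it links: a network-side check run over constructed firewall log lines that flags internal hosts using the default ports of common file-sharing clients, plus a fan-out heuristic for hosts talking to many distinct outside peers on high ports. The log format, host addresses and thresholds are assumptions made for the demonstration; the port numbers are the well-known client defaults and nothing more, since any client can be reconfigured, which is why the fan-out check is there and why Kreitner's endpoint control is the stronger fix.

```python
"""Added example, not from the NewsBites item: a small network-side check
for P2P file-sharing activity, run over constructed firewall log lines.
Port numbers are the well-known defaults of common clients; the log
format, hosts, addresses and threshold are assumptions for the demo."""
import re
from collections import defaultdict

# Default listening ports of common file-sharing clients (defaults only;
# users can and do change them, so this catches the careless case).
P2P_PORTS = {
    "bittorrent": set(range(6881, 6890)),
    "gnutella": {6346, 6347},
    "edonkey": {4662, 4672},
}

# Assumed log line shape: "... src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def is_internal(ip: str) -> bool:
    """Assumed internal range for the demo: 10.0.0.0/8."""
    return ip.startswith("10.")


def classify_port(port: int):
    """Name of the P2P protocol whose default port this is, or None."""
    for name, ports in P2P_PORTS.items():
        if port in ports:
            return name
    return None


def analyze(lines, fanout_threshold=20) -> dict:
    """Return {internal_host: set(reasons)} for outbound connections only."""
    findings = {}
    peers = defaultdict(set)          # internal host -> distinct external peers on high ports
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not is_internal(src) or is_internal(dst):
            continue                  # only internal -> external flows matter here
        proto = classify_port(dport)
        if proto:
            findings.setdefault(src, set()).add(f"{proto} default port {dport}")
        if dport > 1023:
            peers[src].add(dst)
    # Swarm-style fan-out: one host, many distinct peers, unprivileged ports.
    for host, ps in peers.items():
        if len(ps) >= fanout_threshold:
            findings.setdefault(host, set()).add(
                f"{len(ps)} distinct external peers on high ports")
    return findings


def sample_logs() -> list:
    """Constructed log lines (RFC 5737 documentation addresses for the outside)."""
    lines = [
        "2008-06-03T10:01:02 fw ALLOW tcp src=10.1.2.3:51234 dst=203.0.113.9:6881",
        "2008-06-03T10:01:05 fw ALLOW tcp src=10.1.2.3:51235 dst=198.51.100.4:6882",
        "2008-06-03T10:02:00 fw ALLOW tcp src=10.1.2.5:51300 dst=203.0.113.20:443",
        "2008-06-03T10:02:01 fw ALLOW tcp src=203.0.113.21:443 dst=10.1.2.5:51301",
    ]
    # One host reaching 25 different outside peers on unremarkable high ports.
    for i in range(25):
        lines.append(f"2008-06-03T10:03:{i:02d} fw ALLOW tcp "
                     f"src=10.1.2.4:{40000 + i} dst=192.0.2.{i + 1}:{20000 + i * 7}")
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(analyze(sample_logs()).items()):
        print(host, "->", "; ".join(sorted(reasons)))
```

Run against real flow or firewall exports, the same two checks are what a cheap monitor gives you: the port match is precise but easy to evade, the fan-out count is harder to evade but needs tuning per site (mail relays and monitoring hosts also fan out), so treat hits as leads to confirm on the endpoint rather than as proof.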
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--June's Patch Tuesday Will Offer Seven Microsoft Security Bulletins
(June 5, 2008)
Microsoft's June Patch Tuesday will comprise seven security bulletins.
Three of the bulletins have maximum severity ratings of critical; those
bulletins address vulnerabilities in Bluetooth, Internet Explorer, and
DirectX. Three others have maximum severity ratings of important and
address flaws in WINS, Active Directory, and PGM. The seventh bulletin
has a maximum severity rating of moderate and is a kill bit update. All
seven bulletins are slated for release on Tuesday, June 10.
http://news.cnet.com/8301-10789_3-9959752-57.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9093958&intsrc=hm_list
http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
--Update Available to Address ActiveX Flaws in HP Instant Support
(June 4, 2008)
HP has released an upgrade to address ActiveX remote code execution
flaws in HP Instant Support, an application that comes preinstalled on
HP PCs. HP Instant Support allows automatic updates to the PCs' drivers
and software. The vulnerability affects HP Instant Support
HPISDataManager.dll versions 1.0.0.22 and earlier running on Windows
machines; users are urged to upgrade to version 1.0.0.24.
http://www.theregister.co.uk/2008/06/04/hp_support_app_multiple_vulns/print.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264
--Sun Microsystems Releases Fixes for Six Vulnerabilities
(June 4, 2008)
Sun Microsystems has released a software update and workarounds for half
a dozen vulnerabilities in versions 4.0.2 and earlier of its Sun Java
System Active Server Pages. The vulnerabilities could be exploited to
let attackers log on, gain root access, look at and delete files and
execute arbitrary code.
http://www.gcn.com/online/vol1_no1/46395-1.html?topic=security&CMP=OTC-RSS
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Stolen AT&T Laptop Holds Unencrypted Management Compensation Data
(June 5, 2008)
A laptop stolen on May 15 from an AT&T employee's car contains
unencrypted "AT&T management compensation information, including names,
Social Security numbers (SSNs), and [some] salary and bonus
information." Affected employees were notified eight days after the
theft. The breach affects people throughout the US.
http://www.networkworld.com/community/node/28453
--Stolen Computer Holds Canadian Farmers' Data
(June 5, 2008)
A laptop stolen from a programmer working for the Canadian Canola
Growers Association contains personally identifiable information of
approximately 32,000 Canadian farmers. The compromised data include
bank account numbers and social insurance numbers of farmers who have
applied for Agriculture Canada's advance payment programs. Those
affected by the breach have been notified by letter. Security measures
on the stolen laptop include strong password protection and a biometric
fingerprint reader.
http://www.cbc.ca/canada/manitoba/story/2008/06/05/canola-information.html
[Editor's Note (Veltsos): Sometimes, knowing a little about security can
be more dangerous than not knowing at all. The General Manager of the
organization was quoted as saying that the strong password and the
fingerprint reader would prohibit anyone else from accessing the data
on the laptop.]
--Metasploit Briefly Affected by ARP Cache Poisoning Attack
(June 3 & 4, 2008)
Attackers hijacked the Metasploit website for a short time on Monday
June 2, using an ARP cache poisoning attack. The attack works by sending
forged ARP replies that map the target's IP address to the hardware
address of a compromised server the attackers control; hosts on the same
network segment update their ARP caches accordingly and deliver packets
meant for the target to the attackers' server instead. All of the ARP
caches on the same network were altered as well. Metasploit creator
H.D. Moore said he addressed the problem "by setting a static ARP entry
and notifying the ISP. ...Metasploit servers were not compromised."
http://www.theregister.co.uk/2008/06/03/metasploit_hijack/print.html
http://www.heise-online.co.uk/security/Hacker-tools-website-hacked--/news/110854
http://blogs.zdnet.com/security/?p=1242&tag=nl.e550
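The mechanism described above, as an added example that is not part of the newsletter or of the Metasploit project: a forged ARP reply is built byte for byte, fed to a deliberately naive ARP cache that trusts any reply it sees (the behaviour the attack relies on), and then fed to a cache with a static entry for the same address, which is what H.D. Moore's fix amounts to. Every address, name and frame here is constructed for the demonstration.

```python
"""Added example, not from the NewsBites item or from the Metasploit
project: how an ARP cache poisoning attack rewrites a neighbour's
IP-to-MAC mapping, and why a static ARP entry stops it. All frames,
addresses and names are constructed for the demonstration."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

SERVER_IP = "10.0.0.5"              # the web server being hijacked (constructed)
SERVER_MAC = "aa:bb:cc:dd:ee:01"    # its real NIC (constructed)
ATTACKER_MAC = "de:ad:be:ef:00:01"  # attacker's box on the same segment (constructed)
VICTIM_MAC = "aa:bb:cc:dd:ee:02"    # a neighbour whose cache gets poisoned (constructed)
VICTIM_IP = "10.0.0.7"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, op=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)        # "sender_ip is at sender_mac"
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa


class ArpCache:
    """Naive cache: like most stacks it trusts any reply it sees, which is the
    weakness the attack exploits. Entries given as `static` are pinned."""

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.static = set(self.table)
        self.alerts = []

    def learn(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa = parsed
        if spa in self.static:
            if self.table[spa] != sha:
                self.alerts.append(f"{spa}: ignored reply claiming {sha} (static entry)")
            return
        old = self.table.get(spa)
        if old is not None and old != sha:
            # A mapping that flips is the signal an ARP watcher keys on.
            self.alerts.append(f"{spa}: changed from {old} to {sha}")
        self.table[spa] = sha


def demo() -> dict:
    """Poison a dynamic cache, then show a pinned cache rejecting the same frame."""
    legit = build_arp_reply(SERVER_MAC, SERVER_IP, VICTIM_MAC, VICTIM_IP)
    forged = build_arp_reply(ATTACKER_MAC, SERVER_IP, VICTIM_MAC, VICTIM_IP)  # lies about SERVER_IP

    dynamic = ArpCache()
    dynamic.learn(legit)
    dynamic.learn(forged)      # victim now sends the server's traffic to the attacker

    pinned = ArpCache(static={SERVER_IP: SERVER_MAC})
    pinned.learn(forged)       # rejected: the entry is static

    return {
        "dynamic_mac": dynamic.table[SERVER_IP],
        "dynamic_alerts": dynamic.alerts,
        "pinned_mac": pinned.table[SERVER_IP],
        "pinned_alerts": pinned.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats a practitioner would add: a static entry only protects the cache of the host it is set on (on Linux, `ip neigh add <ip> lladdr <mac> dev <iface> nud permanent`), so the upstream router's cache needs its own protection, which is why notifying the ISP mattered; and static entries do not scale beyond a handful of critical neighbours, so on a shared segment the durable fix is switch-side (dynamic ARP inspection, port isolation) plus an alert on exactly the mapping flip shown above.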
MISCELLANEOUS
--BT's Secret Phorm Trial Caused Some Browsers to Crash
(June 5, 2008)
A recently leaked report from British Telecom (BT) says that a secret
trial run of technology used by online advertising company Phorm caused
problems for some unsuspecting customers. In September and October
2006, BT allowed Phorm to deploy technology on its network that placed
JavaScript code into every web page downloaded by the 18,000 users in
the trial. The script sent data back to Phorm, allowing the company to
develop a user profile and then send that user targeted advertisements.
Some users experienced flickering problems when the script was sending
the data to Phorm, and some experienced browser crashes. In some cases,
the JavaScript appeared in the users' posts in web forums. A US ISP
is scheduled to test a similar technology, but legislators have called
for its postponement due to a possible violation of privacy laws.
http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html
--Study Tracked People by Cell Phone for Six Months
(June 4, 2008)
A study of 100,000 people's movements based on cell phone use found that
nearly 75 percent stayed within a 10-mile radius of home over the course
of six months. The study was conducted by Northeastern University in
Boston without participants' knowledge in an unnamed European country;
in the US, such a study would be illegal. The locations were noted
whenever the people sent or received a phone call or text message.
Precise locations were not known; locations were tracked through the
nearest cell phone tower. The information gathered about people's
travel patterns could be used to help design transportation systems or
predict the spread of disease.
http://news.bbc.co.uk/2/hi/science/nature/7433128.stm
http://www.msnbc.msn.com/id/24969880/
Details and related material:
http://www.iop.org/EJ/article/1751-8121/41/22/224015/a8_22_224015.pdf
http://www.nature.com/nature/journal/v453/n7196/full/nature06958.html
(full access to the nature.com article requires a fee)
--China's Golden Shield Surveillance Society
(May 29, 2008)
China is using people tracking technology developed in the US in its
"Golden Shield" high tech surveillance and censorship program, creating
a culture in which the government can track every move people make with
closed circuit TV cameras and high level facial recognition technology.
There are questions about whether or not the export of those
technologies violates a law passed shortly after Tiananmen Square that
forbids US companies to sell products in China that enable "crime
control or detection." The technologies are also used to manipulate
difficult situations, like the March protests in Tibet, so those
opposing governmental positions look bad, while the government appears
benign.
http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye/print
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Testing: vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
http://www.sans.org/info/28714
Sponsored By: Core Security http://www.coresecurity.com/
This webinar will arm you with all the necessary plans for using
penetration testing to investigate your organization's vulnerabilities,
defenses and configurations - including lab testing your processes - to
help you understand what the finished product should look like.
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/28719
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent
Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
http://www.sans.org/info/28729
Sponsored By: ArcSight http://www.arcsight.com/
Today's business is digital across the board, relying on digital
processes, communications, assets, and commerce. This has spawned a
massive increase in fraud. We read about it nearly every week, and in
almost every case, the problem seems obvious in hindsight. Societe
Generale, with $7 billion in trading fraud, is the current poster child.
Too often, fraud could have been detected and stopped if only someone
noticed the connection between several activities, each of which was
fine in isolation. Taken together, however, they paint a picture of
fraud.
SANS Special Webcast: Endpoint Security: Point-Solution or Protection
Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace http://www.coretrace.com/
Join SANS President Stephen Northcutt as he reviews the key features in
endpoint security that really matter, how to shop for the best products,
and why implementing defense in depth on your organization's endpoint
is a best practice.
Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach
Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
http://www.sans.org/info/28754
Sponsored By: Mu Security http://www.mudynamics.com/
This webcast will discuss some of the most egregious mistakes made by
enterprises and network operators who have suffered costly and/or
embarrassing security breaches.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkhJdfkACgkQ+LUG5KFpTkbWIgCfXatA3YmM6P0GzjUT7Y94J0/o
LYUAnjIKNftDygn5+qkZxoRHuJGs03Ru
=8HiT
-----END PGP SIGNATURE-----