SANS NewsBites Vol. 10 Num. 52

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 01 2008 - 12:03:34 CDT



*************************************************************************
SANS NewsBites July 2, 2008 Vol. 10, Num. 52
*************************************************************************
TOP OF THE NEWS
  More Than 630,000 Laptops Lost at Airports Each Year
  Companies Need to Invest in IT Risk Management
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Man Convicted in P2P Copyright Infringement Case
    Teen Charged in Nugache Worm Case
    City Employee Resigns After Password-Sniffing Software Found on Computer
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    US-CERT Issues IE IFrame Warning
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Bank Issues New Cards to All Affected by Hannaford Data Breach
    ICANN and IANA Domains Hijacked
    Montgomery Ward Parent Company Didn't Inform Customers of Data Breach
    Social Security Administration Exposes 20,000 Records
  MISCELLANEOUS
    Microsoft Retires Windows XP, Will Support OS Through 2014

********************** Sponsored By Sourcefire, Inc. ********************

SC Magazine Names Snort(r) "Best Network Security." Learn how Snort is
the engine powering the Sourcefire 3D(tm) System. This IPS is different
from others because it shows you everything running on your network in
real time. It also gives you context for your security events. Know more
real threats. No more wild goose chases. Call 1.800.917.4134 today.
http://www.sans.org/info/30423
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --More Than 630,000 Laptops Lost at Airports Each Year
(June 30, 2008)
A
Ponemon Institute survey of 106 airports in 46 states found that as many
as 637,000 laptops are reported lost each year. Overall, more than
12,000 laptops are reported lost at the airports every week, and 67% are
never recovered. The 36 largest US airports account for more than 10,000
lost laptops each week. The laptops are most commonly lost at security
checkpoints and departure gates. The survey also included feedback from
864 business travelers: 53% said their laptops held confidential data;
42% said their data was not backed up; 16% said they would do nothing
if they lost a laptop while traveling on business; 77% said the chance
of recovering a lost laptop was less than ten percent. The study was
commissioned by Dell, which has just released "a suite of data
protection and asset protection services," including laptop tracking and
remote data deletion.
http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9105198&source=rss_topic17
http://www.crn.com/managed-services/208801451

 --Companies Need to Invest in IT Risk Management
(June 28, 2008)
According to Information Week's 2008 Strategic Security Study, most
companies are spending as much or more on IT security than they did last
year, but 66 percent believe that their vulnerability to attacks is the
same or greater than it was before. The problem lies in the relative
lack of effective risk management practices in IT. Because it is
virtually impossible for organizations to protect their systems from
every conceivable security threat, companies would benefit from the
practice of "classifying IT assets, assigning values, evaluating
threats, then determining where and how to mitigate risk."
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800942

************************* Sponsored Links: ****************************
1) Where can you get an overview of industry "best practice" to secure
your virtual infrastructure? Find out at the Virtualization Security
Summit August 7-8 in Las Vegas.
http://www.sans.org/info/30428

2) Please visit the SANS Buyers Guide when selecting the latest in IT
security technologies.
http://www.sans.org/info/30433
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Man Convicted in P2P Copyright Infringement Case
(June 27 & 30, 2008)
Daniel Dove has been convicted on charges of conspiracy and felony
copyright infringement for operating a website where people uploaded
pirated content for others to download. The US Department of Justice
says this is the first criminal conviction for peer-to-peer copyright
infringement. According to prosecutors, Dove helped distribute the
pirated content with BitTorrent technology. He faces up to 10 years in
prison.
http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID=208801676
http://www.theregister.co.uk/2008/06/27/daniel_dove_elitetorrents_guilty_verdict/print.html
http://www.usdoj.gov/opa/pr/2008/June/08-crm-574.html

 --Teen Charged in Nugache Worm Case
(June 30, 2008)
A Wyoming teen has been charged in connection with the spread of the
Nugache worm. Nineteen-year-old Jason Michael Milmont allegedly tricked
users into allowing the worm onto their systems through IM spam and
Limewire downloads. The AIM messages contained links to sites where
people would be asked to download a file, which turned out to be
Nugache. Infected PCs were then made to send spam to all AOL Instant
Messenger contacts. The botnet was allegedly used to launch a
distributed denial-of-service attack against a California online
business. Milmont also allegedly updated the software so it logged
keystrokes and could steal sensitive financial information from the PCs'
users. Milmont faces up to five years in prison and a fine of US
$250,000, but has agreed to a plea deal under which he will pay more
than US $70,000 in restitution in return for prosecutors asking for a
lighter sentence.
http://www.jacksonholestartrib.com/articles/2008/06/30/news/wyoming/doc48656c8a93378754215938.txt
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9104838&source=rss_topic17
[Editor's Note (Northcutt): According to the Register, he wrote some
pretty nifty command and control software and had between 5 and 15k
computers under his command at any time:
http://www.theregister.co.uk/2008/06/28/nugache_creator_plea_agreement/ ]

 --City Employee Resigns After Password-Sniffing Software Found on Computer
(June 26, 2008)
Timothy Nagel resigned from his position of computer support specialist
for the city of Bowie, Maryland after a routine security sweep
discovered password-sniffing software on his computer. The program was
harvesting password data entered into City Hall computers from one of
the city network's servers. Staff members were advised to change their
passwords. A private company has been hired to investigate the breach.
http://www.gazette.net/stories/062608/bowinew173015_32357.shtml
[Editor's Comment (Northcutt): I *think* I found an eight year old
resume for him, though there could certainly be more than one Timothy
Nagel in Bowie. I like to see if I can find any hints of trouble and in
this case, I could not:
http://www.unimind.org/pages/Nagel_Resume4-6.doc
(Guest Editor Nichols): One of the first documents any security
professional should have on file in HR is written permission from
management to download what could be misconstrued as potentially
malicious security related programs. The second is written permission
to use them. Without adequate permissions, you set yourself up for a
situation like this to occur; and you may be breaking the law. A
production system is not a playground for testing security programs.
Use a lab environment and always CYA.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --US-CERT Issues IE IFrame Warning
(June 27 & 30, 2008)
The US Computer Emergency Readiness Team (US-CERT) has issued a
vulnerability note warning of an IFrame security flaw in several versions
of Internet Explorer. Proof-of-concept code for the flaw has been
published; the flaw is known to affect IE6, IE7 and IE8 beta 1 and can
be exploited by tricking users into visiting a maliciously crafted web
site or opening malicious email. Users are urged to disable active
scripting until a fix is available. Microsoft is investigating the
issue.
http://www.kb.cert.org/vuls/id/516627
http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=208801757

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Bank Issues New Cards to All Affected by Hannaford Data Breach
(June 30, 2008)
Portsmouth, NH-based Ocean National Bank has decided to reissue new
ATM/debit cards to all of its customers whose data were compromised in
the Hannaford Bros. supermarket chain data breach. When the bank first
learned of the breach earlier this year, it gave its customers the
opportunity to request new cards if they wanted them; however, some
customers have reported recent fraudulent charges, so the bank plans to
reissue cards to all of the approximately 7,000 affected customers. The
bank has sent letters to the customers notifying them of the decision.
Ocean National Bank has branches in New Hampshire and Maine.
http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20080630/BIZ/80630032/-1/NEWS19

 --ICANN and IANA Domains Hijacked
(June 30, 2008)
A Turkish hacker group managed to hijack domains used by the Internet
Corporation for Assigned Names and Numbers (ICANN) and the Internet
Assigned Numbers Authority (IANA) for a short period of time late last
week. The DNS records for the websites were changed to point to the
group's own site. The ICANN problem was addressed in less than half an
hour, but it took a day or two for the fix to make it through DNS
servers around the world.
http://news.cnet.com/8301-10789_3-9980713-57.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.heise-online.co.uk/security/ICANN-and-IANA-domains-hijacked--/news/111026

 --Montgomery Ward Parent Company Didn't Inform Customers of Data Breach
(June 27, 2008)
The credit card information of at least 51,000 people who purchased
items from Wards.com was compromised late last year, but customers were
never informed of the breach. The data thieves stole the information
from a database belonging to Direct Marketing Services, Inc., which
bought the Montgomery Ward name in 2004, several years after the company
went out of business. Direct Marketing Services apparently followed
guidelines from Visa on how to respond to a data breach, which included
informing the payment processor and Visa and MasterCard and filing a
report with the US Secret Service. However, it appears the guidelines
did not include informing affected consumers, despite the fact that most states
have data breach notification laws on the books. The company now says
it plans to inform customers of the breach.
http://www.cbsnews.com/stories/2008/06/27/tech/main4215439.shtml?source=RSSattr=SciTech_4215439
http://www.scmagazineus.com/Report-Montgomery-Ward-fails-to-alert-victims-of-breach/article/111922/
[Editor's Note (Cole): Credit card theft will continue to be a problem.
Some tricks are (1) only use one card for credit card purchases on the
Internet or in stores and have a low/reasonable credit limit on it; (2)
expire your card every 3-6 months to reduce exposure; (3) look at secure
card options that generate a unique card number for every purchase. ]

 --Social Security Administration Exposes 20,000 Records
(June 26, 2008)
The personal data, including Social Security numbers (SSNs), of more
than 20,000 people were exposed after the US Social Security
Administration (SSA) mistakenly included the information on the Death
Master File (DMF), according to the agency's inspector general. The DMF
is provided to the Commerce Department's National Technical Information
Service (NTIS), where it can be purchased by the government,
investigators, credit reporting companies and others. The SSA removed
the information from the list when it learned of the error, but the
information had already been shared with others. In some cases, the
data were available for viewing on the Internet.
http://www.fcw.com/online/news/152975-1.html?type=pf
[Editor's Note (Pescatore): This is one of those "data quality"
incidents, not really a security issue, sort of like when the fortune
cookie company put the risqué fortunes into the wrong fortune cookies.
The SSA has had a phenomenally good security record over the years, and
consistently high FISMA grades as a consequence of their strong security
program. ]

MISCELLANEOUS
 --Microsoft Retires Windows XP, Will Support OS Through 2014
(June 30, 2008)
As of July 1, Microsoft will no longer be making its Windows XP
operating system available to computer makers or consumers. XP will
still be made available to small, independent computer makers through
July 2009, and to manufacturers of low cost computers such as Asus until
2010. Some manufacturers are taking advantage of a loophole in
Microsoft's licensing agreement that allows users to downgrade to
earlier versions of operating systems at no cost. The decision to
discontinue XP has met with protests from users who are unhappy with
Windows Vista. In response, Microsoft has recently announced that it
will support Windows XP through 2014.
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=208801694
[Editor's Note (Northcutt): When I was doing the research for my
Endpoint security webcast I came to realize that we are pretty much down
to whitelisting technology as our last line of defense and that there
was essentially no possibility for the "average Joe" to secure their
home user and small office endpoint systems. I realize Microsoft is
totally dominant, but if they keep misplaying their hand, I would not
be surprised to see more and more people take a look at an alternative
such as Ubuntu:
https://www.sans.org/webcasts/show.php?webcastid=91963
http://www.ubuntu.com/ ]

In our last issue, Stephen Northcutt pointed out that terminating an
employee with privileged access is a tough problem and asked for your
suggestions. We want to thank Raymond Parks, Joona Airamo, Jay Libove
and Jeffery Williams for their input which is summarized below:

1. The possibility of damage from the individual must be considered in
deciding when to revoke privileges - the greater their capacity to do
damage, the sooner privileges should be revoked, up to the point that
they are told of being fired.

2. The security staff should pay special attention and possibly expand
their checks when something like this is about to happen - again
depending upon the capacity for damage of the to-be-fired individual.
The security staff needs to think of what the individual leaving could
do and put in place mechanisms to detect all of those malicious
activities.

3. The confidentiality of the personnel action is critically important -
there should be no leaks in advance of notifying the individual.

4. Conversely, the individual should not find out they're fired when
their password no longer works. The individual will quickly deduce what
has happened and management will have squandered any chance of
transition help. What's more, revocation of privileges may not be
complete in time to prevent the individual from getting around that
first unintentional notice.

5. The need for careful timing of announcement with privilege
revocation can mean that others who need to take action need to have the
tools, processes, and manning to do so on very short notice.

6. If there needs to be a transition period with knowledge transfer -
then access can only be granted under two-person control. The person
overseeing the individual leaving must be carefully instructed about the
need for maintaining that control and must be able to detect malicious
actions.*

7. If there is any chance the employee had access to production
systems, checking for logic bombs is recommended.

8. You may need to consider changing all passwords. The admin would
have had access to all password hashes. This would allow them to brute
force attack them to derive original passwords. If you have LANMAN
enabled, this will happen quickly. With Rainbow tables (pre-computed
hashes), the weaknesses in the MD4 algorithm used in the NT hash will
also allow those hashes to be derived in fairly short order. This attack
vector should be considered if an admin leaves and there is any doubt
or suspicion.

9. In Europe, due to privacy laws you may not be able to inspect
removable media when the admin is leaving. It may be best to jointly
destroy any removable media or to ask permission to search it. In
Europe you also need to consider the person's right to privacy with
regards to the reason they are leaving the organisation. It is
therefore critical that there are no leaks/rumours regarding the
person's termination outside of the key people involved in the process.
As a European organisation you can only search removable media
belonging to the organisation and not personal media such as MP3
players, USB keys, etc., that are the individual's private property.

10. Consider a password management system for privileged users such as
Cyber-Ark, PowerBroker or BeyondTrust.

11. If you are using full disk encryption consider re-encrypting
sensitive data with a different key.

12. Even an imperfect policy, properly followed, is better than no
policy.

13. The termination process should include physical security whereby the
member of staff is physically escorted from the premises to ensure they
do no harm and that security guards are briefed and instructed to
prevent the person entering the premises again.

*Long ago, I was asked whether having a security policeman watching over
the shoulder of the person modifying the security alarm system was
two-person control - I suggested that would only work if the SP knew
enough to do the work of the alarm technician. Otherwise, the observer
was useless to prevent malicious activity by the alarm technician.
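As an added example (not part of the newsletter or of the readers' submissions it summarises), the following Python script applies points 2 and 4 above: given the instant each departed account's access was revoked, it scans authentication log lines for any use of those accounts after that instant, so that an incomplete revocation is detected rather than discovered by the individual. The account names, revocation times and sshd-style log lines are all constructed for illustration.

```python
"""Flag use of a departed privileged account after its access was revoked."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed: departed accounts and the instant (UTC) their access was revoked.
# svc_backup is a shared service account whose password the departed admin knew;
# disabling the admin's own login does not revoke that knowledge, so it is watched too.
REVOKED_AT: Dict[str, datetime] = {
    "jdoe": datetime(2008, 6, 30, 14, 0, tzinfo=timezone.utc),
    "svc_backup": datetime(2008, 6, 30, 14, 0, tzinfo=timezone.utc),
}

# Constructed sshd-style log lines: timestamp, host, outcome, method, user, source.
SAMPLE_LOG = """\
2008-06-30T13:55:02Z fileserver01 sshd: Accepted publickey for jdoe from 10.1.2.3
2008-06-30T14:10:41Z fileserver01 sshd: Accepted password for jdoe from 10.1.2.3
2008-06-30T14:12:07Z dbserver02 sshd: Failed password for jdoe from 10.1.2.3
2008-06-30T15:03:19Z dbserver02 sshd: Accepted password for svc_backup from 198.51.100.7
2008-06-30T15:30:00Z fileserver01 sshd: Accepted publickey for asmith from 10.1.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Finding:
    user: str
    host: str
    outcome: str          # "Accepted" or "Failed"
    src: str
    seconds_after: float  # seconds between revocation and the event


def parse_ts(text: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_revocation_auth(log_text: str, revoked_at: Dict[str, datetime]) -> List[Finding]:
    """Return every auth event for a revoked account at or after its revocation time."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in revoked_at:
            continue  # not an auth event, or not an account being watched
        delta = (parse_ts(m["ts"]) - revoked_at[m["user"]]).total_seconds()
        if delta >= 0:
            findings.append(Finding(m["user"], m["host"], m["outcome"], m["src"], delta))
    return findings


def revocation_status(findings: List[Finding]) -> Dict[str, str]:
    """Per account: a successful login after revocation means the revocation was
    INCOMPLETE somewhere; failures alone mean access was ATTEMPTED but held."""
    status: Dict[str, str] = {}
    for f in findings:
        if f.outcome == "Accepted":
            status[f.user] = "INCOMPLETE"
        else:
            status.setdefault(f.user, "ATTEMPTED")
    return status


if __name__ == "__main__":
    hits = find_post_revocation_auth(SAMPLE_LOG, REVOKED_AT)
    for f in hits:
        print(f"{f.outcome:8} {f.user:12} on {f.host} from {f.src} {f.seconds_after:.0f}s after revocation")
    print(revocation_status(hits))
```

Any account reported as INCOMPLETE still has a working credential on the host named in the finding; a review of that host's accounts, keys and shared passwords is the follow-up.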

---end---

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, authors the critical vulnerabilities section of
the SANS Institute's weekly RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
