SANS NewsBites Vol. 10 Num. 69

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Sep 02 2008 - 12:30:51 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tomorrow (September 3) is the last day to avoid a late payment charge
for SANS Network Security (the largest fall security conference) in Las
Vegas.
http://www.sans.org/ns2008

*************************************************************************
SANS NewsBites September 2, 2008 Vol. 10, Num. 69
*************************************************************************
TOP OF THE NEWS
  Calif. Lawmakers Approve Strict Data Protection Law
  Army Issues Request for Information About Industry Data Protection
  Volume of Internet Traffic Through US is Diminishing
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Dubai Court Gives Man Three Months in Jail for Breaching UN
       Employee's eMail Account
    Computer Sold on eBay Holds Personal Data; One Person Arrested
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Man Arrested for Streaming Unreleased Guns N' Roses Songs
  SPAM, PHISHING & ONLINE SCAMS
    Spam Pretends to be About Undeliverable FedEx Package
  COMPROMISES & BREACHES
    Suspected Breach at Unnamed National Retailer Under Investigation
  ATTACKS
    Info Stolen from US ATMs Used to Make Phony Cards Being Used in UK
  STUDIES AND STATISTICS
    Offshore Outsourcing Affects IT Workers More Than Others
  MISCELLANEOUS
    Russian Opposition Website Owner Killed
    Companies Take Steps to Prepare for Gulf Coast Disaster
    Device Steals Data from Cell Phones and PDAs

************** Sponsored By SANS Control Systems Summit ****************
How is my Control System vulnerable? How are attackers penetrating my
defenses? How can I mitigate this threat? These are some of the topics
of the Process and Control and SCADA Summit. Learn what commercial and
governmental solutions are available and how others have used them.
September 8-9 - Amsterdam, NL.
http://www.sans.org/info/32634
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Calif. Lawmakers Approve Strict Data Protection Law
(August 31, 2008)
State legislators in California have almost unanimously approved a bill
that would require retailers to employ stringent data protection methods
if they retain customers' personal information. The bill refers
specifically to credit and debit card numbers, verification codes and
personal identification numbers (PINs). Firms choosing to retain the
financial data would be required to follow security guidelines set by
the credit card industry. These include limiting access to the data to
only those who need it to do their jobs. Firewalls would need to be
bolstered and all data would need to be encrypted when it is sent over
public networks. A similar bill was vetoed by the governor last year.
The new version has removed a provision that would have held the
companies liable for the cost of replacement credit and debit cards in
the event of a breach. The new version requires that the companies bear
the cost of notifying customers affected by breaches.
http://www.mercurynews.com/breakingnews/ci_10351650
[Editor's Note (Veltsos): In May 2007, Minnesota became the first US
state to pass a bill requiring compliance with the core requirements of
the Payment Card Industry's Digital Security Standards for companies
with over 20,000 transactions per year. The liability portion of the
bill, which became effective on August 1, 2008, holds companies that
were not in compliance responsible for costs incurred to issue new
cards.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020923
https://www.revisor.leg.state.mn.us/laws/?id=108&year=2007&type=0]

 --Army Issues Request for Information About Industry Data Protection
(August 28 & September 1, 2008)
The Program Executive Office for Enterprise Information Systems and the
Assistant Secretary of the Army for Acquisition, Logistics and
Technology has issued a request for information about the techniques and
procedures private industry uses to protect sensitive data. Army
officials want the information so they can include specific language
about data security in future acquisition orders.
http://www.fcw.com/online/news/153643-1.html
http://www.fcw.com/online/news/153662-1.html
https://www.fbo.gov/index?s=opportunity&mode=form&id=66db1462de18d0b15e1c8a10fdfb7383&tab=core&_cview=0

 --Volume of Internet Traffic Through US is Diminishing
(August 30, 2008)
As other countries invest more and more in next generation Internet
technology, the flow of Internet traffic through the US has begun to
lessen. Traffic routed largely through the US appeared to be a boon to
US intelligence; some countries, wary of the erosion of privacy in the
US as evidenced by the passage of the Patriot Act, began to look for
ways to avoid storing customer data on US systems and to prevent
Internet traffic from passing through US-based switching equipment. In
addition, countries have started to develop their own data networks for
economic reasons.
http://www.nytimes.com/2008/08/30/business/30pipes.html?_r=2&oref=slogin&adxnnlx=1220288467-RTpZWRCL6wK%2001BeAvKejw&pagewanted=print

*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Dubai Court Gives Man Three Months in Jail for Breaching UN
Employee's eMail Account
(September 1, 2008)
A Dubai court has sentenced a man who worked as a secretary for a United
Nations employee to three months in jail for accessing her email
account, stealing her credit card information and sending her
threatening messages from a second email account of hers that he had
also broken into. The man, who is Egyptian, will be deported once he
completes his sentence.
http://www.gulfnews.com/nation/Police_and_The_Courts/10241859.html

 --Computer Sold on eBay Holds Personal Data; One Person Arrested
(August 27 & September 1, 2008)
The hard drive of a computer recently sold on eBay for GBP 6.99 (US
$12.59) was found to contain personally identifiable information of
thousands of Charnwood (UK) Borough Council taxpayers dating back to
2002. The individual who purchased the computer says the information
has not been shared with anyone else and is cooperating with police. A
criminal investigation into the incident has been launched and one
person has been arrested.
http://www.northumberlandgazette.co.uk/latest-national-news/Arrest-made-over-%20-eBay-computer.4439016.jp
http://news.bbc.co.uk/2/hi/uk_news/7583985.stm
http://www.dailymail.co.uk/news/article-1049413/New-data-blunder-details-thousands-council-taxpayers-6-99-sold-eBay.html
http://www.out-law.com/page-9393
[Editor's Note (Pescatore): A good reminder to make sure you have a
process and policy for what should be done to PCs and PDAs (and even
printers these days, as lots of them have hard drives in them) before
transferring or surplusing them.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Man Arrested for Streaming Unreleased Guns N' Roses Songs
(August 28 & 29, 2008)
US Federal agents have arrested a California man for allegedly making
nine songs from Guns N' Roses' unreleased album available for streaming
on his website. Kevin Cogill appeared in court last Wednesday, where
he was not required to enter a plea and his bail was set at US $10,000.
An arrest affidavit indicates that Cogill admitted that he placed the
songs on his website. He removed the songs when lawyers for the band
complained. If he is convicted, Cogill faces up to three years in
prison and a fine of up to US $250,000. He is being charged under the
Family Entertainment and Copyright Act of 2005, "a federal anti-piracy
law that makes it a felony to distribute a copyrighted work on computer
networks before its release."
http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10529496
http://www.latimes.com/business/la-fi-music29-2008aug29,1,4801463,full.story

SPAM, PHISHING & ONLINE SCAMS
 --Spam Pretends to be About Undeliverable FedEx Package
(September 1, 2008)
Spammers have been sending out phony messages that claim to be from
FedEx regarding an undeliverable parcel. The recipients are instructed
to print an attachment that the message claims is a bill, but which is
actually a .zip archive containing malware; once run, the malware can
steal sensitive financial account information, deactivate firewalls,
and take screen shots. Spammers have also sent out similar messages
pretending to be from DHL and UPS.
http://www.allheadlinenews.com/articles/7012135991
[Editor's Note (Schmidt): This continues to erode the trust in doing
business online and taking advantage of the technology that we have come
to rely on. As long as we do not implement reliable mail authentication
we will continue to be plagued by this kind of malware. We have the
technology so why do we not deploy it?]

COMPROMISES & BREACHES
 --Suspected Breach at Unnamed National Retailer Under Investigation
(August 28, 2008)
About 1,000 customers of the Washington Trust Co. in Rhode Island have
been notified that their credit and debit card information may have been
exposed following "a suspected security breach at an unidentified
MasterCard merchant." There have been no reported instances of the
information being used to commit fraud, but the bank's policy dictates
that the affected credit cards be deactivated and new cards issued.
Washington Trust received a notice from MasterCard about the suspected
breach along with the names of 963 account holders who were potentially
affected. Other financial institutions have likely received similar
notices from MasterCard.
http://www.pbn.com/stories/34753.html

ATTACKS
 --Info Stolen from US ATMs Used to Make Phony Cards Being Used in UK
(August 28 & 29, 2008)
Conversations on "underground Internet forums" suggest that a group of
cyber criminals is using information stolen from US ATMs to clone
payment cards and is recruiting mules to go into stores in the UK to
purchase big ticket items that can be resold. Because the criminals are
not making withdrawals from ATMs, it is likely that they did not capture
the associated PINs. Cloned UK cards would not work in UK stores because
most UK cards carry a chip and terminals expect chip-and-PIN for them; a
cloned foreign card without a chip, however, leaves the retailer's
terminal no option but to rely on the data encoded on the card's
magnetic stripe.
http://www.theregister.co.uk/2008/08/29/cloned_us_atm_cards_in_uk/print.html
http://news.bbc.co.uk/2/hi/technology/7584258.stm
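
The distinction the item turns on is visible in the stripe data itself:
the three-digit service code in Track 2 tells the terminal whether the
card carries a chip (first digit 2 or 6) and whether the issuer mandates
PIN verification (third digit 0, 3 or 5). A stripe cloned from a chip card
still carries the chip card's code, so a stripe read of such a card with
no recorded fallback reason is the event worth alerting on; a genuine
non-chip foreign card produces no alert, which is exactly the gap the
mules exploit. The Python below is an added example for this page, not
code from SANS or from any card scheme; the three records are constructed
from standard test PANs and are not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 Track 2 layout: start sentinel ';', PAN, separator '=',
# expiry (YYMM), three-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; a skimmed or mis-read PAN that fails this is noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    chip_present: bool   # first digit 2 or 6: an IC is on the card and should be used
    pin_required: bool   # third digit 0, 3 or 5: issuer mandates PIN verification


def parse_track2(data: str) -> Track2:
    m = TRACK2_RE.match(data.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    svc = m["svc"]
    return Track2(m["pan"], m["exp"], svc, svc[0] in "26", svc[2] in "035")


def assess_swipe(track2: str, terminal_has_chip_reader: bool = True,
                 fallback_reason: Optional[str] = None) -> List[str]:
    """Alerts for a magnetic-stripe read at a point-of-sale terminal.

    fallback_reason is whatever the terminal logged when it dropped from chip
    to stripe (e.g. "chip read failed"); None means it never tried the chip.
    """
    t = parse_track2(track2)
    alerts: List[str] = []
    if t.chip_present and terminal_has_chip_reader:
        if fallback_reason is None:
            alerts.append("chip-capable card read by stripe with no fallback reason")
        else:
            alerts.append(f"stripe fallback on chip card ({fallback_reason}); count toward fallback rate")
    if t.pin_required:
        alerts.append("service code mandates PIN; do not approve without it")
    return alerts


# Constructed records using standard test PANs (not real accounts).
STRIPE_ONLY_CARD = ";4111111111111111=1012101000000000?"   # svc 101: no chip
CHIP_CARD = ";5500000000000004=1106201000000000?"          # svc 201: chip present
CHIP_PIN_CARD = ";4111111111111111=1012220000000000?"      # svc 220: chip, online auth, PIN

if __name__ == "__main__":
    for rec in (STRIPE_ONLY_CARD, CHIP_CARD, CHIP_PIN_CARD):
        print(rec, assess_swipe(rec))
    print(CHIP_CARD, assess_swipe(CHIP_CARD, fallback_reason="chip read failed"))
```

The service code says nothing about the issuing country; whether a card is
"foreign" comes from the BIN, which this example does not look up. What it
does give an acquirer is a per-terminal fallback rate, and a terminal whose
stripe reads of 2xx/6xx cards climb without matching chip failures is the
one to pull the receipts for.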

STUDIES AND STATISTICS
 --Offshore Outsourcing Affects IT Workers More Than Others
(August 28, 2008)
A study conducted by researchers from the New York University Stern
School of Business and The Wharton School of the University of
Pennsylvania found that offshore outsourcing affects IT workers more
than workers in other professions. An estimated eight percent of IT
workers have either lost their jobs or been forced to transfer due to
outsourcing. The practice most often affects programmers and software
developers who have little or no interaction with customers. The survey
gathered information from 6,700 workers and 3,000 hiring managers and
human resource professionals across many different professions. The
average rate of offshore outsourcing across all professions surveyed is
about 15 percent, but among the technology and telecommunications
companies, the figure is 40 percent.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113755&intsrc=hm_list

MISCELLANEOUS
 --Russian Opposition Website Owner Killed
(August 31, September 1 & 2, 2008)
Magomed Yevloyev, who owned an Internet news site that ran stories
critical of Kremlin policies, was found by the side of the road in
southern Russia with a gunshot wound to his head; he died later at a
hospital. Yevloyev had been detained by police and was in their custody
when he was killed. A court had ordered him to shut down his website,
saying he was promoting extremism; the site was taken off line but later
reappeared with a different name.
http://news.cnet.com/8301-13578_3-10029798-38.html?tag=newsEditorsPicksArea.0
http://www.themoscowtimes.com/article/1010/42/370607.htm
http://www.telegraph.co.uk/news/worldnews/europe/georgia/2663222/Russia-faces-news-Caucasus-uprising-in-Ingushetia.html
http://www.nytimes.com/2008/09/01/world/europe/01ingushetia.html?pagewanted=print

 --Companies Take Steps to Prepare for Gulf Coast Disaster
(August 29 & 30, 2008)
Four New Orleans, Louisiana-area organizations describe their disaster
recovery plans, which have been bolstered with knowledge gained from
their experience with the 2005 hurricanes that devastated the area.
Digimation Inc., a 3-D digital animation software company, employs
multiple backups, including a 1TB USB-connected drive that the last
person evacuating the premises takes along. The company's website is
also hosted far from New Orleans, as is its email server. Loyola
University has also migrated its course management system online so
students' education need not be interrupted. St. Tammany Parish
Hospital has installed a satellite communications system to ensure
better connectivity in the event of a disaster, and has moved critical
backups out of state. Their data center is in a bunker designed and
located to withstand severe weather. Tidewater, Inc., which "provides
support, assistance, boats and crews to oil and gas exploration and
productions companies," has established a redundant IT system in Dallas.
Phone companies are also taking steps to ensure that customers will have
greater connectivity than they did in 2005 in the event of another
disaster.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Disaster+Recovery&articleId=9113880&taxonomyId=151&pageNumber=1
http://news.smh.com.au/technology/phone-companies-prepare-backup-plans-for-gustav-20080830-45sf.html
[Editor's Note (Schultz): In information security, business continuity
and disaster recovery there is no greater impetus for improvement than
unexpected, gigantic incidents. Katrina resulted in substantial
improvement of disaster recovery functions in New Orleans and the
surrounding area, as evidenced by the success stories in this news
item.]

 --Device Steals Data from Cell Phones and PDAs
(August 29, 2008)
Law enforcement officers were introduced to a device that steals data
from cell phones. Called the Cell Seizure Investigator Stick, the
device can be purchased for approximately $200 plus $100 for required
software.
http://news.cnet.com/8301-1009_3-10028589-83.html?tag=mncol;title

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAki9Z6cACgkQ+LUG5KFpTkbBlgCggIVKYYO2ma5WbGB/niRD4zVv
ZGkAn29EfVg3I4ptj/xzgJ92GLkIAeuA
=jHwX
-----END PGP SIGNATURE-----