From: The SANS Institute (NewsBites sans.org)
Date: Fri Sep 19 2008 - 13:14:47 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In this morning's Washington Post, Ellen Nakashima reports on
yesterday's Congressional hearing illuminating the US government's
unwillingness to share data about actual, damaging cyber attacks.
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/18/AR2008091803730.html
At precisely the same moment that Congressional hearing was starting,
former US Under Secretary of Defense, John Hamre, now president of the
Center for Strategic and International Studies, introduced a briefing
on the US National Cyber Initiative, with the question, "How can you
expect to fix it [the cyber problem] if you don't talk about it?"
That's a very good question.
Alan
PS The experts running the Cyber Forensics Summit put together a list
of "top seven trends in forensics." Interesting: SANS Top 7 New
IR/Forensic Trends In 2008
http://forensics.sans.org/community/top7_forensic_trends.php
Data on their Summit (October 10) covering the most advanced techniques
used to analyze the Chinese and commercial attacks:
http://www.sans.org/forensics08_summit
*************************************************************************
SANS NewsBites September 19, 2008 Vol. 10, Num. 74
*************************************************************************
TOP OF THE NEWS
House Subcommittee Hears Testimony on DHS Cybersecurity Shortcomings
Proposed Legislation Would Demystify Electronic Data Border Searches
Microsoft Announces Plans to Share SDL Process
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Norwegian Tax Office Sends Taxpayer Data to Media in Error
ATF Lost 76 Weapons, 418 Laptops in Five Years
POLICY AND LEGISLATION
VULNERABILITIES
Attack Code Released for Windows Media Encoder Flaw
DATA LOSS AND THEFT
Forever 21 Acknowledges Payment Card Breach
Missing Disks Hold Unencrypted NHS Employee Data
Memory Stick Found in Street Contains NHS Mental Health Patient Data
ATTACKS
Palin's Yahoo! Account Compromised
Investigation Continues Into Source of UAE ATM Breaches
MISCELLANEOUS
SEC Announces Enforcement Action Against LPL Financial
******************** Sponsored By SANS Forensics Summit *****************
How are the latest forensic techniques used to help combat threats in
organizations today? Which products are the best in the incident
response and computer forensic community? Attend the Forensics &
Incident Response Summit October 13-14 and learn the answers to these
and other key Forensics & Incident Response questions.
http://www.sans.org/info/33329
*************************************************************************
TRAINING UPDATE
- NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security
tools expo; lots of evening sessions: http://www.sans.org/ns2008/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--House Subcommittee Hears Testimony on DHS Cybersecurity Shortcomings
(September 17, 2008)
The US House Subcommittee on Emerging Threats, Cybersecurity, Science
and Technology heard testimony critical of the Bush administration's
cyber preparedness efforts. Members of the Center for Strategic and
International Studies' Commission on Cybersecurity for the 44th
President said that the Department of Homeland Security (DHS) has not
established relationships of trust or even partnerships with private
sector organizations and other countries. The commission has proposed
a solution that includes establishing a high level administration cyber
security position that would include necessary security clearances and
access to the president - in essence, shifting the responsibility for
cyber security from DHS to the White House. The Government
Accountability Office (GAO) released a report at the hearing with
similar findings. The GAO's report specifically mentioned the
shortcomings of the US Computer Emergency Readiness Team (US-CERT),
saying it "lacks a comprehensive baseline understanding of the nation's
critical infrastructure operations, does not monitor all critical
infrastructure information systems, does not consistently provide
actionable and timely warnings, and lacks the capacity to assist in
mitigation and recovery in the event of multiple, simultaneous incidents
of national significance." The DHS discounted the findings presented
at the hearing, calling the criticism politics as usual.
(The USA Today story is just over halfway down the page)
http://blogs.usatoday.com/technologylive/2008/09/a-bi-partisan-c.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114938&source=rss_topic17
http://www.theregister.co.uk/2008/09/17/gao_criticizes_us_cert/print.html
http://www.businessweek.com/pdfs/2008/0916_cyberanalysis_and_warning.pdf
http://www.nextgov.com/nextgov/ng_20080917_9296.php
--Proposed Legislation Would Demystify Electronic Data Border Searches
(September 17, 2008)
US Representative Loretta Sanchez (D-Calif.) has introduced the Border
Security Search Accountability Act of 2008, which would establish "a
well-defined procedure ... [to] protect [travelers'] electronic data."
The bill would require that the DHS disclose the procedures it has
established for searching electronic media devices at borders and
publish a quarterly report of all devices seized by border agents. It
would also limit the amount of time the DHS agents can hold the devices
and impose stronger protections for proprietary data on the devices.
People whose devices are seized would receive a receipt as well as
written confirmation of how their data were examined and whether they
were copied. There would also be clearly posted lists of rights nearby
so travelers would know what to expect.
http://www.securityfocus.com/brief/821
http://thomas.loc.gov/home/gpoxmlc110/h6869_ih.xml
[Editor's Note (Schultz): The Fourth Amendment to the US Constitution
protects against unreasonable search and seizure. In sharp contrast,
travelers who cross a US border with electronic media devices too often
do not receive the protection that this amendment offers. If signed into
law, the proposed legislation would go a long way in restoring at least
some of the individual rights that those who cross US borders have lost
over the great part of the last decade.
(Honan): In what many of us outside of the United States see as an
ironic twist, the US Department of Homeland Security has issued advice
to US corporate and Government travellers on how to secure data on
mobile devices when travelling abroad.
http://file.sunshinepress.org:54445/dhs-travel-threat-assessment-2008.pdf ]
--Microsoft Announces Plans to Share SDL Process
(September 16 & 18, 2008)
Microsoft will offer three of its Security Development Lifecycle (SDL)
process components to other software companies starting in November. The
program is designed to share what Microsoft has learned from
implementing the SDL Threat Modeling Tool, the SDL Optimization Model,
and the SDL Pro Network with the goal of promoting secure software
development across the industry. The first two components will be
available to everyone in November; the SDL Pro Network will be available
to a limited number of organizations for the first year.
http://www.heise-online.co.uk/security/Microsoft-to-support-secure-software-development--/news/111557
http://www.securityfocus.com/brief/820
[Editor's Note (Honan): Microsoft for a long time rightly got a bad
reputation for insecure products. However, as an industry we should
recognize the sea change in Microsoft's approach to security, of which
this is just one example, and encourage other vendors to follow
Microsoft's lead. ]
*************************************************************************
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Norwegian Tax Office Sends Taxpayer Data to Media in Error
(September 17 & 18, 2008)
The Norwegian national tax office has acknowledged that it inadvertently
sent CD-ROMs containing the 2006 tax returns of Norway residents to
editorial staff at various national media groups. Tax statements are
open to public scrutiny in Norway, but the records on the disks include
personal numbers, which are considered confidential. The tax authority
has asked that the disks be returned and says the data they contain can
only be accessed with the use of a secret code. In a separate story,
Norway and the US are about to sign an agreement that would allow them
to share personal data about their citizens. The Norwegian government
wants to be sure the data will be held securely.
http://news.smh.com.au/technology/confidential-data-on-millions-of-norwegians-sent-to-media-by-mistake-20080918-4ir9.html
http://www.theregister.co.uk/2008/09/18/tax_office_blooper_shocks_norway/print.html
http://www.aftenposten.no/english/local/article2659800.ece?service=print
--ATF Lost 76 Weapons, 418 Laptops in Five Years
(September 17 & 18, 2008)
A report from the US Justice Department says that between 2002 and 2007,
the Department of Alcohol, Tobacco and Firearms (ATF) lost 76 weapons
and 418 laptop computers. Thirty-five of the weapons and 50 of the
laptops were stolen; the remaining items were lost. Two of the weapons
were later used to commit crimes. ATF could not say what data were on
398 of the missing laptops. Of the others, seven held sensitive
information, including names, dates of birth, Social Security numbers
(SSNs) and financial account records of people who were under criminal
investigation.
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/17/AR2008091703662_pf.html
http://www.govexec.com/story_page.cfm?articleid=40984&dcn=todaysnewsss
VULNERABILITIES
--Attack Code Released for Windows Media Encoder Flaw
(September 16, 2008)
Attack code for a recently patched Microsoft Windows Media Encoder
vulnerability has been found in the wild. The attack is being
distributed from at least two vectors: through the Milw0rm exploit list
and through a toolkit called e2 "that is widely deployed."
http://www.theregister.co.uk/2008/09/16/miscreants_exploit_windows_media_encoder/print.html
DATA LOSS AND THEFT
--Forever 21 Acknowledges Payment Card Breach
(September 16 & 17, 2008)
Forever 21, a US retail clothing store, has acknowledged that as many
as 99,000 payment cards used by its customers over a four year period
may have been compromised by the same group that stole payment card data
from TJX. In a statement on its website released on Friday, September
12, Forever 21 said it was informed of the data theft a month ago. The
breaches occurred on nine specific dates; the compromised information
includes card numbers, expiration dates "and other card data," but not
names or addresses. Forever 21 says its systems have been in compliance
with Payment Card Industry Data Security Standards since 2007. The
company says it adopted additional security measures after learning of
the breaches, but did not provide details.
http://www.theregister.co.uk/2008/09/17/forever_21_breach/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114839&source=rss_topic17
http://www.forever21.com/notice/notice.html
--Missing Disks Hold Unencrypted NHS Employee Data
(September 15 & 17, 2008)
The Whittington Hospital NHS Trust in London has acknowledged that four
CDs containing staff data have been lost. The disks were placed in a
mail room out tray for recorded delivery instead of being sent by
courier in accordance with trust policy. A staff member has been
suspended in connection with the incident. The data on the disks
include names, dates of birth, national insurance numbers and employment
information of nearly 18,000 staff members. The disks did not contain
bank account information. The disks were password protected, but not
encrypted.
http://www.zdnet.co.uk/misc/print/0,1000000169,39489341-39001093c,00.htm
http://news.bbc.co.uk/2/hi/uk_news/england/london/7617490.stm
http://www.telegraph.co.uk/news/newstopics/politics/health/2965231/NHS-Personal-details-of-18000-staff-lost-in-the-post.html
--Memory Stick Found in Street Contains NHS Mental Health Patient Data
(September 16, 2008)
A memory stick found on a street in Teesdale, England contains
personally identifiable information of about 200 NHS mental health
patients. An investigation determined that a technician who had been
upgrading PCs did not delete the data from the device; the investigation
also revealed that other trust staffers placed sensitive data on their
hard drives in violation of an established security policy. The trust
has contacted people affected by the breach, which occurred at the Tees,
Esk and Wear Valleys Trust.
http://www.teesdalemercury.co.uk/teesdale-news/story,1843.html
ATTACKS
--Palin's Yahoo! Account Compromised
(September 18, 2008)
Attackers broke into US Republican vice-presidential candidate Governor
Sarah Palin's Yahoo! account and stole email messages and photographs,
which they posted to the internet. The attack is believed to have been
prompted over questions of whether Governor Palin used a personal email
account to conduct state business. The compromised account has been
deactivated. Gabriel Ramuglia, who operates Ctunnel.com, the proxy
service that the attackers used, said that because they posted a
screenshot that displayed most of the Ctunnel.com URL, their true IP
address should be detectable, although it is possible that the attackers
used other proxy servers in addition to Ctunnel.com. Ramuglia is
working with the FBI to help trace the attackers.
http://news.bbc.co.uk/2/hi/americas/7622726.stm
http://latimesblogs.latimes.com/washington/2008/09/now-we-know-why.html
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/17/AR2008091703304_pf.html
http://www.securityfocus.com/brief/822
http://www.theregister.co.uk/2008/09/18/palin_email_investigation/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115099&intsrc=hm_list
The following links have details of how the account was compromised...
by resetting the password. Now we know just how secure those cognitive
passwords really are when anyone can use the Internet to find your
birthday, zip code, and where you met your spouse.
http://blog.wired.com/27bstroke6/2008/09/palin-e-mail-ha.html
http://michellemalkin.com/2008/09/17/the-story-behind-the-palin-e-mail-hacking/
--Investigation Continues Into Source of UAE ATM Breaches
(September 13 & 16, 2008)
An investigation into a recent rash of fraudulent withdrawals from bank
accounts in the United Arab Emirates (UAE) indicates that the breach
occurred on a network that the banks use to share ATM data. Previously,
the source of the breach was posited to be skimmers or hackers. In an
email, the UAE central bank backed off from responsibility for the
fraudulent activity, saying that it "is related to banks' security
systems, not the central bank." Among the banks affected by the breach
are Citibank, HSBC, Lloyds TSB, National Bank of Abu Dhabi and Emirates
NBD.
http://www.thenational.ae/article/20080916/BUSINESS/75296675/1041/OPINION
http://www.informationweek.com/blog/main/archives/2008/09/uae_bank_breach.html
MISCELLANEOUS
--SEC Announces Enforcement Action Against LPL Financial
(September 15, 2008)
LPL Financial will pay a fine of US $275,000 for failing to take action
to correct security inadequacies in its online trading platform. LPL
had conducted an internal audit in 2006 that identified serious security
issues, but did not take steps to mitigate the problems. As a result,
the personal information of at least 10,000 LPL customers was vulnerable
to theft in a series of intrusions between July 2007 and February 2008.
According to the Securities and Exchange Commission (SEC), the attackers
attempted to place more than US $700,000 worth of unauthorized trades
through 68 compromised accounts. The fine was imposed by the SEC; LPL
"agreed to pay the fine without admitting or denying the findings."
The terms of the SEC's enforcement action also require LPL to develop
and implement policies and procedures for training employees in data
security and to hire an outside consultant to oversee the company's
compliance with the order.
http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080915/REG/309159969&template=printart
http://www.sec.gov/litigation/admin/2008/34-58515.pdf
[Editor's Note (Honan): Regulatory penalties will probably do more to
drive industry to address security issues than any compliance standard.]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a postgraduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjT4pUACgkQ+LUG5KFpTkanGgCcDZe5czamxm/U0pqt31cTXIhC
aBgAnAhpI6HbxFUwUhKJsR17DKHd/0OJ
=6Bgp
-----END PGP SIGNATURE-----