SANS NewsBites Vol. 10 Num. 87

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Nov 04 2008 - 11:46:04 CST



We welcome Ron Dick to the NewsBites Editorial Board - Ron headed the
National Infrastructure Protection Center (NIPC) at the FBI and is the
incoming President of the InfraGard National Members Alliance - with
22,000 members. He has uncommon pragmatism, clarity of vision and a
sense of humor, as you'll see in his Editor's Note on the UK Memory
Stick story below.
                                Alan
*************************************************************************
SANS NewsBites November 4, 2008 Vol. 10, Num. 87
*************************************************************************
TOP OF THE NEWS
  Group Challenges Texas Law Requiring Computer Repair Technicians to
     Have Private Investigator Licenses
  French Senate Approves Law That Would Cut Off Pirates' Internet Access
  Test Finds Recertified Data Storage Tapes Expose Old Information
  Memory Stick Containing Sensitive UK Government Passwords Found Outside
     Pub
THE REST OF THE WEEK'S NEWS
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    US Defense Department Takes Cyber Security Seriously
  UPDATES AND PATCHES
    Updates Available for Two Critical OpenOffice Flaws
  DATA LOSS, THEFT & EXPOSURE
    Bank of Ireland Acknowledges Missing USB Stick
    Trojan Responsible for Theft of Half a Million Records of
       Financial Account Data
    US State Department Warns of Passport Application Data Theft
  ACTIVE EXPLOITS, WORMS & VIRUSES
    In-the-Wild Worm Exploits Flaw Fixed by Microsoft Out-of-Cycle Patch
  STUDIES AND STATISTICS
    Microsoft Security Intelligence Report for First Half of 2008
  MISCELLANEOUS
    Orange Will Not Use Phorm

************************* Sponsored By ArcSight, Inc. ******************
Complimentary Whitepaper: Extracting Value from Enterprise Log Data
Compliance, forensics, security and IT operations teams have long
recognized the value that log data can deliver. An effective log
management solution can help organizations cut costs and time, improve
investigation efficiency, and adhere to SLAs. Despite these tangible
benefits, organizations continue to struggle with even the basic steps
of log management such as collection and analysis.

This whitepaper outlines the drivers for log management as well as their
underlying challenges and drive towards a common set of requirements for
evaluation of log management tools.
http://www.sans.org/info/34894
*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington: 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- London (12/1-12/9) http://sans.org/london08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Group Challenges Texas Law Requiring Computer Repair Technicians to
 Have Private Investigator Licenses
(October 31, 2008)
The Texas Private Security Board has once again refused to approve a
rule that would exempt computer repair technicians from licensing
requirements. Presently, anyone in Texas who performs an action on a
computer that is deemed an investigation must have a valid,
government-issued private investigator's license. The Board tabled a
proposal exempting repair technicians from the requirement earlier this
year and did so again last week. The law also punishes consumers who
have their computers repaired by unlicensed individuals. The law is
being challenged under the Texas Constitution by the Institute for
Justice Texas Chapter.
http://www.ij.org/index.php?option=com_content&task=view&id=2438&Itemid=129
[Editor's Note (Pescatore): Uh oh, next dry cleaners will have to get
PI licenses if they look in the pockets of garments to remove items
before cleaning.
(Ranum): Generally, these kinds of regulations are more about cutting
out an economic niche than anything else. Anyone who thinks the private
investigators didn't instigate that requirement is naive.]

 --French Senate Approves Law That Would Cut Off Pirates' Internet Access
(October 31, 2008)
The French Senate has approved a "graduated response" law that would cut
off Internet users who habitually download digital content in violation
of copyright law. The law still needs to be approved by the lower house
before it can be enacted. First time violators would receive an email
warning. If they continue to download illegally, they will receive a
letter in the mail, and continued infractions will result in Internet
service being cut off for one year. If enacted, the law would be at
odds with a European Parliament amendment that prohibits cutting off
Internet service for illegal downloading.
http://euobserver.com/9/27026

 --Test Finds Recertified Data Storage Tapes Expose Old Information
(October 30, 2008)
In a test of 100 erased and recertified data storage tapes conducted by
storage media maker Imation, researchers were able to read sensitive
bank and hospital information, as well as field research and Human
Genome Project data. The test "confirms industry guidance that the only
way to properly dispose of data is to destroy the media itself." Other
companies that sell data storage technology have conducted similar
studies that drew similar conclusions, but a company that sells
recertified tapes says that "any data that remains on the tape is not
usable/readable."
http://www.darkreading.com/security/storage/showArticle.jhtml?articleID=211800370
[Editor's Note (Schultz): There appears to be no end in sight for ways
that duplicated data can be compromised. The test reported in this news
item has shown something that many of us (myself included) never
suspected, namely that even erased tapes can contain data that was
supposedly completely removed.]

 --Memory Stick Containing Sensitive UK Government Passwords Found Outside Pub
(November 2 & 3, 2008)
The UK's Government Gateway website was shut down after a memory stick
containing pass codes for the system was found in a pub parking lot. The
Gateway site allows citizens to access services from 50 government
departments, including managing parking tickets, pension entitlements
and tax returns; someone with those pass codes could access personally
identifiable information of the 12 million people who have registered
on the site. The system was restored after it was found that the data
on the stick were encrypted. The stick belongs to Atos Origin, the
company that manages the website; an investigation is underway. Atos
said the employee violated company policy by taking the memory stick off
business premises. Prime Minister Gordon Brown has taken some heat for
remarking that "It is important to recognize that we cannot promise that
every single item of information will always be safe because mistakes
are made by human beings."
http://www.smh.com.au/news/technology/security/memory-stick-loss-sparks-government-system-shutdown/2008/11/03/1225560695249.html
http://www.scmagazineuk.com/Government-website-briefly-closed-following-USB-loss/article/120275/
http://www.scmagazineuk.com/Lib-Dems-call-for-ban-on-memory-sticks-to-carry-confidential-data/article/120277/
http://www.timesonline.co.uk/tol/news/politics/article5064274.ece
http://www.mailonsunday.co.uk/news/article-1082467/I-make-promises-keeping-personal-details-safe-admits-Brown-wake-latest-data-blunder.html
http://www.scmagazineuk.com/Prime-Minister-criticised-over-data-loss-comment/article/120276/
[Editor's Note (New Editor Ron Dick): While probably not the most
politically correct thing to say, Prime Minister Gordon Brown is right.
People make mistakes that cause harm to others. The challenge is how
we educate and reinforce in people to do what is correct. I have said
for years there needs to be a law entitled U.S. Code Title 18 "Stupid".
In my former life, I would have had a lot more convictions. However, I
am not sure what the consequences should be for stupid.]

************************* SPONSORED LINKS ******************************
1) Click here to view Free SANS' Analyst Webcast and Whitepaper- Log
Management in the Cloud: A Comparison of Do-it-yourself Versus Cloud
Services sponsored by Alert Logic
http://www.sans.org/info/34899

2) Hear what major government labs have implemented for Control Systems
security at the SCADA & Process Control Security Summit February 2-3.
http://www.sans.org/info/34904
*************************************************************************

THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --US Defense Department Takes Cyber Security Seriously
(October 30, 2008)
Speaking at the National Homeland Defense Foundation's Cyber Threats
Symposium, Rear Admiral Jan Hamby says that cyber security has become a
priority in the US military ever since the 2005 Titan Rain attacks on
military systems. The Defense Department's Joint Task Force Global
Network Operations (JTF-GNO) has stepped forward as a model in cyber
security best practices, including banning YouTube, MySpace and other
such sites from military computers. JTF-GNO has also taken a hard line
on patch management on military computer systems.
http://mail.google.com/mail/?shva=1#inbox/11d6494cdc0443b4

UPDATES AND PATCHES
 --Updates Available for Two Critical OpenOffice Flaws
(October 31, 2008)
Two updates for OpenOffice address a pair of remote code execution flaws
that affect all versions of OpenOffice prior to version 2.4.2. The flaws
lie in the way OpenOffice handles WMF and EMF files; attackers could
create malicious files that would cause overflow errors, allowing them
to run code on the vulnerable computers. There is no known exploit for
either of the flaws. Users are urged to update as soon as possible.
The recently released OpenOffice 3.0 is not believed to be vulnerable
to the flaws.
http://www.vnunet.com/vnunet/news/2229501/open-office-gets-security-fixes

DATA LOSS, THEFT & EXPOSURE
 --Bank of Ireland Acknowledges Missing USB Stick
(November 3, 2008)
Bank of Ireland has confirmed that a USB memory device containing
personally identifiable information of nearly 900 customers has been
lost. The drive contains names, addresses and contact numbers but no
financial account information. Bank of Ireland policies and procedures
do not allow storage of customer data on unencrypted memory devices.
http://www.breakingnews.ie/ireland/mhideygbkfsn/

 --Trojan Responsible for Theft of Half a Million Records of Financial
 Account Data
(October 31, 2008)
Researchers have uncovered a trove of financial account data stolen by
a Trojan horse program known as Sinowal over the last several years. As
many as half a million accounts have been compromised; more than 20
percent were stolen in the last six months alone. Sinowal, which is
also known as Torpig and Mebroot, spreads through websites onto
unpatched PCs without any user interaction. That the Trojan had been
operating for nearly three years has been called "extraordinary." It
lies in wait on infected PCs; when a user enters a banking URL, it
offers up a phony site to collect the pertinent data and then sends the
information back to a drop server.
http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/
http://www.theregister.co.uk/2008/10/31/torpig_banking_trojan/
http://news.bbc.co.uk/2/hi/technology/7701227.stm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118718&intsrc=hm_list
[Editor's Note (Ullrich): Note that this is only one specific trojan's
"password dump" that was recovered. The total number of accounts lost
is probably at least an order of magnitude larger.]

 --US State Department Warns of Passport Application Data Theft
(October 31, 2008)
The US State Department has notified 383 people that their personal
information supplied when applying for a passport may have been
compromised. A man arrested earlier this year was found to have credit
cards in nearly 20 different names; several passport applications in his
possession matched the names on some of the cards. The information from
the applications was allegedly used to open the fraudulent credit card
accounts. The suspect told authorities at the time that he had two
accomplices, one at the State Department and the other at the US Postal
Service.
http://www.msnbc.msn.com/id/27475651/
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/30/AR2008103004716_pf.html
[Editor's Note (Ranum): A classic example of the trust problem.]

ACTIVE EXPLOITS, WORMS & VIRUSES
 --In-the-Wild Worm Exploits Flaw Fixed by Microsoft Out-of-Cycle Patch
(November 3, 2008)
Malware that exploits the vulnerability for which Microsoft released an
out-of-cycle patch less than two weeks ago has been detected. The worm,
which has been named Wecorl and MS08-067.g, appears to have originated
in China and targets Chinese language versions of Windows 2000. The
worm is not the same malware that prompted the patch's unusual release
date. It appears to install several components on machines it infects,
including a Trojan downloader and rootkit code to help it evade
detection. Once it has infected a PC, the worm attempts to infect all
other machines on the same subnet. Users who have not yet applied the
MS08-067 update should do so as soon as possible.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118885&source=rss_topic17

STUDIES AND STATISTICS
 --Microsoft Security Intelligence Report for First Half of 2008
(November 3, 2008)
According to Microsoft's most recent semi-annual Security Intelligence
Report, while machines running Windows Vista are less likely to be
infected with malware than their Windows XP counterparts, ActiveX
browser plug-ins still pose a threat to the newer operating system.
During the first six months of 2008, for each thousand times Microsoft's
Malicious Software Removal Tool (MSRT) was executed, it scrubbed malware
from three Vista SP1 machines, 10 Windows XP SP2 machines and eight
Windows XP SP3 machines. Of the top 10 browser-based attacks against
Vista during that same period, eight were ActiveX vulnerabilities. The
report also found that 90 percent of disclosed vulnerabilities were in
applications, while just six percent were in operating systems.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118879&source=rss_topic17
http://news.cnet.com/8301-1009_3-10080428-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Pescatore): There are far more applications than there
are operating systems, so that last bit is not very surprising. The most
meaningful data in this report is the chart that shows what types of
installed malware the MSRT found and removed. It shows that Trojans and
"potentially unwanted software" are getting through desktop defenses
pretty easily - the signature and patch-centric approach to protecting
desktops isn't dealing with the new, targeted threats that aim at the
user, not unpatched PCs.]

MISCELLANEOUS
 --Orange Will Not Use Phorm
(October 31, 2008)
UK mobile service and broadband provider Orange has announced that it
will not use Phorm, the controversial targeted advertising technology.
Orange said of the Phorm technology, "The way it was proposed, the
privacy issue was too strong." It should be noted that Orange uses
another targeted advertising service "to study anonymous usage trends
on [its] own portal." An Orange representative went on to differentiate
between the web-based data model and the telecoms data model for
targeted behavioral advertising products.
http://news.zdnet.co.uk/security/0,1000000189,39536632,00.htm?r=2
http://blog.wired.com/business/2008/10/british-isp-ora.html

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Will Pelgrin is Chief Information Security Officer of New York State,
chair of the Multi-State Information Sharing and Analysis Center and
co-chair of the National ISAC Council.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
