-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites August 11, 2008 Vol. 10, Num. 63
*************************************************************************
TOP OF THE NEWS
Georgia Receives International Help in Wake of Cyberattacks
US Intelligence Issues Warning About Traveling Abroad with Electronic
Devices
Data Breach Indictment Reveals Alleged Breaches Not Previously
Disclosed
Judge Grants MBTA Request for Injunction Against MIT Researchers
Ohio Sec. of State Sues eVoting Vendor for Dropped Votes
Top Ten Courses named at SANS Network Security 2008

THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Irish Social Welfare Data on Missing Laptop
COPYRIGHT ISSUES
Australian ISPs Urged to Join Fight Against Piracy
MALWARE
Dutch Police Notify Users Infected with Bot Malware
DATA LOSS
Wells Fargo Codes Used to Access Consumer Data at Reseller
BBC Apologizes for Losing Children's Data
Texas Hospital Patient Data on Missing USB Drive
STUDIES AND STATISTICS
Many Businesses in Dublin Shopping District Using Unsecure Wireless
Networks
MISCELLANEOUS
Cybersecurity Advice for Next President

**************** Sponsored By BlueCat Networks, Inc. *******************

IP Address Management is much more than just a marriage between DNS
and DHCP services. Given the network challenges of VoIP, RFID tags,
wireless authorized devices, Virtual Servers/ Clients, and IPv6,
3rd generation IP Address Management brings with it urgency in moving
away from spreadsheets, homegrown, and legacy solutions to intelligent
IPAM solutions.
http://www.sans.org/info/31613

*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and online any time: http://www.sans.org/index.php
*************************************************************************

TOP OF THE NEWS
--Georgia Receives International Help in Wake of Cyberattacks
(August 11, 2008)
The Georgian presidential website and other government websites have
once again been the target of cyber attacks. Similar attacks occurred
in late July, prior to the outbreak of military conflict between
Georgia and Russia regarding South Ossetia. The malware used to
launch the most recent distributed denial-of-service attacks appears
to be a variant of Pinch; the command and control server used in the
attacks is based in Turkey. In a separate, related story, Poland's
president Lech Kaczynski has made his official website available to
the Georgian government so it can disseminate information about the
conflict. In addition, the website of Georgian President Mikhail
Saakashvili was moved to a US hosting facility over the weekend.
The attacks on the site are continuing.
http://www.theregister.co.uk/2008/08/11/georgia_ddos_attack_reloaded/print.html
http://news.smh.com.au/technology/poland-makes-web-site-available-to-georgia-20080811-3tl5.html
http://www.usatoday.com/tech/world/2008-08-11-georgia-president-hacked_N.htm?csp=34
[Editor's Note (Ullrich): There have now been some suggestions that
the attack was organized in part by the infamous "Russian Business
Network" (RBN) in cooperation with Russian intelligence services. See
http://ddanchev.blogspot.com/
(Honan): The Ministry of Foreign Affairs of Georgia has
set up a Blog on Google to provide updates on the conflict at
http://georgiamfa.blogspot.com/2008/08/cyber-attacks-disable-georgian-websites.html
while Wikipedia is also keeping track of events
http://en.wikipedia.org/wiki/War_in_South_Ossetia_(2008)#Cyberattacks ]

--US Intelligence Issues Warning About Traveling Abroad with
Electronic Devices
(August 5, 7, 9 & 11, 2008)
The US Office of the National Counterintelligence Executive (NCIX)
issued a strongly-worded advisory for travelers warning them to take
special precautions when traveling overseas with portable electronic
devices. The warning appears to be aimed specifically toward those
traveling to China for the Olympic Games. Security services in China
are capable of tracking individuals' whereabouts through mobile phones
and PDAs and of turning on microphones in devices without users'
knowledge; users are urged to remove batteries from the devices
when they are not being used. Travelers should not take electronic
devices with them unless they are absolutely necessary, and they
should assume that if the devices are examined by customs officials or
their hotel rooms are searched that the contents of their hard drives
have been copied. Travelers should also change all their passwords
frequently during their travels and again as soon as they return home.
All information sent electronically can be intercepted. The advisory
does not name China specifically, but in a television interview and a
press release, NCIX head Joel Brenner did mention China. The advisory
also says, "In most countries you have no expectation of privacy in
Internet cafes, hotels, offices, or public places." Malware can be
placed on the devices with USB drives or other freebies; by the same
token, do not use your own USB drive in foreign computers. It may be
a good idea to encrypt the data on the devices, but customs officials
in some countries may not permit travelers to bring in encrypted data.
http://www.ncix.gov/publications/reports/traveltips.pdf
http://www.vnunet.com/vnunet/news/2223619/warns-olympic-travellers-us-china
http://www.cbsnews.com/stories/2008/08/07/eveningnews/main4329769.shtml
http://news.smh.com.au/technology/us-intelligence-alerts-travelers-to-cyber-spies-20080809-3sik.html

--Data Breach Indictment Reveals Alleged Breaches Not Previously Disclosed
(August 11, 2008)
The recent indictments of 11 people in connection with the theft
of payment card information from the wireless networks of nine
large retailers were the first some consumers had heard of certain
incidents, despite data breach notification laws in the majority of US
states. While the TJX breach received significant media coverage,
breaches at other retailers, such as Boston Market, Forever 21 and
Barnes and Noble, came as a surprise. Boston Market and Forever 21
said they did not notify customers because they had not been able to
determine whether customer data were actually stolen.
[Editor's Note (Schultz): Boston Market and Forever 21's
reasoning shows just how little they value the welfare of their
customers. Companies that value their customers' welfare would have
notified them just in case there was a compromise.]

--Judge Grants MBTA Request for Injunction Against MIT Researchers
(August 9 & 11, 2008)
A federal judge has issued an injunction preventing three Massachusetts
Institute of Technology (MIT) students from presenting their research
regarding vulnerabilities in the electronic payment system used by the
Massachusetts Bay Transit Authority (MBTA). Their research centered
on manipulating the system to ride the transit system without paying.
The complaint alleges that the students refused to provide the MBTA
with the information they would present at DefCon. The students
plan to appeal the ruling and are being represented by the Electronic
Frontier Foundation (EFF).
http://www.theregister.co.uk/2008/08/09/defcon_talk_halted/print.html
http://news.cnet.com/8301-1009_3-10012612-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.heise-online.co.uk/security/MIT-students-muzzled--/news/111289
http://news.cnet.com/8301-1009_3-10014376-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Honan): The recent judgement in the
Dutch courts regarding the Oyster Card RFID Chip Hack
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=57#sID201
demonstrates that the courts should realize the problem lies with
the weaknesses in the technology and not with those who discover them.]

--Ohio Sec. of State Sues eVoting Vendor for Dropped Votes
(August 8, 2008)
Ohio Secretary of State Jennifer Brunner has filed a lawsuit against
Premier Election Solutions seeking damages for dropped votes in Ohio's
March primary election. Premier, which was formerly known as Diebold,
makes the eVoting machines used in half the counties in Ohio. Problems
with dropped votes arose in 11 counties; the discrepancies were
caught and final counts corrected. Officials from Butler County,
where discrepancies were first detected, wrote to Premier in April
asking for an explanation for the dropped votes. Premier responded
with a report in May that suggested that the problems were due either
to human error or to problems with antivirus software. A follow-up
report suggested disabling antivirus software on voting tabulation
machines, but they had been certified with the antivirus software
installed. Brunner's lawsuit is a countersuit in response to one
filed by Premier in May requesting a court determination that the
company had met its obligations as set out in contracts and warranties.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112041&source=rss_topic17
http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID=210000402&subSection=Infrastructure

********* Top Ten Courses named at SANS Network Security 2008 **********
In addition to a big security tools expo and a lot of free sessions
at SANS Network Security 2008 in Las Vegas (end of September), here
are the ten most popular courses (out of 45 being offered there):

1. SEC560 Network Penetration Testing and Ethical Hacking
2. SEC401 SANS Security Essentials Bootcamp Style
3. SEC504 Hacker Techniques, Exploits & Incident Handling
4. SEC508 Computer Forensics, Investigation, and Response
5. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
6. MAN512 SANS Security Leadership Essentials For Managers with Knowledge Compression
7. SEC505 Securing Windows
8. SEC502 Perimeter Protection In-Depth
9. AUD507 Auditing Networks, Perimeters & Systems
10. MAN525 Project Management and Effective Communications for Security Professionals and Managers

Early registration deadline is next Wednesday, August 20.
Details: See: http://www.sans.org/ns2008

*************************************************************************

THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Irish Social Welfare Data on Missing Laptop
(August 11, 2008)
Irish Data Protection Commissioner Billy Hawkes has called the loss
of a laptop holding personally identifiable information of social
welfare recipients a "serious incident." According to the results
of an audit by the Comptroller and Auditor General (CAG) at the
Department of Social and Family Affairs a laptop missing since July
holds information of approximately 390,000 recipients. The data sent
to the CAG from the Dept of Social and Family Affairs was originally
sent in encrypted format. It was subsequently stored unencrypted
by the CAG on the stolen laptop. The department is making an effort
to contact all people whose information is on the missing computer.
Some of the records include bank account information.
http://www.siliconrepublic.com/news/article/11177/cio/irish-government-data-breach-slammed-as-serious-incident
http://www.irishtimes.com/newspaper/breaking/2008/0811/breaking25.htm
UPDATE: Staff off the hook for laptop security blunders
http://www.independent.ie/national-news/staff-off--the-hook-for-laptop---security-blunders-1452407.html
[Editor's Note (Honan): The fact that this breach occurred 17 months
ago highlights the need for Ireland, and the EU, to introduce mandatory
Data Breach Disclosure legislation. The CAG not only did not contact
those impacted by the breach but only notified the Department of
Social and Family Affairs within the last week. ]

COPYRIGHT ISSUES
--Australian ISPs Urged to Join Fight Against Piracy
(August 8, 2008)
The Australian Federation Against Copyright Theft (AFACT) wants
Australian ISPs to follow the lead of their British counterparts, which
have agreed to send warning letters to Internet users suspected of
illegal filesharing. The proposed letters would contain information
about where and how to obtain copyrighted content legally on the
Internet. Following a three-strikes model, repeat offenders could find
their Internet speeds reduced or surfing curtailed, and eventually
disconnected. The plan would be to give the ISPs the IP addresses
of suspected offenders and have them send the letters. However,
Internet Industry Association executive director Peter Coroneos says
AFACT is asking ISPs to act as law enforcement, comparing the request
to holding the postal service responsible for what people send through
the mail. The ISPs propose to provide copyright holders with access
to suspected downloader information so they can take legal action.
Coroneos also observes that IP addresses are not irrefutable proof
of who downloaded digital content. AFACT says that a study in the
US showed that 90 percent of college students who received warning
letters stopped illegal downloading activity.
http://www.smh.com.au/news/web/isps-join-the-copyright-fight/2008/08/06/1217702054216.html?page=fullpage#contentSwap1

MALWARE
--Dutch Police Notify Users Infected with Bot Malware
(August 8, 2008)
Dutch police have notified people whose computers were infected with
malware that made them part of a botnet comprising more than 100,000
PCs. People were redirected to a web page containing directions
on disabling the malware and a link to an online virus scanner.
The police were able to automatically forward the infected users
to the help page because they have taken control of the botnet.
A 19-year-old man was arrested last week when he tried to sell the
botnet to someone in Brazil for GBP 25,000 (US $47,839).
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?NewsId=10427
[Editor's Note (Ullrich): An interesting tactic that should probably
be investigated more. In the past, investigators of botnets (law
enforcement or not) have been careful not to use the botnet functions
themselves. Most of the time, the exact effects of these actions
are not well understood. Other methods have however not been very
successful in notifying users.]

DATA LOSS
--Wells Fargo Codes Used to Access Consumer Data at Reseller
(August 11, 2008)
Wells Fargo is in the process of notifying approximately 7,000
consumers that their personally identifiable information may have been
compromised when someone used Wells Fargo codes to access consumer
credit data. The suspicious activity occurred over a five-year period
at MicroBilt Corp., a consumer data reseller. The compromised data
include Social Security numbers (SSNs), birth dates, driver's license
numbers and some credit card account information.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112359&source=rss_topic17

--BBC Apologizes for Losing Children's Data
(August 8 & 11, 2008)
The BBC has sent letters of apology to the parents of approximately
250 children whose personal information was on a flash drive that
was stolen. The data were on the device because the children had
signed up for a cooking program. The data include names, addresses,
phone numbers, and dates that the children and their families would
be away on vacation. The drive was in the possession of an employee
of an independent production company that was making the show.
http://www.timesonline.co.uk/tol/news/uk/article4481621.ece
http://www.vnunet.com/vnunet/news/2223662/bbc-partner-loses-children-data
http://www.scmagazineuk.com/BBC-confirms-personal-details-stolen/article/113625/

--Texas Hospital Patient Data on Missing USB Drive
(August 7, 2008)
A hospital administrator in Texas apparently downloaded sensitive
patient information to a flash drive that was later reported lost
or stolen. The Health Insurance Portability and Accountability Act
(HIPAA) requires healthcare providers to take measures to protect
patient data from exposure. The associate administrator for Harris
County Hospital District allegedly placed records of 1,200 patients
with HIV, AIDS and other medical conditions on the storage device.
The data, which include names, Social Security numbers (SSNs), medical
conditions and treatments, were not encrypted or password-protected.
http://www.chron.com/disp/story.mpl/metropolitan/5931497.html

STUDIES AND STATISTICS
--Many Businesses in Dublin Shopping District Using Unsecured Wireless Networks
(August 10, 2008)
A study from the Sunday Business Post indicates that up to one-third of
stores and restaurants on Henry Street and Grafton Street in Dublin,
Ireland's two busiest shopping streets, are using unsecured wireless
systems, potentially exposing customer credit card information to
cyber thieves.
http://www.thepost.ie/ezineSBP/story.asp?storyid=35087

MISCELLANEOUS
-- Cybersecurity Advice for Next President
(August 7, 2008)
Bruce Schneier offers "three pieces of policy advice for the next
president" to improve cybersecurity, and for that matter, "national
security in general." First, the government should use its leverage
as a major customer of commercial products and services to improve the
quality of products overall by making security requirements part of
the RFPs. Second, the government should legislate the results it wants
to see, but not the processes for achieving those results. Finally,
the government should "broadly invest in research," beyond the scope of
short-term high-profit projects and military applications by allowing
funding agencies like NSF and NIH to decide how to allocate the money.
http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0807


*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as
Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND
FEAR and SECRETS AND LIES -- and dozens of articles and academic
papers. Schneier has regularly appeared on television and radio, has
testified before Congress, and is a frequent writer and lecturer on
issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section
of the weekly SANS Institute's @RISK newsletter and is the project
manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater,
Florida.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIoc5f+LUG5KFpTkYRAqJPAJ9I9I6aItQoLEyba4Hgd7BfL0pqagCgidOe
kf+u7b2wR+Py2yq3v6NNLxg=
=lbW1
-----END PGP SIGNATURE-----