*************************************************************************
SANS NewsBites August 29, 2008 Vol. 10, Num. 68
*************************************************************************
TOP OF THE NEWS
European Court of Human Rights Will Not Prevent McKinnon's Extradition
Judge Dismisses Lawsuit Against Video Sharing Site
US Government and Private Sector Can't Agree on Cyber Security
Responsibilities
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Six Arrested in Taiwan for Data Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FAA Computer System Glitch Delays Flights
VULNERABILITIES
Locked iPhones Not So Secure
Space Station Laptop Has Virus
DATA LOSS
Number Affected by Bank of New York Mellon Corp Breach Increases
Computer Purchased on eBay Holds Bank Customers' Data
ATTACKS
Best Western Offers Details of Data Breach
STUDIES AND STATISTICS
Reported Data Breaches on the Rise
MISCELLANEOUS
Researchers Develop Technique to Detect Man-in-the-Middle Attacks

************************ Sponsored By F-Secure **************************

F-Secure's FREE Security Threat Webinar: STOP Online Crime!

Do YOU know enough to protect yourself, your customers and your business
against the latest Internet Security Threats? Be an expert by staying
on top of the latest web threats and trends by joining F-Secure's FREE
security threat webinar - STOP Online Crime!
Space is limited!

Register NOW! http://www.sans.org/info/32464
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
--European Court of Human Rights Will Not Prevent McKinnon's Extradition
(August 28, 2008)
The European Court of Human Rights has refused Gary McKinnon's appeal
against extradition to the United States to face charges related to
infiltrating US government computer networks. McKinnon claimed that the
penalties he would face if he were tried in the US would constitute
inhumane treatment. There is no higher court to which his attorneys can
take his case, but they plan to take a new tack and appeal to the UK
Home Secretary on the grounds that McKinnon suffers from Asperger's
Syndrome.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113702&source=rss_topic17
http://news.bbc.co.uk/2/hi/uk_news/7585861.stm
[Editor's Note (Schultz): McKinnon should receive some kind of "drama
queen" award. When all is said and done, he almost certainly will end
up being extradited to the US, where he is bound to serve prison time.
Meanwhile, it is entertaining to learn of yet another futile attempt on
his part to escape justice.
(Northcutt): Per Wikipedia in case I am not the only one that did not
know: Asperger syndrome is named after Austrian pediatrician Hans
Asperger who, in 1944, described children in his practice who lacked
nonverbal communication skills, failed to demonstrate empathy with their
peers, and were physically clumsy. Fifty years later, AS was
standardized as a diagnosis.]

--Judge Dismisses Lawsuit Against Video Sharing Site
(August 28, 2008)
A US District Court judge has dismissed a case against Veoh Networks
which had been sued by Io Group Inc. for violating copyright laws
because it hosted content without authorization from copyright holders.
The judge ruled that Veoh, a video-sharing website, is protected under
the safe harbor provisions of the Digital Millennium Copyright Act
(DMCA) and cannot be held liable for the uploading activity of its
users. Companies are protected under the safe harbor provisions as long
as they remove unauthorized content when asked to remove it by the
copyright holder. The ruling is somewhat heartening to YouTube, which
is facing a similar lawsuit brought by Viacom. One major difference in
the lawsuits, however, is that Io did not notify Veoh about the
copyright violations before it filed its lawsuit. In contrast, YouTube
received more than 100,000 takedown notices from Viacom before that
lawsuit was filed.
http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID=210201310
http://news.cnet.com/8301-1023_3-10028214-93.html
[Editor's Note (Schultz): This appears to be an extremely reasonable
ruling. ISPs should not be expected to police every action in which
their users engage. If ISPs are informed of user copyright violations,
however, they should cooperate by cracking down on the offending users.]

--US Government and Private Sector Can't Agree on Cyber Security
Responsibilities
(August 26, 2008)
Despite several major cyber security incidents that have made headlines
in recent weeks, the US government and the private sector still cannot
agree on who is responsible for managing the security of the country's
computer networks. Contributing to the problem are the decentralized
nature of government cyber security and the fact that much of the
nation's critical infrastructure runs on private networks. Recent
events, including arrests in connection with a cyber theft ring
involving millions of credit card numbers, the disclosure of a critical
DNS vulnerability and the seemingly politically motivated attacks on
Georgian government websites, have made no discernible impact on either
presidential candidate's platform.
http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story


************************** SPONSORED LINKS: *****************************
1) Please join Eric Cole and Core Security for their webcast: From Spend
Game to Endgame - Balancing Security ROI. Previously scheduled for July 22, 2008
http://www.sans.org/info/32469

2) Register for Control Systems Cyber Security Trainings. SANS Process
Control and SCADA Summit September 8-9 - Amsterdam, NL.
http://www.sans.org/info/32474
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Six Arrested in Taiwan for Data Theft
(August 27, 2008)
Six people have been arrested in Taiwan in connection with the theft of
personal data from a variety of organizations. The stolen data include
information about Taiwan's current and former presidents. More than 50
million records are believed to have been stolen from government
agencies, state-run organizations, telecommunications companies and a
television shopping network; the suspects allegedly tried to sell the
data for about US $10 per record. If they are convicted, they each face
up to five years in prison.
http://news.smh.com.au/technology/taiwan-cracks-major-hacking-ring-data-on-president-stolen-20080827-43th.html
[Editor's Note (Northcutt): According to the people I talk to, identity
information in general only sells for about $1.50 per identity. If you
have a current source that would support the $10 claim in the article I
would love to hear from you (stephen@sans.org)]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--FAA Computer System Glitch Delays Flights
(August 26, 2008)
"An internal software processing problem" is being blamed for a glitch
in the Federal Aviation Administration's (FAA) National Aerospace Data
Interchange Network, which delayed hundreds of flights across the US on
Tuesday, August 26. A facility that processes flight plan information
went down, so data were sent to a backup facility, which could not
sustain the additional traffic. Radar systems were unaffected, as were
communications with aircraft in flight; the issue affected only planes
that had not yet taken off. By Wednesday morning, flights were back to
a normal schedule; officials say that terrorism and cyber attack have
been ruled out. The FAA plans to have a new system in place by the end
of the calendar year.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210200907
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/26/AR2008082602203_pf.html
http://www.eweek.com/c/a/IT-Infrastructure/Corrupt-File-Brought-Down-FAAs-Antiquated-IT-System/
[Editor's Note (Honan): This story demonstrates why it is important to
run live tests of your business continuity plan rather than a desktop
review or simulation exercise. You don't want to discover your backup
systems cannot "sustain the additional traffic" when you are in the
middle of a disaster.]

VULNERABILITIES
--Locked iPhones Not So Secure
(August 27 & 28, 2008)
Apple says it is preparing a fix for a vulnerability in its iPhone that
could allow unauthorized users to gain access to locked phones. The
devices can be locked with a four digit code, but a locked iPhone can
be used to make calls to any number. In addition, with just a few more
taps, unauthorized users can get to the phone's "favorites" page without
entering the unlock code. An Apple spokesperson said that until the fix
is available, users should set their "Home" buttons to their iPod music
rather than their "favorites" menu.
http://www.infoworld.com/article/08/08/27/Locked_iPhones_can_be_unlocked_without_a_password_1.html
http://www.msnbc.msn.com/id/26438428/
[Editor's Note (Ullrich): The iPhone "lock" has never actually done
much. Even on a locked phone you can still dial arbitrary numbers. This
has also been used in some early "jail breaking" exploits.]

--Space Station Laptop Has Virus
(August 26, 2008)
A laptop computer brought aboard the International Space Station was
found to have been infected with the W32.Gammima.AG virus. The malware
is designed to steal passwords, and though its presence has not affected
operational systems, NASA is investigating how the security breach
occurred. A NASA spokesperson said this was not the first time viruses
have been found aboard the space station. Two laptops are known to be
infected; it is likely that the same memory device was plugged into both
machines. The affected computers are used for email and to store data
on nutritional experiments.
http://blog.wired.com/27bstroke6/2008/08/virus-infects-s.html
http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/08/27/dlvirus127.xml
http://www.theregister.co.uk/2008/08/26/nasa_laptops_infected/
http://news.cnet.com/8301-13554_3-10027754-33.html?tag=rsspr.6246142&part=rss&subj=news
http://www.universetoday.com/2008/08/26/has-the-first-extraterrestrial-computer-virus-been-discovered-on-the-space-station/
[Editor's Note (Honan): The Honey Stick Project
http://www.honeystickproject.com/ provides an interesting perspective
showing how curiosity results in over 40% of seeded USB sticks being
plugged into people's computers after they find them.]

DATA LOSS
--Number Affected by Bank of New York Mellon Corp Breach Increases
(August 28, 2008)
The estimated number of people affected by a data breach at Bank of New
York Mellon Corp has been raised from 4.5 million to 12.5 million. In
February, the bank lost between six and ten unencrypted backup tapes
containing customer names, addresses, birth dates and Social Security
numbers (SSNs). In May, Connecticut Governor M. Jodi Rell launched an
investigation into the incident which affected hundreds of thousands of
Connecticut residents.
http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true

--Computer Purchased on eBay Holds Bank Customers' Data
(August 27, 2008)
The UK Information Commissioner's Office is investigating an incident
in which a used computer sold on eBay still held personally identifiable
information of one million bank customers. The affected banks plan to
also launch investigations. The computer, which was purchased for GBP
35 (US $64) in an eBay auction, belonged to Graphic Data UK Ltd, a
document management services firm; a spokesperson for the company called
the incident an "honest mistake." The information includes names,
account numbers and signatures. The computer and another piece of
equipment purchased at the same time by the same buyer were returned to
Graphic Data. Graphic Data is owned by Mail Source UK.
http://www.dailymail.co.uk/news/article-1049121/Government-probe-launched-details-million-bank-customers-sold-eBay.html
[Editor's Note (Honan): If you outsource processing of sensitive data
to a third party, make sure that company abides by your data handling and
destruction policies. Ultimately the data is your data, and so is the
responsibility of ensuring it is kept secure.]

ATTACKS
--Best Western Offers Details of Data Breach
(August 28, 2008)
Best Western has provided additional information about a data security
breach it says occurred at one facility in Germany and affected 10
customers. The company refutes as "grossly unsubstantiated" claims made
in the media that the breach affected more than 8 million customers. In
its statement, Best Western acknowledges a breach in which "three
separate attempts were made via a single logon ID to access the same
data from a single hotel." The logon account used to access the system
was terminated and the computer is no longer being used.
http://news.cnet.com/8301-1009_3-10028291-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113757&source=rss_topic17
http://www.marketwatch.com/news/story/statement-best-western-international/story.aspx?guid={DC0141F6-85D0-468E-97DC-92BB3F54D1BB}&dist=hppr
[Editor's Note (Pescatore): This is mostly an example of the need for a
well defined (and tested/dry run) incident response process. If your
company receives a call from a reporter saying "we have evidence that
your branch office was breached and your customers' data exposed, please
comment" what would happen? Just the way many learn *after* the
generator didn't start that it is a good idea to dry run disaster
recovery operations, same is true for incident response.]

STUDIES AND STATISTICS
--Reported Data Breaches in the US on the Rise
(August 26, 2008)
According to statistics from the Identity Theft Resource Center, there
have already been more data breaches reported this year in the US than
were reported in all of 2007. Businesses, government agencies and
universities have reported 449 data breaches so far this year; in 2007,
446 breaches were reported. It is not clear if the number of breaches
is rising or if organizations are doing a better job of reporting
breaches. Last year, the total number of records reported compromised
was 127 million, the majority of which were part of the TJX breach. So
far this year, 22 million records have been reported compromised.
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html

MISCELLANEOUS
--Researchers Develop Technique to Detect Man-in-the-Middle Attacks
(August 26 & 28, 2008)
Researchers at Carnegie Mellon University have developed software that
they hope will help thwart man-in-the-middle cyber attacks. The system,
called Perspectives, designates a series of websites as trusted notaries
that check for discrepancies in the encryption keys used by the sites
people are visiting. Such differences could indicate that attackers are
routing traffic through machines they control before sending users on to
the sites they want to visit. The software is available as a Firefox
add-on and for Apple OS X on Intel and Linux machines.
http://news.smh.com.au/technology/researchers-offer-new-way-to-avoid-bogus-web-sites-20080828-447m.html
http://news.bbc.co.uk/2/hi/technology/7581949.stm
Direct link to the tool: http://www.cs.cmu.edu/~perspectives/
Additional info (CMU site):
http://www.cmu.edu/news/archive/2008/August/aug25_internetperspectives.shtml
[Editor's Note (Ullrich): The value of this technique is questionable.
Proper usage of SSL certificates appears to be a simpler and better
solution than this workaround. On the other hand, the technique may be
useful for research purposes.]
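As an added illustration of the notary check described above (an editor's sketch, not code from the Perspectives project), the following Python compares the key fingerprint a client observed against what several notaries report and flags a quorum that disagrees with the client as a possible interception. Notary names, key bytes and the quorum thresholds are constructed, and the rules are a simplification of the real design.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NotaryObservation:
    """What one notary reports for a host: the key it saw and for how long."""
    notary: str          # hypothetical notary name (constructed)
    fingerprint: str     # fingerprint of the key the notary observed
    days_observed: int   # consecutive days the notary has seen this key


def fingerprint(public_key_der: bytes) -> str:
    """Short SHA-256 fingerprint (16 hex chars) of a DER-encoded key."""
    return hashlib.sha256(public_key_der).hexdigest()[:16]


def evaluate(observed_fp: str, reports: List[NotaryObservation],
             quorum: int = 3, min_days: int = 2) -> Tuple[str, str]:
    """Compare the key the client saw with what the notaries saw.

    consistent   - at least `quorum` notaries saw this key for >= min_days
    mismatch     - a quorum of notaries agree on a DIFFERENT key: possible MITM
    inconclusive - not enough agreement either way (new key, notary outage)
    """
    if not reports:
        return ("inconclusive", "no notary data for this host")
    agree = [r for r in reports if r.fingerprint == observed_fp]
    stable = [r for r in agree if r.days_observed >= min_days]
    if len(stable) >= quorum:
        return ("consistent", f"{len(stable)} notaries saw this key >= {min_days} days")
    # Tally any other long-lived key the notaries agree on instead.
    others: Dict[str, int] = {}
    for r in reports:
        if r.fingerprint != observed_fp and r.days_observed >= min_days:
            others[r.fingerprint] = others.get(r.fingerprint, 0) + 1
    for fp, n in others.items():
        if n >= quorum:
            return ("mismatch", f"{n} notaries report key {fp}, client sees {observed_fp}")
    return ("inconclusive", f"only {len(agree)} notaries agree; key may be new")


# Constructed sample inputs: not real keys, hosts or notaries.
KEY_REAL = fingerprint(b"constructed-public-key-of-example.test")
KEY_ROGUE = fingerprint(b"constructed-interceptor-key")

NOTARIES_STEADY = [
    NotaryObservation("notary-a", KEY_REAL, 120),
    NotaryObservation("notary-b", KEY_REAL, 118),
    NotaryObservation("notary-c", KEY_REAL, 90),
    NotaryObservation("notary-d", KEY_ROGUE, 0),   # one odd notary is outvoted
]
NOTARIES_FRESH = [NotaryObservation(n, KEY_REAL, 0)
                  for n in ("notary-a", "notary-b", "notary-c")]


def demo() -> Dict[str, str]:
    """Verdicts for a normal visit, an intercepted visit and a key rotation."""
    return {"normal": evaluate(KEY_REAL, NOTARIES_STEADY)[0],
            "intercepted": evaluate(KEY_ROGUE, NOTARIES_STEADY)[0],
            "just_rotated": evaluate(KEY_REAL, NOTARIES_FRESH)[0]}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "just_rotated" case shows the trade-off Ullrich alludes to: a freshly rotated legitimate key looks the same to the notaries as a brand-new rogue one until it has been observed for the quorum duration.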

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
