The hottest job in information security in 2008 and 2009 is application
security penetration testing, and the only course preparing these folks
will be held in Las Vegas in three weeks (see SEC542 at
http://www.sans.org/ns2008). Regular pen testers can prepare for
their GPEN exam with the SEC560 course at the same site.

Alan
*************************************************************************
SANS NewsBites September 9, 2008 Vol. 10, Num. 71
*************************************************************************
TOP OF THE NEWS
Proposed Calif. Law Would Impose Security Requirements on Retailers
Seattle-based Healthcare Organization Agrees to Action Plan to Address
HIPAA Concerns
IRS Network Has 1,811 Unauthorized Web Servers
French Citizens Oppose Massive Database
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Man Sentenced in Pump-and-Dump Scheme
'90s DoD Hacker Arrested in Debit Card Fraud Scheme
LEGAL ISSUES
Comcast Appeals FCC Ruling
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Profiles For Your Eyes Only: Social Networking for Spies
Lost Drive Holds Prison Officers' Data
UPDATES AND PATCHES
Google Releases Chrome Update
Cisco Patches Vulnerabilities in Access Control Server, ASA and PIX
Security Appliances
DATA LOSS AND EXPOSURE
Arrest Warrants Issued in Connection with Customer Data Found on
Discarded Disks
Iowa County Officials Planned to Sell Data

********************** Sponsored By Sourcefire, Inc. ********************

Best of Open Source Security (BOSS) Conference

February 8-10, 2009 -- Flamingo, Las Vegas

Be sure to register for the first IT security conference dedicated to
promoting open source security (OSS) technologies and the commercial
products that embrace them.

This long overdue conference will bring together passionate OSS
advocates and vendors under the same roof to share ideas and
experiences.

For more information, visit http://www.sans.org/info/32943
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
--Proposed Calif. Law Would Impose Security Requirements on Retailers
(September 8, 2008)
The Consumer Data Protection Act (AB 1656) that is now before California
Governor Arnold Schwarzenegger would require businesses to provide more
information about data breaches when they occur, but would also impose
specific requirements on businesses for protecting customers' financial
data. The latter is a controversial idea; Gartner analyst Avivah Litan
notes that while the government can impose breach disclosure
regulations, "it's totally inappropriate for a state to mandate security
controls." Lobbyists are more optimistic that this version of the bill
will pass now that a provision that would have required retailers to
bear the cost of replacing cards affected by breaches has been removed.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=325574&source=rss_topic17
[Editor's Note (Shpantzer): PCI already specifies specific controls and
anyone subject to SB 1386 already knows the costs of reporting are
astronomical, so these inputs are already in place for anyone handling
sensitive information. This bill is starting to get a bit too close for
comfort.
(Schultz): Litan's statement is incredibly out of touch. Some of the
best cybersecurity legislation in the US is in effect only at the state
level, something that shows that states are often more in touch
concerning the need for security-related statutes than is the federal
government.]

--Seattle-based Healthcare Organization Agrees to Action Plan
to Address HIPAA Concerns
(September 8, 2008)
Providence Health & Services, a Seattle, Washington-based organization,
has agreed to adopt a corrective action plan (CAP) to address "potential
violations" of the Health Insurance Portability and Accountability Act
(HIPAA). The plan is part of a resolution agreement between Providence
and the US Department of Health and Human Services (HHS). Providence
will pay US $100,000 to settle the "potential violations." The
resolution agreement is the first to be issued under HIPAA; it was
prompted by the loss or theft of a variety of media holding unencrypted
Providence patient data. The CAP calls for Providence to overhaul
security policies, deploy technical data protection, such as encryption,
conduct unannounced audits and submit compliance reports to HHS for the
next three years. Of particular note is part of the agreement that
prohibits Providence from contesting or appealing any obligations as
described in the CAP.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=325376&taxonomyId=17&pageNumber=1
http://www.dhhs.gov/ocr/privacy/enforcement/agreement.pdf

--IRS Network Has 1,811 Unauthorized Web Servers
(September 4 & 8, 2008)
According to a report from the US Treasury Inspector General for Tax
Administration, more than 1,800 unapproved internal web servers are
connected to the Internal Revenue Service's network. The audit findings
indicate that 2,093 web servers with at least one known security flaw
are connected to the IRS network. Of the 1,811 unauthorized servers,
1,150 were being used for purposes other than business. "The IRS
requires that business units register all internal web sites and web
servers with the Web Services Division in the Modernization and
Information Technology Services organization." Unregistered servers are
a danger "because the IRS has no way to ensure that they will be
continually configured in accordance with security standards and patched
when new vulnerabilities are identified." The report makes several
recommendations to improve network security at the IRS, including
conducting scans to detect all machines connected to the network and
blocking unauthorized servers from network access.
http://www.nextgov.com/nextgov/ng_20080904_3324.php
http://www.fcw.com/online/news/153690-1.html
http://www.theregister.co.uk/2008/09/05/irs_network_report/print.html
http://www.ustreas.gov/tigta/auditreports/2008reports/200820159fr.pdf
[Editor's Note (Pescatore): There are a lot of things going on here that
point out the futility of requiring business units to "register" web
servers with some manual process. The database had over 2800
"registered" web servers of which only 282 could be actually found on
the network - basically 90% of the "registered" web servers didn't seem
to exist. The network scan found 1,800 web servers that were *not*
registered. Essentially the dashboard (the database) was not really
connected to the engine. There are plenty of open source and commercial
tools to support automated network discovery and baselining, which is
absolutely necessary to any reliable vulnerability management process.
(Veltsos): The report also points out the high number of different web
software packages used (33) and that 437 servers were found to have
high-risk vulnerabilities.
(Honan): An interesting note from the report at the ustreas.gov web site
is that of the unauthorized servers detected, "We did find some that
were operating unintentionally as web servers." With modern operating
systems including inbuilt web server functionality this is something
that can easily happen, especially when users are granted local
administrator access to their PCs. These unauthorized web servers are
one of the more common items we discover when auditing customers'
networks for weaknesses and will often be unpatched with default
settings. Make sure that you regularly scan your own network for
unauthorized servers to ensure you are not also exposed. ]
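The report's recommendation, and the editors' point that a manually maintained registry drifts away from what is actually on the wire, comes down to one reconciliation step: compare a discovery scan against the registry and act on both differences. The script below is an added illustration, not code from the newsletter, the IRS or TIGTA; the scan lines and the registry are constructed samples, and the scan lines follow nmap's grepable (-oG) layout.

```python
"""Reconcile a web-server registry against network discovery output.

Constructed sample data only; nothing here touches a network. The
point is the comparison: which live web servers are unregistered
(the 1,811 in the report), and which registry entries no longer exist
(the "registered" servers that could not be found).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Constructed stand-in for the authoritative "registered web servers" table.
REGISTRY = {
    "10.10.1.10": "intranet portal",
    "10.10.1.11": "timesheet app",
    "10.10.1.12": "decommissioned 2007, never removed from registry",
}

# Constructed discovery output in nmap -oG style (tab-separated fields,
# "port/state/proto//service///" entries separated by ", ").
SCAN_OUTPUT = """\
Host: 10.10.1.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.10.1.11 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
Host: 10.10.1.20 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 10.10.1.21 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///
Host: 10.10.1.22 ()\tPorts: 8443/open/tcp//https-alt///
"""

_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def web_hosts_from_scan(scan_text: str) -> set[str]:
    """Return IPs with at least one *open* TCP port from WEB_PORTS.

    Filtered or closed ports are ignored: only a port that actually
    answered counts as an operating web server.
    """
    found: set[str] = set()
    for line in scan_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        for port, state, proto in _PORT_RE.findall(ports_field):
            if proto == "tcp" and state == "open" and int(port) in WEB_PORTS:
                found.add(ip)
                break
    return found


@dataclass
class Reconciliation:
    unregistered: set[str]  # live web servers absent from the registry
    stale: set[str]         # registry entries the scan could not find
    confirmed: set[str]     # registered and actually serving


def reconcile(registry: dict[str, str], scan_text: str) -> Reconciliation:
    """Set-difference the registry against what discovery actually saw."""
    live = web_hosts_from_scan(scan_text)
    registered = set(registry)
    return Reconciliation(unregistered=live - registered,
                          stale=registered - live,
                          confirmed=live & registered)


if __name__ == "__main__":
    r = reconcile(REGISTRY, SCAN_OUTPUT)
    for ip in sorted(r.unregistered):
        print(f"UNREGISTERED web server: {ip}")
    for ip in sorted(r.stale):
        print(f"STALE registry entry:    {ip} ({REGISTRY[ip]})")
```

Run against real `nmap -oG` output and a real registry export, the unregistered list is the candidate set for blocking or registration and the stale list is the registry cleanup the editors describe.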

--French Citizens Oppose Massive Database
(September 4 & 9, 2008)
French citizens and some government officials are voicing their
opposition to Edvige, a police database that will store vast amounts of
personal information about anyone over the age of 13 who is "likely to
breach public order." Edvige, which has been called "Sarkozy's Big
Sister" (Edvige is also a woman's name) and an "electronic Bastille,"
would store a wide range of data, including people's opinions, circle
of friends, sexual orientation, ethnic origins and financial
information. The government maintains that the database is merely an
updated, centralized version of information that has already been
gathered for many years.
http://www.timesonline.co.uk/tol/news/world/europe/article4703054.ece
http://ca.reuters.com/article/technologyNews/idCAL434783820080904?sp=true

************************** SPONSORED LINKS: *****************************
1) Visit the SANS Buyers Guide for updated listings and useful
information when selecting the latest in IT security technologies.
http://www.sans.org/info/32948

2) Worried about NetFlow overhead? Consult Lancope's NetFlow Bandwidth
Calculator
http://www.sans.org/info/32958
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Man Sentenced in Pump-and-Dump Scheme
(September 8, 2008)
A US District Judge in Oklahoma has sentenced Thirugnanam Ramanathan to
two years in prison for his involvement in a pump-and-dump scheme.
Ramanathan, who is from India and was living in Malaysia, was indicted
along with two other men in January 2007; he was extradited to the US
in May 2007. Ramanathan pleaded guilty to conspiracy to commit wire
fraud, securities fraud, computer fraud and aggravated identity theft.
He and the other two men used stolen information to pose as investors
and drive up the price of securities they held in their own brokerage
accounts; they sold the shares once the price had been artificially
inflated. Ramanathan was also ordered to pay US $362,000 in
restitution.
http://money.cnn.com/news/newsfeeds/articles/apwire/9b2f904ec34b59c1284133e274bbd84e.htm

--'90s DoD Hacker Arrested in Debit Card Fraud Scheme
(September 5, 6 & 8, 2008)
Ehud Tenenbaum is one of four people arrested in Calgary, Canada, in
connection with a CAD $1.8 million (US $1.685 million) cyber theft from
a company in Calgary; they have been charged with fraudulent use of
credit card data and fraud. Tenenbaum remains in custody. As a
teenager, Tenenbaum infiltrated US Defense Department computers. The
recent crime involved increasing the values of pre-paid debit cards and
withdrawing funds from bank machines during the last two weeks of 2007.
Tenenbaum is believed to be the one who broke into the computers; the
others allegedly used the cards to withdraw the funds.
http://www.canada.com/calgaryherald/news/city/story.html?id=c442f4a5-4deb-440b-85b0-c7329d76d063
http://blog.wired.com/27bstroke6/2008/09/the-analyzer-su.html
http://www.theregister.co.uk/2008/09/08/israeli_hacker_atm_fraud_charges/print.html
[Editor's Note (Northcutt): Tenenbaum was called the Analyst in those
earlier attacks. The Solar Sunrise video is still worth watching and the
lesson just as valid as it was ten years ago:
http://vimeo.com/1179948?pg=embed&sec=1179948 ]

LEGAL ISSUES
--Comcast Appeals FCC Ruling
(September 5, 2008)
Comcast is appealing a recent US Federal Communications Commission (FCC)
ruling that concluded the company was throttling users' Internet traffic
in a discriminatory fashion. Comcast maintains that the FCC ruling was
"legally inappropriate and its findings were not justified by the
record." The issue came to a head when users complained that Comcast
was selectively blocking BitTorrent traffic, ostensibly to discourage
users' filesharing activity. Comcast plans to comply with the FCC
order, which requires the company to disclose the methods it used to
block traffic and describe a remediation process it will implement so
it will be in compliance with the order by the end of 2008.
http://blog.wired.com/27bstroke6/2008/09/fears-swirling.html

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Profiles For Your Eyes Only: Social Networking for Spies
(September 8, 2008)
A social networking site has been created for use solely by US
intelligence agencies. Called A-Space, the site was designed to allow
analysts to share information, to "think out loud, think in public
amongst their peers." The site, which is scheduled to launch on
September 22, will be on the US government's Joint Worldwide
Intelligence Communications System. It will be available only to
members of the intelligence agencies, and will be monitored by a system
designed to recognize anomalous behavior to catch potential
infiltrators.
http://www.cnn.com/2008/TECH/ptech/09/05/facebook.spies/index.html
http://www.heise-online.co.uk/security/US-intelligence-community-launches-its-own-social-network--/news/111488
[Editor's Note (Northcutt): We always talk about enforcing the "need to
know," and that has its place, but the US Intelligence world is starting
to realize they have a requirement to share as well. I hope this works
out well for them. ]

--Lost Drive Holds Prison Officers' Data
(September 5, 2008)
UK Justice Secretary Jack Straw has launched an inquiry into the loss
of a computer drive that holds personally identifiable information of
5,000 justice staff members. Prison officers threatened to strike after
they learned of the incident. The disk was in the possession of EDS, a
government contractor, when it was lost; the last time anyone at EDS saw
the disk was July 2007, but the Prison Service was not notified that the
disk was missing until July 2008.
http://www.guardian.co.uk/society/2008/sep/08/prisonsandprobation.justice/print
http://www.dailymail.co.uk/news/article-1053381/Jail-staff-risk-data-loss.html
http://www.timesonline.co.uk/tol/news/politics/article4699110.ece

UPDATES AND PATCHES
--Google Releases Chrome Update
(September 8, 2008)
Google has released an update for Chrome less than a week after the
company's browser was introduced. Among the vulnerabilities found in
the Chrome beta was a buffer overflow flaw that could be exploited to
take control of vulnerable computers. Google Chrome 0.2.149.29 fixes a
problem that crashed the browser when a website's URL contained the
characters ".%;" a problem with JavaScript on Facebook; and an
unspecified number of security vulnerabilities, but does not provide
specific information about which vulnerabilities have been mitigated.
At least one flaw disclosed last week, a blended threat known as a
"carpet bomb," was not fixed in the update. Chrome will check for
available updates every few hours and download them automatically as
they become available.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114287&source=rss_topic17
http://news.cnet.com/8301-1009_3-10035004-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Pescatore): Consumer grade software times beta software
= many vulnerabilities. That said, more browser competition, especially
towards reducing browser bloat and increasing security as a top of mind
feature, is badly needed.
(Skoudis): The lack of specificity in the number or nature of
vulnerabilities fixed by this update leaves me very ill at ease.
Without such information, it will be hard to compare this browser's
security history against its competitors over time. It's almost like
they want to keep their users, and the industry more generally, in the
dark about what they're up to and their security flaws. Imagine that!]

--Cisco Patches Vulnerabilities in Access Control Server, ASA and PIX
Security Appliances
(September 5, 2008)
Cisco has issued updates for several flaws in its products. A
denial-of-service vulnerability in the way the Access Control Server
handles Remote Authentication Dial-In User Service (RADIUS)
communications could be exploited to crash the server. Attackers would
need to know the targeted server's IP address and the RADIUS shared
secret. There are
also a half dozen flaws in Cisco's ASA and PIX Security Appliances; five
are denial-of-service flaws and one is an information disclosure flaw.
Users are urged to apply updates as soon as possible.
http://www.vnunet.com/vnunet/news/2225515/cisco-warns-security-risks
http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml

DATA LOSS AND EXPOSURE
--Arrest Warrants Issued in Connection with Customer Data Found
on Discarded Disks
(September 6 & 8, 2008)
Two disks found in a trash pile near a Seoul, Korea subway station
contain personal information of 11.1 million GS Caltex customers. GS
Caltex is one of South Korea's largest oil refineries. The information
correlates to data gathered through the company's bonus card membership
sign-up; the bonus card gives customers discounts at filling stations.
The card does not contain bank or credit card account information. GS
Caltex said there is no evidence that their systems were breached by an
outsider and suggested that it may have been an inside job. Arrest
warrants have been issued for three GS Caltex employees.
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090844298

--Iowa County Officials Planned to Sell Data
(September 4 & 5, 2008)
An organization made up of county officials in Iowa has admitted that
it was negotiating with Data Tree for access to county mortgage records
and other documents that contain personally identifiable information of
Iowa residents. IowaLandRecord.org, the organization, had planned to
sell Data Tree its database and updates in the future for US $11,750 a
month. The officials agreed to hold off on the deal when state
legislators became concerned about the situation. The site is
maintained by the Iowa County Recorders Associations. The site has been
inaccessible since last week, shortly after the issue was made public
in The Des Moines Register. The site is estimated to hold more than 10
million records.
http://www.chicagotribune.com/news/chi-ap-ia-landrecords,0,4324310.story
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114172&source=rss_topic17

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the E-
Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no
posting is allowed on web sites. For a free subscription, (and for free
posters) or to update a current subscription, visit
http://portal.sans.org/
