The SANS Institute <NewsBites@sans.org> wrote:
Date: Tue, 13 Mar 2007 22:05:30 +0000
From: The SANS Institute <NewsBites@sans.org>
Subject: SANS NewsBites Vol. 9 Num. 21
To: <jain.suyash@yahoo.co.in>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The long awaited hard drive with encryption built in was finally
released this week, making laptop encryption easier for users. At the
same time Windows Vista is coming with BitLocker built in. To really
understand where these tools fit and how you might integrate enterprise
encryption solutions, come to San Jose in April for the Mobile
Encryption Summit.
http://www.sans.org/info/4536
*************************************************************************
SANS NewsBites March 13, 2007 Vol. 9, Num. 21
*************************************************************************
TOP OF THE NEWS
Bill Would Exempt Texas County Clerks from Data Privacy Laws
Three Men Indicted for Online Stock Manipulation
US $3 Million Frozen in Pump-and-Dump Case
Hard Drives With Embedded Encryption to Debut
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Real ID Act Irks Legislators
Stolen Hard Drive Holds California National Guard Data
NZ Revenue Dept. Employees Fired for Unauthorized File Access
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
WGA Always Sends Info to Microsoft
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Idaho Employee Data Inadvertently Posted to Web
STANDARDS & BEST PRACTICES
Laptop Theft Prompts Data Security Rules
MISCELLANEOUS
ICANN Issues Factsheet on February DNS Attack
Scotland Yard Thwarted Plan to Attack Internet Hub in UK
Outsourcer Apologizes for Laptop Theft
SANS Security Tip of the Day
******************** Sponsored By ArcSight, Inc. ************************
Free Whitepaper: Achieving IT Compliance, Automation and Efficiency
IT organizations have a dual role. They make strategic decisions about
implementing a network. Then they shift to a tactical focus, changing
the network to support evolving day-to-day needs. Learn how to automate
and streamline network configuration management with this free
whitepaper. Brought to you by ArcSight, the ESM leader that turns data
into action.
http://www.sans.org/info/4521
*************************************************************************
How Good Are SANS Courses?
++ "I have attended courses by several of SANS rivals, and SANS blew
them away." - Alton Thompson, US Marines
++ "SANS has the highest quality instructors and the most relevant,
current information of any training I have attended." - Melodee McHone,
Hallmark
++ "This is the only conference/training I've ever attended at which I
learned techniques and found tools I could apply immediately." - Dwight
Leo, Defense Logistics Agency, DLA
++ "The SANS classes have been uniformly excellent. To learn as much
through traditional classes would have entailed weeks away from work."
- David Ritch, Department of Defense
In addition to the big conference in San Diego, programs are scheduled
in more than 40 cities in the next few months or you can attend live
classes (or on-demand courses) without leaving your home, or you may
even study online. Schedule: http://www.sans.org
*************************************************************************
TOP OF THE NEWS
--Bill Would Exempt Texas County Clerks from Data Privacy Laws
(March 12, 2007)
The Texas House of Representatives last week passed emergency
legislation that would absolve county clerks of civil or criminal
liability for exposing SSNs in public documents "in the ordinary course
of business." The bill now goes to the state Senate, where it needs
approval of a two-thirds majority to become law. The legislation comes
in response to a ruling late last month from Texas Attorney General Greg
Abbott that exposing SSNs in public documents violates state and federal
laws. Furthermore, according to Abbott's opinion, county clerks in Texas
could be held criminally liable for exposing SSNs when documents are
made public; violators could face prison time and fines. The ruling
would require that clerks check each document for SSNs and remove them
before making the documents public. Daunted by the task and fearful of
running afoul of the law, county clerks asked state legislators to come
to their aid. The bill would also require that SSNs no longer be
included in public records filed with county governments and allows
Texans to request that their SSNs be removed from existing documents,
though it is up to the individuals to identify the documents from which
they want the information redacted.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=285672&source=rss_topic17
[Editor's Note (Kreitner): If not the County Clerks, who will be
accountable for ensuring that exposing SSN's in public documents does
not occur? Laws without accountability for enforcing the intent of the
law are impotent. ]
--Three Men Indicted for Online Stock Manipulation
(March 12, 2007)
Three Indian nationals have been indicted on federal charges of
manipulating stock prices by breaking into people's online brokerage
accounts and artificially inflating the prices of certain stocks. The
"hack, pump, and dump" scheme used an estimated total of 60 customer
accounts at nine online brokerages. The suspects bought stocks through
their own accounts, used the hacked accounts to drive up the prices and
sold the stocks at a profit. The US Securities and Exchange Commission
(SEC) has filed separate civil charges against all three men. Two of
the men have been arrested in Hong Kong; one remains at large.
http://www.beatricedailysun.com/articles/2007/03/12/ap-state-ne/d8nqp5g00.txt
http://www.theregister.co.uk/2007/03/12/more_pump_and_dump_charges/print.html
--US $3 Million Frozen in Pump-and-Dump Case
(March 8 & 12, 2007)
A federal judge has granted the SEC's request to freeze US $3 million
in a brokerage account under the name of a Latvian bank. The money is
believed to have been generated by a ring of cyber thieves in Russia,
Latvia, Lithuania and the British Virgin Islands. The scammers
allegedly ran a stock manipulation scheme that netted them more than US
$730,000 in just one year. Investigators believe the perpetrators broke
into online brokerage accounts, sold the customers' holdings and used
the profits to manipulate prices of stocks they had bought earlier.
They then allegedly sold those stocks at artificially inflated values.
http://www.scmagazine.com/us/news/article/643126/sec-3-million-latvian-bank-frozen-part-hacking-pump-and-dump-trial/
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/07/AR2007030702240_pf.html
[Editor's Note (Northcutt): This pump and dump attack isn't exactly new,
but it is very scary. Many people are counting on their stock funds as
part of their retirement, and online brokerages have no legal
responsibility to cover these losses. If anyone knows of an online
trading service that offers two factor authentication drop me a note,
and we can check it out and pass that on as a service to our readers
(Stephen@sans.edu). Here are a few good links on this topic:
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html
http://www.marketwatch.com/News/Story/Story.aspx?guid=%7BFB3B61A9-FB01-4FB8-B454-2A2FC43BDB5C%7D&siteId=mktw ]
--Hard Drives With Embedded Encryption to Debut
(March 12, 2007)
Seagate has announced that its hard drives with built-in encryption will
debut in laptops some time in the next few months. The laptops will
have a chip that will make it impossible for anyone to read data from
the disk or boot up without some sort of authentication.
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031200093_pf.html
[Editor's Note (Kreitner): A good use of technology to reduce exposures
attributable to careless human behaviors. ]
************************** Sponsored Links: ***************************
1) Webcast March 15th 11am PT Using Log Management to Drive Operational
Insight, Mitigate Risk and Automate Compliance
http://www.sans.org/info/4526
2) Did 'Storm Worm' wreak havoc on your network? Download the FREE White
Paper "Enterprise Network Security Does Not End with IPS" and learn why
IPS is insufficient for securing the network core.
http://www.sans.org/info/4531
3) The SANS Encryption Summit, April 23-25, provides concrete,
actionable information you can deploy as soon as you return to work.
http://www.sans.org/info/4536
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Real ID Act Irks Legislators
(March 2 & 12, 2007)
On March 1, the Department of Homeland Security (DHS) issued proposed
regulations for compliance with the Real ID Act, which aims to establish
minimum standards for state-issued driver's licenses and identification
cards. Despite the fact that the requirements appear to be less
stringent than first indicated, US lawmakers are expressing concerns
about citizens' privacy and the costs associated with implementing the
Real ID requirements. DHS Secretary Michael Chertoff said that the
states would hold the data from the cards; the information will not be
held in a national database. The idea is to make driver's licenses very
difficult to forge or alter. The compliance deadline has been extended
from May 2008 to May 2013. While the government is not mandating that
states include biometrics on the cards, it does not discourage their
use. There is a 60-day period for public comment on the proposed
regulations. Two legislators have introduced bills that would repeal
the act.
http://www.eweek.com/print_article2/0,1217,a=202265,00.asp
http://www.fcw.com/article97874-03-12-07-Print&printLayout
http://a257.g.akamaitech.net/7/257/2422/01jan20071800/edocket.access.gpo.gov/2007/07-1009.htm
--Stolen Hard Drive Holds California National Guard Data
(March 9 & 10, 2007)
A stolen hard drive contains personally identifiable information of
approximately 1,300 California National Guard troops who have been
deployed to the US-Mexico border. The compromised data include
addresses, dates of birth and Social Security numbers (SSNs). The drive
was reported missing in late February from the California National
Guard's border mission headquarters at San Diego Naval Base. Guard
members affected by the breach were notified on February 28. The case
has been turned over to the Navy's Criminal Investigative Division.
http://www.tuscaloosanews.com/article/20070309/APA/703092833
http://www.nbc4.tv/news/11221506/detail.html
--NZ Revenue Dept. Employees Fired for Unauthorized File Access
(March 6, 2007)
New Zealand's Inland Revenue Department (IRD) has fired nearly 80
employees in the last four years for accessing files inappropriately. A
number of the people who lost their jobs had accessed their own files
or those of family members outside the bounds of their duties. In 2003,
a minor scandal erupted when it was discovered that IRD employees had
accessed files of a number of celebrities as well as those of their own
families; 75 people were fired as a result. The number of people caught
snooping has decreased each year since 2003 to just 13 in 2006; there
were no instances of employees accessing celebrities' files within the
last year. Inland Revenue Deputy Commissioner Colin MacDonald defends
the IRD's strict codes, saying they are entrusted with ensuring
taxpayers' secrecy.
http://www.stuff.co.nz/print/3983557a11.html
[Editor's Note (Honan): Having policies in place that are not enforced
rigorously and consistently undermines the effectiveness of these
policies and ultimately the security of your systems. The New Zealand
Revenue Department's approach to policy breaches demonstrates that
making people accountable for their actions significantly improves
security.
(Kreitner) An excellent example of resolute management attuned to
security. Also a situation where instituting role-based access would
be helpful. If each agent had access to only his/her assigned accounts,
snooping in other accounts would require human collusion. ]
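The IRD item and Kreitner's note describe two controls: a preventive one
(an agent can open only the accounts assigned to him or her) and a
detective one (audit the access log for employees opening their own or
their relatives' files). The following is an added example written for
this edition, not IRD code or anything from the editors; the staff
directory, the audit log lines and their field layout are constructed and
are assumptions.

```python
"""Role-based access check plus audit-log review for taxpayer-file snooping.
Added example, not Inland Revenue code.  The staff directory, the log lines
and their field layout (timestamp, staff id, taxpayer id, action) are
constructed assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed staff directory: own taxpayer id, known relatives, assigned caseload
EMPLOYEES: Dict[str, dict] = {
    "E100": {"own_tin": "T0001", "relatives": {"T0002"}, "assigned": {"T0500", "T0501"}},
    "E200": {"own_tin": "T0003", "relatives": set(), "assigned": {"T0600"}},
}

# Constructed audit log: timestamp, staff id, taxpayer file, action
AUDIT_LOG = """\
2007-03-01T09:12:00 E100 T0500 VIEW
2007-03-01T09:15:00 E100 T0001 VIEW
2007-03-01T10:02:00 E200 T0600 VIEW
2007-03-01T10:40:00 E100 T0002 VIEW
2007-03-01T11:05:00 E200 T0999 VIEW
2007-03-01T11:07:00 E300 T0600 VIEW
"""


def classify_access(staff: str, tin: str) -> str:
    """Label one access: self, relative, assigned, unassigned or unknown_staff.
    Self and relative are checked before assignment so that an agent who was
    (wrongly) assigned their own file is still flagged."""
    rec = EMPLOYEES.get(staff)
    if rec is None:
        return "unknown_staff"
    if tin == rec["own_tin"]:
        return "self"
    if tin in rec["relatives"]:
        return "relative"
    if tin in rec["assigned"]:
        return "assigned"
    return "unassigned"


def authorize(staff: str, tin: str) -> bool:
    """Preventive control: only an assigned account may be opened.  Anything
    else needs a second person, which turns snooping into collusion."""
    return classify_access(staff, tin) == "assigned"


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split the constructed whitespace-separated log into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, tin, action = line.split()
        rows.append((ts, staff, tin, action))
    return rows


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Detective control: every logged access the preventive rule would have
    refused, with the reason it was out of bounds."""
    return [(ts, staff, tin, classify_access(staff, tin))
            for ts, staff, tin, _action in parse_log(text)
            if not authorize(staff, tin)]


def per_staff_counts(findings: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Findings per employee, the figure HR and management would act on."""
    return dict(Counter(staff for _ts, staff, _tin, _reason in findings))


if __name__ == "__main__":
    for finding in audit(AUDIT_LOG):
        print(*finding)
    print(per_staff_counts(audit(AUDIT_LOG)))
```

The audit routine deliberately reuses the same authorize() decision that
the application would enforce at access time, so the log review catches
exactly what the preventive rule would have blocked, including accesses by
staff ids that are not in the directory at all.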
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--WGA Always Sends Info to Microsoft
(March 8 & 9, 2007)
Microsoft has acknowledged that its most recent Windows Genuine
Advantage (WGA) update sends some information back to the company's
Redmond, WA headquarters even if users decline to install the update.
A statement from Microsoft's UK anti-piracy manager says the information
sent back does not identify individuals. WGA communicates to Microsoft
the computers' globally unique identifiers (GUIDs), user and machine
language settings and whether or not the machine was connected to a
domain.
http://www.theregister.co.uk/2007/03/09/ms_wga_phones_home/print.html
http://www.heise-security.co.uk/news/86429
[Editor's Note (Schultz): WGA amounts to little more than spyware,
something that sooner or later Microsoft will have to contend with in
court.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--U of Idaho Employee Data Inadvertently Posted to Web
(March 10, 2007)
For the second time in three months, the University of Idaho has
experienced a data security breach. UI is notifying 2,700 employees
that their personal information was accessible on the school's web site
for 19 days in February. The file was removed on February 27 as soon
as the Information Technology Services became aware of the situation.
UI is investigating the incident. An authorized user inadvertently
uploaded the file containing the data along with a report. The data
include names, birth dates and SSNs, but no financial account
information. The data were "in a proprietary binary data file, that
require a special program if they are to be read," according to UI
Provost Doug Baker. In November 2006, three desktop computers were
stolen from UI's fundraising office in Moscow, ID. That incident
prompted the school to "announce it was revamping its policies and
procedures for handling sensitive information." The school also plans
to move away from using SSNs as unique identifiers.
http://www.newsobserver.com/102/story/552644.html
http://www.spokesmanreview.com/tools/story_pf.asp?ID=178531
STANDARDS & BEST PRACTICES
--Laptop Theft Prompts Data Security Rules
(March 8, 2007)
Ontario (Canada) privacy commissioner Ann Cavoukian has issued a report
that orders Toronto's Hospital for Sick Children to implement policies
and procedures to protect the security of patient data. The report is
the outcome of an investigation prompted by the January 4, 2007 theft
of a laptop from a physician's car. The computer held personally
identifiable, sensitive information of 2,900 of the hospital's patients.
The physician had been planning to use the information to work on a
research project at home. The hospital must now prohibit the removal of
patient data from the premises unless doing so would interfere with
providing proper patient care. If a situation arises in which data must
be removed, they must first be encrypted. Furthermore, data loaded onto
mobile devices must be encrypted and be limited to data essential to the
research being conducted. The hospital has until June 15 of this year
to demonstrate compliance with the order.
http://www.cbc.ca/canada/ottawa/story/2007/03/08/sickkids-stolenlaptop.html
http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf
MISCELLANEOUS
--ICANN Issues Factsheet on February DNS Attack
(March 12, 2007)
A factsheet from the Internet Corporation for Assigned Names and Numbers
(ICANN) says DNS servers came through February's attack relatively
unscathed because of the Anycast load-balancing technology put in place
after the last major attack in 2002. The attack targeted six of the 13
root servers. The two servers that fared the worst during the attack
did not yet have the technology installed. The root server operators
also played a significant role in preventing the attack from having a
noticeable effect on Internet users worldwide by staying in constant
communication. The operators noticed that all the attack packets were
larger than 512 bytes, the traditional maximum size of a DNS message
carried over UDP, and consequently blocked packets that met that
criterion. That step alone managed to stop the attack in its tracks.
http://www.vnunet.com/vnunet/news/2185227/icann-shield-beats-dns-hackers
http://www.zdnet.co.uk/misc/print/0,1000000169,39286256-39001105c,00.htm
http://icann.org/announcements/factsheet-dns-attack-08mar07.pdf
[Editor's Note (Skoudis and Paller): The ICANN fact sheet is really
good, and we strongly encourage you to read it. It describes not only
the attack and defenses, but the overall architecture of the root DNS
infrastructure in terms that even a newbie can understand and
appreciate. It explains interesting things, like why there are 13 root
name servers and not more (it's associated with the 512 byte query
size), and how Anycast technology helped to thwart the attack. Kudos
to ICANN for not only producing this fascinating and useful document,
but for their openness in describing what happened.
(Pescatore): The DNS root servers have proven to be pretty resilient
against these large-scale DoS attacks that get a lot of publicity.
However, a lot of enterprises have been hit by targeted DoS attacks and
have found they have to upgrade their defenses - usually by paying their
ISP extra to get filtered bandwidth. The ISPs need to take some of that
revenue and take steps to make it much harder for DDoS attacks to
succeed.]
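The size rule the root operators applied is simple enough to show in
code. The following is an added example written for this edition, not
ICANN's or any root operator's code: it builds a few constructed UDP DNS
queries, applies a "drop anything over 512 bytes" rule to inbound
traffic, and counts how many dropped packets carried an EDNS0 OPT record,
the indicator that such a rule is starting to hit legitimate clients. All
packets are constructed in the block.

```python
"""Size-based filtering of inbound UDP DNS queries, illustrating the root
operators' rule of dropping packets larger than 512 bytes.  Added example;
not ICANN's or any root operator's code.  All packets are constructed here."""
import struct
from typing import List, Optional

DNS_UDP_LIMIT = 512  # RFC 1035 ceiling for a DNS message over UDP without EDNS0
OPT_RR_TYPE = 41     # EDNS0 OPT pseudo-RR (RFC 2671)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_size: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: header, one question, optional EDNS0 OPT RR."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    arcount = 1 if edns_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)      # class IN
    opt = b""
    if edns_size:
        # OPT RR: root owner name, type 41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack(">HHIH", OPT_RR_TYPE, edns_size, 0, 0)
    return header + question + opt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_payload_size(pkt: bytes) -> Optional[int]:
    """Return the UDP payload size advertised by an EDNS0 OPT RR, or None."""
    if len(pkt) < 12:
        return None
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RR_TYPE:
            return rclass
    return None


def filter_decision(pkt: bytes) -> str:
    """The root operators' criterion: drop any inbound UDP DNS message over 512 bytes."""
    return "pass" if len(pkt) <= DNS_UDP_LIMIT else "drop"


def classify(packets: List[bytes]) -> dict:
    """Apply the rule to a batch and count dropped packets that carried EDNS0,
    i.e. how much legitimate-looking traffic a blanket size rule would cost."""
    summary = {"pass": 0, "drop": 0, "dropped_with_edns": 0}
    for pkt in packets:
        verdict = filter_decision(pkt)
        summary[verdict] += 1
        if verdict == "drop" and edns_payload_size(pkt) is not None:
            summary["dropped_with_edns"] += 1
    return summary


# Constructed inbound traffic: two ordinary queries and one flood packet padded past 512 bytes
SAMPLE_TRAFFIC = [
    build_query("www.example.com."),
    build_query("example.com.", qtype=2, edns_size=4096),
    build_query("a.root-servers.net.") + b"\x00" * 1000,
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(len(pkt), filter_decision(pkt), edns_payload_size(pkt))
    print(classify(SAMPLE_TRAFFIC))
```

The rule is safe for traffic arriving at an authoritative server because
real queries, even with an EDNS0 OPT record attached, are a few dozen
bytes. It must not be applied in the other direction: responses to EDNS0
clients legitimately exceed 512 bytes, and clients that get no answer fall
back to TCP, so the same filter on outbound or TCP traffic would be a
self-inflicted outage.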
--Scotland Yard Thwarted Plan to Attack Internet Hub in UK
(March 11, 2007)
Scotland Yard has foiled an alleged Al-Qaeda plot to "bring down the
Internet" in the UK. In raids carried out last year, detectives
discovered computer files indicating suspects were targeting an Internet
hub in London. The plots considered by the suspects included blowing
up the facility that houses the hub.
http://www.timesonline.co.uk/tol/news/uk/crime/article1496831.ece
[Editor's Note (Honan): Security of our networks is not simply about
electronic defences. One of the key goals of terrorism is to create
fear and uncertainty which is often best achieved by the physical
destruction of key targets. Targeting Internet hubs with physical
attacks is an effective method for terrorists to achieve their goals by
creating the publicity and media attention terrorism craves while also
damaging the Internet infrastructure. If you host sites or
infrastructure that would be attractive to a terrorist attack you should
constantly ensure your threat models and risk profiles include threats
posed by motivated and determined physical terrorist attacks.]
--Outsourcer Apologizes for Laptop Theft
(March 8, 2007)
A company that owned a stolen laptop containing personally identifiable
information of more than 16,000 Worcestershire County (UK) Council
employees has apologized for the incident and says it will pay costs
associated with the data breach. Serco is developing an integrated
human resources and payroll system for the council. An investigation
conducted jointly by the council and Serco found that the Serco employee
should not have had the sensitive data on the computer.
http://www.techworld.com/security/news/index.cfm?newsID=8204&pagtype=all
SANS Security Tip of the Day
Read error messages and checkboxes
When you see an error message pop up on the screen, read it! You may not
understand everything, but if you look through the message, you can get
the gist. Hackers can sometimes generate errors to collect everything
you type and everything that comes up on your screen. If you don't
understand the error, at least capture the screen. To do that, hold down
the shift key and press the key labeled "Print Screen" or "PrtSc". That
will put the screen into short-term storage called the clipboard. Then
open an e-mail message, right click on the message body and select
"paste". Now you can print it or send it to tech support for further
analysis.
If you work for a company of 1,000 or more and would like to help
distribute SANS Security Tips, please email brietveld@sans.org.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFF9vQN+LUG5KFpTkYRAoUZAJ9D1PTVZ19oQaU7vP0TvfJZRKRj4ACgmddE
xKR+9JWTE3oS2QvAqwgCzHU=
=/x71
-----END PGP SIGNATURE-----
Thanks and Regards
Suyash Jain
Open Source Community Member
Bangalore , INDIA
jain.suyash@yahoo.co.in