
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #11

February 06, 2007


We mentioned last week that forces acting on the security field make it imperative that people's security skills are as current as possible. In choosing the security training that will make the most difference in your career, the following data may add value. These are the current SANS Top Ten (most popular) courses:

1. SANS Security Essentials Bootcamp Style
2. Hacker Techniques, Exploits & Incident Handling
3. Intrusion Detection In-Depth
4. System Forensics, Investigation & Response
5. Assessing and Securing Wireless Networks
6. Securing Windows
7. Auditing Networks, Perimeters & Systems
8. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
9. Perimeter Protection In-Depth
10. Cutting-Edge Hacking Techniques - Hands On

You'll find them soon in
Four in Brisbane http://www.sans.org/brisbane07/
Five in Tyson's Corner (outside DC): http://www.sans.org/tysonscorner07/
(Note: early registration deadline in a few days)
And all of them in San Diego: http://www.sans.org/sans2007/
Or study at home or in your own city or in courses at your university:
www.sans.org

TOP OF THE NEWS

Missing Hard Drive Holds 48,000 Veterans' Data
Microsoft Acknowledges Zero-Day Office Attack
TJX in Violation of Payment Card Industry Data Security Standard

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Dutch Spammer Fined
Duracell Employee Pleads Guilty to Stealing Trade Secrets
MySpace Worm Creator Sentenced
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Data Security Breach Exposes Workers' Comp Info. in Mass.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Vista Speech Recognition Could be Exploited to Delete Files
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
CDC Podcast Site Infected with Malware
Superbowl Sites Infected with Malware
Michigan Tax Preparer's Computer Stolen
MISCELLANEOUS
Researchers Hope to Vindicate Teacher by Demonstrating Spyware was Responsible for Offensive Images on Classroom Computer
Destroyed Hard Drives a Catch-22
February 6 is Safer Internet Day


******************** Sponsored By Credant Technologies ******************

Data Security: It's About More Than Just Encryption To ensure data security in today's dynamic environment it must be controlled and managed consistently, across all mobile platforms, across all users, and across all locations. Organizations today require a flexible solution that also treats mobile data protection as integral part of the enterprise's overall security processes.
http://www.sans.org/info/3256

*************************************************************************

TOP OF THE NEWS

Missing Hard Drive Holds 48,000 Veterans' Data (2 February 2007)

The Department of Veterans Affairs (VA) and the FBI are investigating the disappearance of a portable hard drive from the VA medical center in Birmingham, Alabama. The drive was reported missing on January 22, 2007; it is believed to hold research project information as well as personally identifiable information of as many as 48,000 veterans. Some of the data were encrypted. "Pending results of the investigation, the VA is planning to send individual notifications and to provide a year of free credit monitoring" to those affected. The drive was used to back up data from an employee's office computer. The VA Office of the Inspector General has taken the employee's work computer and is analyzing its contents. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2169
-http://www.signonsandiego.com/news/nation/20070202-2112-securitybreach.html
-http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192998926&path=!news!localnews
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010302&source=rss_topic17

Microsoft Acknowledges Zero-Day Office Attack (5 February 2007)

Microsoft has acknowledged a newly disclosed flaw in Excel and said the flaw may also affect other Office software. The flaw could allow malware to be placed on vulnerable systems. Microsoft is looking into reports that the flaw is already being exploited in limited attacks. The flaw reportedly affects Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac. It is unlikely Microsoft will have a patch for the flaw available by February 13, the next scheduled monthly security update. Users are urged not to open untrusted Office documents until Microsoft has issued a fix for the problem. Internet Storm Center coverage:
-http://isc.sans.org/diary.html?storyid=2157
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010219&source=rss_topic17
-http://news.com.com/2102-7349_3-6156209.html?tag=st.util.print
-http://www.theregister.co.uk/2007/02/05/0-day_office_flaw/print.html
[Editor's Note (Multiple): The advice to users is insufficient. Users should not open attachments or follow links in any emails that they did not expect. It is too easy to spoof a trusted person's address. If you get an email with an attachment ask the sender for verification before opening it. It takes only a couple of minutes, while cleaning out an infected PC takes weeks and causes a lot of pain. ]

TJX in Violation of Payment Card Industry Data Security Standard (30 & 29 January 2007)

TJX Companies was storing customer credit card information in violation of the Payment Card Industry Data Security Standard. As a result, the data thieves were able to obtain Track 2 card information, which includes the card number, expiration date and card verification value. Some of the data stored on the TJX system dates back to 2003. The theft affects millions of cardholders. TJX owns a number of store chains, including TJ Maxx, Marshalls and HomeGoods.
-http://www.informationweek.com/news/showArticle.jhtml;jsessionid?articleID=197001447
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285692-39001093c,00.htm
[Editor's Note (Honan): Will VISA and MasterCard severely reprimand TJX? If not, they will send out the wrong message to other companies and seriously undermine the credibility of the Payment Card Industry Data Security Standard. ]


************************** Sponsored Links: ***************************

1) Disk encryption with SafeGuard(R) Easy software provides the ultimate in laptop security.
http://www.sans.org/info/3261

2) Do you like to study on your own schedule? Want to save money on travel costs? Check out SANS OnDemand online training.
http://www.sans.org/info/3266

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Dutch Spammer Fined (3 & 2 February 2007)

An unidentified Dutch man has been fined 75,000 Euros (US $97,000) for sending more than nine billion spam emails. The Dutch telecom regulator OPTA said that nine billion is a low estimate and that the man used hundreds of proxies and earned more than 40,000 Euros (US $52,000) from his spam operation.
-http://www.theage.com.au/news/security/dutch-spammer-sent-9-billion-emails/2007/02/03/1169919576491.html
-http://www.theregister.co.uk/2007/02/02/dutch_spammer_fined/print.html

Duracell Employee Pleads Guilty to Stealing Trade Secrets (2 February 2007)

Former Duracell employee Edward Grande has pleaded guilty to one count of stealing trade secrets. According to court documents and records, Grande downloaded research about Duracell AA batteries to his computer; he then sent the information to two rival companies. Both companies reportedly sent the information back to Duracell; neither had solicited the information from Grande. When he is sentenced, Grande could face up to 10 years in prison and a fine of as much as US $250,000.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/02/02/AR2007020200906_pf.html

MySpace Worm Creator Sentenced (1 February 2007)

The man believed to be responsible for a worm attack on MySpace.com in October 2005 has pleaded guilty to a felony charge for his actions. Samy Kamkar was sentenced to three years of probation and 90 days of community service for "what is believed to be the first self-propagating cross-site scripting worm." Kamkar used Asynchronous JavaScript and XML (AJAX) to carry out his attack. Kamkar must also pay restitution to MySpace and is prohibited from using the Internet for an unspecified length of time.
-http://www.scmagazine.com/us/news/article/630543/myspace-superworm-creator-sentenced-probation-community-service/
-http://www.theinquirer.net/default.aspx?article=37422
-http://www.techspot.com/news/24226-myspace-speaks-about-samy-kamkars-sentencing.html

[Editor's Note (Schultz): Punishment for computer crime needs to fit the crime. A punishment of three years of probation and 90 days of community service for all the trouble this person has caused thus seems terribly inappropriate. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Data Security Breach Exposes Workers' Comp Info. in Mass. (1 February 2007)

The Massachusetts Department of Industrial Accidents (DIA) has acknowledged a data security breach that exposed personally identifiable information, including Social Security numbers (SSNs), of as many as 1,200 individuals who had submitted workers' compensation claims. A former contractor allegedly accessed the database with the intent of stealing the information; the worker was fired and charged with identity fraud. Three people have reported that their information was misused. DIA has sent notification letters to the people whose data were compromised.
-http://www.boston.com/business/ticker/2007/02/workers_comp_da.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Vista Speech Recognition Could be Exploited to Delete Files (2 & 1 February 2007)

The speech recognition feature in Microsoft Vista could be exploited to tell a PC to delete files or folders. Because the new operating system responds to vocal commands, there has been concern that malicious audio files from web sites or email could tell the computer to execute commands without the user present. Microsoft says the problem is not especially worrisome because "for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured ... [and] the system would need to have speakers and a microphone installed and turned on." Microsoft also says that users would be likely to be in the room to hear the malicious file being played; other difficulties attackers would have to overcome include speaker and microphone placement and the audio file's clarity of diction. Internet Storm Center coverage:
-http://isc.sans.org/diary.html?storyid=2148
-http://news.bbc.co.uk/2/hi/technology/6320865.stm
-http://www.theregister.co.uk/2007/02/01/vista_voice_recognition_attack/print.html
-http://www.itnews.com.au/newsstory.aspx?CIaNID=45253
[Editor's Note (Schultz): This kind of vulnerability was first identified in Macintosh systems many years ago. Microsoft is correct--the likelihood that this vulnerability could and would be exploited in real-world settings is small. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

CDC Podcast Site Infected with Malware (5 February 2007)

The Centers for Disease Control and Prevention (CDC) has temporarily shut down its podcast site after the Atlanta-based agency became aware that attackers had planted malicious code on the site. CDC officials do not believe any sensitive information was compromised, but they are encouraging people who have visited the site to scan their PCs for malware. The malware reportedly "entered the system on Thursday (February 1)."
-http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/16626841.htm
[Editor's Note (Multiple): These stories illustrate why it is important for organizations to have email security and web filtering software that checks web traffic for computer viruses and other malware. ]

Superbowl Sites Infected with Malware (5 & 2 February 2007)

At least two web sites that were likely to have been visited by football fans in the days before the Superbowl have been discovered to contain malicious code that can infect users' computers with keylogging and Trojan horse programs. The malware exploits two known Windows vulnerabilities; patches for these flaws were released in April 2006 and January 2007. The Dolphin Stadium web site has reportedly been cleansed. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2151
-http://www.theregister.co.uk/2007/02/05/superbowl_trojan/print.html
-http://www.eweek.com/print_article2/0,1217,a=200254,00.asp
-http://www.vnunet.com/vnunet/news/2174135/super-bowl-host-website-hacked
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010164

[Editor's Note (Northcutt): Once again, the Internet Storm Center played a significant role in managing the response to these events. I expect to see much more sophisticated attacks at future Superbowls or other uber-news-worthy events. You can make a difference in response time, if you are willing to contribute your log files. The 6,000 sites that participate empower the storm center to deal with events such as these:
-http://isc.sans.org/diary.html?storyid=2166]

Michigan Tax Preparer's Computer Stolen (2 February 2007)

A computer stolen from a tax preparer's office in Cassopolis, Michigan holds tax records for 800 people. Evidence suggests that thieves broke into the office in the early morning hours and took the computer, leaving behind cash and checks. The tax preparer is offering a US $5,000 reward to help catch the perpetrators. The information includes SSNs and bank routing numbers. The tax preparer has clients from Michigan, Indiana, Ohio, Virginia, Illinois and Washington.
-http://www.wndu.com/news/headlines/5530966.html
[Editor's Note (Honan): It is worrying that the thieves appeared to only target the computer in this case. Leaving behind cash and other valuables clearly indicates that thieves are becoming more aware of the value of the information that computers contain. Companies of all sizes need to take a serious look at how they protect customer information using encryption. ]

MISCELLANEOUS

Researchers Hope to Vindicate Teacher by Demonstrating Spyware was Responsible for Offensive Images on Classroom Computer (2 February 2007)

Researchers are teaming up to prove that the conviction of a substitute teacher for allowing students to see pornographic pop-up ads was based on "a lack of understanding of the technology involved." While prosecutors maintain that Julie Amero clicked on pornographic links that caused the offending pop-ups to appear on the computer, other evidence indicates the computer in question was a "Windows 98 SE machine with IE 5 and an expired antivirus subscription" and was infested with spyware. In addition, because Amero was a substitute, another teacher had logged in to the computer and Amero was instructed not to log out or turn the machine off. "Both the prosecutor ... and Amero's attorney ... declined to comment for this story."
-http://www.securityfocus.com/news/11440

Destroyed Hard Drives a Catch-22 (2 February 2007)

Former Arkansas governor Mike Huckabee has been hit with an ethics complaint for destruction of state property; Huckabee had computer hard drives from four servers and 83 PCs destroyed before he left office. Huckabee spokesperson Alice Stewart says the governor was acting on "recommendations from the Department of Information Systems (DIS) to destroy the hard drives." Huckabee stated in an email to Computerworld, "This is not about destroying state property, this is about honoring our obligation to protect the privacy of the thousands of people who had personal data on those hard drives." Arkansas DIS director Claire Bailey said they "backed up information from the servers but not the PCs, and gave the backup tapes to Huckabee's former chief-of-staff." Tampering with public records is a Class D felony in Arkansas. The Arkansas attorney general's office "is reviewing the situation to determine whether any laws were broken."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=government&articleId=9010162&taxonomyId=13&intsrc=kc_top

[Editor's Note (Schultz): I am confident that issues such as this one are likely to become increasingly prominent over the next few years. Destroying sensitive data that could fall into unauthorized hands seems like a "no-brainer," yet legal statutes often require the retention of such information. ]

February 6 is Safer Internet Day (3 February/29 January 2007)

February 6 is Safer Internet Day 2007. The focus this year is on child safety and mobile phones. Safer Internet Day will be observed by more than 40 countries worldwide. A worldwide blogathon will start in Australia and move westward around the earth, ending in the US and Canada. There is also a competition for students to create Internet safety awareness materials on e-privacy, netiquette and the power of image. This is the fourth Safer Internet Day.
-http://www.siliconrepublic.com/news/news.nv?storyid=single7696
-http://www.vnunet.com/vnunet/news/2149723/eu-sponsors-safer-internet-day
-http://europa.eu.int/information_society/activities/sip/index_en.htm
[Editor's Note (Honan): This effort should be fully supported and lauded by all. ]


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/