SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #12

February 09, 2007

TOP OF THE NEWS

DNS Servers Weather DDoS Attack
Senators Introduce (Better) Data Privacy and Security Act
UK to Increase Punishment for Convicted Data Thieves

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
German Court Says Police May Not Place Spyware on Suspects' PCs
Coroner Allegedly Shared 911 Web Site Log-on Credentials with Journalists
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US President's Proposed FY 2008 Budget Seeks Increase in IT Spending
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
February Security Update Will Include 12 Bulletins
Trend Micro Patches Flaw in Anti-Virus Scanning Engine
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Backup Tapes Hold Johns Hopkins Employee and Patient Data
Univ. of Nebraska-Lincoln Data Exposed
Computer Taken from State Auditor's Home
MISCELLANEOUS
Mass. AG Leading Probe of TJX Breach
IMF Hard Drives Stolen in Azerbaijan

---

*********************** Sponsored By Symark Software ********************

How do you meet compliance and guard against insider threat at the same time? PowerBroker and PowerKeeper are compliance-based solutions that centralize systems administration while creating and enforcing strong privileged password and security policies. Granular, dynamic password management and audibility ensure a secure access control infrastructure. Sign up for a FREE 30 day trial with full technical support today.
http://www.sans.org/info/3301

*************************************************************************

Register today for SANS2007 in San Diego to get a place in one of the 56 immersion courses. Here are the Top 10:
1. SANS Security Essentials Bootcamp Style
2. Hacker Techniques, Exploits & Incident Handling
3. Intrusion Detection In-Depth
4. System Forensics, Investigation & Response
5. Assessing and Securing Wireless Networks
6. Securing Windows
7. Auditing Networks, Perimeters & Systems
8. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
9. Perimeter Protection In-Depth
10. Cutting-Edge Hacking Techniques - Hands On

In San Diego: http://www.sans.org/sans2007/
Or study at home or in your own city or in courses at your university:
www.sans.org

*************************************************************************

---

TOP OF THE NEWS

DNS Servers Weather DDoS Attack (7 February 2007)

DNS servers were the targets of a distributed denial-of-service (DDoS) attack over a 12-hour period on Tuesday, February 6. While there was "minor degradation of service" the attack had no significant impact. Investigators are trying to find out where the attacks came from. Internet Storm Center Coverage:
-http://isc.sans.org/diary.html?storyid=2184
-http://dnsmon.ripe.net/dns-servmon/domain/plot?domain=root&day=5&month=2
&year=2007&hour=16&period=48h&plot%2F=SHOW---
-http://www.us-cert.gov/current/current_activity.html#dnsanom
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=43105
-http://www.washingtonpost.com/wp-dyn/content/article/2007/02/06/AR2007020601563_
pf.html
-http://news.bbc.co.uk/2/hi/technology/6338261.stm
-http://www.informationweek.com/showArticle.jhtml?articleID=197004237&cid=RSS
feed_TechWeb
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9010619&source=NLT_PM&nlid=8
-http://www.theregister.co.uk/2007/02/07/root_server_attack/print.html
[Guest Editor's Note (Mike Poor): The information that is publicly available, and reliable, show a sustained attack of over 12 hours against the root servers, particularly against G (maintained by the DOD), and L (maintained by ICANN). According to US-Cert, the attacks consisted of floods of malformed packets. The root server architecture allowed the systems to weather the attack and not impact the Internet. The last major attack against the root servers was in October of 2002. (
-http://d.root-servers.org/october21.txt
)
(Ullrich): Most of the attack sources came from Asia. Many of the DNS servers use Anycast to maintain multiple geographically diverse servers. In this case, Anycast worked nicely to contain the attacks to the geographic area from which the attack originated. The three DNS servers which experienced the most significant outage did not use Anycast. ]

Senators Introduce (Better) Data Privacy and Security Act (6 February 2007)

On Tuesday, February 6, US Senators Patrick Leahy (D-Vt.) and Bernie Sanders (I-Vt.) introduced legislation aimed at protecting citizens' personal information. The Personal Data Privacy and Security Act of 2007 would impose more stringent penalties for identity theft and would require entities that keep personal data to disclose data security breaches to the FBI and the Secret Service within 14 days of the occurrence. The disclosure to government agencies must also precede notification of consumers. Those who willfully or intentionally conceal a breach could face fines or prison sentences of up to five years.
-http://jurist.law.pitt.edu/paperchase/2007/02/leahy-introduces-new-bill-to-comba
t.php
-http://news.zdnet.com/2102-1009_22-6156904.html
-http://www.forbes.com/feeds/ap/2007/02/06/ap3400992.html
-http://www.internetnews.com/security/article.php/3658296
[Editor's Note (Paller): The business lobby had persuaded the old Congress that they should pass a law that didn't protect consumers and, in fact, removed protection that the states had provided. From a cybersecurity perspective, reducing the consumer protection would also reduce top management focus on protecting consumer information and lead to much worse security. No redeeming value in it other than bigger bonuses for the Washington business lobbyists. Leahy and Sanders' law is MUCH better.
(Schultz): This proposed legislation constitutes a big step forward in protecting the US public against identity theft attempts resulting from data security breaches. I hope that there is public uproar if this legislation does not pass. ]

UK to Increase Punishment for Convicted Data Thieves (7 February 2007)

The UK Department for Constitutional Affairs says it will impose jail sentences of up to two years for individuals convicted of stealing personal data. The move is aimed at deterring private investigators who have been trafficking in such information.
-http://www.theregister.co.uk/2007/02/07/jail_data_rats/print.html

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

German Court Says Police May Not Place Spyware on Suspects' PCs (6 & 5 February 2007)

Germany's Federal Court of Justice has ruled that police may not use Trojan horse programs to access suspects' computers. The court's ruling says that gaining access to suspects' computers without authorization is not the same as searching a home or tapping telecommunications. The court ruled that legal searches are conducted in the presence of the suspect or a witness while wire-tapping is monitoring live communication, not looking at stored information. However, it is likely that German Interior Minister Wolfgang Schauble will introduce legislation that will allow covert police searches of suspects' computer hard drives and Internet access records in certain circumstances.
-http://www.theregister.co.uk/2007/02/06/german_police_trojan_unlawful/print.html
-http://www2.csoonline.com/blog_view.html?CID=28602
-http://www.theinquirer.net/default.aspx?article=37447
-http://www.dw-world.de/dw/article/0,2144,2337932,00.html

Coroner Allegedly Shared 911 Web Site Log-on Credentials with Journalists (5 February 2007)

The Pennsylvania Attorney General's Office has filed charges against Lancaster County (PA) Coroner G. Gary Kirchner for allegedly providing newspaper reporters with his password to the 911 system's confidential web site. Five reporters from the Lancaster Intelligencer Journal gave testimony before a grand jury after they were granted immunity from prosecution. Investigators searched four computer hard drives in the newspaper's newsroom and found that the 911 site was accessed with Kirchner's username and password from newspaper offices 57 times.
-http://www.phillyburbs.com/pb-dyn/news/103-02052007-1294444.html
-http://www.whptv.com/news/local/story.aspx?content_id=d7159824-f690-4be8-b40d-38
7d95b94504
[Editor's Note (Schultz): Whether or not Mr. Kirchner has indeed shared the password to the web site in question is a serious issue. However, one must also question why only a password is necessary to gain access to this sensitive site given that the use of passwords is fundamentally unsafe in the first place.
(Honan): This story demonstrates how fragile security is when depending on passwords alone. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

US President's Proposed FY 2008 Budget Seeks Increase in IT Spending (8 & 7 February 2007)

President Bush has requested $65.5 billion for federal IT spending for fiscal 2008 budget, a 2.6 percent increase over last year's IT budget. Office of Management and Budget (OMB) administrator for electronic government and information technology Karen Evans says that agencies that have not demonstrated attention to cyber security may not get as much money as others; Evans said, "This year we're really focused on making sure agencies are delivering results ... and are really executing now on the activities they said they are going to do." The budget includes a "watch list" of IT projects that have not been well managed or have proven vulnerable to cyber attackers.
-http://news.com.com/2102-1028_3-6157346.html?tag=st.util.print
-http://www.washingtonpost.com/wp-dyn/content/article/2007/02/07/AR2007020702398_
pf.html
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=43106
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9010780&source=rss_topic17
[Editor's Note (Kreitner): With its $65.5 Billion of procurement leverage, federal agencies buying systems have a huge opportunity to advance the ambient level of federal information security by requiring system vendors to deliver systems configured for adequate security and requiring system integrators to deliver applications that function on hardened OS and middleware platforms. Agencies should also require the capability to sustain properly secured software images after operational deployment. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

February Security Update Will Include 12 Bulletins (8 February 2007)

Microsoft has announced that it will release 12 security updates on Tuesday, February 13. At least four of the bulletins will carry a severity rating of critical. Five of the bulletins will address flaws in Windows, two will address flaws in Office and one will address flaws in both Windows and Office. The other bulletins address flaws in Visual Studio, Step-by-Step Interactive raining, Microsoft data Access Components and Microsoft's anti-virus products. Some of the updates may require restarts.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9010900&source=rss_topic17
-http://news.com.com/2102-1002_3-6157698.html?tag=st.util.print
-http://www.microsoft.com/technet/security/bulletin/advance.mspx

Trend Micro Patches Flaw in Anti-Virus Scanning Engine (8 February 2007)

Trend Micro has issued a patch for a critical buffer overflow vulnerability in its anti-virus scanning engine. The flaw could be exploited by manipulating the engine into processing a maliciously crafted UPX compressed executable file. This could in turn allow attackers to crash or take control of unpatched computers. The flaw affects "virtually every Trend Micro product." The patch fixes the UPX parsing algorithm and provides detection for malicious UPX files. The fix has already been pushed out to users who have automatic updating enabled. There are no reported exploits at this time.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9010878&source=rss_topic17
-http://news.com.com/2102-1002_3-6157554.html?tag=st.util.print
[Editor's Note (Ullrich): UPX is one of the favorite "packers" used by malware to hide itself from virus checkers. It is critical for AV software to understand these packers and sad to see that even a simple and old one like UPX can not be implemented correctly. It is yet more evidence demonstrating signature-based AV hitting a dead end.
(Skoudis): There was a major set of these kind of flaws back in Feb 2005 that hit a lot of anti-virus vendors. And, with the number of different packing schemes used by malware proliferating today, and the apparent difficulty of properly managing memory while unpacking, I expect to see lots more of this kind of flaw in the future... especially the near future. These issues tend to come in batches, where "researchers" find one flaw like this in one AV tool, and then other researchers find and publicize similar flaws in other vendor products shortly thereafter. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Missing Backup Tapes Hold Johns Hopkins Employee and Patient Data (7 February 2007)

Nine computer backup tapes are missing from Johns Hopkins University and Johns Hopkins Hospital. The tapes were supposed to be returned by a contractor who performs data backups. The tapes hold payroll data, including Social Security numbers (SSNs) and some bank account numbers for 52,000 current and former Johns Hopkins employees, as well as less sensitive data about 83,000 hospital patients. Officials say there is no evidence that the tapes were stolen; it is likely they were delivered to the wrong location or mistaken for trash and destroyed. The university is notifying people affected by the data security breach by letter and email.
-http://www.wmdt.com/wires/displaystory.asp?id=58386284
-http://www.washingtonpost.com/wp-dyn/content/article/2007/02/07/AR2007020701004_
pf.html

Univ. of Nebraska-Lincoln Data Exposed (7 February 2007)

The SSNs of 72 University of Nebraska-Lincoln (UNL) students, faculty and staff were inadvertently posted on the university's public web site; the information had been accessible for more than two years when the problem was discovered earlier this week. The university sent notification letters to those affected by the data security breach. A similar incident occurred at UNL less than a year ago. In March 2006, the university discovered that the SSNs, email addresses and GPAs of nearly 350 engineering students had been accidentally posted to the web. The university periodically scans its web site for SSNs; the numbers exposed in the latest incident were not caught because they did not contain the usual two dashes that normally appear in the numbers.
-http://www.omaha.com/index.php?u_page=1000&u_sid=2326625

Computer Taken from State Auditor's Home (5 February 2007)

A laptop computer stolen from the Glens Falls home of a New York Department of Labor unemployment auditor holds personally identifiable information of more than 500 individuals employed by 13 businesses in and around the Albany area. The state Department of Labor has sent notification letters to people affected by the breach and is reviewing its policies regarding employees taking work home.
-http://poststar.com/articles/2007/02/06/news/doc45c8abf57b7ae609243186.txt
-http://www.wnyt.com/x11919.xml?ag=x995&sb=x183

MISCELLANEOUS

Mass. AG Leading Probe of TJX Breach (8 & 7 February 2007)

Massachusetts Attorney General Martha Coakley is leading a probe of the security data breach at TJX Companies. Coakley "is heading up a group of more than 30 states" in an attempt to get answers from the company about "what security measures
[it ]
took to protect consumer information." Among the issues the probe will focus on is the one-month lag between discovery of the breach and its public disclosure and the fact that the attacks began in May 2006 but were not discovered until the middle of December. The probe will also examine ways in which TJX can compensate victims of identity fraud and help them clear up ensuing problems. Rhode Island is pursuing a separate investigation of TJX.
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomy
Name=cybercrime_and_hacking&articleId=9010884&taxonomyId=82&intsrc=k
c_top
-http://www.eweek.com/print_article2/0,1217,a=200603,00.asp

IMF Hard Drives Stolen in Azerbaijan (6 February 2007)

Police in Baku, Azerbaijan are investigating the apparent theft of four computer hard drives from the office of the International Monetary Fund in that city. The drives contain financial, personnel and research files and "the fund's primary database of information for its operations" in Azerbaijan.
-http://www.abcmoney.co.uk/news/06200718804.htm

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/