SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #14

February 16, 2007

For organizations moving to or testing Vista. Have you discovered any important application that won't work under Microsoft Vista's SSLF (secure configuration)? Nearly all leading vendors that sell to the federal government have begun testing their applications on SSLF and early data show they work fine (with exceptions that seem to be caused by less skilled developers rather than real conflicts). Apparently several agencies will soon stop buying any application not certified to work on SSLF even if it would now be installed on XP. If you have found any application that won't work, or that forces changes in SSLF in order to work, please email me at paller@sans.org. We'll try to figure out whether it is real incompatibility or just programmers who are taking short cuts. Organizations that buy applications that work under SSLF will see significantly improved security and their security costs will fall.

Alan

---

TOP OF THE NEWS

Chinese Cyber Attacks on DOD Networks Are Relentless
Zero-Day Word Flaw Exploited in Targeted Attack
Nationwide Building Society Fined Over Stolen Laptop

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Arrested for Writing Malware Will Create Fix
Sandia Analyst Wins Wrongful Termination Suit
Man Sentenced for Stealing Data from American College of Physicians Site
POLICY & LEGISLATION
Singapore Parliament Hears Spam Bill
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Belgian Court Upholds Copyright Judgment Against Google
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Releases a Dozen Security Updates
Cisco Issues Two Security Advisories
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Citibank Korea Requests Credit Card Fraud Investigation
Stolen Computer Holds Kaiser Permanente Patient Information
Patient Registration Computer Stolen from Maryland Hospital

---

************************** Sponsored By SANS ****************************

Interested in retaining the knowledge from your live SANS training? We've got a solution for you, OnDemand's online training Bundles! This is a tactical study tool that uses a combination of learning techniques to reinforce the concepts taught in the course. For more information please email ondemand@sans.org or call(301)654-7267.

*************************************************************************

Register today for SANS2007 in San Diego to get a place in one of the 56 immersion courses. Here are the Top 10:
1. SANS Security Essentials Bootcamp Style
2. Hacker Techniques, Exploits & Incident Handling
3. Intrusion Detection In-Depth
4. System Forensics, Investigation & Response
5. Assessing and Securing Wireless Networks
6. Securing Windows
7. Auditing Networks, Perimeters & Systems
8. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
9. Perimeter Protection In-Depth
10. Cutting-Edge Hacking Techniques - Hands On

In San Diego: http://www.sans.org/sans2007/
Or study at home or in your own city or in courses at your university:
www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Chinese Cyber Attacks on DOD Networks Are Relentless (13 February 2007)

The Naval Network Warfare Command says Chinese hackers are relentlessly targeting Defense Department networks with cyber attacks. The "volume, proficiency and sophistication" of the attacks supports the theory that the attacks are government supported. The "motives
[of the attacks emanating from China ]
... include technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD network for future action."
-http://www.fcw.com/article97658-02-13-07-Web&printLayout

Zero-Day Word Flaw Exploited in Targeted Attack (15 February 2007)

There are reports that a zero-day flaw in Microsoft Word is being used in a highly targeted attack. The buffer overflow vulnerability affects Microsoft Office 2000 and Microsoft Office XP. The attack focused on two employees at a certain organization and attempted, unsuccessfully, to solicit personal and business information. For the attack to be launched, users must be enticed to open a maliciously crafted Office file attachment.
-http://www.informationweek.com/showArticle.jhtml?articleID=197006393&cid=RSS
feed_TechWeb
-http://www.vnunet.com/vnunet/news/2183298/zero-day-word-attack-emerges
[Editor's Note (Paller): We put this in "Top of The News" because it illustrates the primary vector used by the Chinese to penetrate US and allied military sites, by organized criminals to penetrate banks, and in many other catastrophic attacks. Gullible employees (nearly all of whom have attended ineffective security awareness classes) are falling for simple email requests to open attachments or click on bad links. Security officers who don't test their employees to be sure they are immune to these spear phishing attacks are not meeting even a minimum standard of due care. At some point the CEO will ask - who caused this? When that happens the security officer won't be able to hide. These successful attacks against our military (and Commerce and State and other agencies) point a finger directly at the US House Government Oversight and Reform Committee and at OMB who both score agencies on whether federal employees have had awareness training, but don't even ask the important question: does the awareness training work? ]

(Honan): If as the InformationWeek article suggests these attacks were detected by the end users then a large round of applause to that organisation's security awareness program. Hopefully in time they can share it with everyone else. ]

Nationwide Building Society Fined Over Stolen Laptop (14 February 2007)

The UK's Financial Services Authority has fined the Nationwide Building Society GBP 980,000 (US $1.92 million) for failing to "have adequate information security procedures and controls in place." A laptop computer stolen from an employee's home in August 2006 held confidential information of nearly 11 million customers. The employee reported the theft promptly, but neglected to tell the company what data were on the computer until he returned from holiday three weeks later. Nationwide has not said if the person is still in its employ or has been disciplined. The company says the data do not include PINs, passwords or account balance information. A company spokesperson said they have taken measures "to ensure it doesn't happen again." Nationwide informed all affected customers by letter; no customers have lost money.
-http://news.bbc.co.uk/2/hi/business/6360715.stm
-http://www.channel4.com/news/content/news-storypage.jsp?id=27099299
-http://software.silicon.com/security/0,39024888,39165800,00.htm
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285928-39001084c,00.htm
[Editor's Note (Honan): Worryingly Nationwide did not know that confidential information was stored on the lost laptop. If you do not know where your information is then how can you protect it? Data is an asset and should be treated as such with appropriate tracking, controls and management according to the value of the asset. Interesting to note that the fine could have been GBP 1.4m but Nationwide got a 30% discount because they agreed to settle early with the FSA,
-http://www.metro.co.uk/money/article.html?in_article_id=37377&in_page_id=36.
(Schultz): I very much like what The UK's Financial Services Authority has done. Assessing significant fines against organizations that experience data security breaches is an effective way of getting these organizations to pay more attention to data security.
(Kreitner): A financial penalty is a good way to motivate more organizations to pay attention to their security controls. Just sending letters out to people whose information may have been compromised is too easy. ]

---

**************************** Sponsored Link: **************************

1) Join other security professionals at the SANS Laptop Encryption Summit April 23-25 and benefit from an in-depth program aimed at getting you the information you need to protect your sensitive data.
http://www.sans.org/info/3541

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Arrested for Writing Malware Will Create Fix (15, 14 & 13 February 2007)

Chinese police have arrested six men in connection with the Panda Burning Incense virus that spread late last year, infecting over one million PCs in that country. The malware was used to steal gaming and instant messaging account names, which can be traded for money. Five of the men were arrested for updating and spreading the malware. The sixth, Li Jun, is believed to have written and sold the malware earning him approximately 100,000 yuan (US $12,900). Chinese state media is reporting that Li will be permitted to release a fix for the malware.
-http://www.australianit.news.com.au/articles/0,7204,21224325%5E15322%5E%5Enbv%5E
,00.html
-http://www.theregister.co.uk/2007/02/13/panda_worm_arrest/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9011263&taxonomyId=17&intsrc=kc_top
-http://www.shanghaidaily.com/article/?id=306475&type=National

Sandia Analyst Wins Wrongful Termination Suit (14 & 13 February 2007)

Shawn Carpenter, a former Sandia National Laboratories employee, has won a US $4.3 million wrongful termination suit against Sandia. In 2002, Carpenter began detecting attacks on the Sandia computer networks; he alerted several government agencies, including Sandia, the FBI and the Army Research Laboratory. Carpenter used "back-hacking" techniques to trace the attacks back to their origins. Carpenter was fired in January 2005 for insubordination because he refused to comply with orders not to disclose the attacks to anyone either inside or outside Sandia.
-http://www.fcw.com/article97661-02-13-07-Web&printLayout
-http://www.freenewmexican.com/news/56982.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=network_security&articleId=9011283&taxonomyId=142&intsrc=kc
_top
[Editor's Note (Honan): Sandia's approach brings a new meaning to "security by obscurity", hide the problem and it will go away. Unfortunately given the nature and numbers of attacks against key government networks worldwide, ignoring the problem and not sharing details with other agencies will NOT make the problem go away. (Kreitner): A case like this makes you wonder just what percentage of organizations whose systems have been compromised are successful at containing that information.]

Man Sentenced for Stealing Data from American College of Physicians Site (13 February 2007)

William Bailey Jr. has been sentenced to three months in prison for breaking into the American College of Physicians web site and downloading information of 80,000 members during the first half of 2005. Bailey was also sentenced to three years of supervised release and ordered to pay a US $10,000 fine. Bailey operated a company that sold contact information to physicians. The data he took did not include credit-card information or Social Security numbers (SSNs). Bailey already reached a US $150,000 civil settlement with the American College of Physicians.
-http://charlotte.bizjournals.com/philadelphia/stories/2007/02/12/daily17.html

POLICY & LEGISLATION

Singapore Parliament Hears Spam Bill (13 February 2007)

Singapore's Parliament heard the Spam Control Bill earlier this week. If passed, the bill would require marketers to clearly label unsolicited email and SMS messages to indicate that they are advertisements. The marketers must also provide legitimate contact information and a means for the recipients to opt out of receiving messages in the future. Recipients' requests to be removed from distributions lists must be honored within 10 days. Violators could face fines of up to S $25 (US $16.30) per message with a cap of S $1 million (US $652,000).
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61989447-39000005c

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Belgian Court Upholds Copyright Judgment Against Google (14 & 13 February 2007)

A Belgian court upheld an earlier ruling that prohibits Google from using snippets of headlines from a coalition of Belgian newspapers. Copiepresse, the organization that manages the papers' copyrights, maintains that Google is allowing free access to copyrighted content. Copiepresse says it is willing to allow Google to print excerpts from the newspapers for a fee. Google wrote in its official blog "if a newspaper does not want to be a part of Google News, we remove their content from our index. All the newspaper has to do is ask." Google also pointed out that if readers want to view the whole story, they must click through to the publisher's site.
-http://www.theage.com.au/news/biztech/google-loses-copyright-case/2007/02/13/117
1128978006.html
-http://www.vnunet.com/vnunet/news/2183150/belgian-newspapers-claim-final

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Releases a Dozen Security Updates (15 February 2007)

On Tuesday, February 13, Microsoft released 12 security updates addressing 20 remote code execution and elevation of privilege flaws in Microsoft Windows, Internet Explorer (IE), Office, Works, Malware Protection Engine, Visual Studio and Step-by-Step Interactive Training. Six of the bulletins have maximum severity ratings of critical; the other six have maximum severity ratings of important. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2232
-http://news.bbc.co.uk/2/hi/technology/6360433.stm
-http://www.us-cert.gov/cas/techalerts/TA07-044A.html
-http://www.microsoft.com/technet/security/bulletin/ms07-feb.mspx

Cisco Issues Two Security Advisories (14 & 13 February 2007)

Cisco released two security advisories this week. The first advisory addresses multiple vulnerabilities in the firewall services module. The second advisory addresses vulnerabilities in the Cisco IOS Intrusion Prevention System (IPS) feature set. A fragmented packet evasion vulnerability could be exploited to "circumvent the IPS protection built into the affected routers." An ATOMIC.TCP regular expression denial-of-service vulnerability could crash unprotected routers. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2247
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285924-39001093c,00.htm
-http://www.informationweek.com/news/showArticle.jhtml?articleID=197005905
-http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Citibank Korea Requests Credit Card Fraud Investigation (15 February 2007)

Twenty Citibank Korea customers have reported credit card fraud; the bank has asked police to investigate. Initial findings indicate the breach occurred at a company that operates Citibank Korea's electronic payment system. The data thieves used the credit card information to make multiple transactions of less than 300,000 won (US $320) to evade detection. The bank promises to "cover all financial losses caused by the hacking and improve
[their ]
fraud detection system to prevent such a case from reocurring." A total of 50 million won (US $ 53,560) was stolen.
-http://times.hankooki.com/lpage/biz/200702/kt2007021520235611910.htm
-http://news.mk.co.kr/newsReadEnglish.php?sc=30800005&cm=General&year=200
7&no=83542&selFlag=sc&relatedcode=&wonNo=&sID=308

Stolen Computer Holds Kaiser Permanente Patient Information (14 February 2007)

A laptop computer stolen from a Kaiser Permanente Medical Center in Oakland, California contains information of as many as 22,000 patients. The organization is notifying those affected by the theft, which occurred in November 2006. The data include some SSNs. A Kaiser spokesperson said they are implementing new security policies that include encrypting data on electronic devices and prohibiting the storage of large amounts of patient data on any hard drive.
-http://cbs5.com/consumer/local_story_045212622.html
[Editor's Note (Ranum): Barn Door. Horse. Latch. Must get sequence right. Laptops containing patient/customer/account/veteran/top secret information are a problem. Were these guys hibernating under a rock the last two years?
(Paller): Laptop encryption is necessary; nearly every mid-sized and larger organization is planning or implementing it. The risks of doing it wrong are great, however; destruction of data can be devastating. Two surprising sources of critical problems are Windows Safe Mode and older versions of Ghost. These and product selection and implementation issue are what will be covered in the Laptop Encryption Summit in April in San Jose.
-http://www.sans.org/encryptionsummit07/]

Patient Registration Computer Stolen from Maryland Hospital (13 February 2007)

A laptop computer stolen from the St. Mary's Hospital emergency care center in Leonardtown, Maryland, contained unencrypted data of approximately130,000 current and former patients. Some of the affected patients were seen as long ago as 1989. The data include names and SSNs, but not medical or financial information. The laptop was used to register patients who came into the center for treatment. The computer was seen last on December 5, 2006. The hospital has notified patients affected by the data security breach. According to Maryland law, the hospital did not have a legal obligation to disclose the theft because medical records were not compromised. St. Mary's now bolts down laptops used to register patients and links them to the hospital's mainframe so they can be disabled if they are stolen.
-http://www.baltimoresun.com/news/local/bal-te.md.identity13feb13,1,271722,print.
story?coll=bal-home-headlines&ctrack=1&cset=true

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/