SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #16
February 23, 2007
Five days left before the early registration deadline for SANS 2007 - the largest security training conference - in San Diego at the end of March. Complete agenda (53 courses):
http://www.sans.org/sans2007/event.php
TOP OF THE NEWS
DHS Still Has Long Road Ahead to Securing Data
Google Repairs Cross-Site Scripting Flaw in Google Desktop
Proposed Legislation in Mass. Would Shift Data Loss Costs to Retailers
TJX Intrusion Began in July 2005
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Man Pleads Guilty in Spam Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
TSA Web Site Lacks Security Measures
POLICY & LEGISLATION
Draft Amendment in Sweden Would Criminalize DDoS Attacks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Buffer Overflow Flaw in Snort
Cisco Routers Vulnerable to Drive-by Pharming Attacks
Malicious eMail Pretends to be News of Australian Prime Minister
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Georgia Tech Employee Data Compromised
Stolen Laptop Holds Patient Information
Stop & Shop Acknowledges Card Reader Tampering
TOP OF THE NEWS
DHS Still Has Long Road Ahead to Securing Data (21 February 2007)
According to a report from Department of Homeland Security (DHS) inspector general (IG) Richard Skinner, the agency still has a long way to go to implement security controls that will help protect sensitive data and personally identifiable information. The report evaluated DHS on its implementation of the Office of Management and Budget (OMB) Memorandum 06-16, Protection of Sensitive Agency Information. DHS has developed policies and has started to identify and "protect" systems that hold sensitive information. However, the majority of mobile devices, including laptop computers, have not been encrypted. The IG has also expressed concern that DHS has not taken steps to protect systems that can be used by remote users.
-http://www.fcw.com/article97725-02-21-07-Web&printLayout
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_07-24_Jan07.pdf
Google Repairs Cross-Site Scripting Flaw in Google Desktop (22 & 21 February 2007)
Google has fixed a cross-site scripting vulnerability in Google Desktop that could allow attackers to access files and, in some cases, gain control of vulnerable machines. Google Desktop allows users to employ Google's searching and indexing technology to quickly find information on their own computers. Google says there is no evidence the flaw was exploited. Users do not need to take any steps to protect their machines, as the software update is performed automatically.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011630&source=rss_topic17
-http://www.theregister.co.uk/2007/02/21/google_desktop_search_bug/print.html
-http://www.usatoday.com/tech/news/computersecurity/2007-02-21-google-security-patch_x.htm?csp=34
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61991428-39000005c
-http://www.techworld.com/applications/news/index.cfm?newsID=8093&pagtype=samechan
[Editor's Note (Skoudis): This is the second big Cross-Site Scripting (XSS) flaw this week, and I strongly believe this is only the tip of this rather large iceberg. Given the seriousness and widespread nature of these flaws, it surprises me that more IT and even infosec pros aren't very familiar with Cross-Site Scripting. I think the name "Cross-Site Scripting" throws people a bit, sounding rather innocuous. It's anything but. I sometimes call these "reflected" script attacks to help illustrate what's happening. A bad guy injects or gets you to inject malicious scripts into a web application, which reflects them back into your browser, where they run. When they run in your browser, they do anything you can do in that web app, such as (in this Google example) access your files and send them to attackers.
(Pescatore): Google is saying "trust us, it is fixed automatically, nothing bad happened". That is not a sufficient answer if Google intends to be an enterprise software (or software as a service) provider. There are many, many problems that occur (security is just one) when consumer grade products are put to use where enterprise class products are needed or expected.
(Honan): Exploit code is available for this vulnerability, see
-http://www.us-cert.gov/current/current_activity.html#ggledxss]
Proposed Legislation in Mass. Would Shift Data Loss Costs to Retailers (22 & 20 February 2007)
Massachusetts bankers are lobbying for legislation that would place the burden of paying for the costs of cleaning up data security breaches on retailers and other entities that fail to keep the information secure. Currently, banks are forced to absorb the costs of credit card fraud, which was estimated to be US $2 billion last year. Retailers counter that the change would increase banks' profits, but do little to protect consumers. Jon B. Hurst, president of the Retailers Association of Massachusetts, says there are already policies in place that let banks recoup losses incurred when data are mishandled; furthermore, banks charge retailers a percentage of their sales, presumably in part to help cover the cost of fraud. Massachusetts Bankers Association spokesperson Bruce E. Spitzer pointed out that not even one-third of major retailers are in compliance with credit card security standards. The legislation would affect any entity doing business in Massachusetts, regardless of where that business is based.
-http://www.boston.com/business/globe/articles/2007/02/20/bill_targets_retailers_for_costs_to_fix_data_thefts?mode=PF
-http://online.wsj.com/public/article/SB117211275783215723-aH17xXK5QiR2rZncblC6wDttYlA_20070323.html?mod=tff_main_tff_top
[Editor's Note (Pescatore): The burden already falls quite heavily on the retailers, which is well-deserved. I think absolving the banks of any financial responsibility would be a major step in the wrong direction - they still need to greatly improve their end of the credit card transaction security.
(Schultz): The ongoing debate concerning who should pay for costs resulting from fraud and data security breaches--banks, retailers, or customers--is not likely to be genuinely resolved anywhere in the near future. It seems to me that the proper solution would be to place the responsibility on whoever is responsible for such security incidents. If, for example, a retailer provides insufficient security and an incident results, the retailer should have to pay the associated costs. The same applies to customers who are negligent in their security practices, as evidenced by actions such as sharing their passwords and PIN numbers with others.
(Honan): This proposal by the banks may indicate that the PCI Standard is not being enforced effectively. However, regardless of whether retailers adhere to the PCI Standards or not, banks are best placed to detect fraud on consumer accounts and are adequately compensated by their charges to do so. Trying to spread responsibility for the issue will not protect the consumer. ]
TJX Intrusion Began in July 2005 (22 February 2007)
TJX now says that the intrusion that compromised customers' personal and financial information began nearly one year earlier than first believed. Initially, TJX said the breach occurred between May 2006 and January 2007; now the company believes the system was breached as far back as July 2005 and accessed a number of times since then.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/02/21/AR2007022102039_pf.html
[Editor's Note (Boeckman): No matter how bad an incident looks at first glance, the reality of it is usually far worse. ]
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Man Pleads Guilty in Spam Case (21 & 9 February 2007)
Joshua Eveloff has pleaded guilty to sending spam that advertised software capable of stealing passwords. Eveloff admitted spoofing information to make it appear the messages came from someone else. The FBI became involved in the case in 2004 when a Florida company reported its systems had been used to send 1.5 million messages in a six-hour period. Eveloff will be sentenced in April, when he could face up to three years in prison and a US $250,000 fine. A second man involved in the case pleaded guilty to related charges in January.
-http://www.smh.com.au/news/Technology/Man-admits-sending-millions-of-spam-emails-that-offered-to-stealpasswords/2007/02/21/1171733812028.html#
-http://www.guardian.co.uk/worldlatest/story/0,,-6402955,00.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
TSA Web Site Lacks Security Measures (21 February 2007)
A Transportation Security Administration (TSA) web site established to help people who have been prevented from boarding a flight because their names match a name on the "no-fly" list appears to the trained eye to have several of the hallmarks of a spoofed site. The site looks like a TSA page, but is actually a subdomain of a web design company. The online form lacks an OMB number which is required on every federal form that requests personal data. The site is "rife with" misspellings and odd capitalizations. People were asked to provide names, dates of birth, driver's license numbers and passport numbers over an unsecure link. The site has reportedly been moved to a secure server. However, it is still outsourced and still uses cookies, contrary to federal policy.
-http://www.theregister.co.uk/2007/02/21/tsa_website_snafu/print.html
-http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html
-http://blog.washingtonpost.com/securityfix/2007/02/tsa_not_living_up_to_its_middl_1.html
[Editor's Note (Schmidt): Two things come to mind with this news: 1) Another case where the INMATES are running the asylum and 2) When will there ever be accountability to the leadership for failing to insure basic security practices are developed AND deployed. We have seen cases like this for almost 10 years yet we still see little oversight in the use of basic best practices. ]
POLICY & LEGISLATION
Draft Amendment in Sweden Would Criminalize DDoS Attacks (22, 20 & 19 February 2007)
Beginning June 1, 2007, launching distributed denial-of-service (DDoS) attacks could become a criminal offense in Sweden. People convicted under the proposed law could face prison sentences of up to two years. Prior to the amendment, there were no specific laws against such attacks in Sweden and current "legislation is deemed insufficient." The penalties would apply whether the attack is carried out manually or automatically. Conspiracy to conduct an attack could also become a punishable offense.
-http://www.thelocal.se/6460/20070219/
-http://www.vnunet.com/vnunet/news/2183918/sweden-punish-dos-attacks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Buffer Overflow Flaw in Snort (22 & 19 February 2007)
A buffer overflow flaw in Snort intrusion detection software could be exploited to run arbitrary code remotely and possibly access data in vulnerable systems. Affected products include but are not necessarily limited to Snort 2.6.1, 2.6.1.1, and 2.6.1.2; Snort 2.7.0 beta 1; Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6x with updates prior to SEU 64; and Sourcefire Intrusion Sensors for Crossbeam versions 4.1.x, 4.5.x and 4.6x with SEUs prior to SEU 64. Users are encouraged to upgrade to Snort 2.6.1.3, which is not affected by the flaw. Users can also protect themselves by disabling the DCE/RPC preprocessor.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61991419-39000005c
-http://www.us-cert.gov/cas/techalerts/TA07-050A.html
[Editor's Note (Skoudis): This is a pretty serious issue, and I urge you to upgrade. Disabling the DCE/RPC preprocessor will prevent exploitation of the flaw, but at the cost of making your sensors blind to some very serious attacks. Thus, the "work-around", in my opinion, is a very bad thing in most environments. Bite the bullet and upgrade, please.
(Schmidt): Failure to develop secure applications continues a black eye on the entire development and it is even worse when basic secure code analysis is not used on "security" applications. ]
Malicious eMail Pretends to be News of Australian Prime Minister (20 February 2007)
Users who click on a link in a bogus email claiming that Australian Prime Minister John Howard has suffered a heart attack could find their computers infected with malware. When they click on the link claiming to be a news story providing more detail, users are directed to a site that downloads the malware and then to a regular "404 page not found" error page. The malware logs users' keystrokes and could provide attackers with sensitive information, such as log-in details for bank accounts.
-http://software.silicon.com/malware/0,3800003104,39165872,00.htm
-http://www.theaustralian.news.com.au/story/0,20867,21257632-1702,00.html
-http://www.itnews.com.au/newsstory.aspx?CIaNID=46125
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Georgia Tech Employee Data Compromised (21 February 2007)
Georgia Tech has acknowledged that a cyber intruder may have had access to the personal information of approximately 3,000 current and former employees. The compromised data include names, addresses and Social Security numbers (SSNs) as well as several hundred state purchasing card numbers. The school is contacting all those affected by the breach. The Georgia Bureau of Investigation and the FBI have been notified of the incident.
-http://atlanta.bizjournals.com/atlanta/stories/2007/02/19/daily20.html?t=printable
Stolen Laptop Holds Patient Information (20 February 2007)
A laptop computer stolen from the offices of Seton Healthcare Network in Austin, Texas contains the personal information of approximately 7,800 uninsured patients who have visited Seton emergency rooms, outpatient services and health clinics since July 1, 2005. The data include names, dates of birth and SSNs. Seton will begin notifying affected patients by letter this week.
-http://www.statesman.com/news/content/news/stories/local/02/20/20laptop.html
[Editor's Note (Kreitner): These stolen laptop episodes could go away with enterprise adoption of a simple and seriously enforced policy of "No personal information on laptops unless it is encrypted". Lose the laptop with unencrypted personal data; lose your job. Irresponsible enterprise management is the source of too many of our self-inflicted security problems.
(Schmidt): You would think with report after report about portable media being stolen or lost that use of whole disk encryption would be a standard by now. As Orson Swindle (Former FTC commissioner) used to say: "If you do not secure your data there will be an FTC in your life". While there have been some large fines levied against major corporations the FTC might want to consider setting some examples of others to "convince" others that the time has LONG passed to encrypt your data. ]
Stop & Shop Acknowledges Card Reader Tampering (19 February 2007)
Stop & Shop said that a number of checkout counter credit card readers were tampered with, allowing thieves to steal credit and debit card data. Confirmed data thefts took place at stores in Coventry and Cranston RI, and machines at four other stores also appeared to have been tampered with.
-http://www.boston.com/business/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/
CORRECTION
In Tuesday's NewsBites, we provided incorrect URLs for NIST documents. The correct URLs are:
http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf
We regret any inconvenience this may have caused.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.