SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #22
March 16, 2007
TOP OF THE NEWS
Most Data Breaches Traced to Company ErrorsNIST Bans Vista From its Networks
FTC Investigating TJX
Google Will Anonymyze Some Retained Data
THE REST OF THE WEEK'S NEWS
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSMicrosoft Sues Cybersquatters
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Lawrence Livermore National Lab Not Following DOE Data Wiping Procedures
US National Computer Forensic Institute
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patches Available for Critical Flaw in OpenBSD Kernel
Microsoft Investigating Report of Phishing Hole in IE 7
Mac OS X Update Fixes 45 Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Medical Data Disk Has Been Found
STATISTICS, STUDIES & SURVEYS
Compliance Driving IT Security Budget Increases
MISCELLANEOUS
Indonesia to Monitor Internet Use
Copiers' Hard Drives Retain Document Images
Pump & Dump Revisited
SANS Security Tip of the Day
*********************** Sponsored By Imperva Inc. ***********************
Unwanted Activity Undermining Web Apps? ID Thieves Carting off Customer Data? Learn how to thwart the Top 5 online attacks. Get the latest information for protecting your Web applications against SQL Injection, XSS, cookie tampering, and others. Don't let someone else be you - or your customers. Download white paper now: "Top 5 On-line Identity Theft Attacks".
http://www.sans.org/info/4661
*************************************************************************
SANS Expands Security Training Opportunities
SANS award winning training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand. Complete schedule: http://www.sans.org/training/bylocation/index_all.php
SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************
TOP OF THE NEWS
Most Data Breaches Traced to Company Errors (March 13 & 14, 2007)
A researcher from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders. Phil Howard looked at 550 data breaches that received media coverage between 1980 and 2006. Approximately two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management errors. Less than one-third of the breaches were the work of outside attackers.-http://www.networkworld.com/news/2007/031307-data-breach-companies.html
-http://www.physorg.com/news93000637.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyId=14&articleId=9013142&intsrc=hm_topic
[Editor's Note (Schultz): The results of this research study are by no means new. Many previous studies show that human error accounts for more losses than any single information security-related reason. ]
NIST Bans Vista From its Networks (March 12, 13 & 15, 2007)
The US National Institute of Standards and Technology (NIST) has joined the Department of Transportation (DOT) in banning the use of Microsoft's Windows Vista operating system on internal networks. Both NIST and DOT have concerns about the new operating system's security and its compatibility with other software they use. NIST plans to begin testing Vista in several months, after it has finished encrypting all its laptop computers to comply with government policy. If the operating system meets with approval, NIST may lift the Vista ban.-http://www.informationweek.com/news/showArticle.jhtml?articleID=198000229
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198001185
-http://news.com.com/2102-1002_3-6166868.html?tag=st.util.print
[Editor's Note (Pescatore): It will take the typical enterprise 12-18 months to complete the planning and evaluation to move to Vista in any event. Once determining that their applications will run and be supported on Vista, PCs and laptops will transition to Vista as part of natural attrition (vs.. early replacement), so that planning needs to include living in a mixed PC environment for quite some time. ]
(Northcutt): Ban? Why are they calling it a ban? It sounds like fundamental configuration management to me: don't make a change to the system until you have an urgent operational or security need to do so. The most interesting statement in any of the articles came from FAA spokesperson Jones, "We're trying to see what the cost impact would be to the FAA to convert to the new Microsoft products," Jones said. "We want to explore what some of the alternatives are. Google is one that we're looking at, so is Linux." (That apparently would mean running Google Apps on a Linux platform) ]
FTC Investigating TJX (March 13, 2007)
The US Federal Trade Commission (FTC) has confirmed that it is investigating TJX, the parent company of Marshalls, T.J. Maxx and other stores; the company acknowledged a major security breach that may have exposed millions of customers' credit and debit card information, putting those accounts at risk for fraud. The breach was discovered in January; evidence suggests intruders had been accessing the system as far back as July 2005. There is also evidence that TJX was not in compliance with the Payment Card Industry (PCI) data security standard.-http://www.boston.com/business/globe/articles/2007/03/13/tjx_faces_scrutiny_by_f
tc?mode=PF
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198000608
[Editor's Note (Pescatore): The TJ Maxx (and other) incidents have shown that there is a wide variety of devices that store information that shouldn't be stored. Copiers and point of sale terminals and everything else should by default have those "security kits" built in as standard equipment.
(Northcutt): This is not a surprise, nor will States like Mass. "helping us" by passing new regulation because of this be a surprise. Attorney Ben Wright has some interesting commentary on the topic:
-http://www.sans.edu/resources/leadershiplab/tjx_security_comment.php
Michael Rasmussen from Forrester pointed me to the document, Value Killers, a risk management study by Deloitte today. 3 takeaways Michael shared were: 1. Almost 50% of global 1000 companies lost 20% or more in share price in less than a month during the past 10 years - some never recovered. 2. 80% of losses were due to interaction of multiple risks. 3. Most major losses were as the result of a series of high-impact but low-likelihood events. TJX is a real candidate to be a poster child for value killers.
-http://www.deloitte.com/dtt/cda/doc/content/us_assur_Value%20Killers%20Report%20
(Shpantzer): Relating this to the study on outsiders vs. management errors in this edition... outside hackers are still an important factor in security and always will be. ]
Google Will Anonymize Some Retained Data (March 14 & 15, 2007)
Google says it will remove the last eight bits of the IP addresses that identify search request origins from retained data when those data are between 18 and 24 months old. After the data are removed, the remaining information will be associated with groups of 256 computers instead of just one. Under its current policy, Google retains the information for an indefinite period of time. Internet service providers are required to retain data for a specified amount of time; the removal of the identifying data will make it difficult, although not impossible, to link users to the information after that period. Authorities could still subpoena information from Google within the time frame before it is anonymized, and Google will retain complete information for longer periods if legally obligated. Some privacy advocates feel Google is headed in the right direction but has not gone far enough to protect users' privacy; some believe the data should be anonymized much more quickly. Google maintains it needs the data for analysis and diagnostic purposes. The 18 to 24 month period matches data retention laws in Europe. The policy will go into effect by the end of the year and covers searches made from the Google home page, but not Google calendar or Gmail correspondence.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61996489-39000005c
-http://www.usatoday.com/tech/news/internetprivacy/2007-03-14-google-privacy_N.ht
m?csp=34
-http://www.theregister.co.uk/2007/03/15/google_anonymizes_data/print.html
-http://www.washingtonpost.com/wp-dyn/content/article/2007/03/14/AR2007031402398_
pf.html
-http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html
*********************** Sponsored Links *******************************
1) Join professionals to learn about Log Management tools at the Log Management Summit April 23-25.
http://www.sans.org/info/4666
2) Don't miss SANS Ask the Expert Webcast: Sustainable Compliance through Host Access Management and Data Security Reviews on Thursday, March 22nd at 1:00 PM EDT (1700 UTC/GMT) Sign up now!
http://www.sans.org/info/4671
3) Protect your company from phishing expeditions. New FREE report has the facts.
http://www.sans.org/info/4676
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Microsoft Sues Cybersquatters (March 13 & 14, 2007)
Microsoft has filed two new lawsuits against cybersquatters to stop them from profiting from web surfers' misspellings and typographical errors. Microsoft said it has settled several other cybersquatting lawsuits in the UK and the US. A cybersquatter is usually defined as someone who "grabs" a domain name in anticipation that an organization or person who/that wants to use that domain name will be willing to pay the cybersquatter to give up the domain name. In this case the cybersquatting is used to mean the practice of registering domain names that are close to actual trade names; web surfers are tricked into visiting these sites where they are often greeted with advertisements. These cybersquatters usually aim to profit from surfers clicking on ads on their sites. In a separate story, the number of cybersquatting complaints filed with the World Intellectual Property Organization (WIPO) increased 25 percent last year for a total of 1,823 complaints in 2006.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9013118&intsrc=hm_list
WIPO:
-http://www.computerworlduk.com/management/security/data-control/news/index.cfm?n
ewsid=2201
[Editor's Note (Northcutt): Interesting story. I almost wish they would raise the price of domain names to a point where someone had to really want to infringe. Ten years ago it was good practice to register the .net, .org, .com variations on your domain name. Nowadays, you have to register all the similar names to practice due care, but that is usually cheaper than making one Uniform Domain Name Dispute Resolution complaint to WIPO. And the problem, as the related story points out, is getting worse. The WIPO information behind the related story and that discusses domain resolution can be found:
-http://www.wipo.int/amc/en/domains/]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Lawrence Livermore National Lab Not Following DOE Data Wiping Procedures (March 12, 2007)
A report from the Department of Energy's (DOE) inspector general's office indicates that the Lawrence Livermore National Laboratory in California is not "wiping sensitive data from ... computers it disposes of." When agencies get rid of extra or unneeded computers, that process is called "excessing." Although DOE policy requires that all memory devices on excessed machines be wiped clean of sensitive data or physically destroyed, the policy has not been fully implemented at Lawrence Livermore. In fact, the lab has its own policy for dealing with excessed computers, but it is "not always consistent with applicable Department[DOE ]
policies." The lab is under the aegis of the National Nuclear Security Administration (NNSA) whose chief was fired in January after numerous security breaches at laboratories. Approximately 5,300 computers are excessed at LLNL every year. DOE-approved methods of wiping data include overwriting data a specified number of times, degaussing or physically destroying the memory device.
-http://www.fcw.com/article97898-03-12-07-Web&printLayout
-http://www.ig.energy.gov/documents/IG-0759_.pdf
US National Computer Forensic Institute (March 12 & 14, 2007)
The US National Computer Forensic Institute will train US state and local law enforcement officials, prosecutors and judges in cyber crime investigation and analysis. The institute will formally open its doors in January 2008 in Hoover, Alabama; however, instruction could start earlier. The curriculum will be based on the one used by the Secret Service to educate federal law enforcement officials.-http://www.theregister.co.uk/2007/03/14/us_cyber_forensics_lab/print.html
-http://www.fcw.com/article97894-03-12-07-Web&printLayout
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patches Available for Critical Flaw in OpenBSD Kernel (March 15, 2007)
A remotely exploitable buffer overflow flaw has been discovered in the OpenBSD kernel. Attackers could gain control of vulnerable machines by sending maliciously crafted IPv6 packets. Attackers would need to be on the same network as targeted systems or on a network that can route packets to the targeted systems. Patches are available for Open BSD 3.9 and 4.0. "Applying the patches involves recompiling the kernel and rebooting affected machines." Users can disable IPv6 traffic as a temporary workaround. Internet Storm Center:-http://isc.sans.org/diary.html?storyid=2445
-http://www.theregister.co.uk/2007/03/15/openbsd_kernel_bug/print.html
-http://www.scmagazine.com/us/news/article/643820/openbsd-flaw-exploits-ipv6-weak
ness/
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61996470-39000005c
[Editor's Note (Boeckman): (Boeckman): Despite this vulnerability, OpenBSD has an extraordinary track record when it comes to security. This is not only a result of meticulous code review, but also because they embrace the philosophy of minimizing what gets installed in the default configuration. ]
Microsoft Investigating Report of Phishing Hole in IE 7 (March 14, 2007)
Microsoft is investigating a report of a cross-site scripting vulnerability in Internet Explorer 7 (IE 7) that could be exploited by phishers. Attackers could take advantage of error messages in IE 7 to redirect users to maliciously crafted web sites that appear to have trusted addresses. Attackers would need to convince users to click on links to sites they would normally visit, like online banking sites. The links would be crafted to return an error message saying the page loading has been aborted and asking if the user would like to try to load the page again. The reload link will direct the user to the phishing sites. Proof-of-concept code for the exploit code has been published.-http://news.com.com/2102-1002_3-6167410.html?tag=st.util.print
-http://www.networkworld.com/news/2007/031407-new-ie-7-bug-could.html
Mac OS X Update Fixes 45 Flaws (March 14, 2007)
Earlier this week, Apple released a Mac OS X update that addresses 45 security flaws. Some of the flaws could be exploited to take control of vulnerable machines. Others could be exploited to crash computers to elevate privileges. The update also includes fixes for problems in some third-party components such as OpenSSH, MySQL and Abode Flash Player. The flaws affect Mac OS X and Mac OS X Server 10.3.x and 10.4.x. Internet Storm Center:-http://isc.sans.org/diary.html?storyid=2450
-http://news.com.com/2102-1002_3-6166971.html?tag=st.util.print
-http://www.theregister.co.uk/2007/03/14/apple_megapatch/print.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Medical Data Disk Has Been Found (March 15, 2007)
A CD holding patient data that had been lost in transit has been found. The unencrypted disk held personally identifiable information of 75,000 Empire Blue Cross and Blue Shield members and disappeared in January en route from Health Data Management Solutions to Magellan Behavioral Services. The disk had been mistakenly delivered to a residence in the Philadelphia area.-http://www.nytimes.com/2007/03/14/business/14insure.html?_r=2&n=Top%2fRefere
nce%2fTimes%20Topics%2
-http://news.com.com/CD+with+medical+data+of+75%2C000+is+found/2100-1029_3-616743
5.html?tag=cd.top
[Editor's Note (Grefer): Unfortunately a CD does not track access to the data, so that it is going to be impossible to determine if the data was used or copied. ]
STATISTICS, STUDIES & SURVEYS
Compliance Driving IT Security Budget Increases (March 15, 2007)
A survey of 147 IT managers at Fortune 1000 companies found that more than 70 percent are increasing security spending on systems and processes to help them comply with regulatory and audit requirements. The areas of spending topping the list are policy and process changes, software and encryption. One of the reasons for the increase in compliance-related spending is the possible fallout from a data security breach.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9013220&source=rss_topic17
MISCELLANEOUS
Indonesia to Monitor Internet Use (March 14, 2007)
Indonesia plans to begin monitoring Internet use for criminal activity. The plan calls for monitoring all Internet users, whether they are at home, at work or at Internet cafes. Information collected will include when and where users log on and the sites they visit, but not surfers' identities.-http://asia.news.yahoo.com/070313/afp/070313174940hightech.html
Copiers' Hard Drives Retain Document Images (March 13 & 14, 2007)
Some new models of copiers have hard drives that store images of what has been copied. More often than not, the data are not encrypted and stay there until overwritten by new data. A survey commissioned by Sharp, one of the major copier makers, found that more than half of the people planned to copy their tax returns and associated documents; most intended to make those copies outside of their homes. About the same number of people did not know that photocopiers keep images of what they copy. Sharp and several other manufacturers offer security kits to encrypt and overwrite scanned images.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=
-http://www.kansas.com/mld/kansas/business/technology/16896436.htm
[Editor's Note (Honan): This is not only an issue with photocopiers. Many modern printers and fax machines also contain storage facilities where sensitive data can remain.
(Shpantzer): Add to this the fact that many printers are also wireless-enabled, and you have a hard-drive that's accessible to the outside. ]
Pump & Dump Revisited
From Editor Stephen NorthcuttIn our last issue we covered a story on three hackers indicted for breaking into online brokerage accounts and manipulating the victims stock buying activity to push stock prices higher so the criminals could make gains on their own stock holdings. We asked whether anyone was using an online brokerage that supported two-factor authentication. Eighteen readers mentioned E-Trade which uses RSA technology:
-https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=secureid_enter
One reader wrote in to say that if you contact tech support at Schwab they have a Verisign solution but we were unable to verify the Schwab solution.
SANS Security Tip of the Day
Don't use unauthorized software
It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email brietveld@sans.org.
===============================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/