SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #33

April 24, 2007

The incident handlers at SANS Internet Storm Center spent much of last week finding fake web sites stealing money from people who thought they were donating to Virginia Tech victims' families, and sharing the information with law enforcement. On Friday, we ran a story about the potential for exploitation of domain names related to Virginia Tech. We thank reader Kevin D. Martin for letting us know that www.vt.edu has a link for those who wish to make relevant monetary donations. There is no need to visit any other page.
Alan

---

TOP OF THE NEWS

Contract Employee Arrested for Computer Sabotage at CA Power Facility
Dept. of Commerce Says No Data Were Stolen Despite Malware Infection
Targeted Attacks Using Malicious Office Docs on the Rise
Mac Hacked in Challenge

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Software Pirate Sentenced to Two Years in Prison
Japanese Company Sues Former Employee for Leaking Data
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Audit Says 106 NZ Inland Revenue Dept. Computers Missing
USDA Data Exposed
LANL Warns Employees of Possible Data Compromise
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Nortel Warns of Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cards Readers Found on ATMs in Three California Supermarkets
Stolen Laptop Holds Proprietary Information About Unreleased Films
STATISTICS, STUDIES & SURVEYS
BSA Survey Finds UK SME's Lax on Software Licensing
MISCELLANEOUS
Blackberry Outage Blamed on Software Update

---

******************** Sponsored By ArcSight, Inc. ************************

Free Whitepaper: Calculating Return on Security Investment With budgets shrinking and regulations growing, today's IT managers need to justify every security infrastructure purchase. Calculating Return on Security Investment (ROSI) means measuring the intangibles. Learn how to measure ROSI with our free whitepaper. Brought to you by ArcSight, the leader in security, compliance and insider threat.
http://www.sans.org/info/6226
*************************************************************************
New Attack Patterns: The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, you will want to come to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSFIRE attendees, on what they have uncovered about how newest hacker techniques work.
Course list for SANSFIRE: http://www.sans.org/sansfire07/
*************************************************************************

---

TOP OF THE NEWS

Contract Employee Arrested for Computer Sabotage at CA Power Facility (April 20 & 21, 2007)

A California man has been arrested for allegedly interfering with computers at the California Independent System Operator (Cal-ISO) agency, which "controls the state's power transmission lines and runs its energy trading markets." Lonnie Charles Denison's "security access was suspended at the request of his employer based on an employee dispute." The allegation is that when his attempt at a remote cyber intrusion failed, Denison gained physical access to the facility with his card key; apparently not all access had been suspended. Once inside the facility, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
-http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/print.html
-http://www.latimes.com/technology/la-fi-grid21apr21,1,5633750.story?coll=la-head
lines-technology
[Editor's Note (Skoudis): Here's a great opportunity for us all to emphasize to management the importance of removing access credentials thoroughly from systems at employee termination. It also highlights the need for removing such access from both the physical and computer/network assets. I treasure stories like this, which help us all to illustrate to management the importance of certain critical security actions so we can get the management attention and resources we need to do our jobs right.
(Schultz): This is a really scary "lesson learned" that illustrates just how many types of access must be considered when user access is supposed to be revoked. The fact that this incident occurred in the electric power arena is very significant because the convergence problem between logical and physically access security in this arena has been a lingering, serious, and unresolved issue for years.]

Dept. of Commerce Says No Data Were Stolen Despite Malware Infection (April 19, 2007)

In testimony last week, David Jarrell of the US Department of Commerce (DOC) described how his department became aware of cyber intruders and what they did to thwart their attempts to infiltrate their networks and steal information. Jarrell, who is manager of DOC's critical infrastructure protection program, believes no information was stolen in the end, despite the fact that 33 DOC computers were infected with malware. Jarrell also pointed out that the compromised systems were in compliance with the Federal Information Security Management Act (FISMA), but said "The security incident could have occurred regardless of FISMA because the ... attack uses Internet access to exploit zero-day attack vulnerabilities, irrespective of the commercial computer security and network monitoring tools and standard prescribed
[penetration testing ]
."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9017183&taxonomyId=17&intsrc=kc_top
[Editor's Note (Paller): Another nail in the coffin of the current metrics used by FISMA. Zero days are a way of life; that an agency believes that they are defenseless against zero days demonstrates how allowing non-technical people to run security has damaged the nation. FISMA measurement will be changing. Even the people who profit from writing FISMA reports have concluded that the gluttony has gone on too long. As a result of the hearings last week, a council has been convened to provide guidance on how the metrics should be changed to better reflect defensibility of federal systems. ]

Targeted Attacks Using Malicious Office Docs on the Rise (April 22, 2007)

There have been an increasing number of attacks involving maliciously crafted Microsoft Office files. The manipulated files are generally sent as email attachments to specific people; if a document is opened, the attacker can gain control of the user's computer and from there, explore the internal computer network. The attacks have been targeting employees at US federal agencies and nuclear and defense contractors. Just over a year ago, the number of such attacks detected was one or two a week; in March 2007, one security company intercepted 716 emails with malicious files at 216 agencies and organizations. Such an attack helped intruders gain access to computers at the US State Department.
-http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microso
ft-office_N.htm?csp=34

Mac Hacked in Challenge (April 20 & 23, 2007)

A software engineer attending CanSec West hacked into a MacBook there using a zero-day vulnerability in the Safari web browser. The exploit he used, developed by a second person, gave the hacker full user rights to the machine he hacked.
-http://news.com.com/2102-7349_3-6178131.html?tag=st.util.print
-http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/print.html
-http://www.macworld.com/news/2007/04/20/machack/index.php
[Editor's Note (Schultz): I very much like Macs--I have and frequently use three such machines at home. At the same time, I fear that many if not most Mac users are for the most part oblivious to vulnerabilities in these machines. They too often feel that their use of these machines makes them immune to attacks and malware infections. Interest in exploits for Mac vulnerabilities is growing rapidly, so rapidly that I predict that in the near future a growing proportion of successful attacks on computing systems will involve Macs. ]

---

************************ Sponsored Link: ******************************
1) Do you like to study on your own schedule? Want to save money on travel costs? Check out SANS OnDemand online training.
http://www.sans.org/info/6231
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Software Pirate Sentenced to Two Years in Prison (23 April, 2007)

A man who owned and operated a web site providing paid subscribers with unlimited access to pirated software has been sentenced to two years in federal prison. Ronnie A. Knott was convicted of criminal copyright infringement and will serve three years of supervised release when his prison term is completed. His site was taken down in May 2006 following an FBI investigation. Knott earned approximately US $20,000 from subscriptions to his site; the software he had made available had a total value of US $2.5 million.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199200544

Japanese Company Sues Former Employee for Leaking Data (April 17, 2007)

The Japanet Takata mail-order company is suing a former employee for allegedly leaking customer data. Japanet's lawsuit seeks 110 million yen (US $929,000) in damages. The defendant allegedly conspired with another former employee to copy information about more than 500,000 Japanet customers onto a portable memory device in 1998. The pair then allegedly leaked the information to outsiders, costing Japanet 2.57 billion yen (US $21.7 million) in losses. The defendant denied involvement with the incident during arbitration. Japanet knows he cannot pay the amount sought by the lawsuit; what the company really want is for him to admit his culpability.
-http://mdn.mainichi-msn.co.jp/national/news/20070417p2a00m0na011000c.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Audit Says 106 NZ Inland Revenue Dept. Computers Missing (April 22, 2007)

Although New Zealand's Inland Revenue Department (IRD) cannot account for 106 of its computers, the Revenue Minister says taxpayer data are not at risk of exposure. IRD policy requires that taxpayer information be stored on a central database and that no sensitive data are stored on hard drives. The missing computers came to light during a December 2006 audit. The department offered a number of possible explanations for the missing computers: they could be laptops that were out of the office while the audit was being conducted; they could have been out for repairs; they could have been out of use and stored out of sight; or they could be obsolete computers that have been "dumped."
-http://www.radionz.co.nz/news/latest/200704221140/assurances_tax_info_safe_despi
te_mislaid_computers
[Editor's Note (Pescatore): Or they could have been full of sensitive data and have been lost or stolen. The bottom line is that if good guys can carry it, bad guys can steal it, or good guys will lose it. Having policy not to store sensitive information anywhere but centrally is good policy, but are they really sure none of those missing laptops didn't have a spreadsheet or two chock full of sensitive data on them?]

USDA Data Exposed (April 20, 21 & 23, 2007)

The US Department of Agriculture (USDA) has admitted that personally identifiable information of 38,700 individuals was inadvertently exposed on its web sites for years before the situation was discovered earlier this month. The exposed data are related to the Federal Assistance Award Data System (FAADS) and affects people who received funds through the Farm Service Agency or the USDA Rural Development Program. The data, which include Social Security numbers (SSNs) and tax identification numbers, have been removed. In June 2006, USDA experienced a security breach in which an intruder may have gained access to personally identifiable information of 26,000 current and former employees and contractors. Following that intrusion, USDA Secretary Mick Johanns directed agency programs to make sure SSNs were not being exposed. The reason these data were missed is that they were embedded in grant identification numbers. The data were removed on April 13, but the agency did not go public with the situation until a week later to allow time to contact affected individuals and mirror sites. The number of affected individuals was at one point estimated to be as high as 150,000, but analysis has determined that the actual number is lower.
-http://www.gcn.com/online/vol1_no1/43543-1.html
-http://www.washingtonpost.com/wp-dyn/content/article/2007/04/20/AR2007042002208_
pf.html
-http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?hp=&pagewanted=
print
-http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html
-http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB/.cmd/ad/.ar/sa.retrievecon
tent/.c/6_2_1UH/.ce/7_2_5JM/.p/5_2_4TQ/.d/2/_th/J_2_9D/_s.7_0_A/7_0_1OB?PC_7_2_5
JM_contentid=2007%2F04%2F0110.xml&PC_7_2_5JM_parentnav=LATEST_RELEASES&P
C_7_2_5JM_navid=NEWS_RELEASE#7_2_5JM

LANL Warns Employees of Possible Data Compromise (April 20, 2007)

Los Alamos National Laboratory (LANL) learned on March 28 that a subcontractor who worked on a security system in 1998 had posted the names and SSNs of 550 lab employees on its web site. When the subcontractor was made aware of the situation, the data were quickly removed from the site. The data were apparently being used as part of a demonstration software program. LANL has sent letters to those individuals affected by the data exposure.
-http://www.freenewmexican.com/news/60494.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Nortel Warns of Vulnerabilities (April 20, 2007)

Nortel has released software upgrades to address a handful of vulnerabilities in its VPN and secure routing products. The flaws could be exploited to access a corporate VPN, obtain administrative access to a VPN router or crack VPN passwords.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9017378&taxonomyId=17&intsrc=kc_top
-http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=56
7877&RenditionID=&poid=null

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Cards Readers Found on ATMs in Three California Supermarkets (April 20, 2007)

Employees at three WinCo supermarkets in the Inland area of southern California found evidence that card readers had been placed on ATMs in the stores; people who used the ATMs within the last month are being urged to check their bank statements. Card reading devices were recovered from machines at stores in Pomona and Moreno Valley; Velcro found on a machine at a store in Temecula indicated a reader had been in place but had been removed before authorities arrived.
-http://www.pe.com/localnews/inland/stories/PE_News_Local_S_scam21.ac606b.html
-http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/04-20
-2007/0004570587&EDATE=

Stolen Laptop Holds Proprietary Information About Unreleased Films (April 20, 2007)

A laptop computer stolen from a Rutland, Vermont movie production studio contains a considerable amount of proprietary information. The information includes material from two movies that are scheduled to be released later this year. It is unlikely the laptop's content was the thieves' target; surveillance video indicates they were on a "drunken rampage." Other offices in the same complex were burglarized as well.
-http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20070420/NEWS01/70420037
1/1002/NEWS01

STATISTICS, STUDIES & SURVEYS

BSA Survey Finds UK SME's Lax on Software Licensing (April 20 & 23, 2007)

A survey commissioned by the Business Software Alliance (BSA) found that the UK has "the most lax attitude toward software licensing in Europe." According to the survey, 41 percent of respondents in the UK do not believe that unlicensed software poses a risk. Although 97 percent of respondents say their software is legal, the BSA maintains that as many as 27 percent of businesses in the UK are using unlicensed software. Companies found to be using unlicensed software can face fines of GBP 10,000 (US $20,000) and in some cases significantly more. Nearly all of the businesses surveyed did not believe that it was a problem to use old software.
-http://www.channelweb.co.uk/crn/news/2188356/uk-smes-put-shame-illegal
-http://www.zdnet.co.uk/misc/print/0,1000000169,39286773-39001084c,00.htm

MISCELLANEOUS

Blackberry Outage Blamed on Software Update (April 23, 2007)

The Blackberry outage last week was caused by an insufficiently tested software update. The problems caused by the update "prevented all communications between the system's database and cache." Blackberry maker Research in Motion's (RIM) attempt to move to a back-up server failed, and Blackberry users in the US were without service for approximately 12 hours on Tuesday evening April 17 and Wednesday morning April 18. RIM says it has taken steps to improve its testing procedures, monitoring and recovery to prevent a repeat of the incident.
-http://www.vnunet.com/vnunet/news/2188270/patent-reform-biflawed-updated
-http://www.usatoday.com/tech/news/2007-04-20-blackberry-outage_N.htm?csp=34
[Editor's Note (Pescatore): That same week, Intuit had an embarrassing availability issue on its online tax filing site and also vows to improve its testing procedures. While everyone is reviewing their final QA or Certification/Accreditation procedures for approving updates to operational systems so this doesn't happen to you, use the opportunity to make sure application vulnerability and security configuration assessment becomes a standard part of that process.
(Honan): Those companies depending on the Blackberry network as an alternative means of communication in the event of a disaster should take heed of this event and examine how else their key personnel communicate with each other during a disaster which also impacts the Blackberry network. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/