SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #34

April 27, 2007

A second round of Congressional hearings brought into stark relief the abject failure of US leadership in cyber security that continues to allow vast amounts of sensitive information to be stolen from US government computers and from the computers of military contractors. See the first story in this issue for more on what the witnesses said.
Alan

P.S. The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, consider coming to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSFIRE attendees, on what they have uncovered about how newest hacker techniques work. Course list for SANSFIRE: http://www.sans.org/sansfire07/

---

TOP OF THE NEWS

Second Congressional Hearing Highlights Federal Cyber Security Failure
Lawsuit Seeks Identities of eMail Address Harvesters
Report: Fears that a Data Breach Could Ruin Business

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Card Fraudster Faces More Charges
TJX Faces More Lawsuits
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Ohio University Bans P2P From Campus Network
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Purveyors Exploit Sponsored Links on Google
Flaw Exploited to Hack MacBook Affects All Java-Enabled Web Browsers
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UK Junior Doctors' Personal Data Exposed
Former Payroll Co. Employee Accidentally Exposes Old Client Data
Neiman Marcus Employee Data Compromised
Purdue Univ. Notifies Students of Data Breach

---

************************** Sponsored By SANS ****************************

SAVE BIG! Get 30% off of any of upcoming courses when you sign up for OnDemand's pre-paid program. Check out our full list of upcoming courses http://www.sans.org/info/6316. For more information or to request a pre-paid from please contact ondemand@sans.org.
*************************************************************************

---

TOP OF THE NEWS

Second Congressional Hearing Highlights Federal Cyber Security Failure (April 26, 2007)

Several of the nation's most respected cyber security experts on Wednesday told the Homeland Security Committee's Emerging Threats and Cyber Security Subcommittee that the US is unprepared to defend its systems or recover from a broad-based cyber attack. "Foreign intelligence agencies must weep with joy when they contemplate U.S. government networks," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, who went on to describe "an unparalleled looting of U.S. government databases."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9017860
-http://blog.washingtonpost.com/securityfix/2007/04/nations_cyber_plan_outdated_l
a.html?nav=rss_blog
-http://www.darkreading.com/document.asp?doc_id=122732&WT.svl=news2_1

Lawsuit Seeks Identities of eMail Address Harvesters (April 25, 2007)

A lawsuit will be filed on behalf of Project Honey Pot, a service of Unspam Technologies LLC representing 20,000 people around the world in an attempt to uncover the identities of those responsible for harvesting email addresses that are then provided to spammers. Unspam's anti-spam tool has software that generates pages with "spam trap" email addresses. Each time the page is visited, the visitor's IP address and the time and date of the visit are recorded. Because these addresses are never used in any way that could indicate an agreement to receive unsolicited commercial email, the information collected can help make connections between people harvesting the addresses and the spammers who use their lists. The defendants in the lawsuit are listed as John Doe because the plaintiffs want the court to allow them to subpoena records from ISPs associated with the IP addresses they have collected to confirm the harvesters' identities.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/04/25/AR2007042503098_
pf.html

Report: Fears that a Data Breach Could Ruin Business (April 25, 2007)

A new report from McAfee found that of more than 1,400 IT professionals surveyed, a third fear that a major data security breach could put their company out of business. Despite the fact that 60 percent of respondents said their companies had experienced data loss in the last year, they reported spending just 0.5 percent of their IT budgets on data security. Sixty-one percent of respondents believe data leaks are caused by people within the organization, and 23 percent believe those leakages are of malicious intent.
-http://www.computing.co.uk/itweek/news/2188528/breaches-worry-firms
-http://www.securecomputing.net.au/news/50577,mcafee-data-breach-will-cause-major
-corporate-collapse.aspx

---

************************* Sponsored Links: ****************************
SANS Voucher Credits
Maximize your Training Budget
Save 15-30% on SANS training & certification
Visit http://www.sans.org/info/6321 or Email Vouchers@sans.org
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Card Fraudster Faces More Charges (April 25 & 26, 2007)

A King City, Ontario (Canada) man who is already a suspect in a card-skimming fraud case had numerous new charges filed against him after he was allegedly discovered violating the conditions of his release on bail. Sergeui Kokoouline was serving a conditional sentence for fraud when police found him and his wife, Larissa Piminova, to be in possession of counterfeit credit cards; when the couple's home was searched, police found and seized credit card-making equipment, numerous phony cards and pages of credit and debit card data. The couple faces a combined 238 charges against them.
-http://www.durhamregion.com/dr/business/story/3952141p-4564382c.htm
-http://680news.com/news/local/article.jsp?content=20070425_141204_6068
-http://www.yorkregion.com/News/article/21336

TJX Faces More Lawsuits (April 24 & 25, 2007)

The Massachusetts Bankers Association (MBA) has filed a class-action lawsuit against TJX Companies Inc., seeking to recover damages on behalf of the financial entities who incurred the costs of blocking compromised credit and debit cards and issuing new ones. Bank associations in Connecticut and Maine plan to join the Massachusetts suit. TJX is facing other lawsuits as well. The Arkansas Carpenters Pension Fund, which owns stock in TJX, has filed a suit over TJX's alleged "refusal to provide documents outlining the company's security measures and its response to the data breach." In Canada, a class-action lawsuit has been filed against two retail companies owned by TJX. A woman in Virginia has filed a class-action lawsuit over TJX's refusal to provide affected customers with credit monitoring.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9017758&source=rss_topic17
-http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20070425/NEWS/70425004
[Editor's Note (Grefer): Abiding by all requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) would likely have helped to avoid a lot of this trouble. The PCI DSS is available for download at
-https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Ohio University Bans P2P From Campus Network (April 25, 2007)

Ohio University (OU) has outlawed peer-to-peer (P2P) filesharing over its networks. According to OU CIO Brice Bible, "peer-to-peer file sharing consumes a disproportionate amount of resources, both in bandwidth and human technical support." As of Friday, April 27, OU will monitor the campus network for P2P activity; computers found to be violating the new policy will be cut off from Internet access. OU's policy decision comes in the wake of a wave of "prelitigation letters" from the Recording Industry Association of America (RIAA), sent to colleges and universities, including OU.
-http://www.ohio.edu/students/filesharing.cfm
[Editor's Note (Schultz): Ohio University's decision to ban peer-to-peer networking makes perfect sense. Peer-to-peer file sharing is, after all, anything but conducive to security, and Ohio University has recently been through the proverbial ringer when it comes to security-related incidents. Additionally, although usually well-intentioned, RIAA notifies and threatens organizations that use peer-to-peer networking rather blindly. In one case RIAA sent a threatening letter to an organization that neither allowed nor tolerated peer-to-peer networking. However, that organization had a honeypot network in which certain ports associated with peer-to-peer networking *appeared* to be open. When that organization's legal department sent a letter informing RIAA that there was in reality no peer-to-peer networking, RIAA lamentably did not back down. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Malware Purveyors Exploit Sponsored Links on Google (April 24 & 26, 2007)

Cyber criminals have reportedly bought sponsored links on frequently visited Google search pages; the malicious links take users to the sites they intend to visit, but on the way, users are momentarily sent to a malicious site that attempts to download a backdoor and a post-logger on their computers. Part of the problem lies in the fact that when a user rolls a mouse over the sponsored link on the Google search results page, the browser does not display the URL at the bottom of the screen, so the user does not have a clear picture of where the click will lead. Furthermore, the malware site is given a name that makes it appear to be a third-party tracking site so users do not become suspicios. The post-logger targets roughly 100 different banks "by injecting extra html into those banks' response pages to try to coax extra information out of the victim." Google has apparently shut down the account serving the advertisements.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9017862&source=rss_topic17
-http://www.securitypronews.com/insiderreports/insider/spn-49-20070426GoogleAdsLe
dToPCInfections.html
-http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html

Flaw Exploited to Hack MacBook Affects All Java-Enabled Web Browsers (April 25 & 26, 2007)

The remote code execution flaw exploited by the winner of a hacking challenge last week is in Apple's QuickTime media player, not in the Safari web browser, as was first reported. The flaw appears to be exploitable through any Java-enabled web browser. iPod users are also affected. For the attack to be successful, users would need to be tricked into visiting a web site that has malicious Java code. Users will not be protected until Apple patches QuickTime against the flaw; until then, users are advised to disable Java in their browsers. There are unconfirmed reports that the attack used in the challenge at last week's conference was grabbed, because the MacBooks that were being used were connected to an unprotected wireless network.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9017841&intsrc=hm_list
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199201605

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

UK Junior Doctors' Personal Data Exposed (April 26, 2007)

The UK's Department of Health has apologized for a data leak in the National Health Service's (NHS) Medical Training Application Service (MTAS) that exposed personally identifiable information of hundreds of junior doctors. According to information gathered by the television news channel that reported the story, people could not only view the data but could alter them as well. Furthermore, British Health Secretary Patricia Hewitt was told in a letter from the British orthopaedic trainees association that "We have also had concerns about the security of the site with shortlisters reporting they could access deanery data and applications they had nothing to do with." The Department has launched an investigation.
-http://www.channel4.com/news/articles/society/health/health+department+apologise
s+over+info+leak/471342
-http://www.itpro.co.uk/information-management/news/111579/doctors-private-inform
ation-leaked-on-recruitment-website.html

Former Payroll Co. Employee Accidentally Exposes Old Client Data (April 25, 2007)

Payroll processing company Ceridian Corp. has apologized to employees of a New York advertising company, Innovation Interactive, after personally identifiable information of 150 Innovation Interactive employees was inadvertently made available on the Internet. The data include names, addresses Social Security numbers (SSNs) and salary and checking account information. Apparently, a man who no longer works for Ceridian took payroll files with him by accident when he left the company. The files were inadvertently posted on a web site because they somehow became mixed in with his family photos. Ceridian is looking at records back through March 2006 to see if anyone accessed the data. The breach was discovered by a former Innovation Interactive VP who googled himself, discovered the data and contacted Innovation Interactive. Ceridian has sent letters of apology to affected employees and is offering two years of personal data monitoring.
-http://www.startribune.com/535/story/1144594.html

Neiman Marcus Employee Data Compromised (April 24, 2007)

A notebook computer stolen from a pension consultant holds personally identifiable information of approximately 160,000 current and former employees of the Neiman Marcus Group. The data include names, addresses, SSNs and salary information. The theft affects employees hired prior to August 30, 2005. Neiman Marcus plans to contact everyone whose data were on the computer. Neiman Marcus learned of the theft on April 10, though it had occurred several days earlier.
-http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9017725&source=rss_topic17

Purdue Univ. Notifies Students of Data Breach (April 24, 2007)

Purdue University has sent letters to 175 people whose data were inadvertently accessible on the Internet until recently. The data breach affects people who were enrolled in a freshman engineering honors course in fall 2001; the exposed data include names and SSNs. The page was on an Internet-connected server; while the university was no longer using the page, several search engines had indexed and cached the data. The page is no longer on the server and Yahoo! and Google have removed the information from their indices and caches.
-http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html
[Editor's Note (Northcutt): Word on the street is that Neiman might get a bye from the bad publicity, Astroglide apparently had customer records unprotected on an Internet facing web site and it looks like a hotter story:
-http://www.homelandstupidity.us/2007/04/21/astroglide-data-breach-exposes-custom
er-information/
-http://techwag.com/index.php/2007/04/24/astroglide-suffers-data-breach-this-ough
t-to-be-interesting/]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/