SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #36

May 04, 2007

Too often, NewsBites points out problems in federal security leadership, so it is a treat this week to have three separate stories about effective federal security leadership. NIST's RFID Security Guidelines are excellent (4th story), and DHS making the CIS configuration testing tool available free to all agencies provides an immediate, cost effective tool (5th story) for advancing the OMB Mandate on secure Windows configurations. In addition, the Department of Energy just announced the availability of financial support (applications due June 19) to research and technology organizations or consortia that can advance the state of the art of security for control systems (last story).
Alan

---

TOP OF THE NEWS

Florida to Replace Touch Screen Voting Systems with Optical Scanners
House Committee Approves Anti-Spyware Bill ... Again
House Subcommittee Letter Presses DHS on Cyber Security

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Issues RFID Guidelines
CIS to Release Windows Configuration Assessment Tool
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Digg Ceases to Cease-and-Desist
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
May's Patch Tuesday to Include Seven Security Bulletins
Apple Releases Updated QuickTime to Address Critical Flaw
LOST, STOLEN & EXPOSED DATA
Louisiana State University Laptop Stolen
Maryland Dept. of Natural Resources Thumb Drive Lost
National Health Service (UK) Computer Stolen
Donated City of Champaign Computer Holds Police Data
JP Morgan Backup Tape Lost, Paper Documents Exposed
Virginia Dept. for the Aging Computer Stolen
MISCELLANEOUS
HP Shipping Laptops with Disk Encryption
Funding Opportunity for Secure Control Systems in Energy Sector

---

*********************** Sponsored By Volume Shield **********************

Protect your valuable corporate data -- and stop the use of unauthorized USB storage devices, iPods, and PDAs at your company today! VolumeShield AntiCopy provides a simple, easy-to-use, and powerful endpoint security solution that will control and audit the use of portable storage devices throughout your network.

Try VolumeShield AntiCopy free for 14 days
http://www.sans.org/info/6776

*************************************************************************
Plan now to attend the biggest security training conference ever held, SANSFIRE 2007, with 57 one-to-six day courses, all in Washington, DC, beginning July 22. This program has a large exposition highlighting the security tools and services that matter and many free evening and lunch-time networking sessions to give you answers to new questions and introduce you to people with common interests. SANSFIRE attendees also get insider briefings from the extraordinary incident handlers at the Internet Storm Center
http://www.sans.org/sansfire07/
*************************************************************************

---

TOP OF THE NEWS

Florida to Replace Touch Screen Voting Systems with Optical Scanners (May 3, 2007)

The Florida legislature has approved a law "mandating the replacement of touch-screen
[voting systems ]
with optical scan devices." Florida Governor Charlie Crist introduced the bill and is pleased with the legislature's action, saying, "Florida voters will be able to have more confidence in the voting process and the reliability of Florida's elections." The Election Assistance Commission ruled earlier this week that Florida may use federal funds from the Help America Vote Act to purchase the new voting machines.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018595&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018598&source=rss_topic17
[Editor's Note (Schultz): Good for the state of Florida; good for Governor Crist! This is a major step forward in ensuring the integrity of e-voting results. (Pescatore): Good to see some thought being put into what actually are the areas where computers and voting will lead to better voting systems, vs.. just slapping a voting UI on a computer. ]

House Committee Approves Anti-Spyware Bill ... Again (May 1 & 2, 2007)

A House subcommittee approved the Internet Spyware Prevention Act, dubbed I-Spy in March. Rather than attempt to define spyware, I-Spy would make it a crime to place code on a computer without authorization and use it to "intentionally obtain or transmit ... personal information ... or intentionally impair the security protection ... with the intent to defraud or injure a person or damage a protected computer." The measure would provide for prison sentences of up to five years for people convicted of certain spyware activity. The bill now goes before the full House of Representatives. This bill has passed the House twice already; both times, the bill died in the Senate.
-http://news.com.com/2102-7348_3-6180708.html?tag=st.util.print
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018521&source=rss_topic17

House Subcommittee Letter Presses DHS on Cyber Security (April 30 & May 1, 2007)

A letter from the US House Committee on Homeland Security to Department of Homeland Security (DHS) CIO Scott Charbo asks hard questions about that department's information security practices. Citing an April hearing at which security issues at the Department of State and the Department of Commerce were examined, the letter expresses concerns that similar issues could exist within DHS.
-http://computerworld.com/action/article.do?command=viewArticleBasic&articleI
d=9018399&intsrc=hm_list
-http://homeland.house.gov/SiteDocuments/Charbo.pdf

---

********************** Sponsored Link: ********************************

1) Do you like to study on your own schedule? Want to save money on travel costs? Check out SANS OnDemand online training.
http://www.sans.org/info/6781
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

NIST Issues RFID Guidelines (April 27, 2007)

The National Institute of Standards and Technology (NIST) has issued guidelines to help government agencies and other organizations assess and mitigate the privacy and security risks associated with radio frequency identification (RFID) technology. Among NIST's recommendations are using a firewall to separate RFID databases from other IT systems and databases; encrypting radio signals; authenticating approved users; and using metal shields to prevent data skimming.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199202262
-http://www.rfidjournal.com/article/articleview/3279/1/1/
-http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf
[Editor's Note (Pescatore): Good stuff, 154 pages of it! I think the real key area to worry about is discussed in section 4.4.2 - making sure the reader software is written with protections against attackers pretending to be RFID tags and doing things RFID tags shouldn't do. We have years of history of input software (think web servers and database servers) not building in these protections. (Schmidt): NIST does a wonderful job on every one of these guidelines that they publish. If only organizations would start following these guidelines we would be dealing with far less security incidents. Kudos to NIST! ]

CIS to Release Windows Configuration Assessment Tool (May 1, 2007)

With support from DHS, this summer, the Center for Internet Security (CIS) will release a tool to help US government agencies determine whether or not their Windows-based computers comply with configuration requirements recently issued by the Office of Management and Budget (OMB). Agencies face a compliance deadline of February 2008. CIS's tool will run on each system to check if its settings comply with the requirements; it will not need to be installed on systems. The tool will be provided free of charge to US government agencies.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018362&in
[Editor's Note (Pescatore): While CIS does very good work, enterprises have to beware of using lots of one-off tools. Using one configuration checker for Windows, another for Linux, another for Macintosh, etc - not a good idea in the long run. Plus, the outputs of security configuration compliance tools need to be integrated into a Vulnerability Management process, not just be yet another silo of vulnerability information. (Paller): John is absolutely correct that weave configuration checking needs to be woven into vulnerability management. The CIS tool actually checks configurations on more than a dozen different operating systems and databases (see the list at www/cisecurity.org). Every time it runs it feeds the results to a central database where the data cane be fed right into vulnerability management systems. The tool is particularly needed by Inspectors General right now because they have to certify that agencies have deployed secure configurations under the current law, and the free CIS tool makes it possible for theme to do that with confidence in their certification. Kudos to DHS for making this tool available across the government. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Digg Ceases to Cease-and-Desist (May 2 & 3, 2007)

A cease-and-desist letter from the Advanced Access Content System Licensing Administrator (AACS) asking websites and blogs to remove information about a software key that strips next-generation DVD's of their copy protection has resulted in a mass revolt on the popular interactive web site, Digg. The community news website initially complied with the letter, but users kept reposting the stories after they were removed. Digg says it will no longer try to censor the users' stories. The letter indicated that allowing the information to appear against websites and in blogs violates the Digital Millennium Copyright Act (DMCA).
-http://news.bbc.co.uk/2/hi/technology/6615047.stm
-http://www.usatoday.com/tech/webguide/internetlife/2007-05-02-digg-revolt_N.htm?
csp=34
-http://news.com.com/2102-1025_3-6180998.html?tag=st.util.print
-http://www.nytimes.com/2007/05/03/technology/03code.html?ei=5088&en=281b1ae4
687f0fd3&ex=1335844800&partner=rssnyt&emc=rss&pagewanted=print
[Editor's Note (Northcutt): The Digg posting can be found:
-http://blog.digg.com/?p=74
This is going to be an interesting battle for the heart and mind of the Internet, I typed the string "backup hd-dvd v1.00" into Google and a number of sites have been indeed shutdown, as the Digital Millennium Copyright Act (DMCA) only applies to the USA, I am not at all sure this genie can be put back in the bottle. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

May's Patch Tuesday to Include Seven Security Bulletins (May 3, 2007)

On Tuesday, May 8, Microsoft will release seven security bulletins to address flaws in Windows, Office, Exchange and BizTalk. At least four of the bulletins have been given a severity rating of critical, and at least one update will require a restart.
-http://www.theregister.co.uk/2007/05/03/patch_tuesday_outline/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9018590&source=rss_topic17
-http://news.com.com/2102-1002_3-6181296.html?tag=st.util.print
-http://www.microsoft.com/technet/security/bulletin/advance.mspx

Apple Releases Updated QuickTime to Address Critical Flaw (May 2, 2007)

Apple has released an updated version of QuickTime to address a "highly critical" arbitrary code execution vulnerability in the multimedia software. The flaw exists in older versions of QuickTime for both Mac OS X and Windows. The problem lies in the way Quick Time handles Java and could be exploited if vulnerable users visit malicious web sites and through email. The flaw affects users who use iPods on their desktops or laptops. The flaw was discovered by Dino Dai Zovi as part of a hacking challenge at a conference several weeks ago. Users are urged to download QuickTime 7.1.6 as soon as possible.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199203215
-http://docs.info.apple.com/article.html?artnum=305446
[Editor's Note (Dhamankar): QuickTime is installed on millions of systems, primarily due to the popularity of the iPod. Therefore, this patch should be applied immediately for Mac or Windows systems to prevent compromise via visiting infected webpages. Kudos to Apple for releasing the patch in less than 2 weeks. I hope Microsoft will release a patch for the DNS server overflow next week. This overflow has already been exploited for three weeks already. Keeping our fingers crossed for quick action by Microsoft! ]

LOST, STOLEN & EXPOSED DATA

Louisiana State University Laptop Stolen (May 3, 2007)

A laptop computer stolen from the home of a Louisiana State University business professor contains personally identifiable information of approximately 750 students. University officials learned of the theft on April 4 and affected students were sent letters on April 15. The compromised data include names, grades and Social Security numbers (SSNs).
-http://media.www.lsureveille.com/media/storage/paper868/news/2007/05/03/News/Sto
len.Laptop.May.Hold.Id.Numbers-2892874.shtml
[Editor's Note (Schultz): Although experiencing a data security theft is nothing to be proud of, at least LSU officials notified those who were potentially affected very quickly. ]

Maryland Dept. of Natural Resources Thumb Drive Lost (May 3, 2007)

A lost thumb drive holds personally identifiable information of approximately 1,400 Maryland Park Service Rangers and Natural Resources Police officers. The Department of Natural Resources (DNR) information dates back to the 1970s and includes names and SSNs. The president of the State Law Enforcement Officers Labor Alliance has written to the DNR secretary to find out why someone was permitted to download that information to the portable device and remove it from the office.
-http://www.baltimoresun.com/news/local/bal-dnrstory0503,0,2665140.story?coll=bal
-local-headlines
[Editor's Note (Schmidt): With the relatively inexpensive availability of "Thumb drives" that have onboard ARM processors that encrypt the data as well as normal encryption tools like PGP this fall under the category of "what was this person thinking". This is especially troublesome as it involved Law Enforcement Data. ]

National Health Service (UK) Computer Stolen (May 2, 2007)

A computer stolen from a National Health Service (NHS) building in the UK contains personally identifiable information of approximately 5,000 Royal Cornwall Hospitals NHS Trust staff members. There were no patient records on the computer. The compromised data include banking details.
-http://www.channel4.com/news/articles/society/health/hospital+staff+warned+after
+theft/491592

Donated City of Champaign Computer Holds Police Data (May 1, 2007)

A computer donated to charity by the city of Champaign, Illinois contains the names and SSNs of 139 of the city's police officers. The city donated 50 computers last year, including five to the Champaign Consortium, a not-for-profit job assistance center. One of those computers appeared not to be working, so it was taken to a computer service shop, where the sensitive data were discovered.
-http://www.news-gazette.com/news/local/2007/05/01/data_about__officers_left_on_d
onated

JP Morgan Backup Tape Lost, Paper Documents Exposed (May 1, 2007)

A backup tape containing personally identifiable information of JP Morgan Chase customers and employees disappeared either while en route to or after arriving at an off-site facility. The tape holds account information and SSNs. The number of accounts affected is estimated to be 47,000. In a separate incident, JP Morgan Chase is investigating claims that documents containing client data were left in trash bags outside their offices in the New York City Area.
-http://www.financialnews-us.com/?page=ushome&contentid=2347681605
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyId=17&articleId=9018384&intsrc=hm_topic
[Editor's Note (Honan): A video on YouTube allegedly is showing the discarded documents
-http://www.youtube.com/v/G_8xRnzQqME]

Virginia Dept. for the Aging Computer Stolen (May 1, 2007)

Computer equipment stolen from the Virginia Department for the Aging contains names, addresses and SSNs of approximately 40,000 people who receive the department's services. The theft occurred on April 18 and notification letters were mailed April 26.
-http://content.hamptonroads.com/story.cfm?story=123820&ran=180020

MISCELLANEOUS

HP Shipping Laptops with Disk Encryption (May 1, 2007)

Hewlett-Packard has begun shipping laptops that come with disk-encryption software. The devices are aimed at "small and midsize businesses that don't ... have the resources to buy and manage an enterprise-size disk environment." Users must provide authentication before the machine will allow them access.
-http://www.networkworld.com/news/2007/050107-hp-laptop-safeboot.html?fsrc=rss-se
curity
[Editor's Note (Northcutt): In a keynote last week I predicted two things on this topic, that Dell would be the first to offer disk encryption on those three pages of checkout (whoops) and that this will be a management nightmare, "but teacher I forgot my passphrase and the crypto ate my homework". ]

Funding Opportunity for Secure Control Systems in Energy Sector

On April 26, 2007, the National Energy Technology Laboratory (NETL), on behalf of the DOE Office of Electricity Delivery and Energy Reliability (OE), issued a Funding Opportunity Announcement (FOA) entitled "Office of Electricity Delivery and Energy Reliability Research and Development" (DE-PS26-07NT43119). The solicitation includes two Program Areas of Interest. The first area, Secure Control Systems for the Energy Sector, invites applications for R&D in any of seven topics to improve the security of control systems for energy transmission and distribution. The second area, Renewable and Distributed Systems Integration, invites applications for R&D and demonstration of the integration of distributed resources for providing power or load management during peak load periods. Applications for this FOA are due June 19, 2007. For more information and to review the Funding Opportunity Announcement, go to:
-http://www.netl.doe.gov/business/solicitations/index.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/