SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #38
May 11, 2007
TOP OF THE NEWS
House Committee Approves Bill Mandating Paper Trails on Touch Screen Voting Machines
Man Extradited From Australia on Piracy Charges
Employee Union Files Suit Against TSA Over Lost Hard Drive
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Some Suspected of Purchasing Illegal Content Were Likely Victims of Credit Card Fraud
Six Indicted in Online Bank Theft Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Former Marine Used White House and FBI Positions to Steal Classified Documents
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's May Updates Address 19 Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Univ. of Missouri Database Breached
Scandinavian Bank Cards Hit by Fraudsters
Some Indiana Businesses' Tax ID Numbers Posted to Internet
MISCELLANEOUS
Misplaced Computer Tapes Illuminate Problems with Data Handling
West Point Wins Cyber Defense Exercise
************************** Sponsored By SANS ****************************
Interested in retaining the knowledge from your live SANS training? We've got a solution for you, OnDemand's online training Bundles! This is a tactical study tool that uses a combination of learning techniques to reinforce the concepts taught in the course. For more information please email ondemand@sans.org or call (301) 654-7267.
*************************************************************************
A quiz: Why are SANS courses so much better than any others?
A. The teachers are winners of a multi-year competition to find the best teacher of each topic in the world.
B. The teachers are full time practitioners with real world experience.
C. The material is up to date and relevant.
D. The topics are exactly those that are needed to build strong defenses.
E. The courses are hands on so you come out with the confidence to put the material to work as soon as you get back to the office.
F. All of the above.
If you chose F, you know why you should come to SANSFIRE or SANS Network Security. Complete schedule: www.sans.org
*************************************************************************
TOP OF THE NEWS
House Committee Approves Bill Mandating Paper Trails on Touch Screen Voting Machines (May 10, 2007)
A US House committee that oversees elections has approved a bill that would require all touch screen voting machines to produce paper receipts for every ballot cast. The measure now goes to the floor. The Voter Confidence and Increased Accessibility Act would also require random audits of election results. The proposed legislation has met with mixed reviews.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019024&source=rss_topic17
-http://cha.house.gov/images/stories/Documents/hr_811_rep_lofgren_substitue.pdf
Man Extradited From Australia on Piracy Charges (May 7, 2007)
A British man who has lived in Australia for more than 30 years has been extradited to the US to face charges of intellectual property crime. Hew Raymond Griffiths pleaded guilty to criminal copyright infringement offenses; he could face up to 10 years in prison when he is sentenced in June. Griffiths was allegedly the ringleader of a group, known as Drink or Die, who cracked copy protection on a variety of digital content and made it available for distribution at no cost. Griffiths fought extradition for three years. Some believe his extradition marks an important step forward in the fight against digital piracy worldwide; others are concerned that "people are being extradited to the US to face criminal charges when they have never been to the US and the alleged act occurred wholly outside the US."
-http://www.theage.com.au/news/national/australia-hands-over-man-to-us-courts/2007/05/06/1178390140855.html?page=fullpage#contentSwap1
[Editor's Note (Schultz): The claim that no laws in a country could have been broken because the accused never set foot in that country seems very inappropriate given the nature of computer crime today. This type of crime, including piracy, malicious code, unauthorized access, and other types, routinely crosses over international boundaries. ]
Employee Union Files Suit Against TSA Over Lost Hard Drive (May 8 & 10, 2007)
The American Federation of Government Employees has filed a class action lawsuit against the Transportation Safety Administration (TSA) on behalf of TSA employees whose personal information was on a stolen hard drive. The suit asks that the court order TSA to deploy more stringent security precautions, including data encryption and electronic monitoring of equipment holding information about TSA employees. The suit also asks that TSA employees who need time off from work to fix problems caused by the data breach be allowed administrative leave without penalty as well as reimbursement for any financial losses incurred as a result of the data breach.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/n/a/2007/05/08/national/w150926D86.DTL&type=printable
-http://www.scmagazine.com/us/news/article/656868/union-sues-tsa-data-breach/
*************************Sponsored Link:*********************************
1) SANS OnSite Training
Receive bonus seat for SANS OnSite (up to $5100 value) Your Location! Your Schedule! Lower Cost!
Enter today! http://www.sans.org/info/6991
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Some Suspected of Purchasing Illegal Content Were Likely Victims of Credit Card Fraud (May 10, 2007)
According to a BBC investigation, at least 2,000 people arrested because their credit cards were used to purchase child pornography over the Internet may have been victims of credit card fraud. The arrests stem from a May 2002 action known as Operation Ore; law enforcement officials obtained a list of names associated with credit card numbers that had been used to purchase the illegal content. Two thousand of the people whose names appeared on the list were investigated, but ultimately saw charges against them dropped; another 2,300 have been found guilty.
-http://news.bbc.co.uk/2/hi/uk_news/6641321.stm
[Editor's Comment (Northcutt): Yikes, first you suffer from identity theft, second the thief uses your credit card to buy child pornography, third you are under investigation. I hope they didn't leak the names of the innocent! That is some investigation; the bust was seven years ago:
-http://www.wired.com/politics/law/news/2000/04/35684
-http://archives.cnn.com/2001/LAW/08/08/ashcroft.childporn/index.html]
[Editor's Note (Pescatore): There have been a number of attacks (including some against corporations) where PCs have been taken over, child pornography downloaded and then extortion attempts sent to the PC user/owner. But the bigger enterprise problem is the increasing use of personal PCs for business use, where those personal PCs have all kinds of questionable content on them.
(Ullrich): Malware and stolen identities make the job of child pornography investigators much harder. Today, convictions are relatively easy if illegal material is found on a system. However, once the "a trojan put them there" defense takes hold, it will be harder to prove who actually put the files on the system. ]
Six Indicted in Online Bank Theft Case (May 9, 2007)
Six men have been indicted for bank fraud, wire fraud and money laundering. The men allegedly stole money from online bank accounts between November 2003 and July 2004; the stolen funds totaled US $383,000. The gang allegedly ferreted out login information from backup files they were able to access on people's computers with the help of publicly available free software.
-http://www.theregister.co.uk/2007/05/09/bank_fraud_indictment/print.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Former Marine Used White House and FBI Positions to Steal Classified Documents (May 10, 2007)
Leandro Aragoncillo, who was a career Marine and worked in the White House and for the FBI, pleaded guilty last spring to charges related to the theft of hundreds of classified documents. Aragoncillo apparently gave the documents to others "in an attempt to foster a political coup in the Philippines, his home country." Officials became suspicious of Aragoncillo in March 2005 when he came to the defense of his contact, Michael Ray Aquino, a man from the Philippines who had been arrested after his tourist visa had expired. Alerted to this behavior, Aragoncillo's superiors began monitoring his computer activity and learned he had been accessing and downloading documents that were unrelated to his job.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199500751
[Editor's Note (Pescatore): It is much better to install and use smoke detectors *before* the fire starts. It is good to use fireproof materials, too. Obviously, granular access controls and any kind of access auditing was completely missing here.
(Honan): If the information was classified one has to ask how was Mr. Aragoncillo able to access and download documents that were unrelated to his job? The role profile of those who have access to data should be in accordance with the appropriate data classification settings for that data. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's May Updates Address 19 Vulnerabilities (May 8, 2007)
On Tuesday, May 8, Microsoft released seven security bulletins comprising fixes for 19 vulnerabilities in Windows, Internet Explorer and Office. Three of the flaws addressed are known zero-day vulnerabilities. All seven bulletins have a severity rating of critical, which usually means they can be exploited to gain control of vulnerable machines with little or no user interaction.
-http://news.zdnet.com/2102-1009_22-6182232.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=operating_systems&articleId=9018902&taxonomyId=89&intsrc=kc_top
-http://www.informationweek.com/news/showArticle.jhtml?articleID=199400216
-http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx
[Editor's Note (Ullrich): The SANS Internet Storm Center received more problem reports about these patches than usual. Systems have become unresponsive, and will use up 99% of available CPU time for up to 30 minutes after a reboot. If you run into issues, please let Microsoft know by calling 1-866-PCSAFETY. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Univ. of Missouri Database Breached (May 8 & 9, 2007)
Through IP addresses associated with China and Australia, cyber thieves broke into a University of Missouri database and stole 22,396 Social Security numbers (SSNs). Technicians became aware of the attack last week. The breach affects current and former students who were also University employees in 2004. The FBI is investigating the incident.
-http://www.scmagazine.com/us/news/article/656468/hackers-steal-22000-social-security-numbers-university-missouri-database/
-http://www.columbiatribune.com/2007/May/20070507News054.asp
-http://us.cnn.com/2007/TECH/05/08/missouri.hacker.ap/index.html
-http://www.stltoday.com/stltoday/news/stories.nsf/missouristatenews/story/283B912FC21C6E5B862572D5005520FC?OpenDocument
Scandinavian Bank Cards Hit by Fraudsters (May 8 & 9, 2007)
Swedish bank SEB said that at least 10,000 credit and debit cards have been compromised. Attackers managed to gain access to a national computer system that handles card payments for a number of retailers. The card information was stored on the computer system, although it should not have been. More than 1,000 Swedish holders of Eurocards were being issued new cards due to a similar incident.
-http://www.thelocal.se/7245/20070509/
-http://www.thelocal.se/7239/20070508/
Some Indiana Businesses' Tax ID Numbers Posted to Internet (May 7, 2007)
Late in the day on May 2, an employee at Indiana's State Department of Administration inadvertently uploaded the tax identification numbers associated with an undisclosed number of businesses to the Internet. The mistake was noted and the data removed the following morning. In some cases, people's tax identification numbers are the same as their Social Security numbers (SSNs). People whose information was exposed have been sent letters, and the department now requires employees to obtain approval before uploading data to the Internet.
-http://www.indystar.com/apps/pbcs.dll/article?AID=/20070507/BREAK/705070433/1196/LOCAL
MISCELLANEOUS
Misplaced Computer Tapes Illuminate Problems with Data Handling (May 8, 2007)
Fourteen computer tapes holding nine million records containing sensitive information were missing for two weeks before being located in the incorrect mail bin at a Texas state office building. The data, which are used to verify Medicaid claims, include SSNs and wage information. The tapes were sent from Northrop Grumman, the company responsible for maintaining the mainframe computer holding the original data, to the Texas Medicaid & Healthcare Partnership, which is a coalition of companies that processes Medicaid claims; Affiliated Computer Services (ACS) is the lead contractor. An ACS spokesperson said they were never notified the tapes had been sent and were therefore unable to notify anyone that they were missing. ACS is looking into the possibility of sending information electronically instead. State officials plan to implement new tracking procedures to avoid a repeat incident.
-http://www.chron.com/disp/story.mpl/front/4783956.html
[Editor's Comment (Northcutt): Data tapes are notoriously easy to lose: Bank of America 2005:
-http://www.internetnews.com/storage/article.php/3486036
Ameritrade 2005:
-http://www.msnbc.msn.com/id/7561268/
Time Warner 2005:
-http://www.timewarner.com/corp/newsroom/employee_data_tapes/press_release.html
CitiFinancial 2005:
-http://www.citigroup.com/citigroup/press/2005/050606a.htm
People's Bank 2006:
-http://www.computerworld.com/securitytopics/security/story/0,10801,107661,00.html
And we end with a happy story about some very special lost tapes that were found:
-http://www.cosmosmagazine.com/node/818]
West Point Wins Cyber Defense Exercise (May 3, 2007)
The US Military Academy at West Point has once again earned top honors in the Cyber Defense Exercise (CDX), a National Security Agency (NSA) event pitting teams from the nation's service academies (West Point, Air Force, Naval, Coast Guard and Merchant Marine) against the Red Team, a group of experts acting as malicious cyber intruders. The teams were required to build virtual networks to certain specifications; they were rated on their ability to keep those networks running in the face of attacks. West Point won the competition its first two years, 2001 and 2002.
-http://www.gcn.com/print/26_09/43562-1.html
-http://www.gcn.com/online/vol1_no1/44202-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Pescatore): Yeah, but Navy won the Army/Navy football game in 2006. Maybe Army would win if they played Madden NFL 2007?]
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/