SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #40

May 18, 2007

TOP OF THE NEWS

Online Applications for Travel Visas Halted Over Data Security Worries
Estonian Websites Under Attack
TJ Maxx/TK Maxx Security Breach Cost May Reach US$8.3B

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Former Los Alamos Employee Pleads Guilty to Taking Data
Symantec Sues Eight Companies for Copyright Infringement
Former Computer Repairman Allegedly Stole School Servers
Credit Card Fraudsters Sentenced
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Standing Firm on Patent Licensing Deals
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Advanced Notice Service Will Add More Details
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Disk Holds Alcatel-Lucent Employee Data
IBM Tapes Lost After Traffic Accident
Chinese Cyber Attackers Targeting Fashion Houses
STATISTICS, STUDIES & SURVEYS
BSA Says Software Piracy Rate Remained Steady
MISCELLANEOUS
Malware For All
CORRECTIONS

---

********************* Sponsored By Symark Software *********************

Demonstrate compliance and guard data from unauthorized access! Security from within is the priority. Symark access control and identity management solutions control access granularly at the systems level while logging events and keystrokes into an indelible audit trail. Get a Free 30 Day Trial of any of our products and receive our famous Fox in the Henhouse poster!
http://www.sans.org/info/7206">http://www.sans.org/info/7206
*************************************************************************
Where can you find courses by SANS best teachers of Hacking, Techniques, Forensics, Intrusion Detection, SceuritY Essentials, Auditing and more?
Brussels: SANS Secure Europe (6 courses): June 25-30
http://www.sans.org/brussels07/">http://www.sans.org/brussels07/
Denver: Rocky Mountain SANS (14 courses): May 31-June 7
http://www.sans.org/rockymnt2007/">http://www.sans.org/rockymnt2007/
Washington DC, SANSFire 2007 (57 courses): July 25-August 3
http://www.sans.org/sansfire07/">http://www.sans.org/sansfire07/

As well as on site at your organization or in 100 other cities:
http://www.sans.org

************************************************************************

---

TOP OF THE NEWS

Online Applications for Travel Visas Halted Over Data Security Worries (May 15 & 17, 2007)

The UK Foreign Office has suspended online applications for some visas after learning that a flaw in certain IT systems allowed applicants to view others' personal information. Exposed data include addresses, dates of birth and passport numbers. An Indian visa applicant first reported the problem in April 2006.
-http://www.bostontoday.co.uk/viewarticle.aspx?articleid=2888216§ionid=40
68
-http://news.scotsman.com/uk.cfm?id=772752007
-http://www.theinquirer.net/default.aspx?article=39627
[Editor's Note (Honan): The fact that this vulnerability existed for over a year without the authorities responding to it is reason for grave concern. What is the point of implementing strict border controls and enhanced checking of government issued travel documentation if the authorities ignore a security hole for terrorists and criminals to exploit allowing them get valid visas?]

Estonian Websites Under Attack (May 10 & 17, 2007)

Web sites throughout Estonia have been under attack for the past three weeks. Riots and protests broke out on April 27 when Estonia removed a Soviet war memorial statue in the capital city of Tallinn. Ethnic Russians protested the statue's removal. Russia is suspected of being behind the attacks, but no accusations have been made. The distributed denial-of-service (DDoS) attacks have hit across the board at government web sites as well as web sites of newspapers, banks and businesses. NATO has sent cyber terrorism experts to Tallinn to help the country improve its cyber defenses.
-http://www.guardian.co.uk/russia/article/0,,2081438,00.html
-http://www.economist.com/world/europe/displaystory.cfm?story_id=9163598
[Editor's Note (Liston): I find this incident to be troubling on many levels. While there is a great deal of disagreement on whether or not the Russian government is participating in this attack, the effectiveness of this DDoS highlights the potential for third-party agitators to potentially exacerbate an international incident. Rapid, accurate and positive attribution of this type of cyber-attack is essentially impossible, which almost invites "interested" third parties to use it as a means of stirring up trouble on an international level.
(Ullrich): During the China-US standoff about the spyplane that was shot down in 2001, Chinese hacker groups defaced US websites and US hacker groups retaliated. None of these attacks amounted to more then a nuisance. It is likely that the attacks against Estonia are similarly inspired by patriotism and not necessarily government controlled. However, as the importance of cyber warfare increases, better methods are needed to determine attribution of attacks. (Honan): Arbor Networks have an interesting entry in their Security to the Core Blog outlining a summary of these attacks as seen by them,
-http://asert.arbonetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/.
While TERENA has details on how the European CSIRT community is assisting Estonia in dealing with the attacks,
-http://www.terena.org/news/fullstory.php?news_id=2103]

TJ Maxx/TK Maxx Security Breach Cost May Reach US$8.3B (May 18, 2007)

TJX, the owner of TK Maxx (UK) and TJ Maxx (US), issued an earnings report today that claims the recent security failure, which exposed the credit card details of 45 million customers has cost the company US$12m. The earnings report also refers to a similar charge expected in the next quarter. Outsiders, using estimates developed by the Ponemon institute of $186 per card estimated the total losses at $8.6 billion.
-http://www.itnews.com.au/newsstory.aspx?CIaNID=52299
[Editor's Note (Paller): Multiplying loss numbers from small losses by the 45 million from TJ Maxx is silly. Economies of scale will keep the actual losses at a tiny fraction of the estimate. ]

---

************************** Sponsored Links: ***************************

1) Cenzic will find more "real" vulnerabilities and less false positives than SPI Dynamics or Watchfire
http://www.sans.org/info/7211

2) SANS OnSite Training
Receive bonus seat for SANS OnSite (up to $5100 value) Your Location!
Your Schedule! Lower Cost!
Enter today! http://www.sans.org/info/7221

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Former Los Alamos Employee Pleads Guilty to Taking Data (May 17, 2007)

A woman who used to work for a contractor at Los Alamos National Laboratory as an archivist has pleaded guilty to stealing classified data. Jessica Lynn Quintana admitted to printing out some documents, downloading others onto a flash drive, and taking them all home. She was stripped of her security clearance, and face up to a year in prison and a fine of US $100,000, as well as five years probation. There was no indication as to why she took the data home.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199601495

Symantec Sues Eight Companies for Copyright Infringement (May 16, 2007)

Symantec has filed civil lawsuits against eight companies in Canada and the US for allegedly selling pirated copies of its software. The suits allege trademark and copyright infringement, fraud, unfair competition, counterfeit documentation, trafficking, and false advertising. Symantec is seeking damages of between US $4 million and $10 million from each company. The suits also seek permanent injunctions barring the companies from selling pirated products in the future.
-http://www.theregister.co.uk/2007/05/16/symantec_copyright/print.html
-http://www.scmagazine.com/us/news/article/657950/symantec-seeks-55-million-eight
-piracy-lawsuits/

Former Computer Repairman Allegedly Stole School Servers (May 11, 2007)

A man who once worked for a contractor repairing computers at a Houston, TX school district has been accused of stealing machines from the schools. The suspect has not worked for the contractor since February 2007, but he kept his ID badge, which allowed him access to the buildings from which the computers were stolen.
-http://www.khou.com/news/local/houstonmetro/stories/khou070511_tj_computerthefts
.5e2c149b.html
[Editor's Note (Kreitner): This episode illustrates one of the most frequently neglected operational security controls requiring timely human action, namely the termination of physical and electronic access to enterprise assets for departed employees, contractors, vendors, and strategic partners.
(Grefer): Part on any organization's exit protocol should be to collect all physical credentials and to disable and/or revoke any logical credentials and authorizations.]

Credit Card Fraudsters Sentenced (May 10, 2007)

Five people convicted of what UK police called a "sophisticated" credit card fraud scheme have received jail sentences of as long as five-and-a-half years. The group possessed 32,000 stolen credit card numbers. Officials suspect the stolen data came from a US database. The five used the stolen credit card numbers to fund a profligate lifestyle. All have been recommended for deportation upon completion of their sentences.
-http://www.thisislondon.co.uk/news/article-23395784-details/Britain's+biggest+c
redit+card+fraudsters+jailed+for+over+five+years+each/article.do
[Editor's Note (Northcutt): The photo mug shots are priceless, worth clicking on the link. Speaking of link, all the articles on this subject refer to a "link man" from Estonia. This is a new term for me, and I couldn't find it commonly used outside of the article. The following snippet from the story is also illuminating: "The computer encryption systems which were used were very sophisticated and they have to some extent, despite police efforts, defied attempts to decode them." Shucks, in another couple thousand years you'll have it, keep at it is my advice *grin*. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Microsoft Standing Firm on Patent Licensing Deals (May 14, 2007)

Microsoft is claiming that open source software violates no fewer than 235 of the company's patents, and it wants royalties. Eben Mogle, executive director of the Software Freedom Law Center "contends that software is a mathematical algorithm and, as such, not patentable." A recent unanimous Supreme Court opinion states that patents have been too easily granted over the past two decades, and that some of those granted may be invalid. There are some who believe that software patents would be especially problematic.
-http://money.cnn.com/magazines/fortune/fortune_archive/2007/05/28/100033867/
-http://www.usatoday.com/tech/techinvestor/industry/2007-05-15-microsoft-patent_N
.htm?csp=34

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Advanced Notice Service Will Add More Details (May 17, 2007)

Starting in June, Microsoft will provide more details about upcoming security bulletins in its advanced notification service (ANS). Information provided through ANS has been limited to software affected, maximum severity ratings for each bulletin, and whether or not each bulletin would require a restart. As of Thursday, June 7, advance notices will include vulnerability impact and necessary detection information as well as the information noted above. The change was made in response to customers' feedback indicating they want "more time and information ... to plan for testing and deployment." The format of the bulletins has been revised as well.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019720&source=rss_topic17
-http://blogs.technet.com/msrc/archive/2007/05/16/ans-and-security-bulletin-updat
es.aspx
[Editor's Note (Ullrich): The purpose of these advanced notices is to enable companies to schedule manpower ahead of time. With the current system, one never knew how many critical patches Microsoft would announce. The new system should be more granular, and I doubt it will provide information of value to the "bad guys".
(Honan): Microsoft's monthly release of patches has improved the security of many organisations by allowing them to better plan and prepare for patching their Microsoft based systems. This improvement in the Advanced Notice Service further enhances this capability and Microsoft should be commended for listening to their customer feedback and improving the service. Hopefully other vendors will follow suit. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Missing Disk Holds Alcatel-Lucent Employee Data (May 17, 2007)

A computer disk holding personally identifiable information of current and former Alcatel-Lucent employees and their dependents is missing. The disk was prepared by a contractor Hewitt Associates and was scheduled to be delivered to Aon Corp, an insurance company serving Alcatel-Lucent. The disk "was lost or stolen sometime between April 5 and May 3." Alcatel-Lucent learned of the situation on May 7. The data include names, Social Security numbers (SSNs), birth dates and salary information. No customer information was included. The company has launched an internal investigation and has also asked the US Secret Service to investigate. Current employees have been notified of the incident through email; all affected current and former employees will receive notification letters in the mail as well.
-http://www.abcmoney.co.uk/news/17200773596.htm
-http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-17
-2007/0004591162&EDATE=

IBM Tapes Lost After Traffic Accident (May 15 & 16, 2007)

Computer tapes holding personally identifiable information of current and former IBM employees were lost following a traffic accident near Armonk, NY on February 23, 2007. The tapes were in a contractor's vehicle, en route to a permanent storage location. The contractor has not been named. Some customer account information was also on the tapes. IBM recently sent letters to affected employees notifying them of the situation. IBM also placed an advertisement in a local paper asking for the return of the tapes. A spokesperson declined to say how many people were affected, but did note that some of the tapes were encrypted.
-http://www.theregister.co.uk/2007/05/15/ibm_missing_tapes/print.html
-http://www.scmagazine.com/us/news/article/657949/ibm-loses-tapes-employee-person
al-info/
-http://www.infoworld.com/article/07/05/15/IBM-contractor-loses-employee-data_1.h
tml
[Editor's Note (Liston): "Some" of the tapes were encrypted?!? Being smart enough to know that sensitive data in transit requires encryption, yet not making sure that EVERYTHING was encrypted makes the actors in this particular drama seem far more negligent. ]

Chinese Cyber Attackers Targeting Fashion Houses (May 13, 2007)

Chinese cyber thieves are reportedly breaking into computers at top Italian fashion houses to steal designs, which they then use to make counterfeits before the genuine items get to market. Counterfeiters used to take photographs of shop windows to get their designs.
-http://washingtontimes.com/world/20070512-105632-6516r.htm

STATISTICS, STUDIES & SURVEYS

BSA Says Software Piracy Rate Remained Steady (May 15, 2007)

According to statistics from the Business Software Alliance (BSA), the software piracy rate among businesses worldwide has remained constant at 35 percent since 2003. The piracy rate in China has dropped from 92 percent to 82 percent over the past three years, owing in large part to "government intervention." The rates in the US, the UK and Western Europe have remained steady at 22 percent, 27 percent and 36 percent, respectively. The BSA says governments need to do more to encourage companies to use licensed software.
-http://news.bbc.co.uk/2/hi/technology/6654033.stm
-http://www.theregister.co.uk/2007/05/15/software_piracy_static/print.html

MISCELLANEOUS

Malware For All (May 17, 2007)

As a social experiment, someone bought an ad on Google that offered to infect people's machines with malware. The ad read, "Drive-By Download. Is your PC virus-free? Get it infected here!" Over a period of six months, the ad was clicked on 409 times; it was displayed 259,723 times. That works out to a rate of 0.16 percent. Clicking on the link supplied took users to a .info web site. This particular site did not contain any malicious code. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2811
-http://www.theregister.co.uk/2007/05/17/spoof_malware_campaign/print.html
-http://it.slashdot.org/article.pl?sid=07/05/15/2216235
-http://www.eweek.com/article2/0,1759,2132447,00.asp?kc=EWRSS03119TX1K0000594
[Editor's Note (Northcutt): Great story. From memory, the researcher spent a total of 208 dollars. However what is interesting is that some of the convictions for people setting up malicious web sites to load bots on vulnerable web surfing computers explicitly stated they had loaded the code without the user's permission. A 0.16 acceptance rate for a "get out of jail free card;" that gets interesting.
(Schultz): Although a gullibility rate of only 0.16 percent is in theory good, it is still troubling that anyone would be so foolish as to intentionally infect one's own computer. What would be even more interesting would be to compare gullibility rates over time, e.g., at six month intervals, to see if there are any changes and if so, why.
(Liston): It would be interesting to compare the click-through rate on the bogus ad to the click-throughs on, say, an ad for anti-virus or anti-spyware software. ]

CORRECTIONS

From the previous Newsbites

Regarding the story we ran in the last edition of NewsBites about Google's Web-Based Malware study: The researchers identified 450,000 URLs launching drive-by downloads from a set of 4.5 million, which in turn had been culled from a larger set of 7 billion URLs, giving a much lower rate of malware incidence than we indicated. We regret any confusion this may have caused.

Regarding the story we ran in the last edition of NewsBites about attackers using BITS (Background Intelligent Transfer Service) as a vector of infection: We would like to clarify that for a computer to become infected with the Trojan through BITS, there must already be malware present on that machine. We regret our omission and apologize for any problems it may have caused.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/