SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #44

June 05, 2007

Two gifts:
Just released: a longitudinal study of security and audit salaries from 1999 to 2007. If you'll complete the 2007 Salary Survey (it takes 3-6 minutes), we'll give you the executive summary of the longitudinal analysis (telling where salaries went up and down the most, and why). The salary survey is at:
http://www.surveymethods.com/EndUser.aspx?F7D3BFA2FFB4A7

Secure Programming: We've also added a bonus report at the end of this issue. It is called SANS Software Security @RISK: Secure Coding Error of the Month. It is a free educational service for programmers that IT security managers or development managers may distribute to programmers and testers. Each monthly issue takes a recent critical vulnerability - - one that did some real damage -- and shows the exact programming error that allowed the application to be exploited. This first issue focuses on an Apache Webserver error. We are announcing it as part of the run up to the Application Security Summit in Washington later this summer. More info on the Summit at http://www.sans.org/appsummit07/

Alan

PS. Tomorrow (6/6) is the final day for early registration discounts for SANS biggest training program in Washington (SANSFire 2007 July 25 - August 3) Data at http://www.sans.org/sansfire07/

---

TOP OF THE NEWS

Government Security No Better One Year After VA Data Breach
California Considers New Data Security and Breach Notification Law
"Spam King" Arrested

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
ChoicePoint Settlement
Former Manager Pleads Guilty to Stealing Computers
POLICY & LEGISLATION
New Hampshire Law Bans Real ID Bill
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
iTunes Music Files Contain Personal Information
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Critical Flaw in F-Secure Software
Mozilla Issues Advisories for a Half-Dozen Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Steal City Funds
Missing Disk Holds Home Health Care Worker and Client Data
MISCELLANEOUS
Mother's Keylogger Helps Nab Online Predator
Are You Stuck Doing Certification and Accreditation Reports?

---

*********************** Sponsored By ArcSight, Inc. *********************

*Free Whitepaper: Using Advanced Event Correlation to Improve Enterprise Security, Compliance and Business Posture*

An effective event correlation system makes information more manageable and protects critical assets. Learn how your enterprise security platform can help you discover vulnerabilities, correlate relevant event information, detect malicious insiders, demonstrate compliance and improve overall security with this whitepaper. Brought to you by ArcSight, providing security and compliance management solutions that protect your business.

http://www.sans.org/info/8251

*************************************************************************

---

TOP OF THE NEWS

Government Security No Better One Year After VA Data Breach (June 4, 2007)

One year after the theft of a laptop computer holding personally identifiable information of 26.5 million US veterans and active duty members, a study has found that data security in the federal government has not improved. The study surveyed 258 federal employees. Forty-one percent of the respondents use laptops for work. Of those, 48 percent said they received training following the theft of the VA laptop; 16 percent of the respondents said their agencies did nothing in reaction to the theft. According to the study, 58 percent of federal workers who are not official telecommuters still work at home, many using their own, less secure computers. Forty-one percent of those who are not official telecommuters log on to government systems from home.
-http://www.informationweek.com/management/showArticle.jhtml?articleID=199901028&
amp;cid=RSSfeed_TechWeb
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=government&articleId=9023098&taxonomyId=13&intsrc=kc_top
[Editor's Note (Kreitner): It's time for agency executives to implement tougher accountability policies for their people entrusted with information assets. For example, a specific person should be designated as the responsible person for every laptop that is issued. Termination or at least a significant demotion should be the clear penalty for losing it or for failure to follow established configuration, patching, and encryption policies. Only when agency leaders demonstrate a more resolute, tangible and enforceable commitment to improving the security of the information assets within their spheres of responsibility, will things begin to improve.
(Schultz): These findings are not at all surprising. Until US government employees are held accountable for their security-related actions (or lack thereof), they will continue to be deficient in their practice of security. ]

California Considers New Data Security and Breach Notification Law (May 31, 2007)

California state lawmakers are considering legislation that would require any organization in the state that processes credit and debit card transactions to comply with certain requirements regarding data security and breach notification. Merchants would be barred from storing authentication data, including card verification value and personal identification numbers. Merchants would also be required to use strong encryption when storing and transmitting card data. Organizations that experience breaches would be required to reimburse financial institutions for costs incurred, such as notifying customers of the breach and reissuing cards. The bill would also allow financial institutions to provide more detailed information about data security breaches, including what types of data were compromised and where the breach occurred. The bill is presently in committee; if it is approved, it will go before the full state assembly for a vote on June 8. From there, it would require state senate approval and the governor's signature before it becomes law.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9022358&taxonomyId=17&intsrc=kc_top
[Editor's Note(Schultz): Minnesota has already passed legislation of this nature. If this legislation passes in California, the most populous state in the US, I predict that the momentum for passing national legislation of this nature will grow to the point that it will be difficult to stop.]

"Spam King" Arrested (May 30, 31 & June 1, 2007)

Robert Alan Soloway, known among investigators as the "Spam King," was arrested on May 30 in Seattle, Washington. The 35-count federal indictment includes charges of mail fraud, wire fraud, fraud in connection with electronic mail, aggravated identity theft, and money laundering. Soloway pleaded not guilty to all charges at a court appearance last week; his trial is scheduled to begin on August 6. Soloway, who owned Newport Internet Marketing Corporation, "is accused of offering broadcast email services
[that ]
sent messages with false headers and were relayed using networks of proxy computers or botnets." If convicted of all charges against him, Soloway could face five years in prison and be ordered to pay a fine of US $250,000.
-http://www.theregister.co.uk/2007/05/31/spam_king_arrested/print.html
-http://news.bbc.co.uk/2/hi/technology/6707333.stm
-http://seattlepi.nwsource.com/local/318094_soloway01.html
-http://news.zdnet.co.uk/security/0,1000000189,39287329,00.htm?r=3
-http://www.usdoj.gov/usao/waw/press/2007/may/soloway.html

---

*********************** Sponsored Links: ******************************

1) 2007 SANS Log Management Market Report web cast, June 6th at 1pm EDT. Register today.
http://www.sans.org/info/8256

2) Save Time, Avoid Headaches with one solution. Protect your business from malware with CA Threat Manager.
http://www.sans.org/info/8261

3) Upcoming SANS Special webcast, "Using SIM in your PCI compliance program", June 14 at 1:00 PM EDT, Register today at
http://www.sans.org/info/8266

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

ChoicePoint Settlement (June 1, 2007)

Georgia-based data broker ChoicePoint has reached a legal settlement with the attorneys general of 43 states and the District of Columbia regarding allegations it did not adequately protect consumer data. ChoicePoint acknowledged in February 2005 that it had exposed parts of its consumer database to thieves posing as legitimate businesspeople. ChoicePoint notified more than 145,000 consumers that their personal data had been compromised. Under the terms of the settlement, ChoicePoint will implement stronger methods to guard the privacy of personal information. In addition, the company will abide by new verification procedures to ascertain that an entity requesting information is in fact a legitimate business. The settlement also includes a lump sum payment of US $500,000 to be shared among the states.
-http://sanantonio.bizjournals.com/albuquerque/stories/2007/05/28/daily27.html
-http://www.smh.com.au/news/Technology/ChoicePoint-Settles-With-43-States-DC/2007
/06/01/1180205461106.html
[Editor's Note (Liston): So, based on this, the going price for exposing someone's personal data is $3.45. Heck, I'll pitch in five bucks... Who wants to know my ex-wife's SSN? ]

Former Manager Pleads Guilty to Stealing Computers (May 31, 2007)

A man who once managed the San Jose (Ca.) Medical Group's McKee branch has pleaded guilty to stealing computers and a CD that contained personal medical information of approximately 200,000 patients. Joseph Nathaniel Harris managed the practice between August and September 2004; two computers and the disk were reported missing in March 2005. At that time, the medical group sent letters to approximately 185,000 patients to notify them of the data security breach. The complaint against Harris alleges he stole the computers in late March 2005. Shortly before that theft, computers were also stolen from another of Harris's former employers. All of the stolen computers were all found for sale on Craigslist with email addresses linking them to Harris. The disk was found in Harris's car. Harris was indicted in January 2006. If convicted of all charges against him, Harris could be sentenced to 10 years in prison and fined US $250,000 and ordered to pay restitution.
-http://www.mercurynews.com/ci_6029308?source=most_viewed
-http://sanfrancisco.fbi.gov/dojpressrel/2006/sf011906.htm
-http://sanfrancisco.fbi.gov/dojpressrel/2007/sf053107.htm

POLICY & LEGISLATION

New Hampshire Law Bans Real ID Bill (June 4, 2007)

New Hampshire is joining a growing number of states in passing legislation that rejects the federal government's Real ID Act. The US Congress passed Real ID in 2005. The bill requires that driver's licenses and other state-issued identification cards include a bar code and a digital photograph. Citizens would need compliant cards to enter federal buildings and nuclear power plants and board commercial aircraft. The US government established a May 2008 deadline for compliance; it can be extended on a case-by-case basis through December 2009. New Hampshire's law calls Real ID "contrary and repugnant" to both the state and US constitutions. The governor plans to sign the bill into law soon. Among concerns cited are the cost of implementing the new requirements and the potential violation of citizens' privacy.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=294226&source=rss_topic17
[Editor's Note (Liston): Unfortunately, now that we're one year away from the deadline for compliance, taking a moral stance against Real ID simply looks self-serving. This was "contrary and repugnant" to the Constitution back in 2005 when it was passed. Waiting until now to climb up on a soapbox simply makes it look like states are trying to skirt the issue. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

iTunes Music Files Contain Personal Information (June 1, 2007)

Music tracks sold through iTunes have been found to contain the buyer's personal information. Names, account information, and email addresses are embedded in the purchased tracks, both those with digital rights management (DRM) protection and those without. Some have speculated that this is a measure to fight piracy; if the tracks appear on a file sharing network, they provide a simple way to find out who originally bought the music.
-http://news.bbc.co.uk/2/hi/technology/6711215.stm
[Editor's Note (Ullrich): I don't see this as a problem. Apple adds a buyer's name to the file. The buyer is not supposed to pass on the file as part of licensing restrictions. Simply marking the file with a users name sounds like a very reasonable thing to do.
(Liston): This is, to put it bluntly, much ado about nothing. This meta-data exists in *ALL* iTunes downloads, with or without DRM. People complained about the inability to load DRM crippled songs onto all of their devices, and Apple responded with higher quality, non-DRM music. Now, suddenly, having your name embedded in the non-DRM music file is an issue, when it wasn't an issue when that same song was locked down with DRM. Why? ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Critical Flaw in F-Secure Software (May 30 & June 1, 2007)

F-Secure has released a security bulletin warning of a critical buffer overflow vulnerability in several of its products that could be exploited to execute arbitrary code or create denial-of-service conditions. The flaw lies in the way the software processes LHA archives, and affects versions of the software for both Windows and Linux. F-Secure's bulletin provides options for mitigating the flaw, including both upgrades and workarounds.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62017679-39000005c
-http://www.f-secure.com/security/fsc-2007-1.shtml
-http://www.kb.cert.org/vuls/id/381508
[Editor's Note (Liston): Code to do data parsing or protocol decoding is perhaps the most "dangerous" thing any programmer can write. Doing these things well requires a good, defensive programming mindset which is, in essence, a strong determination to not make ANY assumptions about the data you're being presented. These kinds of errors are especially distressing in software designed to protect systems from attack. ]

Mozilla Issues Advisories for a Half-Dozen Flaws (May 31 & June 1, 2007)

Mozilla has released six security advisories for a variety of vulnerabilities in Firefox, SeaMonkey and Thunderbird. One critical remote code execution flaw affects all three products and could be exploited to cause crashes. Users are being advised to disable JavaScript in Thunderbird and the mail portion of SeaMonkey. Firefox users were also urged to disable JavaScript as a workaround for a high impact cross-site scripting flaw; an updated version of Firefox is available. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2891
-http://www.scmagazine.com/us/news/article/661567/mozilla-discloses-six-security-
flaws/
-http://www.theregister.co.uk/2007/06/01/firefox_update/print.html
-http://www.zdnet.com.au/news/security/soa/Mozilla-issues-security-updates-for-Fi
refox-2-and-1-5/0,130061744,339278067,00.htm
-http://www.us-cert.gov/cas/techalerts/TA07-151A.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Cyber Thieves Steal City Funds (May 31 & June 1, 2007)

Using information gleaned through a surreptitiously installed Trojan horse program, cyber-thieves attempted to steal nearly US $450,000 from the Southern California city of Carson. The malware sent the purloined information back to the thieves and allowed them to steal bank passwords and wire sums of money to different bank accounts. Carson Treasurer Karen Avilla became aware something was wrong when she found herself unable to log in to the city's bank account. The theft was discovered in time to freeze the majority of the funds; the US Secret Service is tracking the whereabouts of the rest of the money.
-http://www.latimes.com/news/local/la-me-hackers1jun01,0,2083352.story?coll=la-ho
me-local
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9022498&taxonomyId=17&intsrc=kc_top
[Editor's Note (Liston): The thieves tried for almost $450,000, but actually got away with $45,000 before the city froze assets. How did a keylogging Trojan get installed on her laptop? Avilla "doubts it had the latest security software patch protections." 'Nuff said. ]

Missing Disk Holds Home Health Care Worker and Client Data (June 1, 2007)

A computer disk containing personally identifiable information of Fresno County (Ca.) home health care workers and their clients is missing. The disk was sent via courier from a county office to the office of a software vendor in San Jose. The information on the disk was being used to determine eligibility for healthcare benefits and includes names, addresses and Social Security numbers (SSNs). The data were not encrypted. The courier service reported that the disk had been delivered to the software vendor. The vendor's CEO, however, says the disk never arrived. The county did not require a signature for proof of receipt. This particular vendor works with other counties as well, most of which send their data encrypted via a secure Internet connection.
-http://www.fresnobee.com/263/story/51168.html

MISCELLANEOUS

Mother's Keylogger Helps Nab Online Predator (June 1, 2007)

A UK mother concerned about her son's online activities installed keylogging software on his computer. When she retrieved the data, she learned that a man from the US had been "grooming" her 15-year-old son for abuse. She contacted the police, who in turn notified US Immigrations and Customs investigators. Jason Bower was arrested last November as he boarded a plane bound for England to meet the boy. Bower has pleaded guilty to charges against him and will face a minimum prison sentence of five years.
-http://www.theregister.co.uk/2007/06/01/spyware_mum_foils_pervert/
[Editor's Note (Kreitner): Way to go, Mom!!]

Are You Stuck Doing Certification and Accreditation Reports? (Advertisement)

Are you stuck doing Certification Accreditation (C&A) tasks and don't know how to use FISMA to help make a difference? A new course being offered by SANS at Virginia Beach, VA, Aug 25 - Sept 1, will help you unravel the mysteries of C&A. Laura Taylor, author of the FISMA Certification & Accreditation Handbook, will teach this all new course for you to learn the general concepts required to create the broad knowledge base necessary in order to position your career for segue into any C&A project. Ms. Taylor teaches from experience having successfully managed numerous C&A projects for various U.S. federal agencies towards positive accreditations. For course information and to register for FISMA 101: Certification & Accreditation Concepts, go to
-http://www.sans.org/vabeach07/description.php?tid=1127

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/


==================================

=========================================================================
SANS Software Security @RISK: Secure Coding Error of the Month
Vol. 1, Num. 1 June 3, 2007
=========================================================================

Millions of problems from one coding error.

The apache.org foundation reports that more than 10 million copies its Apache Tomcat package have been downloaded, providing Java servlet functionality for web servers throughout the world. Moreover, Tomcat is frequently used as a standalone web server in high-traffic and high-availability environments where sensitive and valuable information are stored.

So a programming error by one of the Tomcat developers is a BIG error. If it opens a security hole, millions of people now need to patch their systems. It is an even bigger problem because, sadly, thousands or tens of thousands of sites will not install the patch, possibly because no one will tell them about the need to do so, and will become victims of data theft, extortion, and other cyber crimes.

As you read this first edition of SANS Software Security @RISK newsletter, note how little effort would have been needed to avoid the problem.

*****************************************************
Apache Tomcat JK Web Server Connector Buffer Overflow
*****************************************************


What kind of error is it? A buffer overflow.
- -------------

Buffer overflow is one of the oldest types of security vulnerabilities discovered as early as mid sixties. As the name suggests, the vulnerability arises when a programmer allows more data to be crammed into a storage area than the programmer had originally set aside. When the data overflows the reserved area, bad things often happen.

In early March, a critical buffer overflow was disclosed in versions of Apache Tomcat JK Web Server Connector.

This vulnerability is a stack-based buffer overflow. The flaw can be triggered by a long URI input to the mod_jk module. An unauthenticated user can exploit this overflow by sending a large URI to execute arbitrary code of his choice on the server.

Information about the problem of interest to security professionals -- the vulnerable versions of Tomcat, damage that can be done, and exploits in the wild -- have all been well covered in SANS weekly @RISK newsletter and elsewhere (and are referenced at the end of this issue). Here we focus instead on the aspect of the problem relevant to programmers: the programming error that led to this huge problem?


What coding error was responsible for this vulnerability?
- ------------------------------------------------------------------------

Buffer overflows arise because programmers forget to check that the length of data being copied into a buffer is less than or equal to the buffer size.

Let us now look at the vulnerable function that led to the Tomcat overflow.

The buffer overflow was found in the map_uri_to_worker() function that is defined in native/common/jk_uri_worker_map.c file.

#define JK_MAX_URI_LEN 4095 (From jk_uri_worker_map.h)

*************
Function code
*************
const char *map_uri_to_worker(jk_uri_worker_map_t *uw_map,
const char *uri, jk_logger_t *l)
{
unsigned int i;
char *url_rewrite;
const char *rv = NULL;
char url[JK_MAX_URI_LEN+1];

JK_TRACE_ENTER(l);

if (!uw_map || !uri) {
JK_LOG_NULL_PARAMS(l);
JK_TRACE_EXIT(l);
return NULL;
}
if (*uri != '/') {
jk_log(l, JK_LOG_WARNING,
"Uri %s is invalid. Uri must start with /", uri);
JK_TRACE_EXIT(l);
return NULL;
}

###############################
Erroneous Code in this function
###############################

for (i = 0; i < strlen(uri); i++)
if (uri[i] == ';')
break;
else
url[i] = uri[i];
url[i] = '';

What is wrong with this function?
- ---------------------------------

Notice that "uri" is an input to the function. It is being copied into a locally declared variable url. url is a buffer of size 4096. However, the copy operation depends on the size of the input uri. There is no check in the function to stop copying if the length of uri is greater than the maximum length of url buffer i.e. 4096. This results in a stack-based buffer overflow, which is usually the simplest buffer overflow to exploit.

What did it take to fix the vulnerable function?
- ------------------------------------------------

Introduce a check for the length of the uri that is copied into the url variable.
**********
Fixed Code
**********

for (i = 0; i < strlen(uri); i++) {
if (i == JK_MAX_URI_LEN) {
jk_log(l, JK_LOG_WARNING,
"Uri %s is invalid. Uri must be smaller then %d chars",
uri, JK_MAX_URI_LEN);
JK_TRACE_EXIT(l);
return NULL;
}
if (uri[i] == ';')
break;
else
url[i] = uri[i];
}

As you can see, once the length of uri reaches the max length of 4096, the copy operation is terminated.

Take Away:
Programmers who want to avoid this kind of error should follow SANS Secure Programming Rule 01.1.1:
- -------------------------------------------------------------------------

Input Validation - The programmer must securely process inputs from all aspects of the environment, then correctly decode, canonicalize, and validate those inputs.

Source: SANS Secure Coding in C Examination Blueprint, (www.sans-ssi.org/ (rest of url))) More granular rules can be found at that url, as well.

References:
- ----------------

Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html

SANS @RISK Posting
http://www.sans.org/newsletters/risk/display.php?v=6&i=10#widely1

Apache Tomcat Homepage
http://tomcat.apache.org/

Apache Tomcat Code
http://svn.apache.org/viewvc/tomcat/connectors/tags/jk1.2.x/JK_1_2_20/jk/native/
common/jk_uri_worker_map.c?revision=513250&view=markup

Secunia Advisory
http://secunia.com/advisories/24398/
CVE 2007-0774

The National Vulnerability Database:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0774

============================================================
Copyright 2007, The SANS Institute
You may distribute copies of Software Security @RISK to anyone within
your own organization but you may not post it.