
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #49

June 22, 2007


Next Wednesday, June 27, is the last day to receive the $150 tuition fee discount for security training at SANSFIRE in Washington DC.
http://www.sans.org/sansfire07/

TOP OF THE NEWS

DHS CIO Singled Out for Failure to Address IT Security
Stored Communications Act Violates Fourth Amendment
Pentagon eMail System Break-In
Blackberry Ban for French Government Officials

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING
Spamhaus Puts Austrian Domain Name Registrar on Blocklist
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Patches IPv6, Apple TV Flaws
MPack Detected on More Than 10,000 Websites
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Ohio State Office Interns Took Backup Tapes Home Nightly
London Stock Exchange Alert System Attacked
MISCELLANEOUS
UK Watchdog Says Orange and Littlewoods Violated Data Protection Act
Atlanta Hospital Audited for HIPAA Compliance
Court Says No To Voting Machine Source Code Review


********************* Sponsored By ArcSight, Inc. ***********************

*Free Whitepaper: ArcSight Perspectives on Risk* Cyber attacks. Incident management. Legal issues. Security trends. The subjects are diverse, but the one powerful message is that security is the most important issue your company faces. Learn to make better decisions about risk management with this free collection of articles. Brought to you by ArcSight, the leader in compliance and security management.
http://www.sans.org/info/9391

*************************************************************************

SANS TRAINING UPDATE: In the next 120 days SANS training will be available in more than 30 cities in five countries, with the biggest programs in Washington DC at the end of July and in Las Vegas at the end of September. Complete schedule at:
http://www.sans.org/training/bylocation/index_all.php
Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live on line and you asking questions in real time - very cool - called SANS @HOME
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/

*************************************************************************

TOP OF THE NEWS

DHS CIO Singled Out for Failure to Address IT Security (June 20 & 21, 2007)

Recent testimony centering on more than 800 IT security incidents at the Department of Homeland Security (DHS) has caused House Homeland Security Committee Chairman Rep. Bennie Thompson (D-Miss.) to question whether DHS CIO Scott Charbo should continue in his position. Thompson is skeptical that "Charbo is serious about fixing vulnerabilities in the department's information technology systems." Thompson was vexed that it took external auditors to point out to DHS that their IT systems have serious security problems. Thompson said DHS should serve as an example to the rest of the government. Additionally, Thompson says that "a 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing." GAO chief technologist Keith Rhodes tested DHS systems over the last year and said he "would label [DHS] as being at high risk."
-http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025420

-http://www.govexec.com/story_page.cfm?articleid=37256&dcn=todaysnews
-http://www.gcn.com/online/vol1_no1/44521-1.html?topic=security&CMP=OTC-RSS
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199906038

Stored Communications Act Violates Fourth Amendment (June 19, 2007)

A US federal appeals court upheld a lower court ruling that said law enforcement agents need warrants to seize web-based email. The Sixth Circuit Court of Appeals said webmail users have a "reasonable expectation of privacy" regarding the content of messages stored on a remote host. The original 2006 ruling, unsuccessfully appealed by the US government, said the Stored Communications Act (SCA) violates the Fourth Amendment. The SCA had been used for 20 years to access stored email without a warrant.
-http://www.theregister.co.uk/2007/06/19/webmail_wiretaps_appeal/print.html
-http://www.heise-security.co.uk/news/91363

Pentagon eMail System Break-In (June 21, 2007)

A June 20 cyber intrusion at the Pentagon has resulted in disrupted email service for approximately 1,500 unclassified users. Parts of the Pentagon's email system were taken offline after they learned of the intrusion. The incident is under investigation. Defense Secretary Robert Gates said he was personally unaffected because he does not use email.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025442&source=rss_topic17

(Issue discussed approximately 1/3 page down)
-http://www.defenselink.mil/transcripts/transcript.aspx?transcriptid=3996
-http://www.forbes.com/feeds/ap/2007/06/21/ap3846552.html

Blackberry Ban for French Government Officials (June 19 & 20, 2007)

Citing data security concerns, the French government has renewed its call for officials and their advisors to stop using Blackberries. Alain Juillet, senior economic intelligence advisor to the prime minister, says data transmitted to and from the devices could be intercepted. Blackberry developer Research in Motion (RIM) disagrees, pointing to their use of the 256-bit Advanced Encryption Standard (AES) to protect data transmitted across their networks.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025310&source=rss_topic17

-http://www.ft.com/cms/s/dde45086-1e97-11dc-bc22-000b5df10621.html
[Editor's Note (Schultz): It sounds as if there is little if any factual basis behind the French government's decision. At the same time, however, even if data interception is unlikely, there are plenty of other security-related vulnerabilities in BlackBerries that if unpatched can cause a wide variety of undesirable outcomes. ]


************************* Sponsored Links: ****************************

1) Upcoming SANS Ask the Expert webcast, June 26th at 1pm EDT, "Securing the Castle: From Doors to Data". Register today.
http://www.sans.org/info/9396

2) How can you effectively address Application Security issues? Find out at the Application Security Summit August 15-16 in Washington, DC.
http://www.sans.org/info/9401

3) Upcoming WhatWorks webcast on Log Management, June 27th at 1pm EDT. Register Today.
http://www.sans.org/info/9406

*************************************************************************

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING

Spamhaus Puts Austrian Domain Name Registrar on Blocklist (June 21, 2007)

Austrian domain name registrar Nic.at has been placed on Spamhaus's blocklist because it allegedly supplied service to known phishing domains. The domains reportedly belong to a Russian phishing group that had used .hk (Hong Kong) domains until that registrar began cracking down on shady practices. The Austrian registry has reportedly been less than cooperative, indicating concerns should be addressed to the domain owners and that they need proof to support claims that the domains in question had been registered in names of non-existent people and paid for with stolen credit card information. The listing of Nic.at is merely symbolic, however; no email is blocked. The purpose of the listing is to draw attention to the situation.
-http://www.theregister.co.uk/2007/06/21/austrian_registrar_phishing_row/print.html

-http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55483
[Update from Bill Stearns at the Internet Storm Center, 7/21: Nic.at has started to suspend phishing domains:
-http://www.spamhaus.org/organization/statement.lasso?ref=7]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Patches IPv6, Apple TV Flaws (June 21, 2007)

Apple Computer has released an update for Mac OS X. Version 10.4.10 addresses a flaw in the IPv6 protocol's handling of type 0 routing headers. The flaw could be exploited to reduce network bandwidth. The flaw affects Mac OS X versions 10.4.x, but not prior versions. Apple also released an update for Apple TV. Version 1.1 has a buffer overflow flaw that could be exploited to cause denial-of-service conditions or allow arbitrary code execution.
[Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3006]
-http://www.securityfocus.com/brief/532
-http://www.theregister.co.uk/2007/06/20/critical_appletv_patch/print.html
-http://docs.info.apple.com/article.html?artnum=305712
-http://docs.info.apple.com/article.html?artnum=305631
[Editor's Note (Skoudis): I strongly believe that IPv6 implementations are going to be a ripe area of vulnerabilities and exploits in the next few years. We've spent the last 20 years debugging IPv4 stacks the hard way. Now, with the massively complex IPv6 and some rather messy implementations, we're going to be facing some rough waters. Macintosh and OpenBSD (-https://www.kb.cert.org/vuls/id/986425) are just the tip of what I think will be a rather large iceberg. ]
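A defender-side check for the IPv6 issue in this item, added here as an example; it is not code from the newsletter, from Apple, or from the Internet Storm Center. It walks the extension-header chain of a raw IPv6 packet and flags any Type 0 Routing Header that still has segments left to process. The bandwidth concern with RH0 is that the header can list the same pair of addresses many times, so one packet crosses the same link repeatedly; dropping or at least logging such packets at a border filter removes that lever. The packet builders and the 2001:db8:: addresses are constructed test fixtures, not captured traffic.

```python
import ipaddress
import struct

# IPv6 fixed-header length and the extension headers that chain via Next Header
IPV6_HDR_LEN = 40
EXT_HOPBYHOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DESTOPTS = 0, 43, 44, 60
NO_NEXT_HEADER = 59
CHAINED_EXT_HEADERS = {EXT_HOPBYHOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DESTOPTS}


def find_routing_headers(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet and return one
    (routing_type, segments_left) tuple per Routing header found.
    Raises ValueError for anything that is not a well-formed IPv6 packet."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]                # Next Header field of the fixed header
    offset = IPV6_HDR_LEN
    found = []
    while next_hdr in CHAINED_EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == EXT_FRAGMENT:
            hdr_len = 8                              # Fragment header is fixed size
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # Hdr Ext Len excludes the first 8 octets
        if next_hdr == EXT_ROUTING:
            # Routing Type and Segments Left are the 3rd and 4th octets
            found.append((packet[offset + 2], packet[offset + 3]))
        next_hdr = packet[offset]                    # every extension header starts with Next Header
        offset += hdr_len
        if offset > len(packet):
            raise ValueError("truncated extension header")
    return found


def is_rh0_amplification_candidate(packet: bytes) -> bool:
    """True when the packet carries a Type 0 Routing Header with segments still
    to be processed; that is the case a border filter should drop or log."""
    return any(rtype == 0 and segs > 0 for rtype, segs in find_routing_headers(packet))


# ---- constructed test fixtures (assumed layout per the IPv6 base spec) ----

def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) in front of payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      _packed(src), _packed(dst))
    return hdr + payload


def build_routing_header(next_header: int, routing_type: int, hops, segments_left=None) -> bytes:
    """Routing header listing the given 128-bit addresses; each address is two
    8-octet units, which is what Hdr Ext Len counts."""
    if segments_left is None:
        segments_left = len(hops)
    fixed = struct.pack("!BBBB4x", next_header, len(hops) * 2, routing_type, segments_left)
    return fixed + b"".join(_packed(h) for h in hops)


if __name__ == "__main__":
    A, B = "2001:db8::1", "2001:db8::2"   # documentation-prefix addresses, constructed
    sample = build_ipv6(A, B, EXT_ROUTING,
                        build_routing_header(NO_NEXT_HEADER, 0, [A, B, A, B]))
    print(find_routing_headers(sample), is_rh0_amplification_candidate(sample))
```

The walker stops at the first header that is not one of the four chained extension headers (for example ICMPv6, TCP or AH), so a Type 2 Routing Header used by Mobile IPv6, or an RH0 whose Segments Left has already reached zero, is reported but not flagged; only a live RH0 with segments remaining is treated as a candidate for dropping.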

MPack Detected on More Than 10,000 Websites (June 20, 2007)

The MPack kit has been detected on at least 10,000 websites worldwide. MPack attempts to install keystroke logging malware on site visitors' computers. MPack is sold by Russian hackers for US $1,000 and comes with one year of technical support. The websites infected with MPack are often legitimate ones. This most recent infestation is believed to have come when attackers managed to infiltrate computers at a large Italian website hosting company. The malware detects the browser being used and hones its attack accordingly.
[Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2991
-http://isc.sans.org/diary.html?storyid=3015]
-http://news.bbc.co.uk/2/hi/technology/6221306.stm
[Editor's Note (Skoudis): That last point (detecting the browser type to hone the attack) is an interesting touch, and shows the increasing sophistication of these commercialized attacks. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Ohio State Office Interns Took Backup Tapes Home Nightly (June 20, 2007)

Further investigation into the stolen backup tape containing personally identifiable information of tens if not hundreds of thousands of Ohioans has revealed that interns had been bringing such tapes home on a regular basis. According to established procedures, someone from the office would bring home Ohio Administrative Knowledge System (OAKS) backup tapes on a daily basis. (OAKS is Ohio's payroll and accounting system.) That policy was in place because of the high cost of having the tapes stored elsewhere. The data on the tape stolen from an intern's car on June 10 were not encrypted. Ohio Governor Ted Strickland has directed that the data be encrypted from now on. The backup tape storage policy has been changed so that the tape is now sent to another state facility.
-http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html

[Editor's Note (Schultz): A similar incident involving an organization that had a policy of having employees bring backup tapes home with them occurred just several years ago. It is high time that organizations start learning from the past security-related mistakes of others. ]

London Stock Exchange Alert System Attacked (June 20, 2007)

The London Stock Exchange was hit with a denial of service attack that caused problems for a share price alert service. Flooded with hundreds of thousands of false alerts, the LSE was unable to generate legitimate alerts for its users for approximately 48 hours. A spokesperson for the LSE says the problem has been fixed.
-http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/06/20/cnlse120.xml
-http://www.managementconsultancy.co.uk/computing/news/2192455/london-stock-exchange-hacking

MISCELLANEOUS

UK Watchdog Says Orange and Littlewoods Violated Data Protection Act (June 21, 2007)

The UK Information Commissioner's Office says that the mobile phone company Orange and the home shopping firm Littlewoods have both engaged in information processing practices that violate the Data Protection Act. At Orange, new employees were permitted to share user names and passwords to access the IT system. Littlewoods continued to send marketing emails to a customer who has expressly asked them to stop sending her such messages. Both companies have signed formal undertakings saying they will comply with the Act.
-http://news.bbc.co.uk/2/hi/business/6227748.stm
-http://www.out-law.com/page-8165
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025437&source=rss_topic17

Atlanta Hospital Audited for HIPAA Compliance (June 19, 2007)

The recent revelation that the US Department of Health and Human Services (HHS) targeted Atlanta's Piedmont Hospital with a Health Insurance Portability and Accountability Act (HIPAA) compliance audit has stirred concern among other hospitals around the country about exactly what information HIPAA auditors will seek. "Neither Piedmont nor HHS officials have publicly confirmed the audit or spoken about it." Reports indicate Piedmont was provided a list of 42 items of interest to HHS and given 10 days to supply the information requested.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=296723&source=rss_topic17

Court Says No To Voting Machine Source Code Review (June 19, 2007)

A candidate in a disputed Florida US congressional seat election has lost a bid to have the source code for the touch screen machines used in that election examined. Christine Jennings, who lost the election to Vern Buchanan, wanted the code checked to see if it could be the cause of apparent voting irregularities. Jennings maintains approximately 18,000 votes were not counted in the election; she lost the election by fewer than 400 votes. Jennings may have further recourse, however, as the alleged undervote is being investigated by both a US House Committee on Administration appointed task force and the Government Accountability Office (GAO). Recently enacted legislation in Florida has banned the use of touchscreen voting systems in the state.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025252&source=rss_topic17

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/