SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #53

July 06, 2007

The GAO Report that leads off this issue is deeply flawed and does not meet that agency's high standards for excellence in analysis or independence. We learned that the report was done by a group at GAO that doesn't usually work in this area, so their flawed analysis is understandable, but still potentially damaging to GAO's reputation and to the nation's cybersecurity. We have included an analysis of the report in this issue for readers who didn't immediately see the flaws. If the flawed report is used to destroy breach notification (as is the intent of many lobbyists pressuring Senators and Congressmen for relief) in cases where the organization's files were compromised through Internet or insider attacks, then this GAO report will be a low point in cybersecurity. We have two specific pieces of evidence proving that stolen credit card data and lost bank credentials led to money flowing directly into the accounts of the terrorists who are buying the bombs. Without tough breach notification legislation, the most powerful force for protecting the privacy and security of sensitive data will be lost.

Alan

---

TOP OF THE NEWS

GAO Report: No Strong Link Between Data Breaches and Identity Fraud
Amendment Would Expand UK Info. Commissioner's Data Security Monitoring
Texas Woman Countersues RIAA

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Pleads Guilty to Uploading "24" Premiere Prior to Airing
Former Sandia Worker Used Lab Computer to Stalk Musician
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Sends Forensic Help to Estonia in Aftermath of Cyberattacks
POLICY & LEGISLATION
NH Governor Takes a Stand, Signs Law Against Real ID
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
July's Patch Tuesday to Comprise Six Bulletins
BotVoice-A Trojan Narrates its Exploits
Improperly Configured Servers May be Responsible for Widespread MPack Infestation
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
National Information Services Reports Consumer Data Stolen
MISCELLANEOUS
Microsoft Pushing Open Source Vendors to Sign Licensing Agreements

ANALYSIS OF THE GAO REPORT ON BREACH NOTIFICATION

ANALYSIS OF THE GAO REPORT ON BREACH NOTIFICATION

ANNOUNCEMENT: SANS CRITICAL INTERNET THREATS 2007 (THE NEW TOP20)

ANNOUNCEMENT: SANS CRITICAL INTERNET THREATS 2007 (THE NEW TOP20)

---

******************* Sponsored by Centrify Corporation *******************

IT auditors: You can now address PCI, SOX, HIPAA and other regulations that mandate audit trails of user activity on key systems by implementing detailed, centralized logging of user sessions: commands typed, changes made, and all output displayed. Flexible querying helps you create activity reports by user, system, specific commands, or other criteria. Whitepaper explains how.
http://www.sans.org/info/10551

*************************************************************************
SANS TRAINING UPDATE: Las Vegas will be the site of the largest fall cyber security training program. SANS Network Security 2007 September 22-30. http://www.sans.org/ns2007/
Complete schedule of all training can be found at:
http://www.sans.org/training/bylocation/index_all.php
Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live on line and you asking questions in real time - very cool - called SANS@HOME
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/
*************************************************************************

---

TOP OF THE NEWS

GAO Report: No Strong Link Between Data Breaches and Identity Fraud (July 5, 2007)

A report from the US Government Accountability Office (GAO) says that although there have been many data security breaches involving personally identifiable information in both the public and private sectors, the breaches have resulted in relatively few cases of identity fraud. The GAO report examines breaches that occurred before 2005; none of the breaches involved government agencies. Of the two-dozen largest breaches reported, only three resulted in fraud on existing accounts and just one led to the fraudulent creation of a new account. "The extent to which data breaches result in identity theft is not well-known, in large part because it can be difficult to determine the source of the data used to commit identity theft." The report goes on to say that notification requirements could be incentives for organizations to implement security measures; however, the security enhancements cost money. An overly broad notification requirement could have the opposite of the desired effect; when consumers are alerted to breaches that pose little risk of data misuse, they are likely to start to ignore the notices, leaving the organizations in the position of the boy who cried wolf. The GAO "recommends the use of a risk-based notification standard to identify the incidents in which the potential for harm exists and the appropriate actions to take."
-http://www.fcw.com/article103156-07-05-07-Web&printLayout
-http://www.gao.gov/new.items/d07737.pdf
[Editor's Note (Paller): Before you even consider relying on this GAO report, please read the analysis of the report toward the end of this issue. The GAO report is deeply flawed.
(Schultz): The GAO has raised a very valid point--notifying individuals of data security breaches when there is only a small chance that the data will be misused could lead to apathy among these individuals. At the same time, however, if an organization that experiences a data security breach has been remiss in securing personal and financial data, that organization is hardly qualified to judge whether or not the chances of the data being misused are sufficiently high to justify notifying those who were affected. Mandatory reporting of data security breaches thus still seems like the right course of action. ]

Amendment Would Expand UK Info. Commissioner's Data Security Monitoring (July 5, 2007)

An amendment to the UK's Statistics and Registration Bill would give the Information Commissioner's Office (ICO) broader authority to monitor data security at the Office of National Statistics. The bill would establish an oversight board for the Office of National Statistics; the amendment would allow the ICO to monitor data security at the board on an ongoing basis. Current policy allows audits only in the wake of a complaint.
-http://www.vnunet.com/computing/news/2193499/powers-watchdog

Texas Woman Countersues RIAA (July 5, 2007)

One woman sued by the Recording Industry Association of America (RIAA) is hitting back. In a countersuit filed in US District Court in Texas, Rhonda Crain alleges the RIAA knowingly employed unlicensed private investigators to obtain evidence against her in the case. Crain's lawsuit alleges the "actions constitute civil conspiracy under Texas common law." The suit asks that the court bar the music companies from employing unlicensed investigators in her case and in all other Texas cases.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200900640
[Editor's Note (Northcutt): Wow, at first glance it looks like RIAA and company got sloppy. The actual counterclaim can be viewed here:
-http://www.ilrweb.com/viewILRPDFfull.asp?filename=sony_crain_070703MotAmendAnsCo
unterclaims]

---

************************* Sponsored Links: ****************************

1) How can you effectively address Application Security issues? Find out at the Application Security Summit August 15-16 in Washington, DC.
http://www.sans.org/info/10526

2) Be among the first to obtain the GSSP Certifications for programming in C and Java.
http://www.sans.org/info/10531
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Pleads Guilty to Uploading "24" Premiere Prior to Airing (July 3, 2007)

Jorge Romero has pleaded guilty to uploading four episodes, including the two-episode season premiere, of Fox's TV show "24" to the Internet just days before the episodes were to air. Fox maintains the leak cost them more than US $4 million. Romero admitted to uploading the episodes and advertising their availability on public web sites. Romero has reached a plea agreement with prosecutors; he faces a maximum sentence of three years in prison, a fine of US $250,000 and one year of supervised release.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200900099

Former Sandia Worker Used Lab Computer to Stalk Musician (June 30, 2007)

Devon Townsend has admitted to using government computers to stalk Linkin Park lead singer Chester Bennington. Townsend was once an employee at Sandia National Laboratories. While employed there, she used the computer system to access Bennington's email account and gain access to his cell phone records. She used that information to download photographs and voice messages. Townsend has pleaded guilty to charges of stalking and unlawful access to stored communications. She could face up to five years in prison and fines of up to US $250,000 for each count.
-http://www.cbsnews.com/stories/2007/06/30/tech/main3001335.shtml
[Editor's Note (Northcutt): The fact Townsend used Sandia computers is fairly irrelevant, if she had been employed by the county library, she would have used their computers. The National Center for Victims of Crime has a nice page on cyberstalking. Also, if you haven't done it recently, do a Google search for yourself, your spouse, your children or one of those people search pages like
-http://web.public-records-now.com/.
It is a quick way to see how vulnerable you might be.
-http://www.ncvc.org/ncvc/main.aspx?dbName=DocumentViewer&DocumentID=32458]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

US Sends Forensic Help to Estonia in Aftermath of Cyberattacks (July 3, 2007)

A representative from the US Computer Emergency Response Team (US-CERT) will be in Estonia this week to help sift through the data from distributed denial-of-service (DDoS) attacks against that country's online infrastructure in April and May. The representative will aid Estonia with forensic analysis and with ideas for bolstering protection of its infrastructure against future attacks. A representative from the US Secret Service will also be in Estonia to provide incident response training and help structure future cyber crime investigations.
-http://www.pcworld.com/printable/article/id,134150/printable.html
[Editor's Note (Skoudis): I'm delighted to see the good guys working together on this kind of thing.]

POLICY & LEGISLATION

NH Governor Takes a Stand, Signs Law Against Real ID (July 5, 2007)

New Hampshire's governor has signed legislation that rejects the federal Real ID Act. While Governor John Lynch applauds the idea of keeping citizens safe, he rejects the notion that Real ID will accomplish that goal. Real ID requires all state driver's licenses and identification cards to include electronically scannable bar codes and digital photographs of the cards' holders. The cards would be required for entry to federal buildings and nuclear power facilities and for boarding commercial aircraft. Governor Lynch cites the expense of implementation, the possibility of privacy breaches, and the burden placed on state employees as reasons to reject the law.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9026324&source=rss_topic17
[Editor's Note (Grefer): Given that Europe managed to pull off a similar approach with regards to ID cards and legislation such as the Schengen Agreement, it should be possible to implement something similar in the States. However, it stands to reason that any such US implementation, including Real ID, would be much easier and instill more confidence if something reminiscent of the European Data Protection Directive were in place in the US. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

July's Patch Tuesday to Comprise Six Bulletins (July 5, 2007)

According to Microsoft's advanced notification service, the company will release six security bulletins on Tuesday, July 10. The bulletins will address vulnerabilities in Windows, Office, and the .Net framework. Three bulletins have maximum severity ratings of critical, two have ratings of important, and one is rated moderate. All but one of the bulletins address flaws that allow remote code execution; this is puzzling because vulnerabilities that allow remote code execution usually receive critical severity ratings.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9026325&source=rss_topic17
-http://www.theregister.co.uk/2007/07/05/microsoft_july_patch_tuesday/print.html
-http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx

BotVoice-A Trojan Narrates its Exploits (July 3 & 4, 2007)

The BotVoice-A Trojan horse program speaks to infected users. The Trojan attempts to delete the contents of infected PCs' hard drives, while using Windows Text reader to play a message that lets the user know what is happening. BotVoice-A also disables the Windows registry editor which makes cleaning up the mess it leaves all the more difficult. BotVoice-A uses a variety of methods to spread, including FTP, IRC, P2P networks, USBs and email attachments.
-http://www.theregister.co.uk/2007/07/03/talking_trojan/print.html
-http://www.techworld.com/security/news/index.cfm?newsID=9371&pagtype=all
[Editor's Note (Skoudis): The voice part here is just silly, likely a sign of an amateur having fun at a victim's expense. But, disabling regedit and Task Manager are an increasingly common action of malware, in an attempt to blind tech-savvy users to the malware's activities. To compensate for a broken regedit and Task Manager, practice using the command-line tools reg and tasklist, available in WinXP Pro, 2003, and Vista business/ultimate. ]

Improperly Configured Servers May be Responsible for Widespread MPack Infestation (July 2 & 3, 2007)

Analysis indicates that the reason so many Italian websites became infected with MPack malware was "poor configuration of Apache servers." Just one website with a vulnerable PHP script on an improperly configured server could place all websites hosted on that server at risk of infection. The main Apache process has to be able to read all files, but in this case, it may have been incorrectly configured to write to the files as well. According to the SANS Internet Storm Center (ISC) analysis, "the only proper way to (address this problem) is to run PHP as a CGI program and use chroot and/or seExec with Apache. Only with this will you make sure that one user's web site can't affect everyone else on the site."
-http://www.theregister.co.uk/2007/07/03/mpack_reloaded/print.html
-http://isc.sans.org/diary.html?storyid=3078

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

National Information Services Reports Consumer Data Stolen (July 3 & 4, 2007)

A former employee of a Fidelity National Information Service subsidiary allegedly stole and sold personally identifiable information of approximately 2.3 million consumers. The data included credit card and banking information and Social Security numbers (SSNs). The employee, who has been fired, allegedly sold the information to a data broker, who in turn sold it to a number of direct marketing companies. The subsidiary, Certegy Check Services, has filed a civil complaint against the former employee and the direct marketing companies. "The perpetrator was a senior level database administrator with rights to define and enforce data access permissions. To avoid detection, the employee removed the information from Certegy's facility via physical devices, not electronic means." Fidelity National Information Services is a different entity from Fidelity Investments.
-http://www.scmagazine.com/us/news/article/668983/fidelity-employee-stole-sold-23
-million-consumer-records/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200900234
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9026166&source=rss_topic17

MISCELLANEOUS

Microsoft Pushing Open Source Vendors to Sign Licensing Agreements (July 3, 2007)

Members of the Linux vendor community appear to be choosing sides in the question of signing licensing deals with Microsoft to avoid potential patent infringement claims by the Redmond software company. In May, Microsoft alleged that open source technologies infringe on 235 of its patents. At least three vendors have opted not to sign agreements with Microsoft, while at least three have reached such agreements. The specter of a division in the Linux vendor community has some worried that the scenario may give Microsoft the upper hand in pursuing claims of patent violations. Microsoft reached an agreement with Novell that has Novell paying Microsoft a share of SuSe Linux revenue.
-http://www.technewsworld.com/rsstory/58128.html

---

ANALYSIS OF THE GAO REPORT ON BREACH NOTIFICATION

ANALYSIS OF THE GAO REPORT ON BREACH NOTIFICATION

This report is fascinating and worth reading. However, the way the analysis was done might lead to some incorrect conclusions - namely that massive credit card theft via computer attacks seldom leads to fraud. The report mentions that, "...in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. " Yet, the report also mentions that "In addition, in 2005 FTC settled charges with BJ's Wholesale Club in which alleged security breaches resulted in several million dollars in fraudulent purchases using customers' credit and debit card data. As discussed later in this report, FTC has also taken enforcement actions related to data breaches at several other companies, including ChoicePoint, CardSystems, and DSW, in which it uncovered evidence that the breaches resulted in identity theft." The summary mentions three plus one cases, and the details mention four specific cases plus "several other companies." Undoubtedly, some of those other situations include some form of fraud. Perhaps they were left out of the summary counting because either they were not among the 24 largest, or they occurred outside of the 2000-2005 timeframe. Still, they should not be overlooked.

The report looks at the 24 largest breaches over the space of approximately five years. Averaging it out linearly, that's only about 5 per year. As you can see in any NewsBites over this period, there are a much larger number of smaller cases, which this report completely overlooks in its analysis. The report briefly mentions 570 breaches from January 2005 to December 2006, yet only analyzes a small number of the largest of those breaches. But, for the consumers who suffered identity theft, these were not trivial cases.

Furthermore, one of the most common ways that organizations suffering a breach discover the situation involves getting notification from the credit card companies and back-end banks, which employ complex fraud-detection systems. Thus, in a lot of cases, the only way many breaches are identified is based on the detection of fraudulent use. That fact seems to fly in the face of the conclusions of the report.

Also, thieves who break into a company's computer systems to steal credit card information do so for a reason -- to commit fraud. A laptop thief, on the other hand, is often just after hardware for a cheap sale. Conflating the two kinds of cases muddies the waters.

The bottom line here is that the report seems to mix together very different kinds of cases - the deliberate hacking into a company to steal credit cards and the loss or theft of a laptop with sensitive information. It labels both a "breach" and then concludes that most of the cases don't involve fraud or identity theft. However, if these two types of situations were uncoupled and more cases were analyzed in more depth, the number of hacking-related breaches involving fraud would certainly look more damning than the report indicates.

Despite this concern with the analysis, the line of argument above does support a primary conclusion of the GAO report. That is, different kinds of breaches have different likelihood of exposure of data, and therefore perhaps should be treated differently. But, putting aside laptop theft, this does not mean that a computer attack that involves the theft credit cards is unlikely to result in fraud. Quite the opposite is true.

---

ANNOUNCEMENT: SANS CRITICAL INTERNET THREATS 2007 (THE NEW TOP20)

SANS CRITICAL INTERNET THREATS 2007

SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS "Top-20" report. The "Top-20" report describes the most serious Internet security threats in detail, and provides the steps to identify and mitigate these threats.

The "Top-20" began its life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. Today thousands of organizations from all spheres of industry are using the "Top-20" as a definitive list to prioritize their security efforts.

The 2007 Top-20 will once again create the experts' consensus on threats - - the result of a process that brings together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and around the world; the leading security software vendors and consulting firms; the university-based security programs; many other user organizations; and the SANS Institute.

For reference a copy of the 2006 paper is available online:
-http://www.sans.org/top20
*A list of participants may be found in the Appendix.

CALL FOR SECURITY & ASSURANCE EXPERTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are an administrator/CSO/vulnerability researcher (or similar roles) and are interested in the Top-20 2007 research please contact the Project Manager, Rohit Dhamankar ( dhamankar@sans.org), with the following details:
. Your Name
. The Organization you represent and your role
. Contact Details (inc. email and phone)
. A brief description of your security specialty

---

******************* Upcoming SANS Webcast Schedule ********************

July 10, 2007 GIAC Secure Software Programmer (GSSP) for Java/Java EE Review
https://www.sans.org/webcasts/show.php?webcastid=91321
Featuring: Edward Tracy and Alan Paller

July 11, 2007 Internet Storm Center: Threat Update
http://www.sans.org/info/9526
Sponsored by: Core Security http://www.coresecurity.com/

July 12, 2007 GIAC Secure Software Programmer (GSSP) for C Review
https://www.sans.org/webcasts/show.php?webcastid=91326
Featuring: Robert Seacord and Alan Paller

July 18, 2007 Making your Web Applications PCI Compliant
http://www.sans.org/info/9531
Sponsored by: SPI Dynamics http://www.spidynamics.com/

July 19, 2007 Next-Gen Log Monitoring: Who's Minding the Applications?
http://www.sans.org/info/9536
Sponsored by: ArcSight http://www.arcsight.com/

July 25, 2007 Meeting PCI Data Security Standards: It's more than log collection
http://www.sans.org/info/10486
Sponsored by: Q1 Labs http://www.q1labs.com/

Be sure to check the following Archived SANS Webcasts:

Securing the Castle: From Doors to Data
http://www.sans.org/info/9316
Sponsored by: ArcSight

WhatWorks in Log Management: Regulating Logs Globally
http://www.sans.org/info/9326
Sponsored by: LogLogic

The Importance of Web Application Security for PCI Compliance
http://www.sans.org/info/9336
Sponsored by: Watchfire

*************************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/