SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #56
July 17, 2007
TOP OF THE NEWS
Employees Pose Biggest Cyber Security Risk
Seattle Newspaper Takes On Boeing Over Cyber Security
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Italian Police Arrest Alleged Phishers
Sony Files Lawsuit Against DRM Maker
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing TSA Hard Drive Not Encrypted
US $3.3 Million Fine Proposed For Los Alamos Data Leak
Army Still Has a Myriad of Information Systems
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Security Update This Week
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Botnet Herders Targeting iPhone Fans
Disney Movie Club Members' Card Data Stolen
Sewer Employee Fired for Data Theft
Burglars Use Internet to Help Open Safes
MISCELLANEOUS
Details of Greek Vodafone Wireless Taps
Conn. AG Wants Pfizer to Explain Delay in Breach Notification
Global Security Week Scheduled for September 3-9
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By SPI Dynamics ***********************
ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.sans.org/info/11166
*************************************************************************
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said: "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
**************************************************************
TOP OF THE NEWS
Employees Pose Biggest Cyber Security Risk (July 16, 2007)
Security researcher Simple Nomad (aka Mark Loveless) explains how and why end users are the biggest issue in cyber security. "The problem is that you have a sophisticated attack vector, Windows, that they're all using, so you have commonality," he said. "From an attacker's standpoint, it's great. If I develop a Windows exploit all I have to do is get one of these users to click on it." "Whenever a box pops up on the screen, a user will click 'OK' because that makes the box go away," he added.
-http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1
Seattle Newspaper Takes On Boeing Over Cyber Security
In a series of articles, the Seattle Post-Intelligencer claims Boeing's cyber security is flawed, saying it has failed both internal and external audits. The articles provide a rare look inside an organization's attempts to meet the letter and spirit of Sarbanes-Oxley (SOX). The five articles and URLs are listed here:
Computer security faults put Boeing at risk
-http://seattlepi.nwsource.com/business/323923_boeing17.html
Boeing has been stung by a security lapse before
-http://seattlepi.nwsource.com/business/323910_boeingrice17.html
Boeing responses to questions: Round two
-http://seattlepi.nwsource.com/business/323842_boeingqa217.html
Boeing responses to questions: Round one
-http://seattlepi.nwsource.com/business/323843_boeingqa117.html
Businesses say accounting reform costly, onerous
-http://seattlepi.nwsource.com/business/323905_sox17.html
************************** Sponsored Links: ***************************
1) Answer Technical Security Questions to enter to Win Free Trip to SANS Network Security Show in Las Vegas!
http://www.sans.org/info/11171
2) Learn how this innovative, intelligence-led security strategy can proactively address risks in today's online world. New FREE report provides the facts.
http://www.sans.org/info/11176
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Italian Police Arrest Alleged Phishers (July 16, 2007)
Italy's Guardia di Finanza (Military Financial Police) have arrested 26 people in connection with a phishing operation. The scheme used spam that pretended to be a security alert to lure online banking users to a phony Poste Italiane website where they were asked for login credentials.
-http://www.theregister.co.uk/2007/07/16/phish_chip_arrests/print.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001515
Sony Files Lawsuit Against DRM Maker (July 12 & 13, 2007)
Sony BMG has filed a lawsuit against The Amergence Group (formerly SunnComm International) alleging that its MediaMax digital rights management software was defective and harmed Sony customers. In 2005, researchers discovered that DRM software on Sony BMG CDs behaved very much as if it were a rootkit. Sony settled numerous lawsuits filed on behalf of those affected by the problematic DRM software. The US $12 million suit against Amergence is seen as a way to recoup some of those losses. MediaMax software allegedly installed itself on users' PCs even if they clicked "No" at the EULA (end-user license agreement), and it provided no means for removal. The software allegedly could be used to gain unauthorized access to the PCs on which it was installed. Another piece of DRM software used by Sony, Extended Copy Protection from Fortium Technologies (formerly First4Internet), was found to have similar problems. In 2005, Fortium and Sony reached an agreement to release each other from liability.
-http://www.securityfocus.com/brief/547
-http://news.com.com/8301-10784_3-9743413-7.html?tag=nl.e757
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing TSA Hard Drive Not Encrypted (July 16, 2007)
The Transportation Security Administration (TSA) has admitted that data on a missing computer hard drive were not protected, despite an existing order from the Office of Management and Budget (OMB) to encrypt all sensitive data on laptops and portable devices. The TSA became aware the hard drive was missing in May. It holds bank and payroll information for 100,000 employees. The TSA is investigating the drive's disappearance; several TSA employees have already been disciplined.
-http://www.star-telegram.com/464/story/170815.html
US $3.3 Million Fine Proposed For Los Alamos Data Leak (July 13 & 16, 2007)
The US Department of Energy (DOE) has issued a notice proposing civil penalties of US $3.3 million for security problems that allowed a Los Alamos National Laboratory (LANL) employee to take classified documents to her home. The documents were discovered during an unrelated October 2006 drug raid. US $3 million of the fine would be levied against the University of California, which was managing the laboratory when the lax security policies were established. The additional amount would fall to Los Alamos National Security LLC.
-http://rss.msnbc.msn.com/id/19752730/
-http://www.dailycal.org/sharticle.php?id=25422
Army Still Has a Myriad of Information Systems (July 13, 2007)
According to Army military deputy for budget Lt. Gen. David Melcher, the Army has 187 financial management information systems in use, none of which provides adequate data for a reasonable audit. The Army plans to have the ERP-based General Fund Enterprise Business System in place by 2011, which should eliminate at least 45 percent of the existing systems. The Army's business information systems now number 1,615; that number represents a 40 percent decrease over the last few years.
-http://www.govexec.com/story_page.cfm?articleid=37459&dcn=todaysnews
[Editor's Note (Pescatore): Hmm, ERP projects that take 4 years have horrible track records - big bang software megaprojects don't succeed very often. In this case, even in 2011 there will still be more than 100 different financial systems? How will the actual financial information be protected? ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Security Update This Week (July 13, 2007)
Oracle's quarterly security update, scheduled for release on Tuesday, July 17, will comprise patches for 46 vulnerabilities. Of the 20 flaws in Oracle Database, two are potentially remotely exploitable, as are six of the 14 flaws in the E-Business Suite and three of the four flaws in Application Server. Oracle uses the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws it patches. The worst score in this batch is 4.8; CVSS's most critical rating is 10.
-http://www.theregister.co.uk/2007/07/13/oracle_patch_alert/print.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001316
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Botnet Herders Targeting iPhone Fans (July 16, 2007)
Botnet herders have put new software on already infected computers that redirects users browsing for iPhones to phony websites. The new malware has been dubbed the Aifone.A bot Trojan. The malware also causes pop-ups and banner advertisements on infected computers; clicking on the provided links will take users to the phony sites. People who attempt to buy iPhones from the sites are actually providing the botnet herders with their personal and financial information.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001607
-http://www.vnunet.com/vnunet/news/2194290/zombie-botnet-targets-iphone
[Editor's Note (Northcutt): Brilliant, and it will work for almost every fad that comes along; when your heart is set on acquiring a Cabbage Patch doll or an iPhone, you tend to throw caution to the wind. ]
Tip of the Day: If an item is a hot fad, don't click on a link in a popup. In July 2007, when iPhones were scarce and strongly in demand, botnet herders put software on already infected computers that redirected users browsing for iPhones to phony websites. The malware caused pop-ups and banner advertisements on infected computers; clicking on the provided links took users to the phony sites. People who attempted to buy iPhones from the sites were actually providing the bad guys with their personal and financial information. You can expect to see something similar for any fad that comes along; when your heart is set on acquiring the latest hot fad, you risk throwing caution to the wind.
Disney Movie Club Members' Card Data Stolen (July 14, 2007)
Disney has sent letters to an unspecified number of Disney Movie Club members, notifying them that their credit card data were breached. The notification letters were dated July 6. David Haltinner was arrested in a sting operation on May 24 and charged with access-device fraud, a federal felony. Haltinner, an employee of card order processing company Alta Resources, Inc., tried to sell the data to federal undercover agents. Haltinner no longer works at Alta.
-http://www.orlandosentinel.com/business/orl-disneyclub1407jul14,0,7420844,print.story
Sewer Employee Fired for Data Theft (July 13, 2007)
A Metropolitan St. Louis (Missouri) Sewer District employee was fired after the district learned he had downloaded personally identifiable information of approximately 1,600 current and former employees. The former employee had the information, which includes Social Security numbers (SSNs), on his home computer. He was working in the finance department at the time of the theft and had reportedly suggested that the information could be used against the sewer district if he were ever criticized for poor performance. The sewer district became aware of the breach on June 20. Police and FBI agents were called in, and the man's home was searched and his computer seized. The employee was fired on June 27, and those affected by the breach were notified by letters sent on June 29.
-http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycounty/story/33EFD47679FB1BAF862573170067720F?OpenDocument
Burglars Use Internet to Help Open Safes (July 10, 2007)
Burglars in Colorado Springs got some help from the Internet when they found themselves unable to open safes at the Bigg City family fun center. They apparently had the combinations, but did not know how to use them. While all evidence points to the thieves being less than technically astute, they used a computer at an office next door to search for help and ultimately succeeded in opening the safes.
-http://www.theregister.co.uk/2007/07/10/google_safe_cracking_caper/print.html
[Editor's Note (Schultz): This is a bizarre story, but there is a moral here--even seemingly innocuous information can be used for evil purposes if it falls into the wrong hands.
(Pescatore): Must be a slow week for security stories in the UK. They could just as easily have used a telephone to call the safe company's help desk; nothing Internet here. ]
MISCELLANEOUS
Details of Greek Vodafone Wireless Taps (July 11, 12 & 16, 2007)
IEEE Spectrum Online has published the technical details regarding the tapping of the wireless phones of approximately 100 prominent Greek government officials and journalists, including the prime minister. The unauthorized taps began in the months before the August 2004 Athens Olympic Games and continued undetected through January 2005. The taps were made through the Vodafone Greece network in Athens. The scheme involved a rootkit installed in a phone exchange. The scheme was discovered when the perpetrators, who remain unknown, interfered with text message forwarding while attempting a software update.
-http://www.heise-security.co.uk/news/92679
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026898&source=rss_topic17
-http://www.theregister.co.uk/2007/07/11/greek_mobile_wiretap_latest/print.html
-http://www.spectrum.ieee.org/print/5280
[Editor's Note (Ullrich): Among all the trivial "click here" exploits that keep us busy these days, this particular event shows a whole different level of sophistication. It is not clear how critical phone switch software and configuration would be audited for unauthorized modifications. In this case, only a bug in the unauthorized module caused it to be discovered.
(Honan): I recommend that you read the IEEE Spectrum Online article. It is an excellent read and provides details on how weaknesses in the Vodafone Greece network were exploited to install the rootkit, and also highlights the mistakes made by Vodafone in their response to the incident, resulting in useful evidence being lost. ]
Conn. AG Wants Pfizer to Explain Delay in Breach Notification (July 14, 2007)
Connecticut state Attorney General (AG) Richard Blumenthal has questions for Pfizer regarding a recently disclosed data security breach. Pfizer allowed six weeks to pass between learning of the breach and notifying those affected. Blumenthal wants to know the company's rationale for the delay. Pfizer became aware of the breach on April 18; notification letters were mailed between June 1 and June 6. The breach occurred when an employee's spouse downloaded file-sharing software onto a company-owned laptop and accessed a file-sharing network. The employee violated company policy by divulging the laptop's password to the spouse. The elapsed time between the breach itself and the notifications was more than nine weeks. The compromised data include SSNs and bonus information. Pfizer officials became aware of the breach when someone contacted them about the information being available on a file-sharing network.
-http://www.theday.com/re_print.aspx?re=c3e7a15d-fa9c-4fad-a32a-405ebbdebcfe
Global Security Week Scheduled for September 3-9 (July 12, 2007)
The third annual Global Security Week (GSW) will take place September 3rd - 9th. GSW is an international event providing information and workshops for professionals and for the general public. This year's theme is Privacy in the 21st Century. Brian Honan will be coordinating this year's GSW from Dublin, Ireland. Awareness events will be held around the world. More information on becoming involved with GSW can be found at the organization's website.
-http://www.siliconrepublic.com/news/news.nv?storyid=single8780
-http://www.globalsecurityweek.com/
LIST OF UPCOMING FREE SANS WEBCASTS
July 18, 2007 Making your Web Applications PCI Compliant
-http://www.sans.org/info/11001
Sponsored by: SPI Dynamics
July 19, 2007 Next-Gen Log Monitoring: Who's Minding the Applications?
-http://www.sans.org/info/11006
Sponsored by: ArcSight
July 25, 2007 Meeting PCI Data Security Standards: It's more than log collection
-http://www.sans.org/info/11011
Sponsored by: Q1 Labs
Be sure to check the following Archived SANS Webcasts:
WhatWorks in Log Management: Regulating Logs Globally
-http://www.sans.org/info/11031
Sponsored by: LogLogic
The Importance of Web Application Security for PCI Compliance
-http://www.sans.org/info/11036
Sponsored by: Watchfire
Reputation-Based Network Security
-http://www.sans.org/info/11041
Sponsored by: Secure Computing Corporation
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/