SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #75
September 21, 2007
TOP OF THE NEWS
OMB, NIST, NSA, DoD Formalize Single Federal Desktop Configuration For Agencies Using WindowsConnecticut State To Sue Accenture Over Tape With State Data Stolen From Consulting Firm
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSDept. of Commerce Agent Allegedly Abused DHS Database
Guilty Plea in Logic Bomb Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
VA Still Has Far to Go on IT Security
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Fines Company US $3.5 Million for Unlicensed Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Plugs Firefox QuickTime Hole, Again
VMware Updates Address Host of Flaws
Zero-Day Buffer Overflow Flaw in Windows Libraries
Virus Reportedly Found on Maxtor External Hard Drives
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Layered Technologies Customer Data Stolen
University of Michigan Suffers Another Data Security Breach
CastleCops Besieged by Reputation Attack
Vertical Web Media Customer Data Stolen
MISCELLANEOUS
IT Managers Fret Over Mobile Workers
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
***WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/
Where can you find Hacker Exploits and SANS other top-rated courses?
Las Vegas (9/23-9-28): http://www.sans.org/ns2007/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26 - 12/1): http://www.sans.org/london07/">http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/">http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
*************************************************************************
TOP OF THE NEWS
OMB, NIST, NSA, DoD Formalize Single Federal Desktop Configuration For Agencies Using Windows (21 September)
To formalize the methods to be used in implementing US government policy on buying "security baked in" more than 700 federal executives and business executives gathered at NIST to hear how to make it work. White House Cyber Czar Karen Evans, NSA's Vulnerability Chief Tony Sager, Gartner's Security VP John Pescatore, NIST ITL Director Cita Furlani, Office of the Director of National Intelligence's Security Chief Sherrill Nicely and DoD's top cyber strategist Michelle Iverson, Microsoft's Chase Carpenter and more than 15 commercial tools vendors provided guidance, tools, demonstrations of effectiveness of the new FDCC (Federal Desktop Core Configuration) and S-CAP (SecuritY Content Automation Process) initiatives.-http://www.gcn.com/online/vol1_no1/45074-1.html
Where to find complete documentation:
[Editor's Note (Paller): Commercial companies like Apple, Intel, CA and HP are also supporting or architecting support into upcoming products (through their systems management platforms) the new S-CAP standard for automating vulnerability discovery and correction. Every large security company is building in S-CAP compliance (though a few are exaggerating when they say they already have it). Several Fortune 100 companies (and one Asian and two European governments) are finalizing strategies for taking advantage of the rapid patching and massive cost savings enabled by the FDCC. FDCC and SCAP are the best examples to date of the US government leading by example and large organizations are taking note. ]
Connecticut State To Sue Accenture Over Tape With State Data Stolen From Consulting Firm (September 19 & 20, 2007)
The state of Connecticut plans to file a civil complaint against the company it says is responsible for the presence of state agency bank account data on a backup tape stolen in Ohio earlier this year. Connecticut Attorney General Richard Blumenthal said that Accenture Ltd. treated the data "like scrap paper." Accenture has contracted with the state of Connecticut since 2002 to automate the state's human resources and financial data. Apparently an Accenture employee took a tape with Connecticut data on it to Ohio, where the company was helping to set up a similar system. The lawsuit alleges illegal negligence, unauthorized use of state property and breach of contract.-http://www.bizjournals.com/masshightech/stories/2007/09/17/daily30.html?t=printa
ble
-http://www.stamfordadvocate.com/news/local/state/hc-19174003.apds.m0122.bc-ct--d
atasep19,0,4112604.story?coll=hc-headlines-local-wire
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807932
[Editor's Note (Northcutt): This is an important story, we need case law establish, I hope some of the lawsuits can breeze through, it will certainly help companies focus on protecting data.):]
************************* Sponsored Links: ***************************
1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/16961
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Dept. of Commerce Agent Allegedly Abused DHS Database (September 20, 2007)
Department of Commerce special agent Benjamin Robinson has been indicted on charges of making a false statement to a government agency and unlawfully obtaining information from a protected computer. Robinson allegedly accessed a US Department of Homeland Security (DHS) database to obtain information about the whereabouts of his former girlfriend. If convicted of charges against him, Robinson could face up to 10 years in prison and a fine of US $500,000.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807903
Guilty Plea in Logic Bomb Case (September 19, 2007)
Yung-Hsun Lin has pleaded guilty to transmitting code that could damage a protected computer. Lin, who goes by the name of Andy, worked as a systems administrator at Medco Health Solutions; fearful that he would lose his job in an expected layoff, Lin planted a logic bomb on the company's computer network. Another administrator discovered the malicious code before it could trigger. If the attack had gone off as Lin had planned, pharmacists would have been prevented from knowing whether or not customers' new prescription would have adverse interactions with their other prescriptions. Medco says cleaning up the problem cost between US $70,000 and US $120,000. If convicted, Lin could be sentenced to 10 years in prison; his plea deal sets non-binding guidelines of a 30 to 37 month sentence.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807613
[Editor's Note (Skoudis): News stories like this are very helpful in illustrating to management the infosec threats and issues we face. I frequently get asked questions like: 1) Are logic bombs real? 2) What damage could a motivated insider do to an organization? 3) Why do we have to be so diligent in protecting healthcare information systems? This case provides an excellent illustration to all of these questions, and I plan on citing it a lot in coming months.]
[Editor's Note (Liston): Interesting moral choice here by "Andy." I'm ticked off about potentially losing my job, so taking out grannie with an interaction between her arthritis and heart meds is justified. This guy should be spending way more time behind bars. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
VA Still Has Far to Go on IT Security (September 19, 2007)
The US Department of Veterans Affairs (VA) has not made much progress in improving IT security since the May 2006 security breach in which a laptop and another data storage device containing information of 26.5 million veterans and active duty members were stolen from the home of a VA employee. A report from the Government Accountability Office (GAO) says that the Department of Veterans Affairs has implemented just two of 22 recommendations made by the VA inspector general (IG) following that incident. The report also says the VA needs to improve its asset control; approximately 2,400 IT devices were reported missing from just four VA locations in 2005 and 2006. On a positive note, the VA has begun to deploy software that will prevent unauthorized data storage devices from connecting to their network, and more than 18,000 VA laptops have been encrypted. The agency is also using software to block the sending of Social Security numbers (SSNs) in email messages.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9037740&source=rss_topic17
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Fines Company US $3.5 Million for Unlicensed Software (September 18, 2007)
The Business Software Alliance (BSA) has reached an agreement with an unnamed international media company over unlicensed software. The company has agreed to pay a record fine of 2.5 million Euros (US $3.5 million) for "significant shortfalls in software licenses." The company will delete all unlicensed copies of software from its computers and purchase new licenses. The company had apparently been using unlicensed software for an extended period of time. A company spokesperson says it got into this situation "because[it ]
relied on a single individual to keep
[it ]
compliant ... during a period of significant expansion."
-http://www.channelregister.co.uk/2007/09/18/bsa_record_fine/print.html
-http://www.pcworld.com/article/id,137307-c,copyright/article.html
[Editor's Note (Pescatore): As we see more and more use of personally owned computers and PDAs and smartphones being used on corporate networks, this issue of unlicensed software being used for business purposes is going to get even larger. Making sure illegal software is not in use has to extend onto all devices used for business purposes and the costs of providing that assurance has to be included in the evaluation of whether allowing that to happen will really result in positive business benefit. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Plugs Firefox QuickTime Hole, Again (September 18 & 20, 2007)
Mozilla has fixed a flaw in Firefox that could be exploited to gain complete access to vulnerable systems and execute code remotely. The flaw lies in the way Firefox handles JavaScript code in QuickTime Media-Link files. Mozilla has pushed out a fix to current users, and an updated version of Firefox can also be downloaded from Mozilla. The update is not a true fix; instead, the browser is blocked from running arbitrary script from the command line. Mozilla released a fix for another QuickTime handling flaw in Firefox in July, but the method used in that fix did not address this problem. The flaw still exists in QuickTime, which remains for Apple to fix. Internet Storm Center:-http://isc.sans.org/diary.html?storyid=3402
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62032456-39000005c
-http://www.vnunet.com/vnunet/news/2199076/mozilla-takes-second-shot
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9037459&source=rss_topic17
[Editor's Note (Grefer): In the Computerworld article, Petrov also warns of a vulnerability in Windows Media Player allowing attackers to exploit Internet Explorer vulnerabilities via malicious media files, even if the user surfs the web exclusively with a non-Microsoft browser.]
VMware Updates Address Host of Flaws (September 19 & 20, 2007)
US-CERT is recommending that users of VMware products upgrade to newly released versions to protect their computers from a variety of vulnerabilities. The flaws could be exploited to cause denial-of-service conditions, overwrite files, obtain elevated privileges, and execute arbitrary code.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807959
-http://www.us-cert.gov/current/index.html#new_vmware_workstation_version_address
es
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9038060&source=rss_topic17
-http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
[Editor's Note (Pesactore): this points out a very important issue: virtualization can solve a lot of problems but it can also bring an entire set of very complex new risks. Flaws in hypervisors and virtual machine managers can be catastrophic. Just as we can not rely on virtual LANs to provide security separation (they do provide logical separation, a very different thing), the same is true with server and ultimately PC virtualization - separation of control and auditing will still be required.
(Skoudis): In VMware's write-up about this upgrade, please note that they say, "This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host." Where I come from, we call that "VM Escape," and it is very bad news, undermining a lot of the security assumptions made in some organizations. Note that VMware's text that I quoted here is mentioned in the overall advisory, as well as the detailed release notes for VMware Workstation, Player, and Server products. This text is not included in the detailed release notes of the ESX updates associated with these patches, but ESX is mentioned in the overall advisory right underneath this text. Confusing? Absolutely. Is this an issue for ESX? The overall advisory makes it sound like it is, but the detailed release notes for ESX don't mention this specific security issue. Hmmmm... I couldn't sort it out after spending an hour reading all of the release notes for each product. Either way, there are a good deal of patches and fixes for all of VMware's products here, including ESX, so make sure you download, test, and apply these crucial updates in a timely fashion.
(Liston): For several years now, we've been talking about the potential security implications of VM escape, and we've been pretty much dismissed by VMware. It seemes quite ironic that over the past few months, VMware has released several patches to fix flaws that could be used to create escapes. Not that you could tell without CAREFULLY reading the release notes on the patch though... We've strongly suggested (and will suggest here again) that VMware needs to EXPLICITLY detail the criticality of their patches in an easy-to-understand format. VMware is an industry leader and their products are part of our critical infrastructure. They need to fully embrace that role. ]
Zero-Day Buffer Overflow Flaw in Windows Libraries (September 19, 2007)
A zero-day buffer overflow in the MFC42 and MFC71 libraries in Windows could be exploited to cause a system crash and execute arbitrary code on vulnerable machines. Microsoft is investigating the problem and says it knows of no exploits available to exploit the flaw, which affects "any application that uses the libraries and allows users to manipulate the arguments being passed to the API." Internet Storm Center:-http://isc.sans.org/diary.html?storyid=3397
-http://www.vnunet.com/vnunet/news/2198964/fresh-windows-zero-day-reported
-http://www.theregister.co.uk/2007/09/19/new_vulnerability_reports/print.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807562
Virus Reportedly Found on Maxtor External Hard Drives (September 19, 2007)
Certain Maxtor external hard drives are reportedly infected with malware that searches for gaming passwords and finds and deletes mp3 files. Seagate, which acquired Maxtor in 2006, is investigating; a spokesperson said he has "never heard of a virus that lives in the master boot record." Coincidentally, earlier this week, some Medion laptop computers were shipped with a virus in the master boot record of the hard disk. That particular piece of malware, which has no malicious payload, is 13 years old, while the virus infecting the Maxtor disks was first reported just months ago.-http://www.theregister.co.uk/2007/09/19/maxtor_harddrives_include_virus/print.ht
ml
-http://www.vnunet.com/vnunet/news/2198692/vendor-includes-old-virus
-http://www.techworld.com/security/news/index.cfm?newsID=10092&pagtype=al
l
-http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/
[Editor's Note (Skoudis): It's sad that the un-named spokesman for Seagate, a company that should know a thing or two about hard drives and file systems, said he has "...never heard of a virus that lives in the master boot record." Google has. A search of "virus master boot record" turns up 1.85 million hits:
-http://www.google.com/search?q=virus+master+boot+record.
Let's be generous: maybe he was misquoted. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Layered Technologies Customer Data Stolen (September 19 & 20, 2007)
An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details. Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.-http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/p
rint.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9038040&source=rss_topic17
University of Michigan Suffers Another Data Security Breach (September 13 & 19, 2007)
For the third time in one year, the University of Michigan has suffered a data theft. Several weeks ago, backup tapes containing personally identifiable patient information were stolen from the School of Nursing. The compromised data include names, addresses and SSNs. More than 8,000 individuals have been affected by this incident. The university has notified those affected by the theft. University policy requires that any faculty or staff member who becomes aware of a technology security breach should immediately report the incident to an information security coordinator. Serious incidents will then be reported to the University's Information Technology Security Services. The other two incidents of compromised data involved direct cyber attacks; this was the first instance in which storage media were stolen.-http://media.www.michigandaily.com/media/storage/paper851/news/2007/09/19/Crime/
Sensitive.Patient.Data.Stolen.From.Nursing.Building-2977434.shtml
-http://blog.mlive.com/annarbornews/2007/09/tapes_containing_patient_recor.html
[Editor's Note (Pescatore): Many universities have launched aggressive programs to ban use of SSNs as identifiers but they still have many, many legacy applications and legacy files that are using SSNs. They also have huge exposures where credit card information is being handled, as well. Just like most enterprises, much more focus on data discovery and content monitoring/filtering is needed. I keep looking for some open source projects coming out of universities in that area.]
CastleCops Besieged by Reputation Attack (September 18 & 20, 2007)
CastleCops, a group of volunteers dedicated to fighting cybercrime, has become the victim of a reputation attack. The group's website suffered distributed denial-of-service (DDoS) attacks through most of this year, but attackers have recently begun making donations to the group through PayPal with stolen account information. To the people whose accounts are compromised, it appears that CastleCops has stolen their money.-http://blog.washingtonpost.com/securityfix/2007/09/the_danger_of_reputation_atta
c.html?nav=rss_blog
-http://news.zdnet.co.uk/security/0,1000000189,39289509,00.htm
[Editor's Note (Liston): Obviously, CastleCops must be doing something right to have gotten the vermin all riled up... ]
Vertical Web Media Customer Data Stolen (September 19, 2007)
Vertical Web Media has notified an unspecified number of customers that their personal information was compromised in a deliberate attack on the publishing company's network. In August, cyber intruders stole customer credit card information. A customer who noticed unauthorized credit card charges alerted the company to the problem. The attackers apparently worked as a team, accessing the network from various IP addresses around the world, each one operating for a few minutes at a time. The company has notified the FBI of the incident.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807539
MISCELLANEOUS
IT Managers Fret Over Mobile Workers (September 21, 2007)
IT managers are struggling to cope with the security threats posed by mobile workers, according to a report by security vendor BigFix. The US-focused study shows that nearly a third of IT managers believe mobile workers leave their company network open to malware attacks. What's more, 45 per cent were dissatisfied with their security configuration management (SCM) software and believe it is failing to tackle the problem.LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: Separated at Birth - Identity and Access Reunited!WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
-http://www.sans.org/info/16176
Sponsored By: Secure Computing
This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.
Ask the Expert: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/16181
Sponsored By: Prism MicroSystems EventTracker
Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.
Ask the Expert: Payment Card Data Law: The Changing Landscape
WHEN: Wednesday, October 3, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Ben Wright and Tracey Mustacchio
-http://www.sans.org/info/16711
Sponsored By: TraceSecurity
2007 is shaping up to be a landmark in the law on merchant liability for loss of credit and debit card data. A flurry of lawsuits are pending against TJX for the break-in it announced in January. Minnesota enated pioneering legislation imposing new liability on merchants, and as of mid-September California was on the verge of doing something similar.
Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Mike Poor
-http://www.sans.org/info/16726
Sponsored By: Core Security
This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.
Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
-http://www.sans.org/info/16731
Sponsored By: Securent
In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/