SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #9

January 30, 2007

As you are probably already sensing, the security field is entering one of its rapid change periods where previous winners are pushed aside and new leaders arise. The cause this time is something most security people have long thought they wanted. Senior management - from bank CEOs to Congressional Committee chairs - have finally awakened to the threat. Sadly, what awakened them is hard evidence of massive failures of some government and commercial security programs.

We'll have management briefings in San Diego covering the most important changes that are taking place, for the people who attend SANS 2007 in late March. This will be a big year for security. SANS 2007 offers 56 courses and a huge expo. It makes sense to be sure all your people have their skills absolutely up to date.
http://www.sans.org/sans2007/event.php

Alan

---

TOP OF THE NEWS

TJX Hit with Class Action Lawsuit
Zero-Day Microsoft Word Flaw
Common Access Cards Improve DOD Network Security
Americans Relatively Unconcerned About Movie Piracy

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Gets Home Detention, Probation for Damaging Car Dealership Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
PGP Desktop Vulnerability
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Kansas Hospital Patient Data
Stolen Laptop Holds Eastern Illinois Univ. Student Information
Stolen Computers Hold Vanguard Univ. Financial Aid Applicant Info.
Stolen Boeing Laptop Recovered
Prudential, Amex and Random House Employees Learn Their Data Are in Stolen Towers Perrin Computers
STANDARDS & BEST PRACTICES
Anti Spyware Coalition Publishes Best Practices Document for Anti Spyware Makers
MISCELLANEOUS
UK Police Struggle to Combat e-Crime

---

********************** Sponsored By ArcSight, Inc. *********************

Free Whitepaper: Security Controls Oversight for Compliance Auditing security operations to comply with Sarbanes-Oxley means you need both a real-time and an historical perspective. Learn how to turn floods of data into accurate, auditable informationwithout adding staffwith this free whitepaper. Brought to you by ArcSight, the ESM leader that turns security data into action.
http://www.sans.org/info/3211

*************************************************************************

---

TOP OF THE NEWS

TJX Hit with Class Action Lawsuit (29 January 2007)

A class action lawsuit, filed in US District Court in Boston, alleges TJX was negligent in maintaining computer security resulting in the misuse of customer information. The lawsuit also claims that TJX failed to disclose the intrusion in a timely manner. TJX runs 2,500 TJ Maxx and Marshall's stores. Credit card and drivers license data was stolen and the company did not disclose the loss for a month. The suit seeks credit monitoring services for those whose information was exposed as well as damages incurred as a result of the breach. TJX chairman Ben Cammarata said the company would not provide credit monitoring because it would not "be meaningful to customers" and that the delay in notification about the breach allowed the company "to contain the problem and further strengthen
[its ]
computer network to prevent further intrusions."
-http://www.boston.com/business/ticker/2007/01/class_action_su_1.html
-http://www.securityfocus.com/news/11438
[Editor's Note (Schultz): Mr. Cammarata's statements and the long delay in notifying customers show a blatant disregard for customers. Perhaps the lawsuit filed against his company will help in changing this attitude.
(Honan): A more direct message to TJX would be for customers to not provide credit card details to TJX because, to paraphrase Mr. Cammarata, it would not "be meaningful to the company." ]

Zero-Day Microsoft Word Flaw (29, 26 & 25 January 2007)

Microsoft is investigating reports of a zero-day attack against a flaw in Microsoft Word. The code execution vulnerability affects multiple versions of Microsoft Word running on various versions of the Windows operating system. The flaw is exploited by tricking users into opening maliciously crafted Word documents; when a document is opened, it places back door Trojans on the user's computer. This is the fourth zero-day vulnerability reported in Microsoft Word within the last two months.
-http://www.computing.co.uk/vnunet/news/2173724/attackers-prey-office-2000-flaw
-http://www.eweek.com/print_article2/0,1217,a=199588,00.asp
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61984836-39000005c
[Editor's Note (Skoudis): I think all of Microsoft Office needs a massive security overhaul, kind of like what happened with Windows in the transition to XP SP 2. ]

Common Access Cards Improve DOD Network Security (25 January 2007)

The number of successful computer intrusions at the US Department of Defense (DOD) computer networks has declined 46 percent in the last year; Air Force Lt. Gen. Charles Croom attributed the decline to the mandatory use of Common Access Cards (CAC) for DOD network users. DOD networks are probed an estimated six million times a day. Croom is the director of the Defense Information Systems Agency and commander of the Joint Task Force for Global Network Operations. Croom also noted that the number of successful spear phishing attacks against DOD users fell 30 percent in the last year.
-http://www.fcw.com/article97480-01-25-07-Web&printLayout
[Editor's Note (Pescatore): Moving away from reusable passwords will definitely thwart attacks like phishing that are aimed at capturing passwords, which is a very good thing. Of course, we've already seen attacks evolve to trick the user into downloading targeted malware - the attacker doesn't need to capture the password. That does *not* negate the gain of moving away from reusable passwords but it does mean that for those with limited budgets, consuming too much of the budget on a type of authentication may starve other areas that may actually be more critical. For example, if your real problem is vulnerable applications, spending $100 per user on smart cards and card readers may not come close to a much smaller investment in making sure applications have been tested for vulnerabilities before being installed on product systems.
(Schultz): These results should be no surprise for information security professionals. Strong authentication is one of the single most effective security measures.
(Skoudis): The progress here is certainly laudable, and I strongly support the CAC authentication deployment, as well as the stance against OWA. However, whenever I read an article or announcement saying, "successful intrusions have declined 46 percent in the past year," I always think, "successful intrusions... that you were able to detect." We measure what is measurable, and should rightfully be pleased that the trends are going in the right direction. But, don't forget the need to strive to improve our detection capabilities to get a better feel for the size of the iceberg under the water. ]

Americans Relatively Unconcerned About Movie Piracy (26 January 2007)

A survey of approximately 2,600 Americans found that 59 percent believe parking in a fire lane is a more serious offense than downloading copyrighted movies from the Internet without permission. Just 40 percent of those surveyed said downloading movies was a serious offense, although 78 percent said shoplifting a DVD was a serious offense.
-http://www.australianit.news.com.au/articles/0,7204,21121390%5E15306%5E%5Enbv%5E
,00.html
[Editor's Note (Schultz): These are very revealing findings, ones that the Motion Picture Association of America should take to heart, because they show a dire need for an awareness campaign designed to change the public's views about obtaining unauthorized copies of movies.
(Pescatore): Well, blocking a fire lane actually *is* more serious an offense than stealing a movie, digital or otherwise. But this does point out how tightly the idea of "property" is tied to atoms, not bits, in so many cultures and laws. ]

---

************************** Sponsored Links: ***************************

1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered security solution.
http://www.sans.org/info/3216

2) Control the Security of All Things Mobile: Detect, Encrypt, Audit, Report, Managefrom a Single Console
http://www.sans.org/info/3221

3) Download Free Database Vulnerability Scanner Scuba by Imperva. MS-SQL, Oracle, DB2, Sybase
http://www.sans.org/info/3226 Visit Imperva at RSA - Booth # 2632.

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Gets Home Detention, Probation for Damaging Car Dealership Site (29 January 2007)

A Florida man has been sentenced to three months of home detention, three years of probation and 300 hours of community service for "a felony violation of intentionally damaging a computer used in interstate commerce." Matthew Tatem was also ordered to pay US $5,000 in restitution. Tatem broke into and damaged the web site of a car dealership where he had experienced difficulty obtaining financing for a new car. The site was restored within three hours.
-http://www.technologynewsdaily.com/node/5836

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

PGP Desktop Vulnerability (29 & 26 January 2007)

A remote code execution flaw has been detected in the PGP Desktop encryption tool. Users are encouraged to upgrade to version 9.5.2. The flaw affects versions prior to 9.5.1, but version 9.5.2 incorporates an additional fix.
-http://www.vnunet.com/vnunet/news/2173564/flaw-found-pgp-encryption
-http://www.itnews.com.au/newsstory.aspx?CIaNID=44982&src=site-marq

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Holds Kansas Hospital Patient Data (28 January 2007)

Among the items taken in a burglary at Salina (Kansas) Regional Health Center is a laptop computer that contains personally identifiable information of as many as 1,100 patients. The data include Social Security numbers (SSNs) and medical histories. The hospital has notified the affected patients by mail. The data were stored on the computer because its authorized user travels to different offices in the course of this person's work.
-http://www.saljournal.com/?module=displaystory&story_id=9386&format=prin
t

Stolen Laptop Holds Eastern Illinois Univ. Student Information (26 January 2007)

A desktop computer stolen from the Student Life office of Eastern Illinois University (EIU) holds personally identifiable information, including SSNs, of about 1,400 students. The database on the computer holds fraternity and sorority membership rosters. The university has sent letters to the affected students. EIU police are investigating the theft. The Greek Life secretary was credited with the fact that the breach affected such a limited number of people; she apparently makes concerted efforts to remove outdated information each semester. EIU is in the process of eliminating the use of SSNs as unique identifiers; that plan is expected to be complete in one year. EIU is in Charleston, Illinois.
-http://www.jg-tc.com/articles/2007/01/28/news/news001.prt

Stolen Computers Hold Vanguard Univ. Financial Aid Applicant Info. (26 January 2007)

Two computers stolen from Vanguard University's financial aid office contain personally identifiable information of more than 5,000 financial aid applicants. The computers were stolen in mid-January, but officials did not know until Friday, January 26 that they contained sensitive data, including SSNs, driver's license numbers and lists of assets. The number of people affected is reportedly as high as 10,000, as many of the students are dependent children. The breach affects students who applied for financial aid for the 2005-06 and 2006-07 academic years. The university is notifying those affected by the breach by letter. Vanguard University is in Costa Mesa, California.
-http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.tx
t
-http://identityalert.vanguard.edu/
notification.htm">
-http://identityalert.vanguard.edu/
notification.htm
-http://identityalert.vanguard.edu/

Stolen Boeing Laptop Recovered (27 & 26 January 2007)

A laptop reported stolen from Boeing has been recovered. The laptop was reported stolen in December 2006; it holds personally identifiable information of approximately 382,000 current and former Boeing employees. Boeing Senior VP Rick Stephens reportedly told employees in an email that a consultant had determined that the files were not read after the theft. Boeing fired the employee responsible for the computer shortly after the theft was reported.
-http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.
html
-http://seattlepi.nwsource.com/business/301406_boeinglaptop27.html
[Editor's Note (Honan): Statements claiming that information was not accessed on missing computers are very misleading and serve to simply put marketing spin on an incident to placate non-technical users. Anyone with forensic tools or disk imaging software can take a copy of the data and use it at their leisure. Simple rule, once physical access is gained to any of your systems = Game over. ]

Prudential, Amex and Random House Employees Learn Their Data Are in Stolen Towers Perrin Computers (25 & 23 January 2007)

The roster of companies affected by the Towers Perrin computer theft continues to grow. Employees at Prudential, American Express and Random House have been notified their personal information could be at risk of exposure following the computers' disappearance. Towers Perrin provides actuarial services for pension plans at Prudential and other companies. A former Towers Perrin employee has been arrested in connection with the theft but the computers have not been recovered. Random House is owned by Bertelsmann, a German company that had contracted with Towers Perrin.
-http://www.gawker.com/news/random-house/random-house-to-employees-oops-we-lost-y
our-social-our-bad-231384.php
-http://www.nj.com/business/ledger/index.ssf?/base/business-5/1169532666221410.xm
l&coll=1

STANDARDS & BEST PRACTICES

Anti Spyware Coalition Publishes Best Practices Document for Anti-Spyware Makers (26 & 25 January 2007)

The Anti-Spyware Coalition (ASC) has released a draft document titled "Best Practices: Factors for Use in the Evaluation of Potentially Unwanted Technologies." The document provides specifics about how software can be analyzed to determine if it is harmful. The ASC has also released a draft document aimed at helping resolve disputes between antispyware companies; that document is titled "Conflict Identification and Resolution Process."
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61984844-39000005c
-http://www.antispywarecoalition.org/documents/BestPractices.htm
[Editor's Note (Skoudis): The Anti-Spyware Coalition has done some wonderful work here, and has carefully balanced a lot of controversial and political issues. The document does a solid job in establishing a baseline of activities that encompasses what most malicious software does today, and what anti-spyware tools can do to help thwart it. ]

MISCELLANEOUS

UK Police Struggle to Combat e-Crime (26 & 25 January 2007)

Microsoft says police in the UK are not putting enough focus on cyber crime, according to a written submissions provided to the House Lords Science and Technology Committee in advance of an inquiry hearing. Microsoft observed that "cyber crime and related fraud are not presently priority indicators for the police as set by the Home Office." The company notes that attention to cyber crime has waned since the National Hi-Tech Crime Unit (NHTCU) became part of the Serious Organized Crime Agency (SOCA) last year. The UK's Office of Fair Trading says it does not have the expertise to deal with Internet scams. The office is skilled in working with "real world" scams, but on line schemes require a different skill set. A written report from the Metropolitan Police says local forces cannot manage e-crime and calls for the establishment of a "national
[e-crime ]
unit ... to address the problem.
[The unit ]
would act as a central coordination point for police officers across the country." Presently, different e-crimes are handled by different entities, depending on the "level" of the crime.
-http://www.theregister.co.uk/2007/01/26/uk_cybercrime_criticism/print.html
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285627-39001093c,00.htm
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285631-39001093c,00.htm
-http://www.vnunet.com/computing/news/2173370/ecrime-efforts-stall-staff
[Editor's Note (Honan): Unfortunately this state of affairs is not unique to the United Kingdom. Many police computer crime units around the world are overwhelmed by the number of incidents that they have to deal with, both actual computer crimes and traditional crimes where computers are used to assist in the planning or execution of those crimes. In today's world governments need to realise that classifying a crime as computer crime is similar to classifying it as a shoe crime and should resource their law enforcement agencies accordingly. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/