SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #98
December 14, 2007
A little help please. Does any NewsBites reader know a Java programming teacher who is really wonderful? Doesn't have be security savvy - just a great teacher of Java programming. Perhaps at a community college or other school? It's a particularly good opportunity for the teacher. Please email me info at apaller@sans.org
Alan
TOP OF THE NEWS
Top 10 Data Loss StoriesSCADA Security Regulations Could Prove Expensive
Federal Employees Know The Rules and How to Break Them
TJX No Longer a Federal Case
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSFour to be Charged in Dutch Press Agency System Intrusion
Two Sentenced in Italy for Phishing Scheme
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
US-CERT Warns Flaw in Microsoft Office Access Database is Being Exploited
December's Patch Tuesday Addresses Seven Critical Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost CDs Hold Northern Ireland DVLA Data
Stolen Laptop Holds Patient Data; Contractor Violated Policy
MISCELLANEOUS
Two Ottawa Police Officers Face Charges for Unauthorized Data Access
Rogue Servers Send Users to Phony Sites
State of Ohio to Provide Encryption to Schools and Government Agencies
LIST OF UPCOMING FREE SANS WEBCASTS
************************* Sponsored By Cenzic ***************************
Security Test Production Web Applications! Continuously testing your production web applications - without corrupting your applications or their data is NOW possible. With over 400 new application vulnerabilities every month it is imperative to test and re-test all Web applications, and not just the ones in development and quality assurance stages. Learn how.
http://www.sans.org/info/20891
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Top 10 Data Loss Stories (December 2007)
Scott Berinato's list of the top 10 security breaches of 2007 will put a rueful smile on your face.-http://www2.csoonline.com/exclusives/column.html?CID=33366
SCADA Security Regulations Could Prove Expensive (December 11, 2007)
IT operators at US energy companies say the proposed regulations to bolster the security of their computer systems could mean entirely replacing their current Supervisory Control and Data Acquisition (SCADA) systems. The Critical Infrastructure Protection (CIP) standards are likely to be approved at the December 20 meeting of the Federal Energy Regulatory Commission (FERC) meeting. SCADA systems currently in use may not be able to be adapted to meet the new standards, which include critical cyber asset identification, security management controls, electronic security perimeters, systems security management, and disaster recovery plans. Some of the technology is so old as to be virtually unpatchable. In addition, it is not feasible to simply replace one system with another all at once, as the systems manage the nation's power grid.-http://www.networkworld.com/news/2007/121007-energy-companies.html
[Editor's Note (Pescatore): Gee, remember how expensive car manufacturers said it would be to move gas tanks out of the trunk? Turns out dealing with exploding Pintos was more expensive than reengineering them. Similarly, patching Windows PCs and servers had to be considered part of the cost of owning them once the attacks started taking advantage of lack of patches. Deploying vulnerable systems is invariably more expensive over any 2-3 year window you look at. (Schultz): As one of the referenced articles points out, the right thing to do in this situation appears to be coming up with a plan to phase in newer, more secure SCADA technology rather than to require massive change all at once. But despite the expense of replacing the old technology, replacing it is the right thing to do from a security perspective. Retrofitted security does not work as well as does built-in security. (Northcutt): Expensive is an interesting word. I listened to first hand testimony yesterday from a member of the incident handling team that caught and stopped a hacker who was very close to shutting down Columbia's power grid. I wonder what unplugging an entire country costs? ]
Federal Employees Know The Rules and How to Break Them (December 13, 2007)
A survey from SecureInfo found that even though most federal employees are aware of cyber security threats, they still violate policies that put federal computer systems at risk of attack. When asked if their fellow workers adhere to security policies and procedures, 20 percent said other employees follow them all of the time, 58 percent said they follow them frequently, and 22 percent of the federal workers surveyed said they believe their fellow workers adhere to information security policies no more than half the time. Ninety-seven percent of people surveyed said they were required to take information security training, but only one-third said they remember most of what was taught in the class. Just 48 percent said they were tested on what they had been taught.-http://www.fcw.com/online/news/151066-1.html?topic=security
[Editor's Note (Schultz): What SecureInfo should also have looked at is whether or not information security management had developed or was planning to develop training-related metrics. Additionally, scores on tests are better success indicators than nothing, but there are many much more important potential success indicators, among which positive changes in on-the-job security behaviors after training would be one of the most important. ]
TJX No Longer a Federal Case (November 30 & December 12, 2007)
On November 29, a federal judge denied a request from banks for permission to sue TJX Cos. as a class and transferred the case from federal court to a Massachusetts state court. Judge William G. Young said that the banks' situations were too disparate. The plaintiffs had 10 days from the ruling in which to file an appeal. A footnote to the judge's decision indicated that the position "will need to be reassessed" following a November 11 hearing regarding a Massachusetts Fair Trade statute. The ruling against granting class action status also spoke to the allegations that TJX misled the banks about the security of the data they held; Young did not find compelling evidence that the banks' decisions about issuing cards were influenced by information provided by TJX.-http://online.wsj.com/article/SB119743288731823035.html?mod=googlenews_wsj
-http://www.eweek.com/article2/0,1759,2225933,00.asp?kc=EWRSS03119TX1K0000594
-http://www.eweek.com/article2/0,1895,2232061,00.asp
************************* Sponsored Links: ***************************
1) Stop data leaks and sanitize your servers before they leave your premises. Blancco them today. http://www.sans.org/info/20896
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL
Four to be Charged in Dutch Press Agency System Intrusion (December 13, 2007)
Four people will be charged with breaking into the computer system of Dutch press agency GPD. Three are employees of the Netherlands' Social Affairs Ministry; two of the three are former GPD journalists. The trio allegedly gained access to the system with a password obtained from another former GPD employee. The three who broke into the system allegedly attempted to tamper with news stories. Allegations were made in early November that people had been accessing the GPD computer system without authorization for several months. If they are found guilty of all charges, the four face up to four years in prison.-http://news.monstersandcritics.com/europe/news/article_1380820.php/Dutch_civil_s
ervants_charged_with_hacking_press_agency_computers
[Editor's Note (Northcutt): Looks like this is going to be an interesting story. A more recent release, this impacts at least one Ministry spokesperson and adds more allegations of diddling with the news:
-http://news.monstersandcritics.com/europe/news/article_1371489.php/Dutch_ministr
y_spokespeople_suspended_over_alleged_computer_hacking
-http://english.peopledaily.com.cn/90001/6297891.html]
Two Sentenced in Italy for Phishing Scheme (December 11, 2007)
Two of the 26 people arrested in Italy for participating in a phishing scheme have been sentenced. Sorin Pascu, who is from Romania, received a five-and-a-half year sentence; the ringleader, Marius Braditeanu, received a six-year sentence. The scam involved email messages that appeared to come from Poste Italiane, the country's postal service, "which also offers bank accounts, insurance, and loans." The messages encouraged recipients to submit information that the cyber thieves then used to withdraw money from the victims' accounts.-http://www.washingtonpost.com/wp-dyn/content/article/2007/12/11/AR2007121100954.
html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
US-CERT Warns Flaw in Microsoft Office Access Database is Being Exploited (December 10 & 12, 2007)
A warning from the US Computer Emergency Readiness Team (US-CERT) says that attackers are actively exploiting a stack buffer overflow vulnerability in the Microsoft Office Access database. The attackers send specially crafted .mdb files to infect users' machines. Many companies already block .mdb files; the file type is blocked by default in most installations of Internet Explorer and Outlook Express. A September 27 article on Microsoft's support website discusses unsafe file types, including .mdb.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9052538&source=rss_topic17
-http://support.microsoft.com/kb/925330
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=204802012
-http://www.us-cert.gov/current/index.html#microsoft_access_database_file_attachm
ent
[Internet Storm Center Note (Swa Frantzen): The US-CERT story is here:
-http://www.us-cert.gov/current/archive/2007/12/10/archive.html#microsoft_access_
database_file_attachment.
Unfortunately they neglect to refer to a CVE for the vulnerability. So knowing if it's patched or when is impossible based on the available data. ]
December's Patch Tuesday Addresses Seven Critical Flaws (December 11, 2007)
Microsoft's security update for December included seven bulletins to address 11 flaws. Three of the security bulletins address a total of seven critical remote code execution flaws in DirectX, Windows Media Formant runtime, and Internet Explorer (IE); the vulnerabilities in IE are reportedly already being actively exploited. The other four bulletins have severity ratings of important; they address remote code execution, elevation of privilege, and local elevation of privilege flaws in Windows.-http://www.securityfocus.com/brief/642
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomy
Name=spam__malware_and_vulnerabilities&articleId=9052379&taxonomyId=85
-http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
[Internet Storm Center Note (Swa Frantzen): MS07-066 was also being exploited according to MSFT.
-http://isc.sans.org/diary.html?storyid=3735
-http://www.theregister.co.uk/2007/12/12/dec_black_tuesday_update/]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost CDs Hold Northern Ireland DVLA Data (December 11, 2007)
Two CDs lost in the mail contain personally identifiable information of approximately 6,000 Northern Ireland residents. The unencrypted data include names and addresses of the people as well as the registration numbers, chassis numbers and makes and color of their cars. The CDs were being sent from the Northern Ireland Driver and Vehicle Agency to the UK's main Driver and Vehicle Licensing Agency (DVLA). The agency has sent letters to those affected by the data loss. The data were sent in response to a safety recall for certain automobiles.-http://www.theregister.co.uk/2007/12/11/driver_data_discs_disaster/print.html
-http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7138408.stm
[Editor's Note (Honan): It is staggering that within a month of the UK Revenue & Customs Service losing two CDs in the post containing data on 25 million people that the Northern Ireland DVLA repeat the same mistakes. Learning from security incidents, whether the incidents are in your own organisation or in others', is valuable in helping improve your information security.]
Stolen Laptop Holds Patient Data; Contractor Violated Policy (December 10, 2007)
Approximately 45,000 patients who were treated at Sutter Lakeside Hospital in Lakeport, California have been notified by letter that their personal information has been compromised. The breach affects certain people who were treated in 2005 and earlier. The data were being transferred from one secure system to another during an equipment upgrade; a contractor violated hospital policy by downloading the data to a laptop computer that was later stolen. The hospital has terminated its relationship with the contractor, who had been hired for a special IT project. The compromised data include names, addresses, dates of birth, Social Security numbers (SSNs), and in some cases billing and diagnosis information.-http://www.record-bee.com/local/ci_7687954
[Editor's Comment (Northcutt): Hmmm, this is a bit on the stealth side, I expected to see an official statement on their web site (
-http://www.sutterlake.org/
) and I do not approve of leaving the contractor unnamed (otherwise someone else might hire him/her.) (Shpantzer): Access control on databases should be the first line of defense, kinda like not blindfolding yourself and pointing a loaded firearm (database) at some random point in space. To flog that analogy further, laptop encryption is a backstop for the inevitable 'stray rounds' from said firearm. ]
MISCELLANEOUS
Two Ottawa Police Officers Face Charges for Unauthorized Data Access (December 13, 2007)
In unrelated cases, two Ottawa, Canada police officers allegedly accessed personal information held in the Canadian Police Information Centre database without authorization. Const. Bob Mamak allegedly violated terms of access to the database and shared the information with another individual; he was suspended with pay for an indefinite period. Const. Dan Bargh allegedly violated terms of access to the database as well; he was reassigned to administrative duties; No criminal charges have been filed. The CPI system is constantly monitored to catch instances of unauthorized access to sensitive data about criminal records and crimes. Earlier this fall, another Ottawa police officer was ordered to forfeit five days' pay for asking others with access to the database to look into records of a car parked in front of his girlfriend's driveway.-http://www.canada.com/ottawacitizen/news/story.html?id=141b8840-effe-4528-98fc-8
fc60c6a2fbb
Rogue Servers Send Users to Phony Sites (December 11, 2007)
Researchers have discovered about 6,800 servers that point Internet users to phony websites. Malware rewrites users' DNS settings, telling their computers to use information from the rogue servers instead of sending requests to the genuine ones. In some cases, the attackers appear to be trying to get users to visit phony sites so they can harvest sensitive data. In other instances, the redirection is aimed at increasing traffic to a particular site.-http://www.theregister.co.uk/2007/12/11/dns_liar_attack/print.html
[Internet Storm Center Handler Note (Donald Smith): Most of what they are describing is done via zlob trojan's designed as codecs. This was covered in several diaries here is one of them.
-https://isc.sans.org/diary.html?storyid=1872]
State of Ohio to Provide Encryption to Schools and Government Agencies (December 11, 2007)
The state of Ohio plans to purchase approximately 60,000 software licenses to provide schools and government agencies with encryption. The software is designed to protect laptop and desktop computers as well as flash drives, CD drives, DVD drives and hard drives. Officials in the state were prompted to make the move to improve data security following the theft of a backup tape containing personally identifiable information, including SSNs, of more than 100,000 state employees and taxpayers. That data security breach could end up costing the state as much as US $3 million. One state worker was docked one week of vacation time as punishment for the incident.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=storage&articleId=9052304&taxonomyId=19&intsrc=kc_top
[Editor's Note (Pescatore): Good move to address port control at the same time as badly needed laptop encryption. (Shpantzer): Purchasing encryption software is (relatively) easy. Making sure that the various entities at the point of use actually deploy and properly use the encryption is another thing altogether. ]
LIST OF UPCOMING FREE SANS WEBCASTS
Internet Storm Center: Threat UpdateWHEN: Wednesday, January 9, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067
Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security
Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.
********************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cezic
-http://www.cenzic.com/
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
