SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #99
December 18, 2007
2008 is going to be an eventful and opportunity-rich year for security professionals. Demand will surge for three new types of skills, and as senior executives in government and industry finally become aware that that their systems have already been compromised and that they do not control those systems, their reaction will create additional "opportunities." An evening workshop is planned, on how to be prepared for and take advantage of these opportunities, at Security 2008 in New Orleans in four weeks. It's open to all who are registered for training at that conference. Check out the courses (Hacker Exploits, Wireless, Security Essentials, Security Leadership. Auditing, CISSP Test Prep, Forensics, more) at http://www.sans.org/security08/event.php. Once you have registered, email me (apaller@sans.org) and I'll send you a summary of the topics we'll cover in the evening workshop.
Alan
TOP OF THE NEWS
Ask.com Lets Users Erase Search DataUK Insurance Company Gets Record Fine for Poor Data Security
Ohio Sec. of State Calls for Replacing eVoting Machines
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSFacebook Sues Canadian Firm for Attempted Data Mining
Seven Arrested in Internet Bank Theft Scheme
Guilty Plea in CA Power Grid Sabotage Attempt
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing Laptop Holds UK Parliament Security Details
Data Security Procedures Not Shared with Junior HMRC Staff
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases QuickTime and Java Fixes
IE Patch Reportedly Causes Connectivity Problems
HP Offers Temporary Fix for Info Center Software Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Disk Holding UK Driving Test Results is Lost
Students Allegedly Hack High School Computer System
Deloitte & Touche Employee Data on Stolen Laptop
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By Cenzic ****************************
Security Test Production Web Applications! Continuously testing your production web applications - without corrupting your applications or their data is NOW possible. With over 400 new application vulnerabilities every month it is imperative to test and re-test all Web applications, and not just the ones in development and quality assurance stages. Learn how.
http://www.sans.org/info/21051
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Ask.com Lets Users Erase Search Data (December 11, 2007)
Users of the Ask.com search engine can now request that their search queries be purged from Ask's servers immediately. Other search engines store search histories for as long as 18 months. AskEraser will, when enabled, delete any future search information, including IP addresses, user IDs, session IDs, and query text.-http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/
7138260.stm
[Editor's Note (Pescatore) very good to see this move. The next step forward is to make *not* storing the information as the default and require the user to opt-in to allowing such information to be stored. Personally, the first search engine to do so will get all my search business.
(Schultz): In offering this new option. Ask.com has most commendably broken new ground with respect to privacy protection. Other search engine providers now need to follow suit.
(Skoudis): Wow! I like this feature a lot. Search history is a very dangerous and scary thing, as people increasingly search for their own names and interests. Correlating across different searches by a single user can be a hugely valuable information source to discover very sensitive personally identifiable information about people, including their healthcare histories (if they search for their own maladies, which people inevitably do). In fact, one wonders what the HIPAA implications are for large search engine providers (I don't want to name names here) who certainly have healthcare information about their users all summed up in their search histories. The erase history option being pioneered by ask.com is fascinating in this light. ]
UK Insurance Company Gets Record Fine for Poor Data Security (December 17, 2007)
UK insurance company Norwich Union has been fined GBP 1.26 million (US $2.5 million) by the Financial Services Authority (FSA) for failing to provide adequate protection of customer data. Eleven people have been arrested in connection with a scheme in which thieves were able to impersonate Norwich Union customers by calling the company's call center and attempting to cash in policies totaling GBP 3.3 million (US $6.6 million). Some bank account data were exposed. The fine levied against Norwich is the highest ever by the FSA for data security issues.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9053298&source=rss_topic17
-http://www.theregister.co.uk/2007/12/17/norwich_union_life_fsa_fine/print.html
-http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_fina
nce/article3062076.ece
-http://dofonline.co.uk/governance/fsa-fines-norwich-union-over-data-losses9288.h
tml
[Editor's Note (Honan): According to The Times article, 'Norwich Union Life informed and then protected present and former directors of its business and its owner Aviva but did not "inform and protect the policyholders who were not connected with the business".' This disregard towards customers is a prime reason why the EU and the UK need to introduce mandatory information security breach disclosure laws.]
Ohio Sec. of State Calls for Replacing eVoting Machines (December 15 & 17, 2007)
In response to a report she commissioned, Ohio Secretary of State Jennifer Brunner has called for replacing all voting machines in the state. According to the report, all five systems used in Ohio contain critical flaws that could be exploited to alter election results. Brunner wants the state to replace the problematic machines with optical scan machines. People gathering information for the study were able to pick locks and gain access to memory cards, use portable storage devices to insert phony votes into machines and in some cases, install malicious software on the machines. Brunner wants the new machines to be ready for use in the November 2008 presidential election.-http://www.nytimes.com/2007/12/15/us/15ohio.html?_r=1&oref=slogin&pagewa
nted=print
-http://www.securityfocus.com/brief/646
[Editor's Note (Pescatore): This is another example of the high cost of buying mission critical technology without having security as a key evaluation criterion. ]
************************* Sponsored Link: *****************************
1) Stop data leaks and sanitize your servers before they leave your premises. Blancco them today. http://www.sans.org/info/21056
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Facebook Sues Canadian Firm for Attempted Data Mining (December 18, 2007)
Facebook has filed a lawsuit alleging that a Canadian pornography company used scripts to gather personal details from its social networking site. The company allegedly made more than 200,000 requests from information on Facebook over a two-week period. The lawsuit was originally filed in June and recently amended to include the identities of three people associated with the servers that tried to access Facebook's site after their identities were obtained through a court order; 14 other defendants remain unnamed. Facebook did not say if the data mining attack was successful.-http://computerworld.co.nz/news.nsf/scrt/01DDB02B3FBCDD31CC2573B400689A2F
-http://www.theregister.co.uk/2007/12/17/facebook_hack_attack_lawsuit/print.html
-http://www.cbc.ca/canada/montreal/story/2007/12/17/tech-facebook.html
[Editor's Note (Skoudis): Although the technical details revealed publicly are very sketchy, this sounds like good, old-fashioned account harvesting, guessing usernames and determining if they are valid based on different error messages that come back. Enterprises need to make sure their authentication error messages for the condition of "bad userID / bad password" are identical with the messages for the "good userID / bad password" condition. Also, I hope the courts tread very carefully here. While the company that tried to do account harvesting in this case sounds quite unseemly, the precedent established here could inhibit development of new, helpful web applications if interpreted too broadly.
(Ullrich): Facebook uses a "robots.txt" file, which should tell well behaved spiders what pages are open to be indexed. Search engines typically obey the robots.txt file. However, the use of robots.txt files does not prevent data mining, and a web application should put limitations in place as to how many pages can be accessed in a given time interval.
(Cole): This is an indicator that we all need to do a better job of protecting our families online. We have all been trained not to talk to strangers and understand the dangers of social engineering. However we need to talk to our families and loved ones over the holidays about the dangers of posting information online. ]
Seven Arrested in Internet Bank Theft Scheme (December 15, 2007)
Seven people have been arrested in India for breaking into bank accounts over the Internet and stealing nearly Rs 12 lakh (US $30,500). He was caught in a cyber cafe in Mahadevapura on November 29; authorities were able to track him down through the IP address of the computer used to make the unauthorized transactions. The ringleader allegedly installed keystroke-logging software on computers at the cyber cafe to obtain the information needed to access the accounts online. The stolen money was transferred to accomplices' accounts. A raid on the suspect's home found details of 100 accounts from a variety of banks.-http://www.business-standard.com/common/storypage_c.php?leftnm=10&autono=307
570
[Editor's Note (Ullrich): Yet another reason not to use random public computers for sensitive work. ]
Guilty Plea in CA Power Grid Sabotage Attempt (December 14, 2007)
A former contract system administrator has pleaded guilty to attempting to shut down the state's power grid. Lonnie Denison was reportedly having troubles at work and angry that his computer privileges had been revoked at the California Independent System Operator (Cal-ISO) data center. Denison broke a glass cover and pushed the emergency "off" switch, effectively isolating California from the rest of the energy market. The incident occurred late on a Sunday evening, a time of relatively low power demand, and took about seven hours to repair at a cost of approximately US $14,000. If he is convicted of all charges against him, Denison could face up to five years in prison and a fine of US $250,000.-http://www.pcworld.com/printable/article/id,140587/printable.html
[Editor's Note (Skoudis): When I read this story, I couldn't help but wonder what the sign next to the big off switch says. Oh, and that switch has got to be red, right?
(Kreitner): One would think that multiple layers of physical security should have prevented anyone from getting near a switch with that level of operational significance, let alone being able to activate it without others being nearby.
(Honan): This story is a reminder that when dealing with disgruntled employees you need to consider physical security and revoke their physical access to key systems and not just their computer access.]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Missing Laptop Holds UK Parliament Security Details (December 17, 2007)
A missing laptop computer holds sensitive information about a new security system that protects the UK's Houses of Parliament. Physical security has been enhanced at Parliament after members of two separate special interest groups breached House of Commons security in 2004.-http://www.telegraph.co.uk/news/main.jhtml?view=DETAILS&grid=&xml=/news/
2007/12/17/npols517.xml
Data Security Procedures Not Shared with Junior HMRC Staff (December 15 & 17, 2007)
In an ironic twist in the HM Revenue & Customs data loss case, information about how to share information safely was kept from junior staff because it was believed that the manual contained too much sensitive information to be widely distributed. Following the presentation of an interim report on the HMRC data loss, Chancellor of the Exchequer Alistair Darling said that the department needs to establish "clearer lines of responsibility for data."-http://politics.guardian.co.uk/homeaffairs/story/0,,2227999,00.html?gusrc=rss&am
p;feed=networkfront
[Guest Editor's Note (Stephen Hall): These two stories under homeland security were compounded yesterday by a third data loss by the UK. Details here :
-http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm
It is being downplayed as "not as serious" as the HMRC report. However the information contained on the disk drive is perfect for fishing further information. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases QuickTime and Java Fixes (December 18, 2007)
Apple has released patches for vulnerabilities in its QuickTime Player for both Mac OS X and Windows. QuickTime 7.3.1 fixes a buffer overflow flaw in the Real-Time Streaming Protocol, as well as a heap buffer overflow in the way QuickTime handles QTL files and unspecified flaws in the QuickTime Flash media handler. Apple has also fixed 18 vulnerabilities in Java for Mac OS X 10.4, also known as Tiger. The Java flaws do not affect Apple's Leopard operating system.-http://www.crn.com.au/News/67055,apple-issues-patches-for-quicktime-player-flaws
.aspx
-http://www.networkworld.com/newsletters/bug/2007/1217bug1.html
-http://docs.info.apple.com/article.html?artnum=307176
-http://docs.info.apple.com/article.html?artnum=307177
[Editor's Note (Skoudis): It has been a really bad year for QuickTime from a security perspective. I've counted at least 7 major security patches for it this year. Make sure you patch QuickTime thoroughly on all of the systems in your enterprise that run it, or else the spyware purveyors and cyber criminals will come hunting for them. (Frantzen of Internet Storm Center): Apple also released a Security Update 2007-009 and an update for the beta Safari for Windows. The security update fixes 41 CVE names in one patch.
-http://docs.info.apple.com/article.html?artnum=307179
-http://docs.info.apple.com/article.html?artnum=307178
-http://isc.sans.org/diary.html?storyid=3760]
IE Patch Reportedly Causes Connectivity Problems (December 17, 2007)
Microsoft is looking into reports that an update for Internet Explorer (IE) released last week is causing some users to be unable to connect to the Internet. Messages posted to several sites indicate that users who applied the fix in the MS07-069 security bulletin were either unable to open IE or could not reach sites once it was open.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9053300&source=rss_topic17
HP Offers Temporary Fix for Info Center Software Flaw (December 14, 2007)
HP has issued a stopgap fix to protect users of HP notebooks from becoming infected through a vulnerability in the pre-installed HP Info Center software on the company's laptops. The stopgap measure deactivates the software because merely uninstalling HP Quick Launch Buttons, of which the vulnerable software is a component, does not protect users. Attackers can exploit the flaw by luring vulnerable users running IE 6 or 7 to specially crafted web pages. Info Center may not be installed on all HP laptops.-http://www.heise-security.co.uk/news/100625
[Editor's Note (Cole): The more important question is how many people actually use Info Center and if they do not use it why is it installed. Most of the exploits that attackers are using are targeting software that we do not use but were installed anyway. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Disk Holding UK Driving Test Results is Lost (December 17, 2007)
A missing hard drive contains the names, addresses, phone numbers and email addresses of three million UK driving test candidates. While no financial information was contained on the drive, this is just one more embarrassment for the UK government, which has experienced a rash of data security problems in recent months. The disk is missing from a US facility in Iowa.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9053322&source=rss_topic17
-http://www.theregister.co.uk/2007/12/17/dsa_test_data_loss/print.html
Students Allegedly Hack High School Computer System (December 16, 2007)
An unspecified number of students at Monte Vista High School in Santa Clara County, California allegedly broke into the high school's computer system in an attempt to look at their final exam questions in advance. The intrusion was discovered when a student found a piece of paper in the school library with passwords written on it; the paper was given to the librarian. The students allegedly used a program that allowed them to discover the necessary passwords.-http://www.mercurynews.com/news/ci_7737995?nclick_check=1
[Editor's Note (Skoudis): What these kids did was wrong, and they should be punished for it. However, I read the article and started reminiscing about that old movie War Games from 1983, in which the main character hacked into the school's computer by using a password scribbled down on a piece of paper inside a desk (trivial pursuit question: which password did he use? Next question: which passwords were crossed off the list?). Today, the kids in this case used automated password guessing, but it's still the fundamental weaknesses of passwords that plague us. (BTW, if you are looking for holiday gifts for the geeks in your life, a copy of War Games, Sneakers, and, yes, The Matrix on DVD make perfect stocking stuffers for those who don't already have them.)
Deloitte & Touche Employee Data on Stolen Laptop (December 14, 2007)
A stolen laptop contains personally identifiable information of an unspecified number of current and former Deloitte & Touche employees. The data include names, Social Security numbers (SSNs), and birth dates. Some Deloitte subsidiary employees are affected by the theft as well. The computer was in the possession of a contractor who was scanning pension fund documents for the company. The data are not encrypted. Deloitte has stopped working with the contractor until it "can demonstrate that it has implemented appropriate data security protections."-http://www.scmagazineus.com/Deloitte-partner-principal-confidential-information-
on-stolen-laptop/article/99945/
[Editor's Note: (Schultz): If you read the full story, you'll find that Richard Baker, an ex-employee of Deloitte & Touche, made an almost-too-perfect comment about this incident: ""What is particularly egregious about this situation is that Deloitte is a 'noted' security expert with seminars, whitepapers, service lines, etc. One would think there would be security and encryption standards for all sensitive personal data, whether managed internally or by outside vendors."
(Cole): With all of the traveling, the holiday season offers a prime opportunity for laptop thieves. The trick to protecting a laptop is to have a strong password or authentication in use. Encrypt your critical data with either folder level or full disk encryption. Travel with your system turned off, not in hibernation mode. Backup your critical data before you leave so if your laptop gets stolen you will be able to recover quickly. ]
LIST OF UPCOMING FREE SANS WEBCASTS
Internet Storm Center: Threat UpdateWHEN: Wednesday, January 9, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067
Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security
Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.
********************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cezic
-http://www.cenzic.com/
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
