SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #30

April 14, 2006

Wednesday (April 19) is the last day for early registration discounts
for SANS Security in San Diego (May 11-16). San Diego is a unique
opportunity for immersion training in security and advanced audit
techniques: you get the same great SANS teachers as in the big national
conferences, with smaller classes. Plus it's right on the Bay.

---

TOP OF THE NEWS

Congressional Committee Chairman Says He Is Interested in Exploring FISMA Revisions
Stolen US Military Computer Hardware Sold at Afghan Bazaar
Air Force Base Web Site Contains Sensitive Air Force One Details

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Alleged Online Bank Thief Extradited to Spain
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Border Security Computer System Failure May Have Been Due to Failure to Patch for Zotob in Timely Fashion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
University Researchers Prove DoS Attacks Against RFID Tags are Possible
Microsoft's April Security Bulletins
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Security Breach at NJ Medical and Dental School
MISCELLANEOUS
China Mobile Service Provider Cuts SMS Service to Alleged Fraudsters
County Web Sites Exposing Sensitive Data
UK Information Commissioner Issues Guidelines for Sale of Customer Databases

---

********** SPONSORED BY THE NATIONAL DOD 8570 TRAINING PROGRAM **********

Low Cost SANS Training For Meeting The New Certification Requirements

To help boost DoD and US government security, SANS is now arranging on-site training for DoD and other government organizations that need to prepare large numbers of people for 8570 compliance and don't want to spend a lot of money for each student. Programs cover training for any or all of the effective 8570 technical certifications. Minimum 100 students. Email info@sans.org with subject "8570" if you would like to schedule a session at your facility.

If you don't have 100, but still need 8570 certification, use the same email to ask for large group (more than 25) discounts at any of the scheduled SANS conference (www.sans.org). Or even onsite programs for smaller groups.

*************************************************************************

---

TOP OF THE NEWS

Congressional Committee Chairman Says He Is Interested in Exploring FISMA Revisions (10 April 2006)

In response to critics of the Federal Information Security Management Act's (FISMA) effectiveness in helping to secure government IT systems, US Representative Tom Davis (R-Va.), who also chairs the House Government Reform Committee and was the author of FISMA, says he is interested in further discussion of ideas for making the law more effective. Criticism of FISMA focuses on the law's requirement that agencies write certification and accreditation reports rather than actively assess the security of federal IT systems. The law has been called "a paper drill." In April, the Office of Management and Budget (OMB) administrator of e-government Karen Evans said that FISMA is working and that "substantial revision could delay additional progress."
-http://govexec.com/story_page.cfm?articleid=33811&printerfriendlyVers=1&

[Editor's Note (Schultz): Honestly, from what I have seen first-hand, FISMA is more of a paper drill than anything else. It is a game that government agencies and sites play, something that produces reams of documentation, but very few genuine changes as far as security programs go.
(Paller) Many technically savvy government contractors know that the FISMA and DITSCAP reports they write are not leading to significant security improvement. They are frustrated and angry that they are not allowed to use their technical skills to help protect the nation. Instead they charge the government and the taxpayers $100 per hour to fill in Microsoft Word templates for 200 page reports that are never read. We have received requests from the press to talk with contractors (current or retired) willing to be interviewed about this problem. If you are a contractor with FISMA or DITSCAP experience, and want to help make the situation better, call Alan Paller at 301-951-0102 x108
(Kreitner): It is a rare piece of legislation that doesn't produce some unintended consequences. Probably every piece of legislation should be revisited a few years after passage to incorporate learning based on experience gained during its implementation. ]

Stolen US Military Computer Hardware Sold at Afghan Bazaar (10 and 12 April 2006)

According to the Los Angeles Times, computer hardware stolen from a US base in Bagram, Afghanistan is being sold at a nearby bazaar. US forces are looking into the reports, which say that among the hardware are disks that contain data about US soldiers, military defenses and lists of enemy targets as well as names of corrupt Afghan officials. An Associated Press report appears to confirm the allegations that sensitive information is available for purchase. One shopkeeper said in an interview that he was interested in the value of the hardware, not the data they hold.
-http://www.latimes.com/news/printedition/la-fg-disks10apr10,0,3557737,print.stor
y
-http://news.bbc.co.uk/2/hi/south_asia/4905052.stm

[Editor's Note (Grefer): I doubt that said shopkeeper continued to be solely interested in the value of the hardware once he was made aware of the value of the data. He probably just did not know what hidden treasure(s) he held in his hands. ]

Air Force Base Web Site Contains Sensitive Air Force One Details (8 April 2006)

Detailed information about Air Force One, has been found posted on an Air Force base web site. The information includes details about the planes' anti-missile defenses and maps of their interiors. The Secret Service has not commented. As soon as the Air Force learned about the error, it removed the information.
-http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/08/MNGESI5U6C1.DTL&t
ype=printable
[Editor's Note (Northcutt): There are two sides to this story, please consider:
-http://www.defensetech.org/archives/002315.html]


(Guest Editor Note (Schneier): Some blogs criticized the San Francisco Chronicle for publishing this story because it gives the terrorists more information. I think they should be criticized for publishing this because there's no story here. ]

---

*********************** SPONSORED LINKS *********************************

1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure. http://www.sans.org/info.php?id=1104

2) Free SANS Webcast next week - What Works Webcast:WhatWorks in Vulnerability Management: "Expediting Patching with Nuclear Fuels" Tuesday, April 18 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1105

3) The SAN@Home program brings the same courses taught at SANS conferences right to your home. Many new classes starting in this month. See http://www.sans.org/athome

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Alleged Online Bank Thief Extradited to Spain (10 and 11 April 2006)

Argentina has extradited alleged cyber criminal Jose Manuel Garca Rodrguez to Spain. Garca Rodrguez, who is known online as Tasmania, allegedly stole hundreds of thousands of euros from online bank accounts. If convicted of charges pending against him, he could face up to 40 years in prison. Garca Rodrguez left Spain two years ago and was located in Argentina last July.
-http://www.theregister.co.uk/2006/04/11/argentina_extradites_spanish_hacker/prin
t.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Border Security Computer System Failure May Have Been Due to Failure to Patch for Zotob in Timely Fashion (12 April 2006)

According to documents obtained by Wired News, a US Customs and Border Protection (CBP) computer failure that caused problems at international airports in the US last August was caused by the decision to delay deployment of a patch that would have protected the system from the Zotob worm. The incident was initially publicly attributed to a virus, then to a routine system failure. However, documents obtained under the Freedom of Information Act (FOIA) indicate agency computers were infected with Zotob the same day the border-screening system was down. The infection of agency computers prompted the application of the patch on hundreds of workstations at airports, seaports and land border crossings around the country. The Zotob worm exploits a vulnerability in Microsoft Windows plug-and-play feature; Microsoft released a patch for the flaw on August 9, 2005. The reason the workstations were not updated immediately, according to the documents, was the concern the patch might not be compatible with their configurations.
-http://www.wired.com/news/technology/1,70642-0.html
[Editor's Note (Ranum): Why on earth would a critical production system be on a shared network such that it'd be exposed to worms, viruses, etc? Production systems do not need to be patched; they should be isolated so that they can be left in an operational configuration. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

University Researchers Prove DoS Attacks Against RFID Tags are Possible (11 and 13 April 2006)

Academic researchers at Edith Cowan University in Western Australia have demonstrated that radio frequency identification (RFID) tags can be disrupted by inundating them with an overload of data. The researchers say that even the more sophisticated, next-generation RFID tags are vulnerable to the denial-of-service scenario. "The Australian researchers saturated the frequency range used by the tags, which prevented them from talking to the readers." The attacks were conducted at the range of one meter.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39263221-39020375t-10000025c
-http://www.computerworld.com/printthis/2006/0,4814,110424,00.html
[Editor Comment (Northcutt): here is a bit more data:
-http://scissec.scis.ecu.edu.au/wordpress/?p=39
I would tend to agree that if you place a transmitter a meter away from an RFID device and its reader, and then spray RF across the frequencies the devices use, that you can make a mess of the system. However, that really isn't news, though it is a great reminder to keep physical security in mind when you design RFID systems. The more important question is what is the true risk, how do you apply the attack. Is it possible to do a hardware hack on a Uniden cordless phone to turn it into a raging RFID DDoS device? Now that would be news!]

Microsoft's April Security Bulletins (12 April 2006)

On April 11, Microsoft released five patches for flaws in Windows and Internet Explorer (IE). MS06-013 addresses a number of flaws in IE including the createTextRange() flaw that has already been exploited by attackers. The problem raised enough concern that several third-party patches for the flaw were developed in the days before Microsoft addressed the flaw. Microsoft also released fixes for two additional critical flaws. One lies in the way Windows Explorer handles Component Object Model objects; the other is in an ActiveX control named RDS.Dataspace.
-http://www.techworld.com/security/news/index.cfm?NewsID=5776
-http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
-http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Security Breach at NJ Medical and Dental School (9 April 2006)

A computer security breach at the University of Medicine and Dentistry of New Jersey exposed sensitive data belonging to nearly 2,000 students and alumni. The breach was detected on February 24, though it is unclear when it actually took place. University officials kept quiet about the breach during an investigation. Students have been sent letters informing them of the breach and warning that they could be victims of identity fraud.
-http://wcbstv.com/topstories/local_story_099123340.html

MISCELLANEOUS

China Mobile Service Provider Cuts SMS Service to Alleged Fraudsters (12 April 2006)

China Mobile, one of the country's largest mobile service providers, has cancelled SMS service to 19,000 subscribers who allegedly used the text messaging service to send messages intended to defraud the recipients. The company's manager for customer service says they cancel the SMS function once they receive seven or more complaints about a particular number. China Mobile also monitors its contracted Internet service providers (ISPs) and "terminates the cooperation" if they receive more than fifty complaints about a single ISP.
-http://www.australianit.news.com.au/articles/0,7204,18792340%5E15322%5E%5Enbv%5E
,00.html

County Web Sites Exposing Sensitive Data (12 April 2006)

Counties around the US have been posting documents that contain sensitive personal data that could be used to commit identity fraud. The data, including Social Security numbers, driver's license numbers and bank account information, are included in public land records and other documents. The documents are posted on the Internet but not redacted for privacy. Most counties will honor citizens' requests to have their personal information removed.
-http://www.computerworld.com/printthis/2006/0,4814,110453,00.html
[Editor's Note (Kreitner): I find the recent press accounts on this subject troubling. Government personnel are putting forth lame arguments like, the law doesn't require them to redact sensitive personal information from the publicly posted documents ,and that hackers aren't likely to spend the time required to extract the information for illicit use. I hear a lot about smaller government--how about responsible government, common sense government, or trustworthy government? In this electronic age, unnecessarily exposing any citizen's personal information to misuse by anyone or any entity, public or private, is unacceptable--period. ]

UK Information Commissioner Issues Guidelines for Sale of Customer Databases (10 and 12 April 2006)

The UK Information Commissioner's office has released guidelines regarding the sale of customer databases following a business's closure. According to the guidelines, the data can be used only in the manner which was indicated when the information was initially collected; if it is to be used for other purposes, the new owners must obtain express consent from those whose information is in the database. The guidelines also address the length of time the data may be kept.
-http://management.silicon.com/government/0,39024677,39158046,00.htm
-http://www.theregister.co.uk/2006/04/10/ico_database_guidelines/print.html
-http://www.ico.gov.uk/cms/DocumentUploads/Buying_and_selling_databases.pdf
[Editor's Note (Shpantzer): When the dot com era ended, most of the defunct companies had nothing of value left except expensive office furniture and customer databases. It would have been nice to have had those databases tagged with specific privacy policies that endured beyond the sale of the databases to new parties. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/