SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #63

August 11, 2006

A brief note before NewsBites this Friday.

This was probably the biggest week in history in terms of public data breaches. That's just the tip of the iceberg. The big banks are reporting 5 to 8 fold increases in losses to cyber fraud. Federal agencies and government contractors are finding systems all over that have been penetrated with root kits and very sensitive data stolen. cyber crime is increasing at an increasing rate because it is profitable and because it provides nation state advantages. Many companies are trying to fight back by buying security tools and praying nothing happens. That is foolhardy at best and criminally negligent at worst. Their people cannot ensure a perimeter is secure, cannot find a malicious network trace; cannot run hacker tools to find weak penetration points; cannot harden a Windows or UNIX system. It's embarrassing how easy we make cyber crime.

Yesterday I talked by phone with a woman who asked me how she could persuade her boss that security training for her staff was actually worth the money. The answer is that much of it isn't. It's too often taught at a high level and it isn't practical. But when the trainers have front line, hands-on experience, up-to-the-minute knowledge, and they are extraordinary teachers, then it is worth the money. Trainees come back immediately ready to improve the security of your systems. I gave her the following statements from people who were willing to go on the record saying that SANS training is the most valuable security training they have ever attended. If you want to prove it to yourself, come to SANS network Security in Las Vegas October 1-8. http://www.sans.org/ns2006/caag.php

"This conference provided the opportunity to learn from many of the people who are defining the future direction of information technology" (Larry Anderson, Computer Sciences Corp.)

"I have attended courses by several of SANS rivals, and SANS blew them away." (Alton Thompson, US Marines)

"I have 14 years experience in IT security, and SANS is by far the best technical security conferences I have attended." (Tom Davis, Indiana University)

"This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." (Dwight Leo, Defense Logistics Agency, DLA)

We have 3,000 similar signed statements from people who attended SANS training. A few more are at the end of this issue.

Alan

---

TOP OF THE NEWS

Sailor Charged with Espionage
More VA Data Missing; Senator Calls for Secretary's Resignation
AOL Search Data Exposure Renews Focus on Privacy Legislation
DHS Urges Windows Users to Apply Patch for Critical Flaw

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Man Indicted for Intercepting Former Bosses' eMail
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Stolen DOT Laptop Holds Data of 133,000 Floridians
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Encrypts Stolen Data, Relays it Through ICMP Packets
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
More Computer Thefts
Matrix Bancorp Inc.
Vassar Brothers Medical Center
Hattiesburg, MS City Hall
San Antonio Toyota Plant
PSA Healthcare
Wichita State Univ. Computer Intrusions
STATISTICS, STUDIES & SURVEYS
Consumer Reports' 2006 State of the Net Report
Correction: Tuesday's Cal Poly San Luis Obispo Story
More Proof that SANS Training Is the Only One Worth Investing In

---

************** SPONSORED BY SANS NETWORK SECURITY 2006 ******************

Why is Network Security different from all other SANS training programs: 1. It is one of two major "national" conferences with more than 20 immersion tracks, a big product expo, huge numbers of evening programs, and bonus one and two day training programs on the newest and most important changes in security. 2. It is a unique experience -- here's how attendees describe SANS national conferences: "Fantastic! Tons of information! My brain is now Jello - I'll be back next year." (Kurt Danielson, National Marrow Donor Program) "Years of experience downloaded into your brain in 6 days." (Chris Koutras, Titan) "The best aspect of SANS is that it is tailored each year to what I, as an administrator, need to learn. SANS does an excellent job of keeping pace with current technologies, issues and trends." (John Mechalas, Intel) Register before August 18 to save hundreds of dollars

http://www.sans.org/ns2006/caag.php

*************************************************************************

---

TOP OF THE NEWS

Sailor Charged with Espionage (10 & 9 August 2006)

Navy Petty Officer 3rd Class Ariel J. Weinmann has been charged with three counts of espionage for taking a Navy laptop computer holding classified information and trying to sell it to foreign government officials. Weinmann faces additional charges, including desertion, failure to obey a general order, illegally copying classified information and destruction of government property; he allegedly destroyed the hard drive of the stolen computer with a mallet. Commanders have not yet decided whether to send the case to court-martial; if they do, Weinmann could face the death penalty. He is being held at Norfolk Naval Air Station.
-http://www.msnbc.msn.com/id/14275131/
(please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/09/AR2006080901704_
pf.html

More VA Data Missing; Senator Calls for Secretary's Resignation (8 August 2006)

Senator Harry Reid (D-Nev.) has called for the resignation of Veterans Affairs (VA) Secretary Jim Nicholson after the VA acknowledged that a desktop computer containing personal data belonging to 38,000 veterans is missing from a subcontractor's office. This disclosure follows the arrests of two men in connection with the May theft of a laptop containing data on 26.5 million veterans and active duty members from a VA employee's home. The laptop was recovered in June and officials do not believe the data were accessed. (Please note this website requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/08/AR2006080800656_
pf.html
-http://www.cnn.com/2006/POLITICS/08/08/vets.data/
[Editor's Note (Pescatore): Piling on is fun, but forcing the resignation of the secretary of a department because a desktop computer was physically removed from a contractor's office facilities would mean that every politician probably ought to resign as well. ]

AOL Search Data Exposure Renews Focus on Privacy Legislation (10 August 2006)

The recent exposure of search queries of more than 650,000 AOL customers has reinvigorated interest in proposed legislation that could prevent future data exposure. US Representative Ed Markey (D-Ma.) introduced the Eliminate Warehousing of Consumer Internet Data Act (EWOCID) in February, and said this week that AOL's recent blunder only reinforces the need for the legislation. EWOCID would place limits on the amount of personal information held by web sites; it would also require all web site operators to delete personal information, including names, email addresses and in some cases, Internet Protocol (IP) addresses, from their logs "within a reasonable period of time."
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39280702-39020375t-10000025c
-http://www.eweek.com/print_article2/0,1217,a=185796,00.asp
-http://www.theorator.com/bills109/hr4731.html
[Editor's Note (Schultz): Rep. Markey is a modern day crusader for justice. I salute his efforts to require suitable protection of personal and financial information.
(Pescatore): Just tag this as another part of the "opt-in" issue. Many, many companies make use of their customers search string data - AOL just got caught making the information public. Who really owns that search string data? If it is the searcher's, shouldn't they have to give explicit authorization for it to be used for anything? ]

DHS Urges Windows Users to Apply Patch for Critical Flaw (10, 9 & 8 August 2006)

The US Department of Homeland Security (DHS) took the unusual step of issuing a warning about a particularly dangerous vulnerability in Windows and is urging computer users to apply a Microsoft patch for the flaw as soon as possible. The patch accompanies bulletin MS06-040, that addresses a buffer overflow flaw in the Windows Server service that could allow attackers to take control of unprotected computers and execute code with no user interaction. An exploit for this flaw is already being used to attack vulnerable systems. On Tuesday August 8, Microsoft issued 12 security bulletins addressing 23 vulnerabilities, nine of which have a severity rating of critical. Internet Storm Center articles:
-http://isc.sans.org/diary.php?storyid=1582
-http://isc.sans.org/diary.php?storyid=1578
-http://isc.sans.org/diary.php?storyid=1557
-http://www.dhs.gov/dhspublic/display?content=5789
-http://www.newsfactor.com/news/U-S--Warns-of-Windows-Security-Flaw/story.xhtml?s
tory_id=0220026YWR7M
-http://news.com.com/2102-7348_3-6103805.html?tag=st.util.print
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002275&taxonomyId=18
-http://www.techweb.com/wire/191900653
-http://blog.washingtonpost.com/securityfix/2006/08/microsoft_fixes_23_security_f
l.html
-http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx
[Editor's Note (Paller): DHS' broad public notice (of a security problem that needs immediate fixing) is a welcome change in policy. For far too long, DHS limited distribution of announcements to a small group of people who asked for them, leaving the general public blissfully unaware, and far too vulnerable. Kudos to Gerge Foresman and Rob Zitz for making DHS' worthy cyber team more valuable to the nation.
(Pescatore): Lots of attention being paid to this one because of the high level of wormability and the existence of exploits. However a lot has changed since the worms of 2003. Today, the bigger worry is quiet targeted exploits going after laggards not shielding or patching vs. big noisy worms that are more denial of service than direct attack.
(Honan): With 1 in 5 home computers not protected by anti-virus software (according to Consumer Reports' 2006 State of the Net Report, the ancient curse "may you live in interesting times" could become relevant for many in the computer security industry in the near future. ]

---

********************** Sponsored Links: ******************************

1) Free software! Patch & Spyware Management! A complete security solution from Shavlik. http://www.sans.org/info.php?id=1257

2) How are you tackling security and network operations? Take the Lancope Challenge and learn how Network Behavior Analysis can help solve your problems. http://www.sans.org/info.php?id=1258

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Man Indicted for Intercepting Former Bosses' eMail (10 August 2006)

William K. Dobson of Salt Lake City has been indicted on two counts of intercepting electronic communications and one count of illegally obtaining information from a protected computer. Dobson allegedly accessed email belonging to two of his former employers at an unnamed company. He allegedly accessed the company's email system after he left and programmed it to reroute the CEO and VP of Engineering's email to an unauthorized inbox. If convicted of all charges against him, Dobson could receive a prison sentence of up to 15 years, be fined as much as US$250,000 and be ordered to pay restitution.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002331

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Stolen DOT Laptop Holds Data of 133,000 Floridians (10 & 9 August 2006)

A laptop computer stolen from a US government vehicle in Doral, Florida on July 27 contains personally identifiable information of approximately 133,000 Florida residents. The computer belongs to the Department of Transportation's (DOT) office of the inspector general (IG) and was issued to a special agent in the Miami office. The data include names, Social Security Numbers (SSNs), addresses and birth dates and are not encrypted. Acting IG Todd. J. Zinser said the department plans to notify those whose data are on the computer. Zinser was alerted to the theft on July 31, but did not learn until August 5 that the stolen computer held sensitive data.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/09/AR2006080901177_
pf.html
-http://www.fcw.com/article95619-08-10-06-Web
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=41601
[Editor's Note (Pescatore): Later reports from DoT are saying that the laptop had previously been encrypting stored data but because of some ongoing upgrade, the encryption had been disabled. Who knows what really went on, but rushing out encryption of stored data without thinking through all the issues (like indexing and archiving, just to name two common problems) often results in self inflicted wounds or the encryption being disabled. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan Encrypts Stolen Data, Relays it Through ICMP Packets (9 & 8 August 2006)

An unnamed Trojan horse program designed to steal information from infected computers sends the data back to the attackers through Internet Control Messaging Protocol (ICMP) packets; most other malware that sends data back uses HTTP packets or email. The Trojan installs itself as an Internet Explorer (IE) helper object and waits for computer users to enter sensitive data. The Trojan encrypts the purloined information before it is placed in the data section of an ICMP packet; the packet appears legitimate to network administrators and egress filters. Internet Storm Center articles:
-http://isc.sans.org/diary.php?storyid=1580
-http://isc.sans.org/diary.php?storyid=1576
-http://www.theregister.co.uk/2006/08/08/phishing_trojan/print.html
-http://www.informationweek.com/security/showArticle.jhtml?articleID=191900166&am
p;subSection=Viruses+and+Patches
-http://www.computerworld.com.au/index.php/id;2086985159;fp;2;fpid;1

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

More Computer Thefts

Matrix Bancorp Inc. (7 & 4 August 2006)

Matrix Bancorp Inc. acknowledged that two laptop computers were stolen from its downtown Denver, Colorado headquarters on July 28. One of the computers holds account information belonging to Matrix Capital Bank customers. The computers are password-protected and the data fully encrypted. Matrix Bancorp is informing affected customers about the theft and is monitoring its databases for signs of suspicious activity. The theft is under investigation; Matrix Bancorp is cooperating with the FBI, Denver police and the federal Office of Thrift Supervision.
-http://denver.dbusinessnews.com/shownews.php?newsid=87862&type_news=latest
-http://denver.bizjournals.com/denver/stories/2006/07/31/daily97.html

Vassar Brothers Medical Center (7 & 4 August 2006)

A hot line set up to address the concerns of people whose information was contained on a laptop computer stolen from Vassar Brothers Medical Center has been overwhelmed with calls. The computer held personally identifiable data on nearly 260,000 of the medical center's patients. The data were not encrypted. The medical center has made arrangements to help those whose data are on the stolen computer to set up fraud alerts.
-http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20060804/NEWS01/60
8040343/1006/NEWS
-http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20060807/BUSINESS/
60807013

Hattiesburg, MS City Hall (5 August 2006)

Hattiesburg, Mississippi police are investigating a break-in at their City Hall in which thieves took computers and other equipment holding personal data, including names, SSNs and bank information, of several thousand city workers and contractors. The theft occurred in late June. A spokesman for the city said they are hiring an expert to help develop a security plan for City Hall.
-http://www.hattiesburgamerican.com/apps/pbcs.dll/article?AID=/20060805/NEWS01/60
8050305&SearchID=73253128429173

San Antonio Toyota Plant (4 August 2006)

A laptop computer stolen from a San Antonio, Texas Toyota plant contains information about people who have applied for jobs there. The computer belongs to an independent contractor who was testing applicants. Toyota officials believe the thief wanted the computer, not the information it holds; they are notifying those affected by the data security breach. San Antonio police are investigating the theft.
-http://www.woai.com/news/local/story.aspx?content_id=db231cd9-22cb-4335-9256-6ca
e88476600

PSA Healthcare (4 August 2006)

PSA Healthcare acknowledged that a laptop computer stolen from an employee's car holds information including names, SSNs and in some cases, personal health information for approximately 51,000 current and former patients. PSA plans to contact those affected by the theft.
-http://www.forbes.com/businesswire/feeds/businesswire/2006/08/04/businesswire200
60804005479r1.html
[Editor's note (Honan): With identity theft becoming one of the fastest growing crimes, the current motivation for computer thefts may soon switch from the black-market value of the computer to the black-market value of the data stored on the computer. Organizations need to wake up to this changing threats and implement the proper controls and protections to protect this data.]

Wichita State Univ. Computer Intrusions (2 & 1 August 2006)

Wichita State University (WSU) plans to contact people whose personal data were compromised by computer intruders. Three computers at WSU's College of Fine Arts' box office were compromised by intruders looking for a place to store digital music and movie files for file sharing. The computers hold credit card information of approximately 2,000 patrons. A server containing information on approximately 40 graduate school applicants at WSU's psychology department suffered an intrusion through a vulnerability that has since been fixed. The box office intrusion was discovered on June 29; the psychology department intrusion was discovered on July 16.
-http://washington.bizjournals.com/wichita/stories/2006/07/31/daily7.html?t=print
able
-http://www.kansas.com/mld/kansas/news/local/15177587.htm

STATISTICS, STUDIES & SURVEYS

Consumer Reports' 2006 State of the Net Report (8 August 2006)

According to Consumer Reports' 2006 State of the Net report, computer users have a one in three chance of falling prey to viruses, spyware or phishing attacks. The chances of becoming a victim of malware are equivalent to figures from last year's survey, but the actual numbers of spyware and virus infections recorded in the survey have dropped since 2005. Of the two thousand US households surveyed this spring, twenty percent did not have anti-virus software and 35 percent did not have spyware blockers.
-http://www.techweb.com/wire/security/191801800
-http://www.consumerreports.org/cro/electronics-computers/online-protection-9-06/
overview/0609_online-prot_ov1.htm

Correction:

In a story on Tuesday's edition (Vol. 8, Num. 62) about the movement away from SSNs as universal unique identifiers, we misidentified Cal Poly San Luis Obispo and its affiliation. It is part of the California State University (CSU) system. We apologize for the error.

More Proof that SANS Training Is The Only One Worth Investing In

"The industry knowledge of the SANS instructors is without compare and the free night courses add immeasurable value to the conferences." (Ken Rhode, Unapen)

"Excellent conference; I have a ton of stuff to bring back to my company and clients." (John Macy, Network Design Associates)

"The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." (David Ritch, Department of Defense)

"Valuable information to take back to work with me, as well as hands-on testing examples." (Carol Jones, Administrative Office of the US Courts)

"I was very impressed. SANS is geared more towards technical issues and had fewer 'vendor talks' than the other conferences I have attended." (Kathleen Cooper, NationsBank)

"As a SysAdmin, I found this track invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors." (Christopher O'Keefe, CPC)

"It is clear that a great deal of time is spent in creating and maintaining these courses. Content is well presented, relevant and accurate. Delivery is meaningful and energetic." (Sue Farrand, Edgewater Technology)

"As a first time attendee, I am impressed by the smorgasbord of technical sessions, course offerings, and B-O-F meetings. SANS truly wraps up the key issues facing us for ongoing and future activities." (Robert Clay, GTE)

"The fire hose strikes again! My brain hurts!" (Dean Farrington, Wells Fargo)

"There is a group dynamic generated at SANS that I have never encountered at any other class or conference. It's like every waking moment during the seven days I've been here presents an opportunity for questioning, discussing, and learning." (Greg Sobchuk, Fidelity Investments)

"SANS is the only place we could courses for all levels and all skills required by DoD 8570." (George Jenkins, major IT consulting organization servingDoD)

"One of the great things about SANS' big conferences are the vendor exhibits where the people seem to be able to answer questions intelligently." (James Fisher, US Navy)

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit

http://portal.sans.org/