SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #65
August 18, 2006
The lead story contains an important notification by Major General Lord of broad-based US federal IT security failure. As senior officials discover how bad federal security really is, they have begun looking for solutions (some are also looking for scapegoats.) The first and most important change they will make is to begin cutting budgets for policy and report writers, and transfer budget and responsibility to operational technical security projects and professionals who can actually protect their systems. The transformation has already begun. If you have soft skills (policy writing, security awareness, risk assessment, C&A report writing, etc.) and want to have great, long-term job prospects in security, it makes sense to move quickly to add hands-on technical skills so you can lead the teams of people who will be needed to turn the tide against the attackers.
Alan
TOP OF THE NEWS
China Steals Data From Military Computers on NIPRNetMicrosoft Will Release Updated Patch; First Version Had Problems with IE
Survey Finds Laptops, Handhelds Pose Significant Data Security Risk
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITYDOT Acknowledges Another Missing Laptop
Reward Offered for Info Leading to Return of Missing VA Laptop
SPYWARE, SPAM & PHISHING
Bank of Ireland Customers Fall Prey to Phishers to the Tune of 110,000 Euros
Washington AG Alleges Spyware Act Violations
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Yahoo Fixes Mail Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Info of Williams Sonoma Employees
Stolen Laptop Holds Info of Current and Former Chevron Employees
STATISTICS, STUDIES & SURVEYS
Study: Three-Quarters of China's Computers Hit with Malware in Past Year
MISCELLANEOUS
The Costs of Laptop (In)Security
Lawsuit Seeks Decertification of eVoting Machines in Pennsylvania
EFF Files Complaint with FTC Regarding AOL Search Data
Worm Partially Disables Shanghai
"Evil Twin" Public WiFi Threat
78% of Credit Card Merchants Are Not PCI Compliant
Consumer Reports creates 5,500 viruses for tests
**************** Sponsored By SANS Voucher Credit Program **************
SANS Voucher Credits
"Maximize your Training Budget!
"SANS Program that pays you credits and delivers flexibility"
Do you have remaining fiscal 2006 education funds?
Are you looking for a creative way to finance training?
Visit: http://www.sans.org/info.php?id=1305
*************************************************************************
How Good Are The Courses at SANS Network Security 2006? Ask the alumni.
"I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
"This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately."
- Dwight Leo, Defense Logistics Agency, DLA
"This program provided the opportunity to learn from many of the people who are defining the future direction of information technology"
- Larry Anderson, Computer Sciences Corp.
"The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work."
- David Ritch, Department of Defense
SANS best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, much more . Early registration deadline is Friday, August 18. See: http://www.sans.org/ns2006/caag.php
*************************************************************************
TOP OF THE NEWS
China Steals Data From Military Computers on NIPRNet (15 August 2006)
According to Major General William Lord, director of Information, Services and Integration in the Secretary of the Air Force Office of Warfighting Integration and Chief Information Officer, "China has downloaded 10 to 20 terabytes of data from NIPRNet." Lord says there is no evidence China has managed to penetrate SIPRNet. Air Force Research Labs are investigating possible defensive tactics.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=41669
[Editor's Note (Ranum): NIPRNet carries CALS (combined army logistic system) and military weather and navigation maps, personnel data, soldier's orders, purchasing, etc, etc, etc. In a sense, NIPRNet *is* the Department of Defense. The only reason some of this data is not classified is because classifying it would be too "inconvenient" and would "impact operations." More importantly, SIPRNet traffic is regularly tunneled over NIPRNet using encrypted IP-over-IP. Can you say "DENIAL OF SERVICE?"
(Paller) Major General Lord is simply saying out loud what White House and DoD officials have known for almost three years; that's how long the hacking and data thefts are known to have been going on. What he did not say was that the same techniques (and attackers) have proven successful in penetrating DoD contractors such as Lockheed Martin and Raytheon, and penetrating many other government agencies including some you would not expect the Chinese military to care about. The failure of federal agencies and contractors to protect sensitive information was instigated by misallocation of resources caused by OMB and Congressional metrics measuring the wrong things. It is time to revitalize FISMA and the C&A process. If Government Reform Chairman Davis doesn't feel the problem is worth his time, he might consider transferring responsibility for FISMA and federal security to the House Homeland Security Committee where Chairman King's targeted subcommittee chairs have fostered real progress in improving security of critical infrastructure control systems. ]
Microsoft Will Release Updated Patch; First Version Had Problems with IE (16 & 15 August 2006)
Microsoft plans to release an updated version of MS06-042 on August 22. Users who applied the original update, released on Tuesday, August 8, and whose machines are running IE 6 with SP1 on Windows 2000 and XP found that Internet Explorer (IE) would crash after visiting certain web sites. The problem occurs when users visit web sites using HTTP version 1.1 along with compression. Microsoft has suggested a workaround and made a hotfix available for use until the new patch is available.-http://news.com.com/2102-1002_3-6106039.html?tag=st.util.print
-http://support.microsoft.com/kb/923762/en-us
[Editor's Note (Schultz): I am not trying to be critical of Microsoft, but once again Microsoft has released a faulty hot fix--yet another case in point for not enabling Windows Automatic Updates. Organizations instead need to carefully test each hot fix before installing it. ]
Survey Finds Laptops, Handhelds Pose Significant Data Security Risk (16 August 2006)
A recent survey of 484 technology professionals indicates that 81 percent of companies in the US lost laptop computers that held sensitive data last year. Handhelds and laptops posed the greatest risk to sensitive data, according to survey results; Universal Serial Bus (USB) sticks, desktops and shared file servers followed. More than half of the respondents said data on USB drives are not protected; twenty percent said at least one USB drive holding data is lost each month at their workplaces. More than half of the companies surveyed said they would not be able to determine what information was contained on missing USB drives and nearly half of respondents said they would not be able to determine the information contained on handheld devices. Sixty-four percent of respondents said they had never compiled an inventory of sensitive consumer or employee data. The survey was a joint effort between the Ponemon Institute LLC and Vontu Inc-http://www.usatoday.com/tech/news/computersecurity/2006-08-15-thumbdrives-stolen
_x.htm
[Editor's Note (Honan): The statistic that strikes me as most worrying from this survey is the large amount of respondents who do not have an inventory of the sensitive data they are supposed to be protecting. Not knowing where sensitive data is located will result in inadequate controls being put in place and a high probability of a breach occurring. ]
********************** Sponsored Links: *******************************
1) SANS WhatWorks webcast 8/21 at 1pm-2pm EDT,"WhatWorks in Log Management:
Critical Considerations in Building & Deploying Global Log Management"
http://www.sans.org/info.php?id=1306
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOT Acknowledges Another Missing Laptop (15 August 2006)
The Department of Transportation (DOT) office of the inspector general (IG) has acknowledged that a second laptop computer was stolen from a Miami, Florida-based agent during an agency-sponsored conference in April. The computer, which belonged to the special agent in charge of the Miami office, contains unencrypted case files. DOT's IG has not determined if the laptop holds personally identifiable information. Agency officials initially were told the computer held conference information and only recently learned that it holds case files. Officials from the IG's office began revisiting the case following the theft of a laptop holding personally identifiable data on 133,000 Florida residents; that computer was stolen from an employee's car on July 27. Please note this site requires free registration:-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/14/AR2006081401193_
pf.html
-http://www.miami.com/mld/miamiherald/15274879.htm
Reward Offered for Info Leading to Return of Missing VA Laptop (15 August 2006)
A reward of up to US$50,000 is being offered for information that leads to the recovery of a missing laptop containing personally identifiable information of approximately 20,000 US veterans. The computer was reported missing from the offices of Unisys, a company contracted to monitor insurance claim processing data for the Department of Veterans Affairs (VA). The FBI is leading the investigation into the computer's disappearance.-http://govhealthit.com/article95669-08-15-06-Web
SPYWARE, SPAM & PHISHING
Bank of Ireland Customers Fall Prey to Phishers to the Tune of 110,000 Euros (17 & 16 August 2006)
Bank of Ireland (BoI) customers have lost at least EUR110,000 (US$141,000) to a recent phishing scam. By the time the bank issued a warning about the attack, many people had already supplied their banking details to a phony web site. Reports indicate BoI has so far refused to reimburse customers for money they lost to the scam. BoI has clarified that it will never ask for personal login information in an email and asks that anyone who receives solicitation for such information report it as soon as possible. BoI said customers should never reveal their PINs or passwords to anyone and that the customers are responsible for keeping login details safe. Police are investigating.-http://www.theregister.co.uk/2006/08/17/boi_phishing_attack/print.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single6904
Washington AG Alleges Spyware Act Violations (16 & 14 August 2006)
Washington State Attorney General Rob McKenna has filed a lawsuit against Movieland.com parent company Digital Enterprises alleging violations of the state's Computer Spyware and Consumer Protection Acts. People sign up for a free, three-day trial of the company's software that allows them to download movie clips. After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent. The pop-ups, which appear hourly or even more frequently, read "Click 'Continue' to purchase your license and stop these reminders." The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.-http://www.theregister.co.uk/2006/08/16/washington_movie_spyware_lawsuit/print.h
tml
-http://www.networkworld.com/news/2006/081406-washington-sues-movie-download-serv
ice.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Yahoo Fixes Mail Flaw (16 August 2006)
Yahoo has fixed a flaw in the way Yahoo Mail service handled attachments. Users do not have to take any action to be protected. Attackers could have exploited the flaw by sending malicious JavaScript code that would execute when users opened the specially constructed email. The attackers could then steal users' Yahoo Mail cookies, gain access to their mailboxes and take control of their accounts.-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/0
8/16/HNyahoosecurityplug_1.html
-http://www.scmagazine.com/uk/news/article/585600/yahoo-plugs-web-mail-hole/
[Guest Editor Note (Jeff Bryner): Anyone using yahoo mail probably has already noticed that it doesn't always block images that are part of spam mail. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Info of Williams Sonoma Employees (17 August 2006)
Williams Sonoma has notified approximately 1,200 current and former employees that their personal information was on a computer stolen from the apartment of a Deloitte & Touche employee. Deloitte & Touche was performing an annual audit of Williams Sonoma's financial statements. The data were not encrypted. Local police are investigating the incident.-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/08/17/BUG11KJOOV1.DTL&a
mp;type=printable
Stolen Laptop Holds Info of Current and Former Chevron Employees (16 August 2006)
Chevron Corp. acknowledged that a laptop stolen from an independent contractor holds personally identifiable information belonging to an undetermined number of current and former Chevron employees. Chevron has begun to notify people whose data are on the computer and has offered them credit monitoring and identity restoration services. The computer was apparently stolen on Saturday, August 5 and the company was alerted to the theft on Monday, August 7. Law enforcement authorities are aware of the incident. Chevron also sent an email to all employees about the theft in an effort to heighten awareness of the importance of data security.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002498
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/16/BUG1EKJ14T1.DTL
[Editor's Note (Honan): Raising security awareness amongst staff after a security incident has occurred will only be effective for a relatively short period of time and is akin to "closing the stable door after the horse has bolted". Effective security awareness programmes ensure staff are continuously made aware of the security risks and threats posed to their organisation and what they should do to mitigate those risks. ]
STATISTICS, STUDIES & SURVEYS
Study: Three-Quarters of China's Computers Hit with Malware in Past Year (14 August 2006)
A survey from China's Ministry of Public Security indicates that nearly 75 percent of computers in the country were infected with malware between May 2005 and May 2006. This marks a six percent drop from last year's figure. The survey compiled the results of 13,824 questionnaires. Vectors of attack included USB drives, portable hard disks and surfing the Internet.-http://china.org.cn/english/scitech/177871.htm
[Editor's Note (Boeckman): At least we are exporting something to China. ]
MISCELLANEOUS
The Costs of Laptop (In)Security (16 August 2006)
The cost of laptop thefts goes far beyond the replacement of hardware. Matrix Capital Bank has spent more than US$50,000 in response to security issues raised by the theft of two laptop computers from its Denver, Colorado headquarters. The bank has two people working full time on monitoring the breach and dealing with customer concerns. They have also installed video surveillance cameras in the offices from which the computers were stolen, hired an independent company to perform a security audit and paid for one year of credit monitoring for all those affected by the data security breach. The VA, which has recently made headlines regarding laptop thefts, has said it plans to encrypt all its laptop and desktop computers. Encryption costs between US$50 and $100 for each machine and can slow down users' access to data.-http://www.denverpost.com/business/ci_4187189
[Editor's Note (Schultz): One of the greatest downsides to encryption is that it can cause data loss if keys are lost or become corrupted. ]
Lawsuit Seeks Decertification of eVoting Machines in Pennsylvania (15 August 2006)
Non-profit group Voter Action has filed a lawsuit asking Pennsylvania's Commonwealth Court to decertify electronic voting machines used in 58 of the states 67 counties. The suit alleges the machines lack a paper audit trail necessary for recounts or resolution of other election problems and that they violate the state's election code and constitution. While Pennsylvania state officials maintain the certified machines are capable of "reconstructing votes based on computer images," the plaintiffs say malfunctions with electronic voting machines have in the past lost votes. Please note this site requires free registration:-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/15/AR2006081501202_
pf.html
-http://government.zdnet.com/?p=2511
[Editor's Note (Boeckman): Since it is becoming pretty clear that we can not trust electronic voting machines, at the very minimum, there should be some sort of paper trail that can be audited. ]
EFF Files Complaint with FTC Regarding AOL Search Data Exposure (15 & 14 August 2006)
The Electronic Frontier Foundation (EFF) has filed a complaint with the US Federal Trade Commission (FTC) asking them to investigate AOL's exposure of 658,000 subscribers' search queries. The EFF says AOL violated its own privacy policy as well as FTC regulations, and asks that the company be made to notify those subscribers whose search queries were included in the list. The EFF also wants AOL to stop logging search data "except where absolutely necessary." The FTC has not said if it will launch an investigation.-http://www.techweb.com/wire/192200201
-http://www.usatoday.com/tech/news/internetprivacy/2006-08-14-aol-eff-ftc_x.htm
Worm Partially Disables Shanghai (17 August 2006)
The worm virus, codenamed Worm.Mocbot.a, is spreading in Shanghai to the point the government web page has posted detection instructions. The worm uses a vulnerability in the Windows XP operating system, MS06-040, to exploit personal computers. Once infected, an IRC network takes over the computer; early data indicates the goal is to steal passwords and financial information. An unfortunate side effect of the worm is the system may become unstable and unable to connect to the Internet. The city has an official anti-virus support office which has already processed more than 800 calls for help. You know you have been infected when you see a warning message labeled "Generic Host Process for Win32 Services," in English with a lot of information in Chinese characters.-http://www.shanghaidaily.com/art/2006/08/17/289379/Worm_virus_breaks_down_city__
039_s_broadband.htm
-http://www.shanghai.gov.cn/shanghai/node2314/node2315/node4411/userobject21ai168
313.html
"Evil Twin" Public WiFi threat (15 August 2006)
Users of Public WiFi networks may connect to wireless access points designed to monitor all of the information transmitted over them. The buzz phrase for these fraudulent access points is Evil Twin. This article recommends disabling automatically connecting to access points and provides step by step instructions. In addition, never disable warning popups, they may be annoying, but they were built into the operating system and applications to protect users.-http://cbs4boston.com/specialreports/local_story_227155439.html
[Editor's Note (Northcutt): For readers with Awareness program responsibilities, this could be a great Tip of the Day. ]
78% of Credit Card Merchants Are Not PCI Compliant (6 August 2006)
Everything you hear about PCI suggests it is great and that it is working, but in fact, most merchants are not compliant. The teeth in the compliance was supposed to be hefty penalties for violations, but institutions are unwilling to pass the fine on to the Merchant with the breach. They are concerned that if they do so, the merchant will not renew with them and absorb the fine as part of the cost of doing business.-http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-d
ont-care-about-pci-dss/
Consumer Reports Creates 5,500 Viruses For Tests (16 August 2006)
Consumer Reports is under fire from the anti-virus community for sponsoring the creation of 5,500 new viruses to test anti-virus products. Zone Alarm Internet Security Suite scored high in the test for both virus and spyware. Spybot Search and Destroy scored well for spyware.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002499&source=rss_topic17
-http://cbs4boston.com/consumer/local_story_226152410.html
Special Tip: A great discussion on Microsoft Office security and vulnerabilities has been posted on SecurityFocus:
-http://www.securityfocus.com/infocus/1874
[Editor's Note (Paller): This controversy is especially problematic for the leading AV companies because they have traditionally not done well in finding and blocking new viruses quickly. But for goodness sakes, if they don't do well at finding and blocking new viruses, why ae we buying them? They should stop complaining and instead thank Jeff Fox and the editors at Consumer Reports for helping to do important product improvement research for them. ]
***************** The Editorial Board of SANS NewsBites ****************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
*************************************************************************
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/