SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #66

August 22, 2006

Security holes in voting machines are at the "top of the news" this week, but the third and fourth stories may prove more vital to security professionals. They tell about IT officials at Ohio University and at AOL who lost their jobs entirely because they "should have taken a much more responsible role in securing the wide area and local area networks." Accountability for security breaches is also the new watchword in the Federal government. The days of writing a security policy, and then griping when it doesn't get implemented, appear to be over. If you have examples that reinforce the trend toward personal accountability in security, please share them (in complete confidence) with us (paller@sans.org)

Alan

---

TOP OF THE NEWS

1. VOTING MACHINE SECURITY
Study Turns Up Problems with eVoting System in Ohio
Maryland Governor Not Convinced eVoting Machines Are Accurate
2. PERSONAL ACCOUNTABILITY FOR SECURITY BREACHES
CIO Resigns and Two IT Executives Fired After Data Breaches
Three AOL Employees Sacked Following Search Query Exposure

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Romanian Police Arrest Internet Fraud Suspects
SPYWARE, SPAM & PHISHING
Florida Man Indicted on Wire Fraud Charges for Setting Up Katrina Phishing Sites
Yahoo Testing Sign-in Seal Service
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FBI Investigating Theft of 10 Computers from Hospital Management Co.
STATISTICS, STUDIES & SURVEYS
Internet-Related Crime Climbs to New High in Japan
MISCELLANEOUS
In-Q-Tel Investment in Medical Record Mgmt. Co. Raises Concerns
Mozilla Pushes Back Firefox 2.0 Release Date to Address Flaws

---

********************* Sponsored By Imperva Inc. *************************

The Top 5 Online Identity Theft Attacks - Whitepaper. Do your web applications allow hackers access to your user's confidential identity information? Without heavy lifting, you can prevent thieves from impersonating legitimate users for criminal purposes. Learn these top 5 identity attacks and how you can stop them today.
http://www.sans.org/info.php?id=1316

*************************************************************************

How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense SANS best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, much more . Early registration deadline is Friday, August 18.
See: http://www.sans.org/ns2006/caag.php

*************************************************************************

---

TOP OF THE NEWS

1. VOTING MACHINE SECURITY

Study Turns Up Problems with eVoting System in Ohio (21 August 2006)

A report based on a study of a May 2006 primary election in Cuyahoga County, Ohio indicates that the electronic voting system used in the election presents significant concerns about accuracy. Close to ten percent of the paper versions of the votes, or the voter-verifiable paper audit trail, generated by Diebold Election System's AccuVote TSx touch-screen voting equipment were "either destroyed, blank, illegible, missing, taped together or otherwise compromised." According to the report, 72 percent of polling places showed a discrepancy between the voting record on the machine's memory card and the paper ballots the system generated. The report also indicated that printer problems including jamming and improperly loaded paper rolls could present serious accuracy concerns. The report strongly recommended that election workers be trained in the use of the machines, that the printers be tested and that contingency plans be developed. A Diebold spokesperson has questioned the methods used in the study; he maintained the discrepancies were the result of matching memory cards with the wrong sets of paper ballots.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002610
[Editor's Note (Schultz): A Diebold spokesperson (aka damage control person) has questioned the validity of this report, but after all the problems found in Diebold voting machines over the years, one must at this point wonder how credible such counteraccusions are. ]

Maryland Governor Not Convinced eVoting Machines Are Accurate (19 August 2006)

Maryland Governor Robert L. Ehrlich Jr. has expressed reservations about the accuracy of electronic voting equipment slated to be used in the state's September 12 primary election. State election officials maintain the Diebold electronic voting systems produce reliable results. In 2003, Governor Ehrlich signed a US$55 million contract to put the electronic voting systems in all precincts statewide. Soon after the contract was signed, a researcher at Johns Hopkins University published a report that said the machines had serious security problems. A subsequent review of the machines turned up numerous vulnerabilities, including 26 deemed critical. Governor Ehrlich agreed to honor the contract when he received assurances the problems would be addressed but his policy director, Joseph M. Getty, says the problems have not yet been resolved. (please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/18/AR2006081801064_
pf.html
[Editor's Note (Schultz): The Johns Hopkins University researcher is Dr. Avi Rubin, a modern day champion of free elections and democracy. He puts up with incredible harassment for his having reported numerous flaws in voting machines, Diebold voting machines in particular, over the years. One must seriously question the motives of his detractors. ]

CIO Resigns and Two IT Executives Fired After Data Breaches (4 August 2006)

The director of network communications services and the manager of Internet Systems for Ohio University were fired in the wake of five cases of data theft exposing up to 173,000 social security numbers. The CIO also resigned. In their letter of termination, the employees were told, "you clearly should have foreseen the risks and consequences of IT security breaches, and also should have taken a much more responsible role in securing the wide area and local area networks under your responsibility." The university is also dealing with plagiarism charges.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9002206
-http://news.yahoo.com/s/ap/20060821/ap_on_re_us/university_scandal

[Editor's Note (Schultz): "When it rains, it pours." Although I feel sorry for the individuals who lost their jobs or had to resign as the result of the security breaches at Ohio University, the whole series of incidents there provides a poignant set of "lessons learned" for organizations that neglect security in their computing and network environments. ]

Three AOL Employees Sacked Following Search Query Exposure (21 August 2006)

Three AOL employees involved in the exposure of user search query data are no longer with the company. Maureen Govern, who served as AOL CTO, has resigned; the researcher responsible for the data exposure and that individual's supervisor have both been fired. The supervisor reported to Govern. AOL plans to establish a task force to create best practices for privacy and to examine how long data should be retained.
-http://news.com.com/2102-1030_3-6107830.html?tag=st.util.print
[Editor's Note (Honan): This should be seen as a positive move by AOL. Accountability for information security, especially pertaining to consumer privacy, needs to be made more of an issue in many commercial and government organisations. ]

---

*********************** Sponsored Links: ******************************

1) How do you protect what you can't see? Get total network visibility now. FREE demo at:

http://www.sans.org/info.php?id=1317

2) What's hiding in your encrypted traffic? Read the SSL Scanning whitepaper from Secure Computing to learn about protecting your network.

http://www.sans.org/info.php?id=1318

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Romanian Police Arrest Internet Fraud Suspects (21 & 20 August 2006)

Romanian police have arrested 23 people in connection with an Internet fraud ring. The suspects are accused of setting up phony web sites designed to capture users' email addresses and then subsequently contacting those customers asking them to update personal data which in turn was used to offer non-existent items for sale on the Internet. The accused allegedly stole more than US$120,000. Those convicted could face up to 15 years in prison.
-http://www.smh.com.au/news/Technology/Romanian-police-break-up-Internet-crime-ri
ngs/2006/08/20/1155408079154.html
-http://www.theregister.co.uk/2006/08/21/romanian_id_fraud_clampdown/print.html
[Editor's Note (Ullrich): Romania has been a safe haven for cyber criminals for a long time. A well educated population and little legal employment opportunity make for a dangerous mix. Up to 2003, the country lacked any kind of "cyber crime law" to allow prosecution of such offenses. We can only hope that this is the first of many such arrests. ]

SPYWARE, SPAM & PHISHING

Florida Man Indicted on Wire Fraud Charges for Setting Up Katrina Phishing Sites (21 & 18 August 2006)

A US federal grand jury has indicted Jovany Desir of Miami, Florida, on five counts of wire fraud for creating phishing web sites. Desir's web sites, which spoofed American Red Cross, eBay, PayPal and several banks' sites, were designed to dupe people donating money for relief from Hurricane Katrina into disclosing their financial details. Desir faces maximum penalties of 50 years in prison and a US$1 million fine.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002606

-http://www.techworld.nl/idgns/926/man-charged-in-hurricane-katrina-phishing-scam
s.html
-http://www.itnews.com.au/newsstory.aspx?CIaNID=36073&src=site-marq
[Editor's Note (Ullrich): Last year, the Internet Storm Center closely monitored a large number of such hurricane related fraud sites. Good to see some of them are finally prosecuted. The number of Katrina-related domain name registrations alone reached approximately 400 domains / day a few days after the hurricane hit New Orleans
-http://isc.sans.org/images/katrina.png]

Yahoo Testing Sign-in Seal Service (18 August 2006)

Yahoo is testing a service it hopes will help users distinguish genuine Yahoo web sign-in pages from phishing sites designed to look like Yahoo sign-in pages. Users have to install the Yahoo sign-in seal on their computers; once installed, the seal will appear on legitimate sign-in screens. The service currently works only with US Yahoo sites and has not yet been officially announced.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=cybercrime_hacking&articleId=9002612&taxonomyId=82
-https://protect.login.yahoo.com/login/set_pref/
[Editor's Note (Schultz): This appears to be a brilliant idea--something that is akin to having digital signatures on email and documents.
(Pescatore): The next versions of the Internet Explorer and Firefox browsers will have white list and black list features built in to differentiate between known good and known bad web sites. Industry would be better off focusing on making sure users can take advantage of those new features, rather than each major web site asking users to download special software - how will users know they aren't downloading bogus "seals"?]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FBI Investigating Theft of 10 Computers from Hospital Management Co. (21 & 17 August 2006)

The FBI is investigating the theft of 10 laptop computers from the offices of Nashville, TN-based Hospital Corporation of America (HCA). The computers hold personally identifiable information of Medicare and Medicaid patients who have received treatment at HCA-managed hospitals in eight states. HCA is conducting an internal review. The US government required the company to keep the records that were on the stolen computers. The break-in is believed to be part of a string of similar thefts; the thieves are likely seeking hardware and not the data stored on drives. Company officials provided no details about when or where the theft occurred.
-http://www.eweek.com/print_article2/0,1217,a=186560,00.asp
-http://www.kansas.com/mld/kansas/news/state/15297743.htm
-http://www.hcahealthcare.com/CustomPage.asp?guidCustomContentID={0159E352-378A-4
0F2-AA8A-F79F59AEFA8E}
[Editor's Note (Pescatore): Theft of hardware (even desktop computers) seems to be on the rise. Economically, it doesn't make much sense - you'd be better off stealing stamps. But, it does mean physical security procedures should be reviewed. Thinking of other threats that went away and might come back, not a bad idea to make sure your mailroom security hasn't fallen below due-diligence for incoming packages and mail - see
-http://www.usps.com/communications/news/security/mailcenter.htm.
(Grefer): This serves as a reminder to use laptop cable locks not just while on the road, but also at the office. ]

STATISTICS, STUDIES & SURVEYS

Internet-Related Crime Climbs to New High in Japan (18 & 17 August 2006)

Statistics from Japan's National Police Agency show Internet-related crime has reached a new high during the first half of 2006; the 1,802 reported cases mark a 12 percent increase over the same period last year. Fraud accounted for the largest portion (40%) of reported Internet crime. Illegal access of computer networks accounted for 265 of the reported cases, a 34 percent increase over last year's figure. These crimes include phishing attacks and illegally accessing people's banking accounts.
-http://search.japantimes.co.jp/cgi-bin/nn20060818a4.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002518

MISCELLANEOUS

In-Q-Tel Investment in Medical Record Mgmt. Co. Raises Concerns (18 & 14 August 2006)

Privacy advocates have expressed concern about venture capital firm In-Q-Tel's investment in Initiate Systems, which sells software used to manage electronic health records. In-Q-Tel is backed by the CIA. Health care providers in the US and in Canada use Initiate Systems indexing software, which locates patients' medical records at various locations with the use of an identifier created from names, birthdates, addresses and other demographic data. Initiate does not have access to the providers' clients' health data.
-http://www.govhealthit.com/article95647-08-14-06-Print
-http://www.theglobeandmail.com/servlet/story/LAC.20060818.PRIVACY18/TPStory/Nati
onal

Mozilla Pushes Back Firefox 2.0 Release Date to Address Flaws (15 August 2006)

Mozilla has moved back the projected ship date for Firefox 2.0, code named Bon Echo, to October 24. The new version of the browser was originally scheduled for a September 26 release, but there are many flaws in Firefox 2.0 Beta 2 that need to be addressed before the final version is ready for public consumption. Firefox 2.0 is reported to include anti-phishing alerts among other features. Due to the delayed release of Firefox 2.0, Mozilla has shortened the release cycle of Firefox 1.5.0.7; it will now be available in early September.
-http://www.informationweek.com/internet/showArticle.jhtml?articleID=192200103&am
p;subSection=Browsers
-http://www.cio.com/blog_view.html?CID=24047

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

*************************************************************************

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/