SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #75

September 22, 2006

New Orleans is back, and SANS top teachers will be in New Orleans for a special highly interactive SANS training program - a great chance to get more time with these industry leaders and update and turbo-charge your technical skills. November 14-18. Hacker exploits, Windows, SecuritY Essentials, more.
Details: http://www.sans.org/neworleans06/event.php

---

TOP OF THE NEWS

Apple Issues Patches for Controversial Wireless Flaw
House Judiciary Committee Approves Controversial Wiretap Bill
Botnet Worm Spreading Through AOL Instant Messenger
Maryland Gov. Calls for Paper Ballots in November Election

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
ChoicePoint Victims Have Yet to See Settlement Money
POLICY & LEGISLATION
AG Testifies in Favor of Requiring ISPs to Retain Customer Activity Logs
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attacks Exploit Unpatched IE Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Default Diagnostic Mode Password Used to Reprogram ATM
Life is Good Customer Data Compromised
Computers Stolen from Virginia Medical Center
Gun Permit Holders' Personal Data Exposed
STATISTICS, STUDIES & SURVEYS
NASCIO Releases CISO Survey Results
MISCELLANEOUS
Lawyers Seek Class Action Status for Suit Against Bank of America

---

******************** Sponsored By CACE Technologies ********************

AirPcap is an easy to deploy WLAN (802.11b/g) packet capture solution for Windows. Using Wireshark (formerly Ethereal) for Windows, this USB 2.0 adapter can capture and analyze 802.11b/g wireless traffic, including control frames, management frames, and power information. Wireshark, Windump, and Ngrep are currently supported, and more Open Source tools will soon follow.
http://www.sans.org/info.php?id=1358
*************************************************************************
Network Security 2006 (Las Vegas, Oct. 1-8) is the only place to find all 20 of SANS highest rated teachers. How Good Are The Courses at SANS Network Security 2006? Ask the alumni.
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
See: http://www.sans.org/ns2006/caag.php
***********************************************************************

---

TOP OF THE NEWS

Apple Issues Patches for Controversial Wireless Flaw (21 September 2006)

Apple issued an advisory admitting that wireless flaws are present in Apple notebook computers. The built-in wireless device drivers are vulnerable to exploitation in a manner very similar to the way 3-rd party wireless cards can be exploited.
-http://blog.washingtonpost.com/securityfix
The advisory:
-http://docs.info.apple.com/article.html?artnum=304420

House Judiciary Committee Approves Controversial Wiretap Bill (21 September 2006)

The House Judiciary Committee has approved a bill that would allow the US government to wiretap US citizens' network communications without a court order for three months following a terrorist attack. The Electronic Modernization Surveillance Act would also reduce the amount of information needed to obtain a wiretapping warrant from the US Foreign Intelligence Surveillance Court, and would allow the government to obtain wiretaps on all types of electronic communication. The bill is expected to go before the full house for a vote by the end of this month.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003513&intsrc=news_ts_head
[Editor's Note (Northcutt): This may be OK as long as there is due process to make sure these powers are not abused. Remember the Patriot Act implementation problems:
-http://www.dailytexanonline.com/media/storage/paper410/news/2003/09/14/StateLoca
l/Critics.Cite.Patriot.Act.Abuse.And.Misuse-465391.shtml?norewrite200609211851&a
mp;sourcedomain=www.dailytexanonline.com
-http://www.cbsnews.com/stories/2003/07/21/attack/main564189.shtml
-http://www.reviewjournal.com/lvrj_home/2003/Nov-05-Wed-2003/news/22521283.html]

Botnet Worm Spreading Through AOL Instant Messenger (19 September 2006)

A worm dubbed Win32.Pipeline is spreading through AOL Instant Messenger. Analysts believe the worm is attempting to create a botnet of infected computers. Computers become infected when users are tricked into downloading an executable file (a program) disguised as a JPEG image. Once installed on a computer, that program communicates with a variety of host computers to download malware onto the infected machine.
-http://www.vnunet.com/vnunet/news/2164531/experts-warn-aol-botnet-threat
-http://www.australianit.news.com.au/articles/0,7204,20445029%5E15306%5E%5Enbv%5E
,00.html
[Editor's Note (Pescatore): These IM worms are sort of at the stage where email phishing was 5 years ago: they don't happen often enough yet so that people still trust the underlying mechanism and fall for the attacks. People have been very trusting of email addresses on inbound email, they are even more trusting of IM screen names that are in their buddy list. Widespread mass phishing attacks made people think twice about who incoming email is really coming from, but IM attacks that stay targeted and don't turn into just giant denial of service attacks can fly below the radar. Since so many businesses pretend they don't really use IM for business purposes, they aren't protecting against these attacks and need to do so. ]

Maryland Gov. Calls for Paper Ballots in November Election (21 September 2006)

Following numerous problems involving electronic voting systems in Maryland's primary election last week, Maryland Governor Robert L. Ehrlich is calling for the state to use paper ballots in the November general election. State Board of Elections administrator Linda H. Lamone called the plan "crazy" and says her staff is prepared to address the problems in time for the upcoming election. Some of last week's problems were due to human error; in nearly all Maryland precincts, election officials had neglected to distribute cards necessary to operate the voting machines. There were also problems with transmitting voting data electronically, which delayed the process of tabulating the results. Election officials are still counting paper ballots from last week's primary. Some memory cards were still in voting machines days after the election. In addition, electronic poll books crashed after checking in just 40 voters and some did not transmit information to other books at the same precinct, meaning registered individuals could have voted more than once. (Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/09/20/AR2006092001356_
pf.html
[Editor's Note (Schultz): I'll be interested in hearing what Dr. Avi Rubin of Johns Hopkins University has to say about the latest electronic voting fiasco. I'd highly recommend reading his recently published book on electronic voting, _Brave New Ballot_. ]

---

*********************** Sponsored Links: ******************************

1) The Process Control & SCADA Security Summit, September 28 - 30, is a must-attend event for the technical and procurement managers of any organization that relies on automated industrial control systems and for the system integrators and system vendors that support them.
http://www.sans.org/info.php?id=1359

2) Write a strong AUP, then enforce it with iPrism. Download your free e-Policy Handbook with templates.
http://www.sans.org/info.php?id=1360

3) CYBER DEFENSE INITIATIVE 8570 TRAINING EVENT 16-22 OCTOBER, SIVLVER SPRING, MD
First Cyber Defense Initiative (CDI) training event in response to DoD 8570.1 Directive and its implementing manual 8570.01-M.
Visit: http://www.sans.org/info.php?id=1361

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

ChoicePoint Victims Have Yet to See Settlement Money (21 September 2006)

Although ChoicePoint agreed in January to a US$15 million settlement in the massive data breach case, the Federal Trade Commission (FTC) has yet to distribute any of the US$5 million designated to compensate victims of identity fraud resulting from the data breach. Approximately 800 individuals have been identified as fraud victims. There are as yet no procedures established for compensating the identified victims.
-http://www.boston.com/business/globe/articles/2006/09/21/ftc_hasnt_paid_victims_
of_breach_at_choicepoint?mode=PF
[Editor's Note (Honan): 800 fraud victims identified thus far. What is in place for future victims resulting from this breach? The problem with personal data is it only expires when you do. ]

POLICY & LEGISLATION

AG Testifies in Favor of Requiring ISPs to Retain Customer Activity Logs (20 & 19 September 2006)

Attorney General Alberto Gonzales testified before a Senate panel that Internet service providers (ISPs) should be required to retain customer logs for longer periods of time to help law enforcement officials combat child pornography. Gonzales said that in this case the need for information trumps privacy concerns. Presently, ISPs retain records for varying periods from a few days to roughly one year. According to the Justice Department, the content of communications would not be preserved and the information would remain in the custody of the ISPs; the government could access the data with "a subpoena or other lawful process."
-http://www.securityfocus.com/brief/309
-http://www.msnbc.msn.com/id/14908278/
-http://management.silicon.com/government/0,39024852,39162580,00.htm
[Editor's Note (Northcutt): The management.silicon.com article is very well written and gives an insight into the vast amount of legislation that is pending. And of course we all need to support the fight against child pornography! I support this legislation as long as the data will be used to prosecute child porn and terrorism and cannot be used for any other purpose. As a control they should add a clause stating that any and every government official convicted of misuse of the data will automatically be sentenced to one year in prison without possibility of early release. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Attacks Exploit Unpatched IE Flaw (21 & 20 September 2006)

Microsoft says it will address a serious vulnerability in Internet Explorer in its next scheduled security update release on October 10. Attacks exploiting the flaw have already been detected. The flaw allows attackers to take control of vulnerable computers. Attackers can create web pages that are capable of placing all kinds of malware on people's computers. Microsoft has suggested actions users can take to protect themselves from attacks until a patch is available.
-http://news.bbc.co.uk/2/hi/technology/5365296.stm
-http://www.securityfocus.com/brief/307
-http://www.theregister.co.uk/2006/09/21/ie_exploit/print.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Default Diagnostic Mode Password Used to Reprogram ATM (20 September 2006)

Someone reprogrammed an ATM in Virginia to dispense US$20 bills in place of US$5 bills. The machine remained in the revised mode for nine days before a clerk in the store that houses the ATM was alerted to the situation. An investigation determined that the password allowing access to the ATM's diagnostic mode was the default one; the manual for the machine lists this password.
-http://www.securityfocus.com/brief/310

Life is Good Customer Data Compromised (20 September 2006)

A database containing the names, addresses and credit card data of more than 9,000 Life is Good customers has been compromised. The company acknowledged the intrusion on September 19, but did not say when it had occurred. A company spokesperson said affected customers were notified "within days" after the head of the company's customer service department detected the intrusion. Soon after that, access to the web site was shut down and security measures implemented. The incident is being investigated.
-http://business.bostonherald.com/businessNews/view.bg?articleid=158367
[Editor's Note (Kretiner): Looks like Life is Not So Good for some Life Was Formerly Good folks. ]

Computers Stolen from Virginia Medical Center (19 September 2006)

Two computers stolen from the Radiation Therapy Department at DePaul Medical Center in Norfolk, Virginia contain data belonging to approximately 100 patients. The computers were stolen on August 28 and September 11. The hospital is notifying those affected by the breach.
-http://www.wtkr.com/global/story.asp?S=5423927&nav=ZolHbyvj

Gun Permit Holders' Personal Data Exposed (15 September 2006)

The names, addresses, Social Security numbers (SSNs) and other personal data belonging to approximately 25,000 gun permit holders in Berks County, Pennsylvania were inadvertently exposed on the Internet. The Berks County sheriff was attempting to make the list of gun permit holders more secure to comply with a court order. An outside contractor apparently failed to take steps to protect the information over the Labor Day weekend. County Solicitor Alan L. Miller says state law requires they notify all individuals whose data were exposed.
-http://www.tmcnet.com/usubmit/2006/09/15/1898313.htm

STATISTICS, STUDIES & SURVEYS

NASCIO Releases CISO Survey Results (20 September 2006)

The National Association of State Chief Information Officers (NASCIO) has released findings of a survey conducted this summer. Responses came from CISOs or people in equivalent positions in 41 states. Sixty-nine percent of respondents reported having a mix of policy and operational responsibilities. Respondents also said they found it difficult to ask legislatures to fund preventive measures, despite the fact that costs associated with damage control following an incident far exceed proactive costs. In the summary, the report states that "the state CISO role has evolved in recent years from a technical position dealing with perimeter security and related activities to a position of state IT strategy and policy leader."
-http://www.govtech.net/news/news.php?id=101109
[Editor's Note (Schultz): The results of this survey apply to the entire field of information security. Technical prowess is important, but being able to manage a security program, steering it towards the appropriate strategic path and making sure it is getting there has become more critical.
(Northcutt): Here is my best effort to exact useful nuggets from this survey:
-- The overwhelming majority of CISOs report to the state CIO
-- The mix-of-duties statistic quoted above appears to be an artifact of poor survey design, it appears they are primarily policy, funding and overhead staff management from the other questions and also page 17.
-- About 2/3 of state CISO's report they have the power to enforce policy compliance. HOWEVER when asked about the scope of their authority in the state, the majority only have authority in the executive branch, not over all state agencies, a chilling thought.
-- About half hold an information security certification
-- And everything that I just reported is in some doubt since not all the respondents are actually CISOs
-http://www.nascio.org/nascioCommittees/securityPrivacy/public/NASCIO_CISOsurveyR
eport.pdf]

MISCELLANEOUS

Lawyers Seek Class Action Status for Suit Against Bank of America (September 2006)

A law firm has filed a complaint against Bank of America on behalf of a New Jersey resident whose personal data were stolen. The lawyers plan to seek class action status for the suit. In May, 2005, nine people were arrested for selling the financial account information of more than 676,000 individuals; Bank of America customers were among those affected.
-http://www.pralaw.com/ourfirm/news.asp?article=55

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/