SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #80

October 10, 2006

In the past week, two different CISOs have called asking what to do about encrypting laptops and other storage. The one today said "I've got guys beating down my door for a solution." He'll be coming to the Secure Storage and Encryption Summit in Washington December 6-7 because that's where all the sensible solutions will be discussed. The plan is for each attendee to go home prepared to act immediately to protect sensitive data. If you are still deciding on the right solution, please come. If you have already found a solution that works really well, please email me to discuss. (paller@sans.org)

For Summit data and registration: http://www.sans.org/mclean06/

Alan

---

TOP OF THE NEWS

Commerce Dept. Bureau Target of Attacks Through Chinese Servers
Study Says Disclosed Breaches Affect Stock Prices for Up to a Year
European Voting Machines Have Demonstrable Security Flaws

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Release 11 Security Bulletins on October 10
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UK TV Documentary Focuses on Data Theft in Indian Call Centers
Missing Laptop Holds Marine Base Resident Information
Missing Hard Drive Holds Air Traffic Controllers' Personal Data
Woman's Identity Stolen from Marriage License on County Web Site
MISCELLANEOUS
South Korea to Offer Safer Alternative to Citizen Registration Numbers
NIST Publishes Draft Guidance for RFID Security
FTC Wins Temporary Injunction Against Online Check Payment Company

---

**********Sponsored By SANS Secure Storage and Encryption Summit ********

User-to-user discussions will focus on mistakes to avoid and the things that work at the SANS Secure Storage & Encryption Summit, December 6-7. There will be ample opportunity to listen, and get your questions answered by those who have already fought the war.
http://www.sans.org/info/1395

*************************************************************************

Major US SANS Training Events in the Next 60 Days

New Orleans ( http://www.sans.org/neworleans06/ ) and

Washington, DC ( http://www.sans.org/cdieast06/ )

How Good Are SANS Courses. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense

Programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on demand courses) without leaving your home.
Schedule: http://sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

Commerce Dept. Bureau Target of Attacks Through Chinese Servers (6 October 2006)

Cyber attackers working through servers in China have been targeting computers at the US Department of Commerce's Bureau of Industry and Security (BIS) for more than a month, according to agency officials. BIS oversees US exports of products that have both commercial and military uses. The computers were attacked at night in an attempt to access BIS user accounts when they were unmanned; attackers managed to install rootkits. BIS has decided to replace the infected workstations rather than try to clean them. BIS has also blocked most Internet access; only stand-alone workstations that are not connected to the bureau's internal network are allowed to access the Internet. (please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/05/AR2006100501781_
pf.html
-http://www.techweb.com/wire/193105174
[Editor's Note (Paller): BIS controls U.S. exports of commodities, software and technology having both commercial and military uses. It is a rich data source for any organization that wants to learn about new technologies the US military considers important. Titan Rain (the coordinated, multi-year, very successful Chinese attacks on sensitive US government sites is still going strong. And while "Rome burns" agencies are forced to spend huge percentages of their security budgets (80% in one large agency) writing reports for FISMA instead of buying safer systems. ]

Study Says Disclosed Breaches Affect Stock Prices for Up to a Year (9 October 2006)

According to findings from a joint study between an Australian analyst company and a US research company, disclosure of data security breaches can have a significant impact on share prices of publicly traded companies. The study looked at six companies that acknowledged data security breaches. The stock prices of those companies fell an average of five percent within the first month following the disclosure and remained between 2.4 and 8.5 percent below for the eight months following. It took the stocks nearly one year to return to their original levels.
-http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html
[Editor's Note (Schultz): The results of this study dovetail well with previous, similar studies, such as one conducted at the University of Maryland several years ago. They also greatly help security professionals make a strong business case concerning the value of information security--in short, failure to adequately protect data is linked to plunges in stock prices, something that quickly catches senior management's attention.
(Grefer): While this study's results agree with common sense, the study would have been more useful if it employed a control group of companies of similar size and focus in the respective industries to eliminate the possibility that regular market fluctuations coincided and were misinterpreted. ]

European Voting Machines Have Demonstrable Security Flaws (5 October 2006)

According to a report from a group of researchers in the Netherlands, NEDAP/Groenendaal ES3B voting machines present serious security concerns. The machines are widely used in the Netherlands; they are used for elections in Germany, France and Ireland as well. The researchers maintain that if sabotage-minded individuals are "given brief access to the devices at any time before the election, (they) can gain complete and virtually undetectable control over the election results." The researchers also explain how the machine's radio signal could be monitored to detect how people were voting.
-http://www.theregister.co.uk/2006/10/05/e-voting/print.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single7158
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003958&intsrc=news_ts_head

---

************************** Sponsored Links: ***************************

1) Free Study: Kahn Consulting Evaluates Security Log Files as Evidence with ArcSight ESM
http://www.sans.org/info/1396

2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar http://www.sans.org/info/1397

3) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step"- White Paper
http://www.sans.org/info/1398

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft to Release 11 Security Bulletins on October 10 (6 October 2006)

According to Microsoft's Security Bulletin Advance Notification, the company will release 11 security bulletins on Tuesday, October 10. Six are for flaws in Windows, four for flaws in Office and one for a flaw in the .Net framework. All the updates may require restarts.
-http://www.securityfocus.com/brief/323
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
[Editor's Note (Honan): If the past few months have been anything to go by, then expect "0-day Vulnerability Wednesday" to bring a range of new vulnerabilities not addressed on "Patch Tuesday." ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

UK TV Documentary Focuses on Data Theft in Indian Call Centers ( 8 October 2006)

Channel 4 in the UK ran a documentary showing stolen credit card information from Indian call centers. The National Association of Software and Services Companies (NASSCON) in India disputes the claims of the TV sting.
-http://www.forbes.com/business/feeds/afx/2006/10/08/afx3074649.html
[Editor's Note (Northcutt): We have carried two stories in the past few years about thieves being arrested for data breaches from Indian call centers.
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=37
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=16
The second story details NASSCON creating a database of background checks after the high profile Citibank theft. Finally, the Indian government is considering tighter legislation:
-http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=111678&
;version=1&template_id=40&parent_id=22
My analysis: there is a risk to using Indian call centers, but it probably isn't higher than US call centers, and the Indian government and trade association are working hard to increase both security and the penalty for crime. ]

Missing Laptop Holds Marine Base Resident Information (7 October 2006)

An investigation has been launched into the disappearance of a laptop computer containing personal information of 2,400 residents of the Camp Pendleton Marine Corps base. Lincoln B.P. Management Inc., the company that manages housing on the base, reported the missing computer. Lincoln P.B. is notifying individuals affected by the data security breach.
-http://news.yahoo.com/s/ap/20061007/ap_on_hi_te/missing_laptop
[Editor's Note (Northcutt): I found an interesting article on another side of this continuing problem, businesses making money helping groups secure laptops:
-http://www.philly.com/mld/inquirer/business/15703874.htm]

Missing Hard Drive Holds Air Traffic Controllers' Personal Data (6 October 2006)

A hard drive missing from the Cleveland Air Route Traffic Control center in Oberlin, Ohio contains the names and Social Security numbers (SSNs) of at least 400 air traffic controllers. A Federal Aviation Administration (FAA) spokesperson says the agency believes the drive was encrypted; the FAA is investigating the incident to determine if the drive was stolen. The president of the facility's National Air Traffic Controllers Association says he believes the thief was after the information and not the hardware, which is ten years old.
-http://www.cleveland.com/news/plaindealer/index.ssf?/base/lorain/116012444919787
0.xml&coll=2&thispage=1

Woman's Identity Stolen from Marriage License on County Web Site (5 October 2006)

A Florida woman discovered that her marriage license was viewable on the Orange County (FL) controller's web site after someone applied for a loan in her name, according to a local television report. The license revealed the woman's name, date of birth and SSN, as well as those of her husband. The Orange County comptroller is reportedly paying a vendor US$500,000 to black out all SSNs on the web site by January 2008.
-http://www.local6.com/problemsolvers/10003689/detail.html
[Editor's Note (Kreitner): What about all the people whose personal information continues to be exposed during the rest of 2006 and all of 2007? Why local jurisdictions around the country have chosen to put their constituents' personal information on public websites is beyond understanding. A little common sense would help here. ]

MISCELLANEOUS

South Korea to Offer Safer Alternative to Citizen Registration Numbers (9 October 2006)

South Korean citizens will be able to apply for Internet Personal Identification Numbers, or i-PINs, to use in place of the citizen registration numbers that had been used to verify online identities. Criminals have managed to obtain databases containing the citizen registration numbers, placing people at risk for identity fraud. The numbers reveal individuals' genders, and dates of birth. The new i-PIN numbers will not reveal such data, and users may cancel numbers and apply for new ones if they believe theirs have been compromised. More than one million South Korean citizens were victims of identity fraud as a result of the lax security surrounding the citizen registration number databases.
-http://www.itnews.com.au/newsstory.aspx?CIaNID=37963

NIST Publishes Draft Guidance for RFID Security (3 October 2006)

The National Institute of Standards and Technology (NIST) has issued SP-800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems, a draft report describing the security risks that accompany RFID technology and recommending practices that can mitigate those risks. Thieves with RFID reading devices could harvest data about containers' contents if they are looking to steal particular goods. There are also security concerns if the RFID system is linked to a backend database. Unless the database is protected by access controls, passwords and cryptography, people could use the readers to access the data.
-http://www.fcw.com/article96300-10-03-06-Web&newsletter=yes
-http://csrc.nist.gov/publications/drafts/800-98/Draft-SP800-98.pdf
[Editor's Note (Pescatore): This draft has good coverage of the potential risks. The security recommendations section should add recommendations to make sure all reader/interrogator software has been built to secure software principals and tested for vulnerabilities. Instead, the draft does the Common Criteria kind of thing to specify security functions and patchability - but nothing about forcing the software end of RFID to start off at a higher level of security/quality to reduce the need for patching. ]

FTC Wins Temporary Injunction Against Online Check Payment Company (3 October 2006)

A federal judge has granted the Federal Trade Commission's (FTC) request for a temporary restraining order against Qchex, a company that allows people to create and send checks drawn on any bank account without verifying that individual's' authority to access that account. The checks are created online, emailed and then printed and cashed by the recipients. The FTC alleged that Qchex was acting in violation of federal law. Although the current order is temporary, the FTC will seek a permanent order as well as an order that will force the defendants to surrender any money they made from their scheme. Qchex has agreed to the temporary restraining order.
-http://news.com.com/2102-7348_3-6121911.html?tag=st.util.print
-http://www.ftc.gov/opa/2006/10/qchex.htm

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/