SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #85
October 27, 2006
1. Has any reader found that enterprise rights management significantly improves security? And has anyone found an effective strategy for securing the data on PDAs and smart phones? For the Secure Storage And Encryption Summit in December (www.sans.org/mclean06/) we have phenomenal user stories of how laptop encryption and back up encryption work (and when they fail and what to do about it) and tips on how to buy and deploy them intelligently. On the other hand, for enterprise rights management, we have not found any users who can demonstrate substantial security benefits. And we are also looking for great user stories on PDA security. Good stories or bad stories are welcome. Email paller@sans.org.
2. Has any contractor or government official figured out a cost-effective way to implement the fourth item in the Office of Management and Budget's encryption and data protection requirement (M06-16) that asks agencies to: "Log all computer-readable data extracts from database holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required." The whole OMB memo is posted at
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
Alan
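One way to operationalize the fourth M06-16 item above is to keep an extract log and an erasure/re-justification log and run a periodic check over both. The script below is an added illustration for this issue, not OMB or agency code; the log formats, the sample records and the rule that a timely "still required" attestation restarts the 90-day clock are all assumptions.

```python
"""Tracker for OMB M06-16 item 4: each logged extract of sensitive data must be
verified erased within 90 days, or its continued use re-justified.
Added example for this newsletter; not code from OMB or any agency."""
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # the 90-day window quoted from M06-16

# Constructed sample extract log (assumed format): id|timestamp|user|source_db|destination
EXTRACT_LOG = """\
X-1001|2006-06-01T09:12:00|jdoe|HR_PII_DB|laptop-42
X-1002|2006-07-20T14:05:00|asmith|HR_PII_DB|usb-token-7
X-1003|2006-10-01T08:30:00|jdoe|BENEFITS_DB|file-share
X-1004|2006-05-10T16:45:00|rlee|HR_PII_DB|laptop-17
X-1005|2006-04-01T07:00:00|asmith|BENEFITS_DB|cd-rom
"""

# Constructed attestation log (assumed format): id|timestamp|ERASED or STILL_REQUIRED
ATTESTATION_LOG = """\
X-1001|2006-08-15T10:00:00|ERASED
X-1002|2006-09-01T11:00:00|STILL_REQUIRED
X-1005|2006-09-01T09:00:00|ERASED
"""


def parse_log(text):
    """Split 'a|b|c' lines into field lists, skipping blank lines."""
    return [line.split("|") for line in text.splitlines() if line.strip()]


def extract_status(extract_log, attestation_log, as_of):
    """Return {extract_id: (status, days)} as of the ISO date string `as_of`.

    status is ERASED, ERASED_LATE, OPEN (days = days left until the deadline)
    or OVERDUE (days = days past the deadline with no verification on file).
    A STILL_REQUIRED attestation filed before the deadline restarts the clock
    (an assumption for this example, not OMB wording); one filed late does not.
    """
    as_of = datetime.fromisoformat(as_of)
    attestations = {}
    for ext_id, ts, kind in parse_log(attestation_log):
        attestations.setdefault(ext_id, []).append((datetime.fromisoformat(ts), kind))

    report = {}
    for ext_id, ts, _user, _db, _dest in parse_log(extract_log):
        clock_start = datetime.fromisoformat(ts)
        erased_at = None
        for when, kind in sorted(attestations.get(ext_id, [])):
            deadline = clock_start + timedelta(days=RETENTION_DAYS)
            if kind == "ERASED":
                erased_at = when
                break
            if kind == "STILL_REQUIRED" and when <= deadline:
                clock_start = when  # re-justified in time: restart the 90-day clock
        deadline = clock_start + timedelta(days=RETENTION_DAYS)
        if erased_at is not None:
            report[ext_id] = ("ERASED" if erased_at <= deadline else "ERASED_LATE", 0)
        elif as_of <= deadline:
            report[ext_id] = ("OPEN", (deadline - as_of).days)
        else:
            report[ext_id] = ("OVERDUE", (as_of - deadline).days)
    return report


if __name__ == "__main__":
    for ext_id, (status, days) in extract_status(EXTRACT_LOG, ATTESTATION_LOG, "2006-10-27").items():
        print(f"{ext_id}: {status} ({days} days)")
```

Run against the constructed logs as of this issue's date, X-1004 (extracted in May, never attested) is reported OVERDUE and X-1005 as ERASED_LATE, which are the two cases an auditor would want surfaced.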
TOP OF THE NEWS
RFID Credit Cards Transmit Some Data in Plaintext
Virginia Legislators call for Paper Voting Records
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Floridian Charged in DDoS Attack on Akamai
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Jump Drives Seized During Arrest Belong to LANL
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Office Joins Windows in Microsoft Genuine Advantage Program
Danish Court Orders ISP to Block Access to AllofMP3.com
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
IE7 Flaw Could Allow Spoofed Addresses in Pop-ups
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computer Holds Data on Colorado Dept. of Human Services Clients
Thumb Drive Missing from TSA Command Center in Portland Holds Employee Data
Error Exposes Macquarie Univ. Alumni eMail Addresses
Medical Records Contractor Notifies 260,000 of Data Breach
MISCELLANEOUS
Microsoft Makes Sender ID Part of its Open Specifications Promise Program
Chicago Elections Web Site Vulnerability Fixed
**************** Sponsored By Core Security Technologies ****************
WIN a $250 BestBuy gift card from Core Security Technologies! Listen to the joint Gartner and SANS webcast as they discuss the future of information security. Register here http://www.sans.org/info/1640
View the webcast and automatically be entered into a drawing for a $250 gift card from Core Security Technologies!
*************************************************************************
Three Great SANS Training Conferences Coming Up (and a $1,000 challenge) San Jose, New Orleans and Washington DC. Shon Harris and Eric Cole will be teaching the CISSP prep courses in San Jose and DC respectively. We'll pay a $1000 prize to any person who is the first to identify a higher rated CISSP prep teacher than Eric and Shon. In DC, Ed Skoudis will be teaching Hacker Exploits, Jason Fossen will be teaching Windows Security, Stephen Northcutt will be teaching comprehensive security management, Josh Wright will be teaching Wireless Security, Mike Poor will be teaching Intrusion Detection, Rob Lee will be teaching Forensics and there are more. The same $1000 challenge goes for every one of them. The faculty sets SANS apart. You have simply never had a better teacher of these topics. Many of those same teachers will also be in New Orleans.
That's why more than 8,000 students have written comments like this one: ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
+++ New Orleans: Nov. 14-21, http://www.sans.org/neworleans06/event.php
+++ San Jose: Dec. 4-9 http://www.sans.org/siliconvalley06/index.php
+++ Washington DC: Dec. 9-16 http://www.sans.org/cdieast06/event.php
*************************************************************************
TOP OF THE NEWS
RFID Credit Cards Transmit Some Data in Plaintext (24 & 23 October 2006)
Academic researchers have found that the new RFID chip-equipped credit cards can transmit sensitive data unencrypted. With the help of an inexpensively-built device, researchers at the University of Massachusetts, Amherst, were able to read a card through the envelope in which it was sent; in some cases, the cardholder's name, card number and expiration date were readable in plaintext. The cards are widely advertised for their convenience of being "no-swipe;" users simply wave the card in front of readers. Some of the companies' ads imply the data on the cards are encrypted. Tests on 20 cards from Visa, MasterCard and American Express found otherwise. The cards can be read through wallets and through clothing. The card issuers maintain that other security measures would prevent the RFID payment system from abuse. The study has been criticized for using a small sample.
-http://news.com.com/2102-1029_3-6128407.html?tag=st.util.print
-http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/print.html
[Editor's Note (Pescatore): The fact that all 20 of the ones they tested have problems is indicative of a big problem. This isn't a popularity contest or an election - the fact that the cards are shipped without even using the security capabilities built into the contactless cards is bad, as is the fact that the individual issuers got to decide whether to turn on features to protect card holder data. The industry response is pure old-style spin; the response should have been "this is bad, we are working hard to fix it". ]
Virginia Legislators call for Paper Voting Records (26 October 2006)
Problems with electronic voting machines in Virginia have prompted state legislators to call for verifiable paper audit trails to "ensure the accuracy of electronic voting" in the state. In some jurisdictions in Virginia, a larger font size on ballot summary pages distorted candidates' names, potentially leading to confusion for voters. Virginia's General Assembly recently rejected a bill requiring the State Board of Elections to develop a program to test electronic voting machines and paper records.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/25/AR2006102501918_pf.html
[Editor's Note (Schultz): Yea for the state of Virginia! Trying to assure that elections are fair and accurate should, as I have said so many times before, be an extremely high priority if the democratic process is truly valued.
(Kreitner): Platoons of lawyers are poised to pounce on any e-voting problems, so paper backup until the e-voting machines have been used for awhile without problems seems prudent. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Floridian Charged in DDoS Attack on Akamai (25 & 24 October 2006)
Charges have been filed against John Bombard of Florida for allegedly launching a distributed denial-of-service (DDoS) attack against Akamai DNS servers. Bombard allegedly used an email worm to create a botnet used in the June 2004 attack. Many Akamai client websites were unavailable for a time; Akamai provides caching services for a number of high profile companies. If Bombard is convicted of the charges of "intentionally accessing a protected computer without authorization," he could face up to two years in prison and a fine of as much as US$200,000.
-http://news.com.com/2102-7350_3-6129226.html?tag=st.util.print
-http://www.theregister.co.uk/2006/10/24/akamai_ddos_attack_man_charged/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004436&intsrc=news_ts_head
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Jump Drives Seized During Arrest Belong to LANL (26 October 2006)
Three computer jump drives seized during an arrest at a Los Alamos (NM) mobile home are believed to contain classified information from Los Alamos National Laboratory (LANL). Los Alamos police suspected some of the confiscated items belonged to LANL, which LANL confirmed; the FBI has been called in to investigate the case. A woman living at the mobile home at one time worked as a data entry clerk for a LANL subcontractor.
-http://www.lamonitor.com/articles/2006/10/25/headline_news/news01.txt
-http://federaltimes.com/index.php?S=2313329
-http://www.lamonitor.com/articles/2006/10/26/headline_news/news01.txt
-http://www.techworld.com/security/news/index.cfm?newsID=7197&pagtype=all
[Editor's Note (Shpantzer): Note that the initial raid was not an FBI raid searching for missing classified information but rather a local Los Alamos police response to a domestic violence call to the residence. At that point they happened upon drug paraphernalia and observant detectives noticed the markings on the thumb drives as they processed the crime scene. Then the FBI was called in to specifically look for more evidence of the classified data incident. Perhaps most disturbing is the claim by the arrested resident that he obtained one of the drives from several local men in exchange for methamphetamine. He vaguely remembers that, before erasing the information and using the drive for personal reasons, he saw that the drive contained information about nuclear waste sites around Los Alamos. His parents both work at the lab and will undoubtedly be subject to intense scrutiny as part of the overall investigation.
(Weatherford): There are two breakdowns here. 1) A data entry clerk with a security clearance and a nefarious personal life (I know, I know...don't be naive) and 2) storing classified information on a jump drive. Is that an authorized practice at Los Alamos? I know this is a difficult problem and throwing stones is a dangerous practice, but how many of these incidents is it going to take for classified government facilities to have strict and enforceable guidance on the use of thumb drives (and other storage devices) in the workplace? How about disabling USB ports on systems that process classified information? While LANL may employ a bunch of rocket scientists...this isn't rocket science, and the casual observer might conclude that they are still not taking security seriously.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Office Joins Windows in Microsoft Genuine Advantage Program (26 October 2006)
Microsoft has launched another Genuine Advantage program, this time for its Office productivity and collaboration suite. As of Friday, October 27, users downloading Office Online templates from Office 2007 Microsoft Office System applications will face mandatory anti-piracy checks. Starting in January, Office Update users will be subject to the same requirements.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004468&intsrc=news_ts_head
[Editor's Note (Schultz): Microsoft's launching yet another "Genuine Advantage" program is only adding fire to fire. The least Microsoft could and should do is in fairness to the public point out that any "advantages" of this program belong to Microsoft, not users.
(Shpantzer): Microsoft did this with Windows a while ago, and we noted in Newsbites the security issue that this raises: If Microsoft prevents users of counterfeit/pirated software from accessing critical security updates, the overall effect is to create a massive, permanently insecure set of computers, running unpatched software. If Microsoft wants to degrade the user experience for pirated software, that's one thing. I would ask them only to allow everybody in the MS software user population to access critical security updates, since Microsoft's paying customers, and Microsoft itself, are all downrange from these unpatched systems. ]
Danish Court Orders ISP to Block Access to AllofMP3.com (26 October 2006)
A Danish court has ordered Internet service provider (ISP) Tele2 to block access to AllofMP3.com, a Russian music-downloading site that has been at the center of a copyright violation controversy. AllofMP3 says what it does is legal, but groups authorized to collect royalties from such businesses say the site violates copyright law. Tele2 plans to appeal the ruling. Visa and MasterCard recently decided not to take payments from AllofMP3.com.
-http://www.theregister.co.uk/2006/10/26/itnueski_banned/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
IE7 Flaw Could Allow Spoofed Addresses in Pop-ups (26 October 2006)
A flaw in the newly released Internet Explorer 7 (IE7) allows websites to display pop-up ads that contain spoofed addresses. The flaw could be exploited by phishers. The problem exists because the pop-up ad blocks part of the address in the IE7 address bar. Known phishing sites cannot be used in such an attack. Microsoft is investigating the problem.
-http://software.silicon.com/security/0,39024655,39163560,00.htm
-http://www.theregister.co.uk/2006/10/26/ie7_spoofing_bug/print.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computer Holds Data on Colorado Dept. of Human Services Clients (26 October 2006)
A desktop computer stolen from the Dallas-based Affiliated Computer Systems holds personally identifiable data belonging to certain Colorado Department of Human Services clients. Affiliated Computer Systems operates the Department of Human Services Family Registry. The data on the computer deals with child support payments. The computer was in a secure area monitored by surveillance cameras. Affected clients have been notified. The theft occurred the weekend of October 14/15. Detectives are investigating the theft with assistance from the Colorado Bureau of Investigation and Human Services Department officials.
-http://www.thedenverchannel.com/news/10162004/detail.html
[Editor's Note (Paller): This case provides graphic proof of the need for governments to include clauses in each contract requiring the contractor to put specific security procedures in place. Although this article is about a state case, the federal government's similar unwillingness to demand security excellence in its $65 billion in IT procurement is one of the greatest failures of leadership in the cyber security field. ]
Thumb Drive Missing from TSA Command Center in Portland Holds Employee Data (25 October 2006)
A thumb drive has been reported missing from the Transportation Security Administration's (TSA) command center at Portland (OR) International Airport. Mike Irwin, federal security director at PDX, says it is likely the drive was inadvertently swept into the trash. When the drive was backed up one month ago, it held names, Social Security numbers (SSNs) and other personal data of all current employees and 400 former employees.
-http://www.oregonlive.com/newsflash/regional/index.ssf?/base/news-17/116179555334230.xml&storylist=orlocal
[Editor's Note (Northcutt): We need to send that security director back to school; he also said the information wouldn't be of use to terrorists.
(Tan): Information leaks through thumb drives and USB storage tokens are a growing threat, particularly because storage capacity keeps growing. These devices are small, portable and get lost or stolen easily. The risk is not only about data loss. These devices can also be used to introduce malware into your system to steal data if a token is picked up from an unknown source. A good article to read about this:
-http://www.securityfocus.com/news/11397 ]
Error Exposes Macquarie Univ. Alumni eMail Addresses (25 October 2006)
Macquarie (Australia) University alumni have expressed anger and disappointment after the university's Alumni Office inadvertently sent all alumni a database of all alumni email addresses. Macquarie University has issued an apology, adding that school "IT services has today reviewed the processes for distribution of alumni correspondence and introduced additional technical and operational controls to ensure that this incident does not recur."
-http://www.australianit.news.com.au/articles/0,7204,20642216%5E15306%5E%5Enbv%5E,00.html
Medical Records Contractor Notifies 260,000 of Data Breach (24 October 2006)
The Sisters of St. Francis Health Services are sending letters to 260,000 patients whose data were on CDs that were temporarily misplaced. The data breach affects patients from 12 hospitals, 10 in Indiana and two in Illinois. The disks contained patient names, SSNs and other personal data. The disks, which a contractor had copied from hospital files to work on at home, were in a computer bag that was returned to a store. A person who bought the returned bag several days later returned the disks. The incident occurred last summer; St. Francis began the notification process on October 9.
-http://www.msnbc.msn.com/id/15403873/
-http://www.wthr.com/Global/story.asp?S=5578184&nav=9Tai
MISCELLANEOUS
Microsoft Makes Sender ID Part of its Open Specifications Promise Program (25, 24 & 23 October 2006)
Microsoft will make its Sender ID email authentication technology publicly available as part of its Open Specifications Promise program. This means that "users will be able to implement, commercialize and modify Microsoft's patented email authentication technology without having to sign a licensing agreement" and without fear of being sued by Microsoft. Microsoft views the decision as a step in the direction of promoting interoperability within the industry.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61962088-39000005c
-http://www.informationweek.com/news/showArticle.jhtml?articleID=193402052
-http://www.microsoft.com/presspass/press/2006/oct06/10-23OSPSenderIDPR.mspx
Chicago Elections Web Site Vulnerability Fixed (24 October 2006)
The city of Chicago is investigating reports of a vulnerability in an elections web site that could have been exploited to access SSNs of 1.3 million registered Chicago voters. The hole has been repaired and a forensic investigator will determine if any information was accessed while the vulnerability existed. The Illinois Ballot Integrity Project alerted election officials to the problem last week. The site holds approximately 780,000 SSNs.
-http://www.smh.com.au/news/Technology/Watchdog-group-finds-security-flaw-in-Chicago-elections-Web-sitecity-investigating/2006/10/24/1161455722063.html
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/