SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #86

October 31, 2006

Update on Control Systems Hacking and Extortion

Questions were raised about our veracity after we mentioned industrial control systems (that run dams and power plants and pipelines and more) had actually been penetrated by criminals. Yesterday at the Federal Executive Leadership Conference in Williamsburg, VA, a representative of the Intelligence Community confirmed to 200 senior government and industry people that multiple critical infrastructure organizations had been penetrated and threatened with major outages if they did not pay extortion. The additional data made public yesterday was that all known extortion attacks against control systems took place were outside the US. US utilities and pipeline companies will not confirm or deny that they, too, have been victimized and have paid extortion.

Also, for all network defenders, the threat map is changing again. Competition among attackers has led to their targeting a relatively new and very fertile set of target vulnerabilities that nearly every organization has and fewer than three in ten are protecting. We'll announce the new top 20 Internet security vulnerabilities on November 15.

Alan

---

TOP OF THE NEWS

Diebold Replaced Motherboards in 4,700 Maryland Voting Machines
Microsoft Wins Precedent-Setting Spam Case in Germany
Twenty-Four Countries Meet Visa Waiver Program ePassport Deadline

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Finnish Judge Convicts 22 of Copyright Violations
Australia Nets First Conviction Under Spam Act
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Segregation of Data Urged for Real ID Act Information
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Window Injection Flaw in IE 7
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breaches Compromise Data at Children's Hospital in Akron
Denver DA Warns of Personal Data Stolen Via LimeWire
Gymboree Hired Detective to Track Down Laptop Thief
STATISTICS, STUDIES & SURVEYS
Ireland Cyber Crime Survey Results Due in December
MISCELLANEOUS
FBI Raids Home of Student Who Created Phony Boarding Pass Generator
One Million Chinese ID Numbers are Duplicates

---

********************* Sponsored By Symark Software **********************

Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo."
http://www.sans.org/info/1659

*************************************************************************

Security Training Update:

Amsterdam (the Security Essentials class was sold out, but we added another section); Hacker Exploits has only 4 seats left: http://www.sans.org/amsterdam06/
New Orleans: All 12 tracks are open: http://www.sans.org/neworleans06
Washington, DC: All 18 tracks are open: http://www.sans.org/cdieast06/
Secure Storage and Encryption Summit: only 38 seats left.
http://www.sans.org/mclean06

Full calendar: http://www.sans.org/training_events/?ref=1433

*************************************************************************

---

TOP OF THE NEWS

Diebold Replaced Motherboards in 4,700 Maryland Voting Machines (27 & 26 October 2006)

Maryland State Board of Elections Chairman Gilles W. Burger is having attorneys look into the possibility that Diebold Election Systems violated the terms of its contracts with the state when it quietly replaced motherboards on 4,700 voting machines in four counties. The boards were replaced to address a problem that caused the machines' screens to freeze. Burger says the board was informed in 2005 that Diebold was conducting a "technology refresh" of some voting machines, but were never told that motherboards were being replaced.
-http://www.usatoday.com/tech/news/2006-10-27-diebold-fixes_x.htm
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/25/AR2006102501907_
pf.html
[Editor's Note (Honan): The thoughts of a supplier going around and surreptitiously replacing hardware in voting machines does little to instill faith and confidence in the security of either the technology or the supplier.
(Kreitner): Given the recent TV coverage describing how e-voting machines are being stored at poll workers' homes because many local municipalities don't have any budget to pay for e-machine storage, I wonder if Diebold went around ringing doorbells to find the 4,700 machines.
(Schultz): Diebold's actions continually contribute to the growing negative perception of electronic voting.
(Northcutt): If you live in Maryland and you want your vote to count, consider voting via absentee ballot. Electronic voting hassles are not a new problem, a number of studies showed there were significant potential problems before they went ahead and acquired the machines:
-http://www.citypaper.com/news/story.asp?id=6247
And this will certainly add to the headaches for Linda Lamone, State Board of Elections administrator:
-http://www.votetrustusa.org/index.php?option=com_content&task=view&id=83
2&Itemid=113
-http://www.truevotemd.org/litigation_complaint.asp
A final thought: what is a "voting machine?" It could range from a device that scans a paper ballot to something you actually use to vote:
-http://en.wikipedia.org/wiki/Voting_machine]

Microsoft Wins Precedent-Setting Spam Case in Germany (27 & 26 October 2006)

Microsoft has won a case against a spammer in Germany despite that country's lack of an anti-spam law. The unnamed man was found guilty of sending unsolicited email with spoofed Hotmail return addresses without Microsoft's permission; violation of trademark is a criminal offense in Germany. The ruling sets a precedent for legal action against spammers in Germany. The man must also pay damages for the spam sent and the spam received.
-http://www.networkworld.com/news/2006/102606-microsoft-wins-case-against-german.
html
-http://www.heise.de/english/newsticker/news/80142
[Editor's Note (Honan): Germany does have laws covering SPAM, i.e., "Article 7 Gesetz gegen Unlauteren Wettbewerb (UWG)", see
-http://www.oecd-antispam.org/rubrique.php3?id_rubrique=27.]

Twenty-Four Countries Meet Visa Waiver Program ePassport Deadline (27 October 2006)

All but three of the 27 countries participating in the US Visa Waiver Program (VWP), which allows citizens to visit the US without a visa, have implemented e-passports with embedded biometric data. The US Department of Homeland Security (DHS) set October 26, 2006 as the deadline for countries to comply with the ePassport requirement if their citizens wish to continue to take advantage of the VWP. Otherwise, people will need a visa to visit the US. DHS says it will work with the remaining three countries, Andorra, Brunei and Liechtenstein, to help them comply with the requirements. The VWP applies to most citizens of participating countries who are visiting the US for 90 days or less. Travelers may also take advantage of VWP if they have machine-readable passports issued before 10/26/05 or machine-readable passports with digital photographs issued between 10/26/05 and 10/25/06.
-http://www.fcw.com/article96613-10-27-06-Web
-http://www.dhs.gov/xlibrary/assets/vwp_travelerguide.pdf
-http://travel.state.gov/visa/temp/without/without_1990.html

---

************************ Sponsored Links: *****************************

1) ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" - White Paper
http://www.sans.org/info/1660

2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info/1661

3) Stop spyware on your network - read our white paper, Defending Against Web-Borne Threats. Click here!
http://www.sans.org/info/1662

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Finnish Judge Convicts 22 of Copyright Violations (30 October 2006)

A Finnish judge has ordered 22 individuals to pay damages of more than EUR420,000 (US$534,000) for violating copyright laws by operating a peer-to-peer file sharing network. The plaintiffs, who included software and media companies, were seeking damages of _3.5 million (US$4.45 million). Individuals were fined between EUR60 and EUR690 (US$76 - -US$877). The people were also ordered to pay investigation and court costs of more than _140,000 (US$178,000). The network, known as Finreactor, was used to share movies, games and software.
-http://www.theregister.co.uk/2006/10/30/finns_convicted/print.html
-http://www.hs.fi/english/article/File+sharing+website+brings+heavy+damages+in+co
pyright+case/1135222603756

Australia Nets First Conviction Under Spam Act (27 October 2006)

Australia has seen its first conviction under its stringent Spam Act of 2003. Clarity1 Pty Ltd was fined AUD$4.5 million (US$3.46 million) and its director, Wayne Mansfield, AUD$1 million (US$768,000) for sending 280 million unsolicited commercial emails over the course of two years. Approximately 25 percent, or 73 million, of the messages were delivered successfully. Australia's Federal Court has also banned Clarity1 from sending unsolicited email in the future.
-http://www.theage.com.au/news/Technology/Australian-business-fined-over-spam-ema
ils/2006/10/27/1161749298339.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Segregation of Data Urged for Real ID Act Information (23 October 2006)

Speaking at a recent conference, Center for Democracy and Technology executive director Leslie Harris urged government entities to keep databases of information gathered by motor vehicle departments to verify individuals' identities separate from other computer systems. The DMVs are required to store electronic copies of documents such as birth certificates to ensure that each individual is issued no more than one license. There is concern that because of the amount spent on creating the systems for the DMVs required under the Real ID Act of 2005, state officials could be tempted to use the information for other purposes to get the most from its spending. Harris suggested that DHS include privacy protection in their regulations for implementing the Real ID Act. There is currently no mention of privacy or security in the Real ID Act.
-http://www.fcw.com/article96547-10-23-06-Web
[ Editor's comment (Northcutt): DMVs are VERY bad places to store sensitive personal data; check this out:
-http://www.cdt.org/privacy/030131motorvehicle.shtml]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Window Injection Flaw in IE 7 (30 October 2006)

Reports are circulating that another security-related flaw in Microsoft's recently-released Internet Explorer 7 (IE 7) has been detected. The flaw, which is the same window injection vulnerability that has plagued earlier versions of IE for several years, allows attackers to spoof the contents of a pop-up window on a trusted web site. Microsoft has never issued a patch to address the flaw; a company spokesperson says Microsoft does not consider it a vulnerability. This is the third security-related flaw to be reported in IE 7 since its release on October 19.
-http://news.com.com/2102-1002_3-6130614.html?tag=st.util.print
-http://www.eweek.com/article2/0,1895,2047195,00.asp

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Breaches Compromise Data at Children's Hospital in Akron (30 & 28 October 2006)

A breach of two computer databases at Children's Hospital in Akron, Ohio has compromised personal information belonging to approximately 230,000 patients and family members and 12,000 individuals who have made donations to the hospital. Hospital officials became aware of the intrusion on September 6, but did not contact the FBI until October 20. Consultants initially told the hospital the breaches were not significant, but the hospital later became aware the breaches were more serious than first believed. The hospital began sending out notification letters on October 25 to those whose data were compromised; all the letters are expected to be sent by October 30.
-http://www.theregister.co.uk/2006/10/30/ohio_hospital_hack/print.html
-http://www.centredaily.com/mld/centredaily/news/nation/15871658.htm
-https://www.akronchildrens.org/cms/site/16e6640c0d4a89d8/index.html

Denver DA Warns of Personal Data Stolen Via LimeWire (28 October 2006)

The Denver district attorney's office is warning that thousands of people could be at risk of having their personal information stolen if they or someone who uses their computer has installed the LimeWire file-sharing program. A routine theft investigation at a Denver apartment turned up tax records, bank account information and on-line bill paying information for approximately 75 people and businesses across the country. The information appears to have been stolen from people's computers through LimeWire. Either someone figured out how to exploit the software to access all files on people's computers, or the victims of the theft had not taken adequate precautions to secure their information. The Denver DA's office urges people to uninstall LimeWire and other file-sharing programs from their computers.
-http://test.denverpost.com/nuggets/ci_4564807
-http://www.9news.com/acm_news.aspx?OSGNAME=KUSA&IKOBJECTID=8cf3b55e-0abe-421
a-00db-6dc555c93c82&TEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf

Gymboree Hired Detective to Track Down Laptop Thief (27 October 2006)

San Francisco-based Gymboree hired a private detective to track down the person who stole three laptop computers that contain personally identifiable information of 20,000 Gymboree employees. Gymboree has provided police with information on someone it believes to be a suspect in the case. Gymboree sent letters to all affected employees this month informing them of the theft. The data on the computers are unencrypted and include names and SSNs. Although the thefts were reported to San Francisco police promptly, the police did not offer much hope the computers would be recovered. The practice of hiring private investigators on cases such as Gymboree's appears to be on the rise. Law enforcement agencies do not have the manpower to investigate all such thefts. Just three percent of missing laptops are ever recovered, according to a study from the Ponemon Institute; the study also found that 81 percent of the companies participating in the study had laptops missing or stolen last year.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/10/27/BUG
QPM0HOO1.DTL&type=printable
[Editor's Note (Honan): Installation of software such as Computrace (
-http://www.absolute.com/)
and Ztrace (
-http://www.ztrace.com)
would save these companies a lot of money on private investigator fees. ]

STATISTICS, STUDIES & SURVEYS

Ireland Cyber Crime Survey Results Due in December (27 October 2006)

ISSA Ireland and University College Dublin (UCD) have launched a cyber crime survey that will collect data from end user organizations regarding types of cyber crimes experienced, the effect cyber crime has had on loss of business and productivity, methods used to detect cyber crimes and how the organizations respond to cyber crimes. The data will be collected through November; the results of the study will be published in mid-December. The survey will likely be repeated in future years.
-http://www.siliconrepublic.com/news/news.nv?storyid=single7270
[Editor's Note (Honan): Having hard, reliable facts and statistics focused on your constituency can be invaluable in deciding how to best spend your infosec budget. If you are an Irish based reader I urge you to partake in this study to help us all better allocate those precious budget.]

MISCELLANEOUS

FBI Raids Home of Student Who Created Phony Boarding Pass Generator (30 October 2006)

FBI agents seized computers and other equipment from the home of an Indiana University graduate student who created a phony airline boarding pass generator. Christopher Soghoian created the web site to demonstrate how easy it would be for determined individuals to circumvent security measures. He received a visit from the FBI on Friday, October 27, at which time agents asked him to take down the site. When Soghoian tried, he found the site had already been removed. The raid on his home occurred early Saturday, October 28; Soghoian was not at home at the time.
-http://www.securityfocus.com/brief/342

One Million Chinese ID Numbers are Duplicates (23 October 2006)

China's Ministry of Public Security (MPS) is taking steps to address the problem of duplicated identity numbers. The 18-digit numbers are assigned to Chinese citizens when they turn 16; each number is supposed to be unique, but it is estimated that 1 million people have duplicated numbers. Because the numbers are linked to so much of people's lives, including bank accounts, education certificates and crime records, being misidentified can pose serious problems. There have been complaints of people being unable to apply for driver's licenses because someone with the same number has already been granted a license.
-http://news.xinhuanet.com/english/2006-10/23/content_5239972.htm

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/