SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #87
November 03, 2006
TOP OF THE NEWS
Twelve Hundred Dutch Voting Machines Deemed Unusable
Lawsuit Filed Against Hospital Group for Mishandling of Patient Data
GAO Report Urges Establishment of a Cyber Security R&D Agenda
MAJOR FLAWS IN SECURITY PROGRAMS
Exploit Code Can Disable The Windows Firewall
Cisco Fixes flaw in Security Agent Management Center (CSAMC)
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS, SENTENCES & OTHER LEGAL ACTION
Compulinx Owner Indicted on Fraud and Conspiracy Charges
SPYWARE, SPAM & PHISHING
Domain Name Resellers Fail to Filter Out Potential Phishing Sites
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
UK Copyright Laws Need to Change, Says Think Tank
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
JavaScript Vulnerability in Firefox 2 Could Crash Browser
ActiveX Flaw in Visual Studio 2005
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thieves Disrupt Technology Services
FBI Investigating Malware Infection at PA Water Treatment Plant
Wisconsin HS Student Expelled for Allegedly Breaking into School District Computer System
CORRECTION AND UPDATE: Security Language in the Real ID Act
********************* Sponsored By SenSage, Inc. ************************
Data collection, event log integration, reporting coverage, analysis and accessibility, the investigation process - these are just a few of the questions you need answered before you purchase a SIM solution. Find out the answers in SenSage's white paper "Top 10 Questions You Must Ask Before You Buy a SIM Solution." http://www.sans.org/info/1760
*************************************************************************
Security Training Update:
Amsterdam (the Security Essentials class was sold out, but we added another section); Hacker Exploits has only 4 seats left: http://www.sans.org/amsterdam06/
New Orleans: All 12 tracks are open: http://www.sans.org/neworleans06
Washington, DC: All 18 tracks are open: http://www.sans.org/cdieast06/
Secure Storage and Encryption Summit: only 38 seats left: http://www.sans.org/mclean06
Full calendar: http://www.sans.org/training_events/?ref=1433
*************************************************************************
TOP OF THE NEWS
Twelve Hundred Dutch Voting Machines Deemed Unusable (31 October 2006)
After tests demonstrated that certain electronic voting machines could allow data to be intercepted from 20 or 30 meters away, the Dutch General Intelligence and Security Service (AIVD) has ruled that the 1,200 machines manufactured by Sdu may not be used in next month's elections. Certain municipalities will have to vote with pencil and paper, though others may choose to use other voting machines. Some people have claimed that machines made by Nedap, which account for 90 percent of voting machines used in the country, are vulnerable to hacking, but AIVD testing found no significant threat.
-http://www.theregister.co.uk/2006/10/31/dutch_votingmachines_inadequate/print.html
[Editor's Note (Schmidt): This is a recurring theme all around the world and we still are not getting enough traction behind this issue. Granted, it is only one of the many technology security issues but one that needs to be dealt with. See this report to get a deeper sense of what is going on.
-http://www.brennancenter.org/programs/dem_vr_hava_modsecurity.html
(Boekman): Electronic emissions have been a security concern in military environments for a long time, and they are just as applicable to voting machines. Based on the long list of security problems with voting machines in the U.S. I would put this near the bottom of the list of things voters need to worry about here. It is good to see the Dutch take this so seriously. ]
Lawsuit Filed Against Hospital Group for Mishandling of Patient Data (31 October 2006)
A lawsuit has been filed against the Sisters of St. Francis Health Services Inc. for allegedly violating Health Insurance Portability and Accountability Act (HIPAA) regulations and failing to promptly notify individuals whose data were compromised in a security breach last summer. The lawsuit was filed by one man on behalf of all those whose data were exposed. The suit seeks damages of no less than US$5,000 for each individual affected. The breach occurred in July 2006 when a contractor working for the hospital left CDs containing personally identifiable information of 260,000 patients and other people associated with the hospitals in a laptop case that was returned to a store. Those affected were not notified of the breach until October.
-http://www.indystar.com/apps/pbcs.dll/article?AID=2006610310448
-http://www.jconline.com/apps/pbcs.dll/article?AID=/20061031/NEWS09/61031011/-1/ARCHIVE
[Editor's Note (Schultz): This development may turn out to be extremely significant. I suspect that many organizations that store, process and transmit medical data have done what they could to meet HIPAA requirements, even though considerable ambiguity in how exactly to meet these requirements still exists. A HIPAA violation could result in a certain amount of fines and other penalties, but getting sued by individuals for medical information compromises could end up being much more costly. ]
GAO Report Urges Establishment of a Cyber Security R&D Agenda (1 November/31 October 2006)
According to a report from the Government Accountability Office (GAO) titled Coordination of Federal Cyber Security Research and Development, US government agencies have yet to establish "a federal cyber security research agenda ... as recommended in the National Strategy to Secure Cyberspace." There is little or no coordination or information sharing between agencies regarding security research. Failure to establish an agenda could threaten the government's ability to protect systems from cyber attacks. The report recommends that the White House Office of Science and Technology Policy develop a timeline for an information security R&D agenda.
-http://www.fcw.com/article96662-11-01-06-Web&printLayout
-http://www.gcn.com/online/vol1_no1/42465-1.html?topic=security
-http://www.govexec.com/story_page.cfm?articleid=35386&printerfriendlyVers=1
-http://www.gao.gov/new.items/d06811.pdf
MAJOR FLAWS IN SECURITY PROGRAMS
Exploit Code Can Disable the Windows Firewall (1 November/30 October 2006)
Exploit code that can be used to disable the Windows Firewall on some Windows XP machines has been posted to the Internet. The exploit code could be used against fully patched XP systems running Internet Connection Sharing (ICS). The firewall is disabled by causing ICS to crash. Some have pointed out that the risk from this code is being exaggerated: several mitigating factors make the flaw difficult to exploit. First, the attacker would have to be on the same LAN as the target PC. Second, the attack works only on systems with ICS turned on, and ICS is disabled by default. Finally, the attack would have no effect on a third-party firewall.
-http://www.networkworld.com/news/2006/103006-new-windows-attack-can-kill.html
-http://www.vnunet.com/vnunet/news/2167691/experts-downplay-windows
-http://www.theregister.co.uk/2006/11/01/windows_firewall_exploit_hype/print.html
[Editor's Note (Ullrich): Yet another case where a feature designed to provide additional security is vulnerable in itself. Just because a feature (like the very simple DNS "proxy" in this case) is coded to be part of a security feature doesn't mean it's coded any better than the systems it is trying to protect. It is important to recognize that while ICS interacts with the Windows Firewall, the two services are enabled independently. You may very well disable ICS without disabling the Windows firewall. On the other hand, using a full featured PC as a firewall and router is not necessarily the most appropriate option. Consider, instead, the use of a cheap dedicated appliance as your firewall. ]
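One check a practitioner will want after reading this item, added here as an example (it is not code from the articles, from Microsoft, or from the exploit's author): on Windows XP the Windows Firewall and ICS run inside a single service, SharedAccess (display name "Windows Firewall/Internet Connection Sharing (ICS)"), so a crash of the ICS DNS proxy takes the firewall down with it, silently. The Service Control Manager records such a crash in the System log as event 7034 (or 7031) and the resulting state change as event 7036. The script below walks a CSV export of that log and reports whether the firewall service is currently down. The event IDs, service display name and message wording are the real Windows ones; the log rows, timestamps and CSV layout are constructed for the example.

```python
"""Spot a Windows XP host whose firewall service crashed and never came back.

Added example, not code from the article or from Microsoft. The CSV rows
below are constructed; the SCM event IDs and service name are real.
"""
import csv
import io

# Service Control Manager event IDs for an unexpected service termination.
CRASH_EVENT_IDS = {"7031", "7034"}
# SCM event ID for a routine service state change ("entered the running/stopped state").
STATE_CHANGE_ID = "7036"
# Names under which the XP firewall/ICS service appears in SCM messages.
FIREWALL_SERVICE_NAMES = (
    "Windows Firewall/Internet Connection Sharing (ICS)",
    "SharedAccess",
)

# Constructed System-log export (Time,Source,Event ID,Description), not a real capture.
CONSTRUCTED_LOG = """\
Time,Source,Event ID,Description
2006-11-01 09:12:03,Service Control Manager,7036,The Print Spooler service entered the running state.
2006-11-01 09:15:44,Service Control Manager,7034,The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly.  It has done this 1 time(s).
2006-11-01 09:15:45,Service Control Manager,7036,The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
2006-11-01 09:20:10,Service Control Manager,7036,The Task Scheduler service entered the running state.
2006-11-01 09:31:02,Service Control Manager,7034,The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).
"""


def mentions_firewall(description: str) -> bool:
    """True if an SCM message is about the firewall/ICS service."""
    return any(name in description for name in FIREWALL_SERVICE_NAMES)


def firewall_state_timeline(log_text: str):
    """Walk the log in order and return (time, "down"|"up") transitions
    for the firewall service. Crashes and explicit stops count as "down";
    a later 7036 "entered the running state" counts as "up"."""
    transitions = []
    for row in csv.DictReader(io.StringIO(log_text)):
        eid, desc = row["Event ID"], row["Description"]
        if not mentions_firewall(desc):
            continue
        if eid in CRASH_EVENT_IDS or (eid == STATE_CHANGE_ID and "stopped state" in desc):
            transitions.append((row["Time"], "down"))
        elif eid == STATE_CHANGE_ID and "running state" in desc:
            transitions.append((row["Time"], "up"))
    return transitions


def firewall_crashes(log_text: str):
    """Return the (time, description) of every unexpected termination of the firewall service."""
    return [
        (row["Time"], row["Description"])
        for row in csv.DictReader(io.StringIO(log_text))
        if row["Event ID"] in CRASH_EVENT_IDS and mentions_firewall(row["Description"])
    ]


def host_is_unfirewalled(log_text: str) -> bool:
    """True if the most recent firewall-service transition left it down.
    A crash followed by a restart is not flagged; a crash with no restart is."""
    timeline = firewall_state_timeline(log_text)
    return bool(timeline) and timeline[-1][1] == "down"


if __name__ == "__main__":
    for when, desc in firewall_crashes(CONSTRUCTED_LOG):
        print(f"{when}  CRASH  {desc}")
    print("host unfirewalled:", host_is_unfirewalled(CONSTRUCTED_LOG))
```

Note the order of checks matters: the 7034 crash and the 7036 "stopped state" event arrive a second apart, and only the last transition decides whether the host is still exposed, which is what an alert should key on. A third-party firewall, as the item says, is unaffected by this service going away and would need its own check.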
Cisco Fixes Flaw in Security Agent Management Center (CSAMC) (1 November 2006)
Cisco has patched a critical flaw in its Security Agent Management Center (CSAMC) that could be exploited to change policies within the application. The system could then be used to launch further attacks. The flaw affects CSAMC version 5.1 with hotfixes earlier than 5.1.0.79 and with Lightweight Directory Access Protocol (LDAP) authentication enabled.
-http://www.crn.com/showArticle.jhtml%3Bj?articleID=193501135
[Editor's Note (Northcutt): I just finished reading Self-Defending Networks by Cisco Press. Page 25 has a caution, "A self-defending network is a very powerful concept. However, be aware that a self-defending network can automatically configure network devices, reroute and deny network traffic, and may result in false positives." So true, but imagine the horror of being able to create a botnet out of enterprise networks because of flaws in their security software.]
************************ Sponsored Links: *****************************
1) Security professionals will focus on fighting the most common threats to data at the SANS Secure Storage & Encryption Summit, December 6-7.
http://www.sans.org/info/1761
2) SANS WhatWorks Webcast: Lessons Learned In Deploying Log Management as an Early Warning System at Manulife Tuesday, November 07 at 9:00 AM EST (1400 UTC/GMT)
http://www.sans.org/info/1762
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS, SENTENCES & OTHER LEGAL ACTION
Compulinx Owner Indicted on Fraud and Conspiracy Charges (2 & 1 November 2006)
Two men have been indicted on charges of fraud and conspiracy for using the names, addresses and Social Security numbers (SSNs) of Compulinx employees to obtain loans, credit cards and lines of credit. Terrence Chalk, who owns the managed services firm Compulinx, could face a maximum sentence of 165 years in prison and a fine of US$5.5 million; his nephew, Damon Chalk, could face up to 35 years in prison and a US$1.25 million fine.
-http://news.com.com/2102-7348_3-6131949.html?tag=st.util.print
-http://www.informationweek.com/security/showArticle.jhtml?articleID=193501071&subSection=Cybercrime
SPYWARE, SPAM & PHISHING
Domain Name Resellers Fail to Filter Out Potential Phishing Sites (31 October 2006)
Some domain name resellers are offering domain names that seem best suited to phishers. Some of the domain names clearly indicate they are intended to impersonate certain financial institutions; others employ subtle variations on common names of financial organizations to trick surfers. One of the resellers says it tries to pull questionable domain names from its listings, but it handles such a large volume that it cannot filter them all.
-http://www.theregister.co.uk/2006/10/31/domain_resale_market/print.html
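The "subtle variations" the item describes are exactly what a cheap pre-listing filter can catch. The script below is an added example (not code from the article or from any reseller) of such a filter: it reduces each domain to the label the registrant chose, folds look-alike characters (1/l/i, 0/o, rn/m) onto one form, and then compares that against a list of protected brands by exact match, edit distance and substring. The brand list, the whitelist of the brands' real domains and the sample listing are all constructed; a real deployment would use the Public Suffix List instead of the tiny second-level table here.

```python
"""Heuristic filter for domain names that imitate protected brands.

Added example for the reseller-filtering story; not code from the article or
any registrar. Brands, whitelist and sample listing are constructed.
"""

# Brands to protect and the domains they really use (constructed sample data).
BRANDS = ["paypal", "citibank", "barclays"]
LEGITIMATE = {"paypal.com", "citibank.com", "barclays.co.uk"}

# Fold characters that look alike on screen onto one representative so that
# "c1tibank" and "citibank" canonicalise to the same string. Two-character
# confusables ("rn" for "m", "vv" for "w") are handled with str.replace first.
CANON = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s",
                       "7": "t", "$": "s", "@": "a"})

# Labels treated as second-level suffixes (e.g. example.co.uk). Deliberately
# tiny: use the Public Suffix List in practice.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def canon(s: str) -> str:
    """Canonical 'skeleton' of a label: confusables collapsed to one glyph each."""
    return s.replace("rn", "m").replace("vv", "w").translate(CANON)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label the registrant chose, lower-cased, hyphens dropped so that
    "paypal-login" is compared as "paypallogin"."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        label = labels[-3]
    elif len(labels) >= 2:
        label = labels[-2]
    else:
        label = labels[0]
    return label.replace("-", "")


def classify(domain: str):
    """Return (verdict, brand). Verdicts: legitimate, brand-on-other-tld,
    confusable, typo, brand-embedded, clean. Typo is tested before substring
    so that "paypall" is reported as a typo rather than as "paypal" embedded."""
    if domain.lower() in LEGITIMATE:
        return "legitimate", None
    label = registrable_label(domain)
    clabel = canon(label)
    for brand in BRANDS:
        cbrand = canon(brand)
        if label == brand:
            return "brand-on-other-tld", brand
        if clabel == cbrand:
            return "confusable", brand
        if levenshtein(clabel, cbrand) <= 1:
            return "typo", brand
        if cbrand in clabel:
            return "brand-embedded", brand
    return "clean", None


def review(domains):
    """Map each domain to its verdict; anything but legitimate/clean is held for a human."""
    return {d: classify(d) for d in domains}


# Constructed sample listing, not taken from any reseller's catalogue.
SAMPLE_LISTING = [
    "paypal.com", "paypa1.com", "paypal-login.com", "paypall.com", "paypal.net",
    "secure-citibank.co.uk", "c1tibank-verify.com", "barclays.co.uk",
    "weatherblog.net",
]

if __name__ == "__main__":
    for domain, (verdict, brand) in review(SAMPLE_LISTING).items():
        print(f"{domain:25s} {verdict:20s} {brand or ''}")
```

The folding step is the part that matters against the "subtle variations" in the story; plain string matching misses "c1tibank", and edit distance alone misses "secure-citibank". The cost is false positives on ordinary words that happen to contain "rn" or a brand name, which is why the output is a review queue rather than an automatic rejection.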
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
UK Copyright Laws Need to Change, Says Think Tank (30 October 2006)
The Institute for Public Policy Research (IPPR) says UK copyright law needs to be changed to reflect the times. Currently, people who copy CDs and DVDs they already own onto iPods and other media players are breaking the law. IPPR deputy director Dr. Ian Kerns said, "It is not the music industry's job to decide what rights consumers have. That is the job of the government."
-http://www.silicon.com/retailandleisure/0,3800011842,39163692,00.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
JavaScript Vulnerability in Firefox 2 Could Crash Browser (2 November 2006)
A vulnerability in the way Firefox 2 handles JavaScript code could be exploited to crash the browser. Users would need to be tricked into visiting a maliciously crafted web site. Despite reports to the contrary, the flaw will not allow attackers to execute code on vulnerable systems.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61964201-39000005c
ActiveX Flaw in Visual Studio 2005 (1 November 2006)
There are reports that a new flaw in Visual Studio 2005 is already being exploited. Microsoft is investigating the flaw in an ActiveX control known as WMI Object Broker that can be exploited to gain control of vulnerable systems. For an attack to succeed, users would need to be tricked into visiting a maliciously crafted web site. Microsoft says this ActiveX control is not included on the default allow list for IE 7. In addition, users "running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 SP1 in their default configurations with Enhanced Security Configuration turned on are not affected" by the flaw.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004666&intsrc=news_ts_head
-http://news.com.com/2102-7349_3-6131545.html?tag=st.util.print
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thieves Disrupt Technology Services (1 November 2006)
Thieves broke into the Braham Street data center of Level 3, an Internet backbone provider, and stole core router cards. A number of customers lost IP and voice services as a result. In a separate incident, vandals damaged cables at a Birmingham BT exchange, cutting service to 35,000 phone lines. Full service was restored approximately 29 hours after the incident occurred.
-http://www.theregister.co.uk/2006/11/01/level3_robbery/print.html
-http://networks.silicon.com/telecoms/0,39024659,39163726,00.htm
[Editor's Note (Northcutt): One of the things I keep trying to get across in my Management 512 (Security Leadership) class is that when your ISP is down, you are down. I bet a lot of people are reviewing their Disaster Recovery plans right now. Their spec sheet is right here, with CCTV, proximity cards, biometric scanners; this smells like an insider job:
-http://www.datagate.co.uk/documents/London_1_Gateway.pdf
(Honan): This story is a prime example of where physical and computer security converge: without adequate physical security your virtual security is seriously undermined. If you are in charge of computer security for your organisation, make it a point to establish good working relationships with those responsible for physical security. ]
FBI Investigating Malware Infection at PA Water Treatment Plant (31 October 2006)
The FBI is investigating a computer security breach at a Harrisburg, PA water treatment facility. An employee's laptop computer was infected over the Internet and used to install malware on the water treatment plant's computer system. An FBI special agent says the attackers were apparently not targeting the plant, but intended "to use the computer as a resource for distributing e-mails of whatever electronic information they had planned."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004659&intsrc=news_list
Wisconsin HS Student Expelled for Allegedly Breaking into School District Computer System (27 & 26 October 2006)
A Janesville, Wisconsin high school student has been expelled for allegedly breaking into the school's computer system and causing problems that led to loss of class and work time across the school district. The student has not been charged or arrested, but is under investigation by local police. The Janesville school district expects to recover damages in court. There is no evidence that any data have been lost or that the student altered passwords, grades or student records.
-http://www.bradenton.com/mld/bradenton/15863962.htm
-http://www.gazetteextra.com/computerbreakin102606.asp
-http://www.gazetteextra.com/computerbreakin102606.asp
Correction and Update: Security Language in the Real ID Act
Our last NewsBites, Vol. 8, Num. 86, ran an item that said "There is currently no mention of privacy or security in the Real ID Act." This was based on the following quote from the Federal Computer Week article: "John Yacavone, legal services bureau chief with Connecticut's DMV, said there is no provision in the Real ID Act that requires or even mentions information privacy or security data." Well, we need to retract that statement. To set the record straight: while the REAL ID Act security language could be stronger, it is certainly there. Stephen Northcutt
(Note that the search engine adds session parameters after the first link.)
-http://www.senate.gov/pagelayout/legislative/b_three_sections_with_teasers/active_leg_page.htm
- - Search for text 1268
- - Click on H.R.1268
- - Click on "Text of Legislation"
- - Click on link "(H.R.1268.ENR)"
H.R.1268
Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005 (Enrolled as Agreed to or Passed by Both House and Senate)
DIVISION B--REAL ID ACT OF 2005
TITLE II--IMPROVED SECURITY FOR DRIVERS' LICENSES AND PERSONAL IDENTIFICATION CARDS
- - Security and Fraud Prevention Standards:
Sec. 202(d) Other Requirements- To meet the requirements of this section, a State shall adopt the following practices in the issuance of drivers' licenses and identification cards:
(7) Ensure the physical security of locations where drivers' licenses and identification cards are produced and the security of document materials and papers from which drivers' licenses and identification cards are produced.
(8) Subject all persons authorized to manufacture or produce drivers' licenses and identification cards to appropriate security clearance requirements.
(9) Establish fraudulent document recognition training programs for appropriate employees engaged in the issuance of drivers' licenses and identification cards.
- - Social Security Number Required:
Sec. 202(c)(1) Minimum Issuance Standards - (C) Proof of the person's social security account number or verification that the person is not eligible for a social security account number.
- - Rejection of Other State Issued IDs:
Sec. 202(d) Other Requirements- To meet the requirements of this section, a State shall adopt the following practices in the issuance of drivers' licenses and identification cards:
(11) In any case in which the State issues a driver's license or identification card that does not satisfy the requirements of this section, ensure that such license or identification card-- (A) clearly states on its face that it may not be accepted by any Federal agency for federal identification or any other official purpose; and (B) uses a unique design or color indicator to alert Federal agency and other law enforcement personnel that it may not be accepted for any such purpose.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/