SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #92

November 21, 2006

TOP OF THE NEWS

GAO Information Security Report: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing
UK Passport Security Has Weak Link
EU Project to Address InfoSec Concerns of Interdependent Critical Infrastructure Systems
Exploit Code for Windows Workstation Service Flaw Published

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Gets 32 Months for Using MP3 Player to Steal Data From ATMs
Target On-Line Shopping Site May be Sued for ADA Violations
Concerns About Microsoft EULA for Vista
POLICY & LEGISLATION
Proposed Australian Legislation Imposes Penalties for Misuse of Phone Number Database
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Expert Predicts Rootkits will get Tougher in 2007
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DoS Attacks Cut Kyrgyzstan Off From Net For Several Hours
Computers at French Anti-Doping Lab Allegedly Breached
STANDARDS & BEST PRACTICES
Japan Leads World in Organizations with ISP 27001 Certification
MISCELLANEOUS
Malware Writers Add VM Detection Technology
Fired Ohio University IT Administrators Will Not be Reinstated

---

******** Sponsored By Check Point Software Technologies, Inc. **********

Learn how Check Point VPN-1 gateways provide a truly integrated solution for simple site-to-site VPN deployment and ensure the VPN does not compromise the security of the entire network in favor of connectivity. Join us for an informative webcast - "Communications in a Distributed World: Building VPNs with Security".
http://www.sans.org/info/1831

*************************************************************************

SANS 2007 (SANS' biggest annual conference, San Diego Mar. 29-Apr. 6) just opened for registration. SANS annual conferences stand out from all other programs because of the multitude of learning opportunities in one place (51 courses and lots of exhibits and BOFs)
http://www.sans.org/sans2007/

"Fantastic! Ton's of information. My mind is now Jello- I'll be back next year" Kurt Danielson, National Marrow Donor Program "My 4th SANS conference! Each time the instructors are top-notch and I come away amazed and educated."
Bill Wildprett, Washington State CTED
"This conference really taught me the skills I needed to immediately improve the processes where I work."
Karissa Truitt, AT&T Government Solutions

Or: Washington DC, Dec. 9 (16 courses) http://www.sans.org/cdieast06/ Orlando Bootcamp, Jan. 13 (25 courses): http://www.sans.org/bootcamp07/ Or San Jose, Phoenix, Prague, or Brisbane (5 or 6 courses) See complete list of more than 70 upcoming programs in cities around the world at http://www.sans.org/training_events/

*************************************************************************

---

TOP OF THE NEWS

GAO Information Security Report: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing (October 2006)

A Government Accountability Office (GAO) report found that "federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls." The GAO surveyed 24 US government agencies and their inspectors general (IGs); six agencies were chosen for "in-depth evaluation of their periodic testing and evaluations methods and practices." The GAO recommends the Office of Management and Budget (OMB) "instruct federal agencies to develop and implement policies on periodic testing and evaluation
[and ]
revise instructions for future FISMA reporting by requesting IGs to report on the quality of agencies' periodic testing processes."
-http://www.gao.gov/cgi-bin/getrpt?GAO-07-65

[Editor's Note (Kreitner): Three cheers for the GAO. I hope this gets traction at the agency level. The only intelligent way to manage security controls is to select them, implement them, and monitor them forever after. It's about tightening up everyday operational execution. A periodic audit or C&A exercise just cannot do the job. A few well chosen metrics can be a huge help in monitoring controls and measuring their effectiveness. ]

UK Passport Security Has Weak Link (17 November 2006)

The UK's new passports were designed to be secure with an RFID chip holding personal and biometric data. Although the passports are protected by "an advanced encryption technique," it is still possible for ordinary people with some technical expertise to extract the data from the chip and view the data on a computer. The key for accessing the data comprises the passport number, the passport holder's date of birth and the passport's expiration date; this information is available on a printed page of the passport in machine-readable form. The specifications for the passports are available on a web site and include the information about the composition of the access key. The data on the chip are not encrypted. The communication between the chip and the reader is encrypted, but readers could be purchased for GBP250 (US$475) or less.
-http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
[Editor's Note (Honan): This problem is also compounded as UK and other EU passports can be read remotely as they do not having shielding mechanisms simlar to those employed in US passports preventing them from being read unless they are opened, see
-http://www.theregister.co.uk/2006/10/23/smart_chips_for_smart_crooks/.
The whole e-passport fiasco is a prime example as to how actual security can be undermined by badly thought out requirements imposed by one party, the US Government, on others.
(Guest Editor Swa Frantzen): I fail to see the big deal here ... Passport numbers are on the inside of the book, as are expiration dates. The machine readable format is basically OCR, so adds nothing. And the RFID .... well if you need the data inside, that means you handed over the passport, so you know who'll be reading it. Your picture is inside the passport as well for those to whom you give it. This is playing on the fear of the masses IMHO. ]

EU Project to Address InfoSec Concerns of Interdependent Critical Infrastructure Systems (20 November 2006)

The EU's seven million-Euro (US$8.98 million) Integrated Risk Reduction of Information-based Infrastructure Systems (IRRIIS) project is designed to address the information security threats to large critical complex infrastructures (LCCIs). IRRIIS will look at the information security threats across the spectrum of LCCIs with a focus on their interdependencies. Information security specialists from a variety of fields will work together on the project. "IRRIIS will increase dependability, survivability and resilience of EU critical information infrastructures based on information communication technology."
-http://www.engineerlive.com/power-engineer/operation-and-maintenance/16727/eu-pr
oject-to-protect-electricity-supplies-from.thtml

Exploit Code for Windows Workstation Service Flaw Published (17 November 2006)

Exploit code for a critical vulnerability in Windows 2000 has been published on the Internet. The flaw in the Workstation Service component can be exploited without user interaction, prompting concerns that another worm like Zotob may appear. Microsoft addressed the flaw in a bulletin (MS06-070) released on Tuesday, November 14. A Microsoft representative said the company plans to release an advisory regarding the appearance of the exploit code.
-http://isc.sans.org/diary.php?storyid=1855
-http://isc.sans.org/diary.php?storyid=1874
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284755-39001093c,00.htm

-http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx

---

************************** Sponsored Links: ***************************

1) ALERT: Top 10 Web Application Hacker Techniques- SPI Dynamics White Paper
http://www.sans.org/info/1836

2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info/1841

3) "Top 10 Questions You Must Ask Before Purchasing a SIM Solution"-a must-read for SIM shoppers.
http://www.sans.org/info/1846

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Gets 32 Months for Using MP3 Player to Steal Data From ATMs (18 & 15 November 2006)

Max Parsons, of Manchester, England, was convicted of using his MP3 player to steal ATM customers' card information. Parsons stole the data by plugging his MP3 player into free standing ATMs; he then created phony cards and used them to make purchases. Parsons was sentenced to 32 months in prison; authorities believe he had accomplices in the scheme.
-http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/print.html
-http://www.manchestereveningnews.co.uk/news/s/228/228286_cash_machine_bug_scam_e
xpert_jailed.html
-http://www.timesonline.co.uk/article/0,,29389-2453590,00.html
[Guest Editor's Note (Swa Frantzen): This was basically a phone line tap and apparently the ATM operators didn't bother to use encryption on the phone line. ]

Target On-Line Shopping Site May be Sued for ADA Violations (23 October 2006)

A federal district court ruled that the Target online web site could be sued because it has no audio component to allow accessibility to the blind, thereby violating the Americans with Disabilities Act (ADA). Target had sought to have the class-action lawsuit dismissed on the grounds that a web site was not a place and therefore not subject to ADA requirements. The ruling applies only to businesses that have both brick-and-mortar and on-line sites. The lawsuit was filed by the National Federation of the Blind.
-http://www.inc.com/criticalnews/articles/200610/blind.html

[Editor's Note (Skoudis): While on the surface this article may seem unrelated to information security, it could have some major implications for our field. If the lawsuit gets traction, we will likely see a scramble for organizations to make their websites ADA compliant for blind and deaf users, certainly a laudable goal. However, if such technical changes aren't done carefully, they could introduce security weaknesses. Computer attackers would be delighted to attack an application via an alternative interface that was slapped together without careful security scrutiny and testing. So, ADA compliance is a good thing, but make sure all of your user interfaces get careful security testing. ]

Concerns About Microsoft EULA for Vista (20 November 2006)

Mark Rash, a well known attorney specializing in cyber issues, posted an article demonstrating how the Vista EULA pushes contract law to the limit.
-http://www.securityfocus.com/columnists/423
[Editor's Comment (Northcutt): This is a must read, a very high quality article. The thought of intentionally making an operating system something that can be disabled over the Internet makes a wonderful legal discussion, but I kept thinking about the ever so clever hackers out there and the potential to somehow, someway, shut down millions of machines across the Internet. ]

POLICY & LEGISLATION

Proposed Australian Legislation Imposes Penalties for Misuse of Phone Number Database (21 November 2006)

Australian legislators are considering a bill that would impose a fine of as much as AU$66,000 (US$50,819) or a two-year prison sentence for misuse of a database containing information about everyone in Australia with a phone number. The Integrated Public Number Database contains current contact information for all listed and unlisted phone numbers. An industry standard aimed at restricting business use of the database has met with a number of delays.
-http://australianit.news.com.au/articles/0,7204,20792270%5E15306%5E%5Enbv%5E,00.
html
[Editor's Note (Honan): Hopefully this legislation will be sufficient to be viewed by businesses as a deterrent rather than a cost of doing business. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Expert Predicts Rootkits will get Tougher in 2007 (17 November 2006 )

ISS Xforce's Oliver Friedrichs predicts polymorphism and rootkit technology will get even more sophisticated in 2007 since criminals are paying a lot of money to malicious code developers. His biggest concern is virtual machine wrappers for malware. He referenced Joanna Rutkowska's Blue Pill and pointed out both AMD and Intel are creating virtual machine enabled chips.
-http://news.yahoo.com/s/cmp/20061118/tc_cmp/194500004
[Editor's Note ( Northcutt ): The best explanation of Blue Pill and VM enabled chips is from Steve Gibson. The first few pages of this are fluffy, but on page 5 he starts to get down and dirty:
-http://www.grc.com/sn/SN-054.pdf]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

DoS Attacks Cut Kyrgyzstan Off From Net For Several Hours (16 November 2006)

A series of denial-of-service (DoS) attacks on main providers in Kyrgyzstan earlier this month cut the entire country off from the Internet for several hours. The attack apparently came from servers outside the Republic; the attacks preceded a rally calling for the resignation of the current president.
-http://www.ospint.com/text/d/3488924/

Computers at French Anti-Doping Lab Allegedly Breached (15 & 14 November 2006)

Computers at a French national anti-doping laboratory have been accessed without authorization. According to L'Equipe, a French daily sports publication, someone broke into the computers, accessed data and then sent letters to the International Olympic Committee (IOC) and the World Anti-Doping Agency (WADA). The letters attempt to discredit the laboratory's testing procedures by including information stolen from the lab. The letters appeared to come from the laboratory, Chatenay-Malabry. A suspect has been identified.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/11/14/AR2006111400389_
pf.html
-http://www.australianit.news.com.au/articles/0,7204,20764331%5E15306%5E%5Enbv%5E
,00.html
-http://www.timesonline.co.uk/article/0,,28910-2453667,00.html

STANDARDS & BEST PRACTICES

Japan Leads World in Organizations with IS0 27001 Certification (14 November 2006)

Of the 3080 organizations worldwide that have achieved ISO 27001 certification, 1761, or 57 percent, are in Japan. In Britain, 323 organizations are certified, and in India, that figure is 246. The US has just 42 certified organizations.
-http://www.australianit.news.com.au/articles/0,7204,20736566%5E15841%5E%5Enbv%5E
,00.html

MISCELLANEOUS

Malware Writers Add VM Detection Technology (20 November 2006)

Malware creators have begun incorporating the ability to detect virtual machines (VM) into their products. A SANS Internet Storm Center (ISC) analyst reported that "three of 12 malware specimens recently captured in _their_ honeypot refused to run in VMware." The malware writers are trying to prevent researchers from testing the malware in a safe setting. The problem can be addressed either by patching the malware so it doesn't look for signs of VM environments, or by making changes to the VM environment that will trick the malware.
-http://isc.sans.org/diary.php?storyid=1871
-http://www.techweb.com/article/printableArticle.jhtml;?articleID=194700014&s
ite_section=700027

[Editor's Note (Skoudis): In addition to mentioning the fine work of Lenny Zeltser, this article cites a presentation that Tom Liston and I gave at SANS FIRE in July 2006 on how to thwart VM detection. In that presentation, Tom and I provide a list of about a dozen undocumented VMX configuration file settings that we uncovered in our research to defeat almost all current methods of VMware detection in the wild (The Red Pill, Jerry, etc). Malware researchers can use the options covered in that presentation to dodge the current generation of VM-detecting malware. Please note, though, that these options break all of those nifty VM tools functions, like drag-n-drop, shared files, and copy-and-paste. On the positive side, most malware researchers don't need those functions when analyzing malware in VM guests. ]

Fired Ohio University IT Administrators Will Not be Reinstated (16 November 2006)

Ohio University Provost Kathy Krendl has rejected a grievance committee's recommendation to reinstate two men fired in the wake of the disclosure of a number of security breaches of university computer systems. While the men were not found to be guilty of "intentional wrongdoing," they were blamed for not taking "the necessary proactive steps to protect confidential information."
-http://www.columbusdispatch.com/news-story.php?story=227147
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=274378&source=rss_topic17
[Editor's Note (Schultz): Slowly but surely attitudes concerning accountability in security-related roles and responsibilities are changing, as shown by the unfortunate recent events at Ohio University. Failure to do what is appropriate for the sake of security is starting to produce increasingly negative consequences. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/