SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #98

December 12, 2006

As a holiday present we've included the consensus Top Security Trends for 2007 as the last item in this letter.

---

TOP OF THE NEWS

Second Vulnerability in Microsoft Word
Organized Crime Trawling for Students
Unprotected Computer Leads to Police Raid
NASA Blocks Word Document Attachments

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Teen Uses Skills from Police-Mandated Course to Steal Funds
Three Convicted for Microsoft Software Piracy Scheme
Two-Year Sentence for Stealing Credit Card Data from Political Site
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS Supervisor Arrested for Immigration Fraud
Colorado Awards Laptop Encryption Contract
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
December's Patch Tuesday Will Not Address Word Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Vermont Health Care Providers' Personal Information Exposed
MISCELLANEOUS
FTC Mails 1,400 Claim Forms to ChoicePoint Data Breach Victims
BONUS SECTION
The Ten Most Important Security Trends of the Coming Year

---

********* Sponsored By Check Point Software Technologies, Inc. *********

Give your users anywhere access and everywhere security with proven remote access security solutions from Check Point Software. Our solutions provide comprehensive endpoint security with integrated intrusion protection, secure VPN connectivity, central management, and remote access auditing and analysis. To learn more download the White Paper: Secure Remote Access for the Distributed Business.
http://www.sans.org/info/2416

*************************************************************************

Great security courses in Orlando and San Diego - Orlando 15 immersion courses January 13-19
http://www.sans.org/bootcamp07/

San Diego 30 immersion courses March 29-April 6
http://www.sans.org/sans2007/

*************************************************************************

---

TOP OF THE NEWS

Second Vulnerability in Microsoft Word (11 December 2006)

Microsoft has acknowledged a second vulnerability in Word that is already being exploited. The flaw is similar to one disclosed last week; both flaws allow attackers to download malware onto vulnerable machines. The new flaw affects just Word 2000, 2002, 2003 and Word Viewer 2003; last week's flaw affects Mac versions of Word as well.
-http://www.theregister.co.uk/2006/12/11/0-day_word_flaw/print.html
-http://www.techweb.com/showArticle.jhtml?articleID=196603174&cid=RSSfeed_Tec
hWeb

Organized Crime Trawling for Students (8 December 2006)

According to a report from McAfee, organized crime rings are recruiting potential cyber criminals with tactics that bear similarities to those used by the KGB to recruit spies during the Cold War. Promising students are reportedly receiving offers to finance their educations in return for being plants in businesses targeted by the crime groups. The groups find the students in chat rooms and discussion sites.
-http://technology.guardian.co.uk/news/story/0,,1967226,00.html
-http://www.theregister.co.uk/2006/12/08/vxer_milkround/print.html
-http://news.bbc.co.uk/2/hi/technology/6220416.stm
[Editor's Note (Boeckman): Once again, Microsoft has put their customers in an untenable situation, since most organizations would not be able to function with out sharing Word documents.
(Ullrich): I don't think this is an accident. Eastern European crime groups appear to be heavily seeded with former intelligence officers. ]

Unprotected Computer Leads to Police Raid (7 December 2006)

A Denver (CO) woman was surprised when four armed Boulder County sheriffs with a search warrant knocked on her door and demanded she turn over her computer. The woman's computer was apparently infected and being used to make fraudulent purchases with a stolen credit card. The woman said she had removed a firewall from her computer because it made the machine run too slowly.
-http://www.thedenverchannel.com/news/10486347/detail.html
[Editor's Note (Ullrich): This sentence form the article made me smile: "Investigators said someone hacked into Winkler's computer, stole her IP address ..." I hope the investigators applied more technical insight then reflected in this quote.
(Skoudis):While I'm not thrilled about police spending their time busting the wrong person, I am happy to have this story as an example I can cite when explaining to my non-technical friends the importance of solid security principles (running a personal firewall, installing up-to-date anti-virus and anti-spyware tools, keeping systems patched, etc.). Going forward, when they say it's just too hard to do, I plan on saying, "Well, it's better than having armed police bust down your door!"
(Grefer): If you are an end-user and your computer suddenly starts to run slow, do NOT turn off your firewall. Rather, run antivirus and antispyware scans. Starting points might be the offerings at
-http://free.grisoft.com,
-http://www.safer-networking.org,
and
-http://www.lavasoftusa.com/products/ad-aware_se_personal.php.
They all offer their tools free of charge for personal home use and are reputable sources. ]

NASA Blocks Word Document Attachments (7 December 2006)

NASA has taken Microsoft's advice to heart (see story below) and implemented a policy that blocks incoming Microsoft Word documents as attachments to email. The policy applies the to agency's core computer network and will remain in effect until Microsoft issues a patch for the vulnerability.
-http://www.msnbc.msn.com/id/16095705/
[Editor's Note (Skoudis): This is a good idea, given that Microsoft has announced that patches for the Word problems will not be included in this month's batch of patches. Such solutions aren't perfect, but they can help to step the tide somewhat if your enterprise culture will let you filter Word documents.
(Ullrich): Don't just hunt the vulnerability of the day. Organizations need to figure out how to deal with attachments in general, not just word documents. Most malicious attachments are executed by users without exploiting any vulnerabilities.
(Frantzen): If you face a risk of targeted attacks, it's smart to always block Microsoft office attachments. Since it will be a long time before Microsoft fixes this problem, attackers may use their spare time during the holidays to abuse the vulnerability or spread code abusing it, and the holidays mean many defenders will be out of the office. As was shown last year with the WMF vulnerability, the holiday season is a terrible time to have 0-days floating about. ]

---

************************* Sponsored Links: ***************************

1) Don't let phishing ruin the holidays for you and your customers. Get the facts in this FREE REPORT.
http://www.sans.org/info/2421

2) Use NetFlow to gain valuable network visibility to protect and optimize your network security. Download FREE White Paper "Network Behavior Analysis (NBA) in the enterprise."
http://www.sans.org/info/2426

3) The Center for Internet Security is currently looking for experts to provide feedback security configuration benchmarks for MySQL, SQL Server 2005, Microsoft Office, Check Point Firewall, Juniper, and Vista. Interested? Contact John Banghart at 703-716-0199 (jbanghart@cisecurity.org).

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Teen Uses Skills from Police-Mandated Course to Steal Funds (11 December 2006)

A teenager sentenced by police to take a computer training course to address anti-social behavior admitted that he used his newly acquired knowledge to break into people's bank accounts and steal close to NZ$45,000 (US$31,000). The offenses he committed earlier include kidnapping, aggravated robbery and threatening behavior.
-http://rawstory.com/news/2006/Teen_learned_how_to_hack_computers__12112006.html

Three Convicted for Microsoft Software Piracy Scheme (11 & 8 December 2006)

Three people have been convicted in connection with a software piracy scheme that defrauded Microsoft of more than US$60 million. Mirza and Sameena Ali "were convicted on 30 counts of conspiracy, mail fraud, wire fraud and money laundering.
[Keith Griffen ]
was convicted on nine" similar counts. The three fraudulently purchased Microsoft software at a discounted educator's rate and resold it at a profit. The trio face the possibility of hefty fines and lengthy sentences when they are sentenced in March 2007.
-http://www.vnunet.com/vnunet/news/2170606/trio-convicted-60m-software
-http://milwaukee.bizjournals.com/seattle/stories/2006/12/04/daily33.html

Two-Year Sentence for Stealing Credit Card Data from Political Site (8 December 2006)

Jeremy Hammond has been sentenced to two years in prison for stealing credit card data. Hammond broke into the website of a conservative political activist group and downloaded credit card data of approximately 5,000 people who had made purchases through the site, or had made contributions to the group. Hammond had planned to use the card information to make donations to organizations opposed by the site but changed his mind. Hammond was also ordered to pay US$5,250 in fines and restitution.
-http://www.chicagotribune.com/news/local/chicago/chi-0612080286dec08,1,689768.st
ory?coll=chi-newslocalchicago-hed&ctrack=1&cset=true

[Editor's Note (Skoudis): Credit card theft remains a major issue. Just last Friday, I got an automated call from my bank, one of the biggest in the world, about a fraud warning. The voice mail was comically synthetic, with a tinny machine mispronouncing my name, urging me to call my bank at a phone number that didn't match the one on my credit card. Given the rise of VoIP phishing, I was instantly suspicious. I called the number printed on my card. As it turns out, the call was legit, and there was a real fraud warning on my card. I was disappointed in my bank for opening themselves to VoIP phishing this way. If you get a fraud warning call, do not dial back to the number in the voice mail. Instead, call only the number printed on the back of your card, or, if the card isn't available, call the number on your last statement. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS Supervisor Arrested for Immigration Fraud (8 & 1 December 2006)

A US Department of Homeland Security (DHS) supervisor and US Citizenship and Immigration Services employee has been arrested for allegedly selling citizenship to hundreds of immigrants over the last 10 years. Robert T. Schofield allegedly took more than US$600,000 in bribes to commit naturalization fraud. Earlier in his career, Schofield was investigated for "conduct unbecoming" due to a relationship with a woman who was part of a criminal investigation. He was demoted, fled the US and made US$36,000 in unauthorized charges on a government-issued credit card. At some later date, he returned to the US and eventually obtained the position he held until several weeks ago.
-http://www.familysecuritymatters.org/terrorism.php?id=474039
-http://www.washingtonpost.com/wp-dyn/content/article/2006/11/30/AR2006113000603_
pf.html
[Editor's Note (Schultz): If the allegations against Schofield are true, this poignantly shows the importance of performing thorough background checks, not only when individuals are applying for employment, but also afterwards. People comprise the greatest risk in both the computing and non-computing arenas. ]

Colorado Awards Laptop Encryption Contract (11 December 2006)

Utimaco was awarded the Colorado statewide contract for laptop encryption. The contract allows cities and non-profits to take advantage of the contract cost savings.
-https://www.gssa.state.co.us/BdSols.nsf/6f4073ad00fbd5c187256f8d007e733a/e172acf
f6f3bdefa8725723e007cb00a?OpenDocument

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

December's Patch Tuesday Will Not Address Word Flaws (11 & 7 December 2006)

Microsoft's monthly security release for December will include five bulletins addressing flaws in Windows and one bulletin for Microsoft Visual Studio. The highest severity rating among these bulletins is Critical; some of the updates may require restarts. Microsoft will not be addressing the Word vulnerabilities in the December 12 update.
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
-http://www.vnunet.com/vnunet/news/2170608/word-flaw-left-patch-tuesday
[Editor's Note (Boeckman): Once again, Microsoft has put their customers in an untenable situation, since most organizations would not be able to function with out sharing Word documents. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Vermont Health Care Providers' Personal Information Exposed (8 December 2006)

A contractor's error left the names and Social Security numbers (SSNs) of hundreds of Vermont health care providers exposed on the Internet. The information was inadvertently made available on a web site where the state of Vermont had posted a request for bids to become the state's health insurance administrator. Vermont Human Resources Commissioner Linda McIntire said the data were available on the site between May 12 and June 19, 2006, but an unnamed doctor said her SSN was still available as recently as last week.
-http://www.wcax.com/global/story.asp?s=5790220&ClientType=Printable

MISCELLANEOUS

FTC Mails 1,400 Claim Forms to ChoicePoint Data Breach Victims (7 December 2006)

The US Federal Trade Commission has mailed claim forms to 1,400 individuals who incurred out-of-pocket expenses as a result of data aggregator ChoicePoint's massive security breach in the fall of 2004. One third of the US$15 million settlement reached in January 2006 has been designated to reimburse affected consumers. The reparation forms must be postmarked by February 4, 2007 to be considered for reimbursement.
-http://www.techweb.com/showArticle.jhtml?articleID=196602483
-http://www.consumeraffairs.com/news04/2006/12/ftc_choicepoint.html

BONUS SECTION

The Ten Most Important Security Trends of the Coming Year

Experts Predict the Future
The Ten Most Important Security Trends of the Coming Year

Mobile Devices
1. Laptop encryption will be made mandatory at many government agencies and other organizations that store customer/patient data and will be preinstalled on new equipment. Senior executives, concerned about potential public ridicule, will demand that sensitive mobile data be protected

2. Theft of PDA smart phones will grow significantly. Both the value of the devices for resale and their content will draw large numbers of thieves.

Government Action
3. Congress and state governments will pass more legislation governing the protection of customer information. If Congress, as expected, reduces the state-imposed data breach notification requirements significantly, state attorneys general and state legislatures will find ways to enact harsh penalties for organizations that lose sensitive personal information.

Attack Targets

4. Targeted attacks will be more prevalent, in particular on government agencies. Targeted cyber attacks by nation states against US government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities. Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks. Targeted attacks on commercial organizations will target military contractors and businesses with valuable customer information.

5. Cell phone worms will infect at least 100,000 phones, jumping from phone to phone over wireless data networks. Cell phones are becoming more powerful with full-featured operating systems and readily available software development environments. That makes them fertile territory for attackers fueled by cell-phone adware profitability.

6. Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP technology was deployed hastily without fully understanding security.

Attack Techniques
7. Spyware will continue to be a huge and growing issue. The spyware developers can make money so many ways that development and distribution centers will be developed throughout the developed and developing world.

8. 0-day vulnerabilities will result in major outbreaks resulting in many thousands of PCs being infected worldwide. Security vulnerability researchers often exploit the holes they discover before they sell them to vendors or vulnerability buyers like TippingPoint.

9. The majority of bots will be bundled with rootkits. The rootkits will change the operating system to hide the attack's presence and make uninstalling the malware almost impossible without reinstalling a clean operating system.

Defensive Strategies
10. Network Access Control will become common and will grow in sophistication. As defending laptops becomes increasingly difficult, large organizations will try to protect their internal networks and users by testing computers that want to connect to the internal network. Tests will grow from today's simple configuration checks and virus signature validation to deeper analysis searching for traces of malicious code.

How these trends were determined
Twenty of the most respected leaders in cyber security developed this list. First each proposed the three developments that they each felt were most important. Then they compiled the list of more than 40 trends and voted on which were most likely to happen and which would have the greatest impact if they did happen. That resulted in a prioritized list. To validate their prioritization, they asked the 960 delegates at SANSFire in Washington to each prioritize the 40 trends. More than 340 did so. The SANSFire delegates' input reinforced the experts' prioritization and helped target the Top Ten.

Experts involved with the project
_ Stephen Northcutt, President of the SANS Technology Institute
_ Johannes Ullrich, CTO of the Internet Storm Center
_ Marc Sachs, Director of Internet Storm Center
_ Ed Skoudis, CEO of Intelguarians and SANS Hacker Exploits course director
_ Eric Cole, author of "Hackers Beware" and SANS CISSP Preparation Course Director
_ Jason Fossen, SANS Course Director for Windows Security
_ Chris Brenton, SANS Course Director for Firewalls and Perimeter Protection
_ David Rice, SANS Course Director for Microsoft .Net Security
_ Fred Kerby, CISO of the Naval Surface Warfare Center, Dahlgren Division
_ Howard Schmidt, President of ISSA
_ Rohit Dhamankar, editor of the SANS Top 20 Internet Security Vulnerabilities and @RISK
_ Marcus Ranum, inventor of the proxy firewall
_ Mark Weatherford, CISO of Colorado
_ Clint Kreitner, CEO of the Center for Internet Security
_ Eugene Schultz, CTO of High Tower Software
_ Koon Yaw Tan, Security Expert for the Singapore Government
_ Brian Honan, Irish Security Consultant
_ Roland Grefer, Security Consultant
_ Lenny Zeltzer, Security Practice Leader at Gemini Systems.
_ Alan Paller, Director of Research at the SANS Institute

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/