SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #99
December 15, 2006
TOP OF THE NEWS
Death Sentence Upheld for Bank Fraud in China
Cyber Saboteur Draws Eight-Year Sentence
Exploit Code Posted for Third Word Vulnerability
Microsoft's December Security Release
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Florida Teen Arrested for Altering Grades in School Computer
High Court Will Hear McKinnon Extradition Appeal
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
European Commission Concerned About US Handling of EU Passenger Data
SPYWARE, SPAM & PHISHING
Phishing Up 8,000 Percent in Two Years
Rock Phish May Be Behind Half of All Phishing eMail
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Symantec Sues Distributors for Allegedly Selling Pirated Software
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Texas at Dallas Engineering Dept. Database Breached
Stolen Laptop Holds Boeing Employee Data
UCLA Database Breach Affects 800,000
STATISTICS, STUDIES & SURVEYS
Survey: Compliance Consumes Resources
********************* Sponsored By Symark Software **********************
Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo." http://www.sans.org/info/2456
*************************************************************************
TRAINING UPDATE: Great security courses in Orlando and San Diego -
Orlando: 15 immersion courses, January 13-19 http://www.sans.org/bootcamp07/
San Diego: 30 immersion courses, March 29-April 6 http://www.sans.org/sans2007/
*************************************************************************
TOP OF THE NEWS
Death Sentence Upheld for Bank Fraud in China (14 December 2006)
Zhou Limin, former head of a bank branch in Xi'an, and accountant Liu Yibing collected about $61 million from 30 organizations and 400 individuals for non-existent high interest accounts. China's highest court has upheld their death sentence. This is one of several scandals coming to light as Chinese banks are trying to raise money from foreign investors to modernize operations.
[Editor's Note (Northcutt): Least privilege, separation of duties, rotations of duties, spot check audit ..... it is amazing how truly universal the core security principles are. ]
Cyber Saboteur Draws Eight-Year Sentence (13 December 2006)
Roger Duronio, a former UBS Paine Webber systems administrator, has been sentenced to just over eight years in prison for releasing a logic bomb on his former employer's network and causing an estimated US$3 million in damage. The 97-month prison term is the maximum allowed under federal sentencing guidelines. Duronio has also been ordered to pay US$3.1 million in restitution. Duronio was apparently a disgruntled former employee who left his job when his year-end bonus fell short of his expectations.
-http://www.theregister.co.uk/2006/12/13/ubs_logic_bomber_sentenced/print.html
-http://www.eweek.com/article2/0,1759,2072394,00.asp?kc=EWRSS03119TX1K0000594
[Editor's Note (Ullrich): This case is a great lesson in what happens if an insider is accused in court. Duronio took every opportunity in court to highlight failures in UBS PaineWebber's security policies and practices. The actual damages are likely to exceed the $3 Million stated here. UBS spent countless hours restoring files on over 1,000 servers from backups, and was still unable to recover all of the data.
(Honan): Disgruntled employees are very often the source of many insider attacks. As the year end approaches it could be a prudent move on your part to liaise with your HR Department so that you are made aware of any personnel, especially those with administrative rights, who may receive a poor year end review or a less than expected bonus/pay-rise. ]
Exploit Code Posted for Third Word Vulnerability (13 December 2006)
Exploit code for a third vulnerability in Microsoft Word has been published on the Internet. Microsoft has not acknowledged the vulnerability. Microsoft's security release for December did not address two other Word flaws that are being exploited in targeted attacks.
-http://www.eweek.com/print_article2/0,1217,a=196431,00.asp
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9006059&taxonomyId=17&intsrc=kc_top
[Editor's Note (Schultz): The fact that multiple, critical, and currently-unpatchable vulnerabilities in Word are surfacing constitutes an extremely serious security risk. Given that exploits for some of these vulnerabilities are now available, it behooves Microsoft to at least provide some information regarding workarounds, or if no workarounds are available, how long it will be until Microsoft can provide patches. ]
Microsoft's December Security Release (13 & 12 December 2006)
Microsoft's monthly security release comprises seven bulletins that address 11 flaws in its various products. The bulletins include a critical cumulative update for Internet Explorer (IE) and fixes for critical remote code execution vulnerabilities in Visual Studio 2005 and Windows Media Player. The fixes appear to be available for IE 5 and 6 but not for IE 7.
-http://www.theregister.co.uk/2006/12/13/ms_patch_tuesday/print.html
-http://www.securityfocus.com/brief/382
-http://software.silicon.com/security/0,39024655,39164663,00.htm
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339272669-130061744t-110000005c
-http://www.us-cert.gov/cas/techalerts/TA06-346A.html
-http://www.microsoft.com/athome/security/update/bulletins/200612.mspx
[Editor's Note (Pescatore): Several of the vulnerabilities were unchecked buffers that let an attacker remotely execute code on an unpatched machine. A nice New Year's Resolution for software vendors would be to make 2007 the year that at least the top 5 most common stupid programming tricks are really finally removed from their products.
(Ullrich): The interesting story here is that none of the outstanding Office vulnerabilities were patched (1 PowerPoint and 2 Word at the time of the patch release). Microsoft, by mistake, released a patch for Mac:Office, but retracted it the same day. ]
************************* Sponsored Links: ****************************
1) Whitepaper - New PCI requirement 6.6 Application Firewall vs. Code Review - Know the costs. Choose wisely.
http://www.sans.org/info/2461
2) Give users access anywhere and security everywhere. Download Check Point's Secure Remote Access White Paper.
http://www.sans.org/info/2466
3) Disk encryption with SafeGuard(R) Easy software provides the ultimate in laptop security.
http://www.sans.org/info/2471
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Florida Teen Arrested for Altering Grades in School Computer (13 December 2006)
A Florida high school senior and class president has been arrested for allegedly breaking into his school's computer system and altering students' grades. Ryan C. Shrouder allegedly used a school board employee's password to gain access to the system. He will be suspended and recommended for expulsion. Two other students have been suspended in connection with the case.
-http://www.allheadlinenews.com/articles/7005847659
-http://www.local10.com/news/10528653/detail.html
[Editor's Note (Schultz): According to the local10.com posting, "the arrest affidavit indicated that because Shrouder was a student representative to the school board, he was issued a school board laptop computer that gave him access to the grades." Hopefully, this statement is not true. How could a student be issued a school board laptop that allows access to the grades of this young student's friends and peers? If it is true, it demonstrates an almost unprecedented lack of governance on the part of the school board.]
High Court Will Hear McKinnon Extradition Appeal (12 December 2006)
The High Court in England has agreed to hear Gary McKinnon's extradition appeal on February 13, 2007. McKinnon lost an earlier appeal against his extradition to the US to face charges related to intrusions into US government computer systems. If McKinnon loses this appeal, he may appeal to the House of Lords, but he is not optimistic.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61974274-39000005c
-http://www.theregister.co.uk/2006/12/12/pentagon_hacker_appeal_date/print.html
[Editor's Note (Ranum): Why can't he just take his slap on the wrist like a man? Then, when it's over he can hit the lecture circuit and become an author. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
European Commission Concerned About US Handling of EU Passenger Data (14 December 2006)
The European Commission has asked the US to ensure that European Union (EU) airline passenger data shared with the US are protected as per European privacy regulations. The US Customs and Border Protection's Automated Targeting System generates a risk profile for passengers and cargo entering and leaving the country. The program allows collected data to be retained for 40 years. US privacy advocates have voiced concern about the program as well. The US and the EU signed an agreement in October that allowed the US greater access to passenger data, but restricted their sharing and retention.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/12/13/AR2006121301982_pf.html
-http://euobserver.com/9/23097
[Editor's Note (Pescatore): The EU has good cause to be worried. We've seen that very few government agencies are able to meet the 90 day sensitive data deletion requirement of OMB's recent M-06-16 guidance. Customs and DHS need to demonstrate how they will meet the requirements to protect and delete this data.
(Schultz): Differences in requirements for protection of personal and financial data have proven to be an almost perpetual and extremely difficult issue between the EU and the US. In general, the EU requires strong protection of such data, but the US does not. The fact that an agreement concerning the protection of passenger data could be reached is thus an extremely significant accomplishment. Still, this agreement ostensibly has kinks that need to be resolved.
(Honan): In light of the much publicised breaches in US Government systems over the past few months, e.g. the Department of Veterans Affairs breach, and the abysmal record many US Government agencies have in meeting FISMA security requirements, you will forgive my skepticism that a letter from the EU is going to keep MY personal data held on US systems any safer.
(Grefer): Please bear in mind that this Automatic Targeting System (ATS) utilized by the DHS' Customs and Border Protection (CBP) also applies to US citizens and not just to this agreement with the EU. Presumably European PNR data per the agreement cannot be retained for 40 years, but all other data likely will be.
-http://www.theregister.co.uk/2006/12/07/us_privacy_safeguards/
The DHS' own privacy impact assessment is available at:
-http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_ats.pdf]
SPYWARE, SPAM & PHISHING
Phishing Up 8,000 Percent in Two Years (14 & 13 December 2006)
The UK's Financial Services Authority (FSA) says the number of detected phishing schemes targeting bank customers has increased 8,000 percent over the last two years. APACS security chief Philip Whitaker says the startling increase can in part be attributed to better detection. Losses from phishing schemes were estimated at GBP 4.5 million (US$8.82 million) for the year preceding October 2004; the estimated loss for 2006 is GBP 45.7 million (US$89.6 million).
-http://news.bbc.co.uk/2/hi/uk_news/politics/6177555.stm
-http://www.theregister.co.uk/2006/12/14/phishing_fraud_uk/print.html
Rock Phish May Be Behind Half of All Phishing eMail (12 December 2006)
The Rock Phish Kit is a tool that allows people without technical expertise to create and launch phishing attacks. Rock Phish, believed to be either an individual or a group, has developed a variety of techniques to keep a step ahead of filtering methods. Rock Phish targets specific financial institutions in the US and Europe and is believed to be responsible for as much as one-half of all phishing messages.
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/12/12/HNrockphish_1.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Symantec Sues Distributors for Allegedly Selling Pirated Software (14 & 13 December 2006)
Symantec has filed a lawsuit in US District Court in Los Angeles against a group of software distributors it alleges have been selling pirated Symantec products. Symantec is seeking US$15 million. The filing alleges the distributors have "engaged in trademark infringement, copyright infringement, fraud, unfair competition and false advertising." An investigation resulted in the seizure of more than 100,000 disks containing pirated software.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006039&source=rss_topic17
-http://www.vnunet.com/vnunet/news/2170929/symantec-sues-software-pirates
-http://www.symantec.com/about/news/release/article.jsp?prid=20061213_01
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Texas at Dallas Engineering Dept. Database Breached (14 December 2006)
The University of Texas at Dallas will send letters to approximately 6,000 current and former students, employees and applicants to inform them their personally identifiable information was compromised. Intruders gained access to a database at the university's school of engineering and computer science. The data include names, Social Security numbers (SSNs), and contact information.
-http://chronicle.com/wiredcampus/index.php?id=1779
-http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/DN-utdhack_14met.ART0.North.Edition1.3eb1c28.html
Stolen Laptop Holds Boeing Employee Data (13 December 2006)
A laptop computer stolen from a Boeing Co. employee's car holds personally identifiable information of approximately 382,000 current and former employees of the aerospace company. Boeing plans to inform current employees of the theft by email; former employees will receive letters. The data on the computer include home addresses, dates of birth and SSNs. Boeing has experienced several other data security breaches in recent years, including three other laptop thefts that compromised information belonging to more than 160,000 employees. Boeing says approximately 250 of the company's more than 75,000 laptop computers were stolen last year.
-http://seattlepi.nwsource.com/local/295769_boeing13.html
UCLA Database Breach Affects 800,000 (12 December 2006)
The University of California, Los Angeles (UCLA) has begun notifying more than 800,000 individuals that their personal information has been compromised. UCLA computer security technicians became aware of the problem on November 21 after they noticed an "exceptionally high volume of suspicious database queries." A subsequent investigation revealed that attackers had been trying to access the information since October 2005 and that they were targeting SSNs. The FBI has been notified. UCLA's CIO and associate vice chancellor says the database has been "reconstructed and protected" but did not provide details. Those affected include current and former students, faculty and staff, some applicants, and parents of students and applicants who applied for financial aid. The data include names, SSNs, dates of birth and addresses.
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005925&taxonomyId=17&intsrc=kc_top
-http://www.msnbc.msn.com/id/16169453/?GT1=8816
-http://www.mercurynews.com/mld/mercurynews/news/16220549.htm
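The UCLA item says the intrusion was noticed only when the volume of suspicious database queries became "exceptionally high", more than a year after it began. The following is an added illustration, not UCLA's code or anything from the articles above, of the kind of per-account baseline check a DBA or SOC could run over database audit logs to catch a burst of queries against SSN columns earlier. The log format (timestamp, account, client address, SQL text), the column names treated as sensitive, the account names and the thresholds are all assumptions, and the audit lines are constructed for the example.

```python
"""Flag database accounts whose hourly volume of queries touching sensitive
columns is far above that account's own baseline.

Added example; not code from UCLA or the cited articles. The audit log
format, sensitive column names, account names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

# Assumption: columns whose appearance in SQL text marks a "sensitive" query.
SENSITIVE_COLUMNS = ("ssn", "social_security")
ABS_FLOOR = 20    # never flag an hour with fewer sensitive queries than this
MULTIPLIER = 5    # flag an hour that is this many times the account's median

# Assumed audit line layout: <ISO timestamp> <db account> <client ip> <sql text>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<client>\S+)\s+(?P<sql>.+)$")


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = rec["ts"][:13]          # YYYY-MM-DDTHH bucket
    return rec


def touches_sensitive(sql):
    """Cheap substring heuristic: does the statement name a sensitive column?"""
    s = sql.lower()
    return any(col in s for col in SENSITIVE_COLUMNS)


def hourly_sensitive_counts(lines):
    """account -> {hour bucket -> number of sensitive queries in that hour}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and touches_sensitive(rec["sql"]):
            counts[rec["user"]][rec["hour"]] += 1
    return counts


def find_spikes(lines):
    """Return (account, hour, count, baseline) for every hour above threshold.

    Baseline is the account's median hourly count over the hours seen. An
    account seen in only one hour has no history to compare against, so its
    baseline is 0 and only the absolute floor applies; otherwise a first-time
    burst could never exceed MULTIPLIER times itself and would be missed.
    """
    spikes = []
    for user, hours in hourly_sensitive_counts(lines).items():
        history = list(hours.values())
        baseline = median(history) if len(history) > 1 else 0
        threshold = max(ABS_FLOOR, MULTIPLIER * baseline)
        for hour, n in sorted(hours.items()):
            if n >= threshold:
                spikes.append((user, hour, n, baseline))
    return spikes


def build_sample_log():
    """Constructed audit lines in the assumed format (not real data).

    svc_finaid does a steady 3 SSN lookups per hour plus an unrelated count.
    svc_report does 2 per hour, then 40 in one hour: the burst to catch.
    """
    lines = []
    for h in ("2005-10-03T09", "2005-10-03T10", "2005-10-03T11"):
        for i in range(3):
            lines.append(f"{h}:{i:02d}:00 svc_finaid 10.1.4.20 "
                         f"SELECT name, ssn FROM applicants WHERE id={1000 + i}")
        lines.append(f"{h}:30:00 svc_finaid 10.1.4.20 SELECT COUNT(*) FROM applicants")
    for h in ("2005-10-03T09", "2005-10-03T10"):
        for i in range(2):
            lines.append(f"{h}:{i:02d}:10 svc_report 10.1.9.77 "
                         f"SELECT ssn FROM students WHERE id={2000 + i}")
    for i in range(40):
        lines.append(f"2005-10-03T11:{i:02d}:10 svc_report 10.1.9.77 "
                     f"SELECT ssn, dob FROM students WHERE id={3000 + i}")
    return lines


if __name__ == "__main__":
    for user, hour, n, baseline in find_spikes(build_sample_log()):
        print(f"SPIKE account={user} hour={hour} sensitive_queries={n} baseline={baseline}")
```

The check is deliberately per-account rather than global: a legitimate financial-aid service that always reads SSNs is not noise, but a reporting account that suddenly reads them forty times in an hour is. In practice the sensitive-column match would come from the database's own audit facility or a data classification tag rather than a substring search, and the absolute floor keeps a quiet account's tiny median from flagging ordinary variation.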
STATISTICS, STUDIES & SURVEYS
Survey: Compliance Consumes Resources (13 December 2006)
The results of a survey from the Oracle Applications Users Group indicate that 80 percent of organizations with 5,000 or more employees need at least four full-time employees to handle data compliance. Twenty-four percent of the companies needed at least 10 employees to manage compliance issues. In addition, more than 60 percent of companies have not finished implementing Sarbanes-Oxley compliance processes.
-http://www.vnunet.com/vnunet/news/2170894/firms-struggling-compliance
[Editor's Note (Pescatore): On Wednesday, the SEC voted unanimously to bring some sanity into the Sarbanes Oxley compliance money burning process. The changes would allow differentiation between areas that would have significant, material impact to a company's financial position and those that would have minor impact. They would also allow businesses to make the determination of which areas were high impact without having to bring in an external auditor. This is a start, at least.
(Ullrich): The money and time spent on compliance doesn't have to be a waste. Compliance is frequently the lever needed to receive resources from management. It's up to the technical and political skill of the security group to use these resources wisely. ]
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/