SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #45

June 06, 2008

Next Wednesday is the deadline for early registration discounts for SANSFIRE 2008 (July 22-31) - the only Washington DC program where seats are still available (but not many) for the new Penetration Testing courses. Also Security Essentials, CISSP Prep, Hacker Techniques, Forensics, Auditing and 21 other courses: http://www.sans.org/sansfire08
Alan

---

TOP OF THE NEWS

Software Update Caused Emergency Shutdown at Nuke Plant
Number of Identity Theft Reports Unaffected by Breach Notification Laws
UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare Identified as Source of Data Leak

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Walter Reed Breach Might Be Due to P2P Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
June's Patch Tuesday Will Offer Seven Microsoft Security Bulletins
Update Available to Address ActiveX Flaws in HP Instant Support
Sun Microsystems Releases Fixes for Six Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen AT&T Laptop Holds Unencrypted Management Compensation Data
Stolen Computer Holds Canadian Farmers' Data
Metasploit Briefly Affected by ARP Cache Poisoning Attack
MISCELLANEOUS
BT's Secret Phorm Trial Caused Some Browsers to Crash
Study Tracked People by Cell Phone for Six Months
China's Golden Shield Surveillance Society
LIST OF UPCOMING FREE SANS WEBCASTS

---

*************************************************************************

TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Software Update Caused Emergency Shutdown at Nuke Plant (June 5, 2008)

Flaws in a software update caused the Hatch nuclear power plant in Baxley, GA to shut down in early March of this year. The software update was made on just one computer on the plant's business network. That computer monitors chemical and diagnostic data from one of the plant's primary control systems. A spokesperson said the emergency system reacted as it was designed to and that the security and safety of the plant were never in danger. Although technicians knew of the two-way communication between some computers on the corporate and control networks, the engineer who installed the update was not aware that reboot on the corporate side would force a reset on the control side. Network connections between the affected servers have since been severed.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958_
pf.html
[Editor's Note (Northcutt): Not terribly amazing, nor is this the first time:
-http://www.cdi.org/nuclear/kurchatov.cfm
-http://findarticles.com/p/articles/mi_m1511/is_n5_v17/ai_18199114
-http://www.nbcsandiego.com/news/15415516/detail.html]

Number of Identity Theft Reports Unaffected by Breach Notification Laws (June 5, 2008)

A study conducted by researchers at Carnegie Mellon University found that data breach notification laws in the US have not reduced the number of reported cases of identity theft. The research was based on data supplied by the Federal Trade Commission (FTC). Forty-three states have enacted data breach notification laws over the last five years, but according to a state-by-state analysis, they have had no effect on reports of identity theft made to the FTC. Gartner's Avivah Litan notes that while reports of data breaches are becoming more prevalent in the news, the laws have prompted some organizations to focus on compliance instead of security, so that they may pass an audit, but not be in step with the spirit of the law. Researchers acknowledge that their data sample is incomplete and based on a self-selecting population.
-http://www.csoonline.com/article/383313/Researchers_Notification_Laws_Not_Loweri
ng_ID_Theft
-http://www.theregister.co.uk/2008/06/05/breach_disclosure_effects/print.html
[Editor's Note (Paller): What a silly study. It measures the wrong outcome. What matters about data breach notification is what it does to the quality of defenses. As many security officers will testify, mandatory data breach notification has been the catalyst that allowed them to implement far better defenses. Gartner's John Pescatore said it best (in NewsBites earlier this week): "turns out that the power of bad press is very impressive."
(Schultz): From a scientific perspective, this study is badly flawed. Unfortunately, many players in the information security community have not had much scientific training, and are thus, unfortunately, likely to accept the results of and conclusions from this study at face value. Additionally, Litan's comments are unsupported by scientific data. Consequently, I urge readers to interpret all statements in this news item as speculative, not factual.
(Kreitner): I'm hoping to live long enough to see greater realization that pursuing compliance as an end in itself is hypocrisy. Instead, I'd like to see us track trends in security outcomes in terms of frequency and impact of security incidents and then work back upstream in the process chain to correlate those incidents with use or non-use of various security practices. Only then will we have a rational basis for informing our security. ]

UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare Identified as Source of Data Leak (June 2 & 4, 2008)

United Healthcare has been pinpointed as the source of the data leak that exposed personally identifiable information of 1,132 University of California Irvine (UCI) graduate students. The breach affects UCI graduate students who used the UCI Graduate Student Health Insurance program. The breach came to light in February, 2008 when a number of students attempted to file their tax returns electronically only to be informed by the IRS that their returns had already been filed and their refunds collected. All 155 people who experienced the problem used the aforementioned healthcare program; the breach affects students enrolled in the program for the 2006-2007 academic year.
-http://www.newuniversity.org/main/article?slug=identity_thefts_traced_to156
-http://www.csoonline.com/article/381513/UnitedHealthcare_Data_Breach_Leads_To_ID
_Theft
[Editor's Note (Northcutt): The worst thing about this kind of security flaw is that it messes with people's lives. ]

---

********************** SPONSORED LINK *********************************

1) Upcoming SANS webcast on June 17 at 1pm EDT. Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions, Register Today. http://www.sans.org/info/29434

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Walter Reed Breach Might Be Due to P2P Software (June 3, 2008)

A message briefly posted to the Walter Reed website suggests that the data security breach at Walter Reed Army Medical Center may be due to P2P applications. The breach exposed personally identifiable information of approximately 1,000 patients, although no medical information was exposed. Col. Patricia Horoho, commander of the Walter Reed Health Care System, posted a message that said "I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared." The message is no longer up on the site.
-http://www.darkreading.com/document.asp?doc_id=155501
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316003,00.h
tml
-http://www.roseindia.net/community/spyware/dangers_of_peer_to_peer_systems.shtml
-http://www.fbi.gov/cyberinvest/cyberedletter.htm

-http://weblog.infoworld.com/securityadviser/archives/Fixing_the_Internet_Final.p
df]

[Editor's Note (Northcutt): The cost of monitoring software is so very low, this cannot be excused. P2P really does not have a place at work, we need to get serious and start taking some of the lowest hanging fruit off the table, else the Internet (due to the state of the endpoints ) can truly considered to be broken.
(Veltsos): For those in law enforcement or government, the free tool P2P Marshall will detect the use of P2P clients and report which files were shared.
-http://p2pmarshal.atc-nycorp.com/index.html
(Kreitner): Rather than this sort of plea from management which probably does little to change behavior, I much prefer the approach the US Air Force has taken with over 500,000 of its Windows desktops: remove local admin rights from normal users to restrict installation of software not included in the enterprise standard software image for that platform. It's about stabilizing the technology by putting up an electric fence to control who can change what.
(Grefer): A screenshot is available at
-http://security.blogs.techtarget.com/files/2008/06/walterreed.JPG]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

June's Patch Tuesday Will Offer Seven Microsoft Security Bulletins (June 5, 2008)

Microsoft's June Patch Tuesday will comprise seven security bulletins. Three of the bulletins have maximum severity ratings of critical; those bulletins address vulnerabilities in Bluetooth, Internet Explorer, and DirectX. Three others have maximum severity ratings of important and address flaws in WINS, Active Directory, and PGM. The seventh bulletin has a maximum severity rating of moderate and is a kill bit update. All seven bulletins are slated for release on Tuesday, June 10.
-http://news.cnet.com/8301-10789_3-9959752-57.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9093958&intsrc=hm_list
-http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx

Update Available to Address ActiveX Flaws in HP Instant Support (June 4, 2008)

HP has released an upgrade to address ActiveX remote code execution flaws in HP Instant Support, an application that comes preinstalled on HP PCs. HP Instant Support allows automatic updates to the PCs' drivers and software. The vulnerability affects HP Instant Support HPISDataManager.dll versions 1.0.0.22 and earlier running on Windows machines; users are urged to upgrade to version 1.0.0.24.
-http://www.theregister.co.uk/2008/06/04/hp_support_app_multiple_vulns/print.html
-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264

Sun Microsystems Releases Fixes for Six Vulnerabilities (June 4, 2008)

Sun Microsystems has released a software update and workarounds for half a dozen vulnerabilities in versions 4.0.2 and earlier of its Sun Java System Active Server Pages. The vulnerabilities could be exploited to let attackers log on, gain root access, look at and delete files and execute arbitrary code.
-http://www.gcn.com/online/vol1_no1/46395-1.html?topic=security&CMP=OTC-RSS

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen AT&T Laptop Holds Unencrypted Management Compensation Data (June 5, 2008)

A laptop stolen on May 15 from an AT&T employee's car contains unencrypted "AT&T management compensation information, including names, Social Security numbers (SSNs), and
[some ]
salary and bonus information." Affected employees were notified eight days after the theft. The breach affects people throughout the US.
-http://www.networkworld.com/community/node/28453

Stolen Computer Holds Canadian Farmers' Data (June 5, 2008)

A laptop stolen from a programmer working for the Canadian Canola Growers Association contains personally identifiable information of approximately 32,000 Canadian farmers. The compromised data include bank account numbers and social insurance numbers of farmers who have applied for Agriculture Canada's advance payment programs. Those affected by the breach have been notified by letter. Security measures on the stolen laptop include strong password protection and a biometric fingerprint reader.
-http://www.cbc.ca/canada/manitoba/story/2008/06/05/canola-information.html
[Editor's Note (Veltsos): Sometimes, knowing a little about security can be more dangerous than not knowing at all. The General Manager of the organization was quoted as saying that the strong password and the fingerprint reader would prohibit anyone else from accessing the data on the laptop. ]

Metasploit Briefly Affected by ARP Cache Poisoning Attack (June 3 & 4, 2008)

Attackers hijacked the Metasploit website for a short time on Monday June 2, using an ARP cache poisoning attack. The attack works by altering the ARP cache in such a way that it redirects packets to a compromised server the attackers are controlling. All of the ARP caches on the same network were altered as well. Metasploit creator H.D. Moore said he addressed the problem "by setting a static ARP entry and notifying the ISP. ...Metasploit servers were not compromised."
-http://www.theregister.co.uk/2008/06/03/metasploit_hijack/print.html
-http://www.heise-online.co.uk/security/Hacker-tools-website-hacked--/news/110854
-http://blogs.zdnet.com/security/?p=1242&tag=nl.e550

MISCELLANEOUS

BT's Secret Phorm Trial Caused Some Browsers to Crash (June 5, 2008)

A recently leaked report from British Telecom (BT) says that a secret trial run of technology used by online advertising company Phorm caused problems for some unsuspecting customers. In September and October 2006, BT allowed Phorm to deploy technology on its network that placed JavaScript code into every web page downloaded by the 18,000 users in the trial. The script sent data back to Phorm, allowing the company to develop a user profile and then send that user targeted advertisements. Some users experienced flickering problems when the script was sending the data to Phorm, and some experienced browser crashes. In some cases, the JavaScript appeared in the users' posts in web forums. A US ISP is scheduled to test a similar technology, but legislators have called for its postponement due to a possible violation of privacy laws.
-http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html

Study Tracked People by Cell Phone for Six Months (June 4, 2008)

A study of 100,000 people's movements based on cell phone use found that nearly 75 percent stayed within a 10-mile radius of home over the course of six months. The study was conducted by Northeastern University in Boston without participants' knowledge in an unnamed European country; in the US, such a study would be illegal. The locations were noted whenever the people sent or received a phone call or text message. Precise locations were not known; locations were tracked through the nearest cell phone tower. The information gathered about people's travel patterns could be used to help design transportation systems or predict the spread of disease.
-http://news.bbc.co.uk/2/hi/science/nature/7433128.stm
-http://www.msnbc.msn.com/id/24969880/
Details and related material,:
-http://www.iop.org/EJ/article/1751-8121/41/22/224015/a8_22_224015.pdf

-http://www.nature.com/nature/journal/v453/n7196/full/nature06958.html
(full access to the nature.com article requires a fee)

China's Golden Shield Surveillance Society (May 29, 2008)

China is using people tracking technology developed in the US in its "Golden Shield" high tech surveillance and censorship program, creating a culture in which the government can track every move people make with closed circuit TV cameras and high level facial recognition technology. There are questions about whether or not the export of those technologies violates a law passed shortly after Tiananmen Square that forbids US companies to sell products in China that enable "crime control or detection." The technologies are also used to manipulate difficult situations, like the March protests in Tibet, so those opposing governmental positions look bad, while the government appears benign.
-http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye/print

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast: Testing; vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
-http://www.sans.org/info/28714
Sponsored By: Core Security
-http://www.coresecurity.com/


This webinar will arm you with all the necessary plans for using penetration testing to investigate your organization's vulnerabilities, defenses and configurations - including lab testing your processes - to help you understand what the finished product should look like.

Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/28719


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
-http://www.sans.org/info/28729
Sponsored By: ArcSight
-http://www.arcsight.com/


Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.

SANS Special Webcast: Endpoint Security: Point- Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
-https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace
-http://www.coretrace.com/


Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.

Ask the Expert: Lessons from the Fontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
-http://www.sans.org/info/28754
Sponsored By: Mu Security
-http://www.mudynamics.com/


This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/