SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #52

July 01, 2008

TOP OF THE NEWS

More Than 630,000 Laptops Lost at Airports Each Year
Companies Need to Invest in IT Risk Management

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Convicted in P2P Copyright Infringement Case
Teen Charged in Nugache Worm Case
City Employee Resigns After Password-Sniffing Software Found on Computer
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
US-CERT Issues IE IFrame Warning
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank Issues New Cards to All Affected by Hannaford Data Breach
ICANN and IANA Domains Hijacked
Montgomery Ward Parent Company Didn't Inform Customers of Data Breach
Social Security Administration Exposes 20,000 Records
MISCELLANEOUS
Microsoft Retires Windows XP, Will Support OS Through 2014
TERMINATING AN EMPLOYEE WITH PRIVILEGED ACCESS

---

********************** Sponsored By Sourcefire, Inc. ********************

SC Magazine Names Snort(r) "Best Network Security." Learn how Snort is the engine powering the Sourcefire 3D(tm) System. This IPS is different from others because it shows you everything running on your network in real time. It also gives you context for your security events. Know more real threats. No more wild goose chases. Call 1.800.917.4134 today.
http://www.sans.org/info/30423

*************************************************************************

TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008)

More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008) A Ponemon Institute survey of 106 airports in 46 states found that as many as 637,000 laptops are reported lost each year. Overall, more than 12,000 laptops are reported lost at the airports every week, and 67% are never recovered. The 36 largest US airports account for more than 10,000 lost laptops each week. The laptops are most commonly lost at security checkpoints and departure gates. The survey also included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent. The study was commissioned by Dell, which has just released "a suite of data protection and asset protection services," including laptop tracking and remote data deletion.
-http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9105198&source=rss_topic17
-http://www.crn.com/managed-services/208801451

Companies Need to Invest in IT Risk Management (June 28, 2008)

According to Information Week's 2008 Strategic Security Study, most companies are spending as much or more on IT security than they did last year, but 66 percent believe that their vulnerability to attacks is the same or greater than it was before. The problem lies in the relative lack of effective risk management practices in IT. Because it is virtually impossible for organizations to protect their systems from every conceivable security threat, companies would benefit from the practice of "classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk."
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800942

---

************************* Sponsored Links: ****************************

1) Where can you get an overview of industry "best practice" to secure your virtual infrastructure? Find out at the Virtualization Security Summit August 7-8 in Las Vegas.
http://www.sans.org/info/30428

2) Please visit the SANS Buyers Guide when selecting the latest in IT security technologies.
http://www.sans.org/info/30433

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Convicted in P2P Copyright Infringement Case (June 27 & 30, 2008)

Daniel Dove has been convicted on charges of conspiracy and felony copyright infringement for operating a website where people uploaded pirated content for others to download. The US Department of Justice says this is the first criminal conviction for peer-to-peer copyright infringement. According to prosecutors, Dove helped distribute the pirated content with BitTorrent technology. He faces up to 10 years in prison.
-http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID
=208801676
-http://www.theregister.co.uk/2008/06/27/daniel_dove_elitetorrents_guilty_verdict
/print.html
-http://www.usdoj.gov/opa/pr/2008/June/08-crm-574.html

Teen Charged in Nugache Worm Case (June 30, 2008)

A Wyoming teen has been charged in connection with the spread of the Nugache worm. Nineteen year-old Jason Michael Milmont allegedly tricked users into allowing the worm onto their systems through IM spam and Limewire downloads. The AIM messages contained links to sites where people would be asked to download a file, which turned out to be Nugache. Infected PCs were then made to send spam to all AOL Instant Messenger contacts. The botnet was allegedly used to launch a distributed denial-of-service attack against a California online business. Milmont also allegedly updated the software so it logged keystrokes and could steal sensitive financial information from the PCs' users. Milmont faces up to five years in prison and a fine of US $250,000, but has agreed to a plea deal under which he will pay more than US $70,000 in restitution in return for prosecutors asking for a lighter sentence.
-http://www.jacksonholestartrib.com/articles/2008/06/30/news/wyoming/doc48656c8a9
3378754215938.txt
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9104838&source=rss_topic17
[Editor's Note (Northcutt): According to the Register, he wrote some pretty nifty command and control software and had between 5 and 15k computers under his command at any time:
-http://www.theregister.co.uk/2008/06/28/nugache_creator_plea_agreement/]

City Employee Resigns After Password-Sniffing Software Found on Computer (June 26, 2008)

Timothy Nagel resigned from his position of computer support specialist for the city of Bowie, Maryland after a routine security sweep discovered password-sniffing software on his computer. The program was harvesting password data entered into City Hall computers from one of the city network's servers. Staff members were advised to change their passwords. A private company has been hired to investigate the breach.
-http://www.gazette.net/stories/062608/bowinew173015_32357.shtml
[Editor's Comment (Northcutt): I *think* I found an eight year old resume for him, though there could certainly be more than one Timothy Nagel in Bowie. I like to see if I can find any hints of trouble and in this case, I could not:
-http://www.unimind.org/pages/Nagel_Resume4-6.doc

(Guest Editor Nichols): One of the first documents any security professional should have on file in HR is written permission from management to download what could be misconstrued as potentially malicious security related programs. The second is written permission to use them. Without adequate permissions, you set yourself up for a situation like this to occur; and you may be breaking the law. A production system is not a playground for testing security programs. Use a lab environment and always CYA. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

US-CERT Issues IE IFrame Warning (June 27 & 30, 2008)

The US Computer Emergency Readiness Team (US-CERT) has issued a vulnerability note warning of an IFrame security flaw in several version of Internet Explorer. Proof-of-concept code for the flaw has been published; the flaw is known to affect IE6, IE7 and IE8 beta 1 and can be exploited by tricking users into visiting a maliciously crafted web site or opening malicious email. Users are urged to disable active scripting until a fix is available. Microsoft is investigating the issue.
-http://www.kb.cert.org/vuls/id/516627
-http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleI
D=208801757

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Bank Issues New Cards to All Affected by Hannaford Data Breach (June 30, 2008)

Portsmouth, NH-based Ocean National Bank has decided to reissue new ATM/debit cards to all of its customers whose data were compromised in the Hannaford Bros. supermarket chain data breach. When the bank first learned of the breach earlier this year, it gave its customers the opportunity to request new cards if they wanted them; however, some customers have reported recent fraudulent charges, so the bank plans to reissue cards to all of the approximately 7,000 affected customers. The bank has sent letters to the customers notifying them of the decision. Ocean National Bank has branches in New Hampshire and Maine.
-http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20080630/BIZ/80630032/-
1/NEWS19

ICANN and IANA Domains Hijacked (June 30, 2008)

A Turkish hacker group managed to hijack domains used by the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) for a short period of time late last week. The DNS records for the websites were changed to point to the group's own site. The ICANN problem was addressed in less than half an hour, but it took a day or two for the fix to make it through DNS servers around the world.
-http://news.cnet.com/8301-10789_3-9980713-57.html?part=rss&subj=news&tag
=2547-1_3-0-20
-http://www.heise-online.co.uk/security/ICANN-and-IANA-domains-hijacked--/news/11
1026

Montgomery Ward Parent Company Didn't Inform Customers of Data Breach (June 27, 2008)

The credit card information of at least 51,000 people who purchased items from Wards.com was compromised late last year, but customers were never informed of the breach. The data thieves stole the information from a database belonging to Direct Marketing Services, Inc., which bought the Montgomery Ward name in 2004, several years after the company went out of business. Direct Marketing Services apparently followed guidelines from Visa on how to respond to a data breach, which included informing the payment processor and Visa and MasterCard and filing a report with the US Secret Service. However, it appears the guidelines did not informing affected consumers, despite the fact that most states have data breach notification laws on the books. The company now says it plans to inform customers of the breach.
-http://www.cbsnews.com/stories/2008/06/27/tech/main4215439.shtml?source=RSSattr=
SciTech_4215439
-http://www.scmagazineus.com/Report-Montgomery-Ward-fails-to-alert-victims-of-bre
ach/article/111922/
[Editor's Note (Cole): Credit card theft will continue to be a problem. Some tricks are (1) only use one card for credit card purchases on the Internet or in stores and have a low/reasonable credit limit on it; (2) expire your card every 3-6 months to reduce exposure; (3) look at secure card options that generate a unique card number for every purchase. ]

Social Security Administration Exposes 20,000 Records (June 26, 2008)

The personal data, including Social Security numbers (SSNs), of more than 20,000 people were exposed after the US Social Security Administration (SSA) mistakenly included the information on the Death Master File (DMF), according to the agency's inspector general. The DMF is provided to the Commerce Department's National Technical Information Service (NTIS), where it can be purchased by the government, investigators, credit reporting companies and others. The SSA removed the information from the list when it learned of the error, but the information had already been shared with others. In some cases, the data were available for viewing on the Internet.
-http://www.fcw.com/online/news/152975-1.html?type=pf
[Editor's Note (Pescatore): This is one of those "data quality" incidents, not really a security issue, sort of like when the fortune cookie company put the risqu fortunes into the wrong fortune cookies. The SSA has had a phenomenally good security record over the years, and consistently high FISMA grades as a consequence of their strong security program.]

MISCELLANEOUS

Microsoft Retires Windows XP, Will Support OS Through 2014 (June 30, 2008)

As of July 1, Microsoft will no longer be making its Windows XP operating system available to computer makers or consumers. XP will still be made available to small, independent computer makers through July 2009, and to manufacturers of low cost computers such as Asus until 2010. Some manufacturers are taking advantage of a loophole in Microsoft's licensing agreement that allows users to downgrade to earlier versions of operating systems at no cost. The decision to discontinue XP has met with protests from users who are unhappy with Windows Vista. In response, Microsoft has recently announced that it will support Windows XP through 2014.
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?a
rticleID=208801694
[Editor's Note (Northcutt): When I was doing the research for my Endpoint security webcast I came to realize that we are pretty much down to whitelisting technology as our last line of defense and that there was essentially no possibility for the "average Joe" to secure their home user and small office endpoint systems. I realize Microsoft is totally dominant, but if they keep misplaying their hand, I would not be surprised to see more and more people take a look at an alternative such as Ubuntu:
-https://www.sans.org/webcasts/show.php?webcastid=91963
-http://www.ubuntu.com/]

TERMINATING AN EMPLOYEE WITH PRIVILEGED ACCESS

In our last issue, Stephen Northcutt pointed out that terminating an employee with privileged access is a tough problem and asked for your suggestions. We want to thank Raymond Parks, Joona Airamo, Jay Libove and Jeffery Williams for their input which is summarized below:

1. The possibility of damage from the individual must be considered in deciding when to revoke privileges - the greater their capacity to do damage, the sooner privileges should be revoked, up to the point that they are told of being fired.

2. The security staff should pay special attention and possibly expand their checks when something like this is about to happen - again depending upon the capacity for damage of the to-be-fired individual. The security staff needs to think of what the individual leaving could do and put in place mechanisms to detect all of those malicious activities.

3. The confidentiality of the personnel action is critically important- there should be no leaks in advance of notifying the individual.

4. Conversely, the individual should not find out they're fired when their password no longer works. The individual will quickly deduce what has happened and management will have squandered any chance of transition help. What's more, revocation of privileges may not be complete in time to prevent the individual from getting around that first unintentional notice.

5. The need for careful timing of announcement with privilege revocation can mean that others who need to take action need to have the tools, processes, and manning to do so on very short notice.

6. If there needs to be a transition period with knowledge transfer - then access can only be granted under two-person control. The person overseeing the individual leaving must be carefully instructed about the need for maintaining that control and must be able to detect malicious actions.*

7. If there is any chance the employee had access to production systems, checking for logic bombs is recommended.

8. You may need to consider changing all passwords. The admin would have had access to all password hashes. This would allow them to brute force attack them to derive original passwords. If you have LANMAN enabled, this will happen quickly. With Rainbow tables (pre-computed hashes), the weaknesses in the MD4 algorithm used in the NT hash will also allow those hashes to be derived in fairly short order. This attack vector should be considered if an admin leaves and there is any doubt or suspicion.

9. In Europe, due to privacy laws you may not be able to inspect removable media when the admin is leaving. It may be best to jointly destroy any removable media or to ask permission to search it. In Europe you also need to consider the person's right to privacy with regards to the reason they are leaving the organisation. It is therefore critical that there are no leaks/rumours regarding the person's termination outside of the key people involved in the process. As a European organisation you can only search removable media belonging to the organisation and not personal media such as MP3 players, USB keys etc that are the individuals private property.

10. Consider a password management system for privileged users such as Cyber-Ark, PowerBroker or BeyondTrust.

11. If you are using full disk encryption consider re-encrypting sensitive data with a different key.

12. Even an imperfect policy, properly followed is better than no policy.

13. The termination process should include physical security whereby the member of staff is physically escorted from the premises to ensure they do no harm and that security guards are briefed and instructed to prevent the person entering the premises again.

*Long ago, I was asked whether having a security policeman watching over the shoulder of the person modifying the security alarm system was two-person control - I suggested that would only work if the SP knew enough to do the work of the alarm technician. Otherwise, the observer was useless to prevent malicious activity by the alarm technician.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/