SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #54
July 11, 2008
TOP OF THE NEWS
Critical DNS Flaw - Have You Fixed It?
Dutch University Sued by RFID Chip Manufacturer
U.S. Senators Pass New Wiretapping Measure
UK House of Lords Call for Data Breach Disclosure Law
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NHS Trusts to Have Third Party Audits
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Exploits Zero Day Bug in Microsoft Word
Quiet Patch Tuesday for July
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Man Convicted for Attempted US$142m Electronic Fraud
Data Breach Exposes Personal Details of US Supreme Court Justice
Data Center Shut Down by Thieves
STATISTICS, STUDIES & SURVEYS
IRS Claims Tax-related Identity Theft Rose 644%
********* The Forensics, eDiscovery, and Incident Response Summit ******
Las Vegas, October 13-14
You have been looking for the best practices in forensics - especially in responding to credit card theft and large scale nation state attacks, and for how to respond to ediscovery demands and major incidents. This Summit brings together people like Bryan Sartin (Cybertrust, Verizon) talking about effective techniques for responding to the latest Payment Card Industry Threats, and Kevin Johnson and Tom Liston (Intelguardians) showing you how to investigate intruders who know your network better than you. Plus a dozen more of the best and brightest in the industry. That's why we call it the Summit. If you do forensics or incident response, this is an important meeting for your career.
http://www.sans.org/forensics08_summit/
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Critical DNS Flaw - Have You Fixed It? (9th July 2008)
A major flaw in the Domain Name System (DNS) has been worked on quietly for the past few months by computer and software vendors, and a fix was announced on Tuesday. Dan Kaminsky of IOActive discovered the flaw while doing non-security-related research and contacted each of the main vendors. In a coordinated effort the vendors kept the details of the issue secret while developing the fix. Details of the problem will remain secret until Kaminsky releases more at Black Hat 2008 in August.
-http://news.cnet.com/8301-10789_3-9985815-57.html
-http://news.bbc.co.uk/2/hi/technology/7496735.stm
-http://www.theregister.co.uk/2008/07/09/dns_fix_alliance/
-http://www.siliconrepublic.com/news/article/10991/cio/security-experts-join-to-fix-major-flaw-in-webs-backbone
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article4301557.ece
[Editor's Note (Honan): According to an article in The Register (
-http://www.theregister.co.uk/2008/07/09/dns_bug_student_discovery/)
the flaw was originally discovered 3 years ago by a student, Ian Green, studying for his GIAC Security Essentials Certification (GSEC). Ian's paper is available at
-http://www.sans.org/reading_room/whitepapers/dns/1567.php
(Northcutt): This problem may be old news; but it is time to get it fixed. ]
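As an added practitioner check (not part of the newsletter item, nor code from Kaminsky or the vendors): the coordinated patches released on 8 July 2008 worked by adding source-port randomization to recursive resolvers, a detail the item above does not spell out. A quick way to confirm that a resolver has picked the fix up is to capture the UDP source ports on its outbound queries and look at their spread; a resolver that still sends every query from one port, or walks ports sequentially, has only the 16-bit transaction ID standing between it and a poisoned cache. The Python below scores such a sample. The three port lists are constructed for illustration, not real captures, and the classification thresholds are assumptions chosen for small samples.

```python
"""Heuristic check of whether a recursive DNS resolver randomizes its
outbound UDP source ports (the defence added by the July 2008 patches).

Input is a list of the source ports observed on the resolver's outgoing
queries, e.g. pulled from a packet capture taken on the resolver itself.
"""
from collections import Counter
import math

# Constructed samples (not real captures) showing three resolver behaviours.
FIXED_PORTS = [53] * 20                        # every query from port 53
SEQUENTIAL_PORTS = list(range(32768, 32788))   # one port higher per query
RANDOMISED_PORTS = [49234, 60817, 1055, 33921, 58002, 7719, 25360, 64001,
                    41188, 12470, 52931, 3021, 37777, 61234, 19008, 45590,
                    28845, 9911, 56120, 34302]


def sequential_fraction(values):
    """Fraction of consecutive observations that step by exactly +1
    (modulo 2**16, so a counter wrapping at 65535 is still caught)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed values. With n
    samples this is bounded by log2(n), so it is a sanity check on the
    sample, not a proof that the resolver has 16 bits of port randomness."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_ports(ports, max_sequential=0.2, min_distinct_ratio=0.8):
    """Classify observed source ports as 'fixed', 'sequential',
    'low-diversity' or 'randomised'. Thresholds are assumptions."""
    if not ports:
        raise ValueError("no source ports observed")
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    if sequential_fraction(ports) > max_sequential:
        return "sequential"
    if distinct / len(ports) >= min_distinct_ratio:
        return "randomised"
    return "low-diversity"


def port_report(ports):
    """Summary a practitioner can read off: verdict, distinct-port count,
    observed range and empirical entropy of the sample."""
    return {
        "verdict": assess_ports(ports),
        "observed": len(ports),
        "distinct": len(set(ports)),
        "range": (min(ports), max(ports)),
        "entropy_bits": round(shannon_bits(ports), 2),
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("randomised", RANDOMISED_PORTS)):
        print(name, port_report(sample))
```

Only the "randomised" verdict indicates the resolver behaves as patched; "fixed" and "sequential" are the pre-patch behaviours, and "low-diversity" means the resolver cycles among a handful of ports and deserves a closer look. Capture at least a few dozen queries before trusting the verdict, since the entropy figure can never exceed log2 of the sample size.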
Dutch University Sued by RFID Chip Manufacturer (8th July 2008)
NXP Semiconductors is suing Radboud University in a bid to prevent the university from presenting a paper on cracking the Oyster smartcard, used widely on the London public transport network. Researchers at the university plan to reveal how they hacked and cloned the NXP-manufactured MIFARE RFID chip used in the Oyster card at a security conference to be held in October in Spain. NXP Semiconductors wants to stop the paper from being published for "safety reasons."
-http://www.vnunet.com/computing/news/2221160/chip-maker-sues-oyster-hackers
-http://news.zdnet.co.uk/security/0,1000000189,39444421,00.htm?r=2
[Editor's Note (Schultz): Who is NXP trying to fool? Almost certainly numerous other individuals and/or organizations currently know how to crack the Oyster smartcard, or if not, they will very soon. Suppressing the dissemination of vulnerability-related information has over time proven at best to be a very temporary fix.
(Northcutt): Great opportunity to see how common the EURO zone really is.
(Pescatore): I dunno, details on a hack for the Dutch version of this came out 6 months ago and the details on this one came out in March. While I certainly hope the presentation will attempt to minimize how much easier they make it for the bad guys, this horse is way out of the barn. ]
U.S. Senators Pass New Wiretapping Measure (9th July 2008)
The U.S. Senate has approved a bill providing legal protection to telecommunications companies that took part in an electronic surveillance program targeting terrorism. The bill, the Foreign Intelligence Surveillance Act (FISA) Amendments Act, passed by 69 votes to 28 and now goes to President Bush for signature. Critics of the bill claim it allows warrantless surveillance and eavesdropping on the telecommunications of American citizens and lacks adequate safeguards.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208808232
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108258&source=NLT_SEC&nlid=38
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/09/AR2008070901780.html
UK House of Lords Call for Data Breach Disclosure Law (8th July 2008)
The Science and Technology Committee in the United Kingdom's House of Lords has published a follow-up report on personal internet security in which it calls for the introduction of data breach disclosure laws. The report also calls for a reversal of the rules whereby victims of cybercrime are supposed to report the crime to their banks rather than the police. In addition, the House of Lords wants legislation introduced to ensure banks are held responsible for losses resulting from electronic fraud. The committee published a report in 2007 with a number of recommendations which the UK government subsequently did not implement. The recent spate of data breaches, such as the 25 million personal records lost by HMRC (Her Majesty's Revenue and Customs), has put internet security firmly in the spotlight. The report is available from
-http://www.publications.parliament.uk/pa/ld200708/ldselect/ldsctech/131/131.pdf
-http://www.theregister.co.uk/2008/07/08/peers_cybercrime_shakeup/
-http://news.zdnet.co.uk/security/0,1000000189,39444410,00.htm?r=2
[Editor's Note (Pescatore): Definitely needed. I was one of those who thought the "orgies of disclosure" in the US would lead to desensitization and lead to disclosure "mea culpas" being seen as less expensive than preventing the problem. I was dead wrong - CEOs and boards of directors don't seem to get desensitized to bad press, even though consumers have proven they do. Having one of your competitors or peers go through a disclosure event is one of the best ways to win budget battles.
(Honan): The BBC have a comedy sketch that highlights the issue of who is responsible for losses incurred resulting from identity theft, the banks or the customer
-http://www.youtube.com/watch?v=CS9ptA3Ya9E]
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NHS Trusts to Have Third Party Audits (8th July 2008)
National Health Service Trusts in the United Kingdom are being urged to engage independent auditors to ensure that staff employ appropriate data-handling practices. Currently each trust is required to carry out its own "information governance assurance" self-assessment. NHS Trusts are rolling out encryption to all computers holding patients' personal data, but acknowledge that the project will not be completed on time. Marlene Winfield, national patient lead for NHS IT body Connecting for Health, acknowledged the delay in the encryption roll-out and said, "We realize there is going to be a delay before everything is encrypted but we are relying on alternative measures and many more safeguards." She added that the health trusts have introduced new training and disciplinary measures for staff and that bulk transfers of unencrypted data have been suspended.
-http://news.zdnet.co.uk/security/0,1000000189,39443788,00.htm?r=2
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Exploits Zero Day Bug in Microsoft Word (10th July 2008)
Microsoft has warned that attackers are actively exploiting a previously unknown vulnerability in Microsoft Word. The vulnerability has been confirmed in Microsoft Word 2002 with Service Pack 3; researchers at Symantec are investigating whether other versions are affected. In a post to the Microsoft Security Response Center (MSRC) blog, Microsoft states, "we are aware of limited, targeted attacks attempting to use the reported vulnerability, but we will continue to track this issue."
-http://www.scmagazineuk.com/Attackers-target-zero-day-Microsoft-Word-bug/article/112272/
-http://www.theregister.co.uk/2008/07/09/zero_day_word_flaw/
-http://blogs.technet.com/msrc/archive/2008/07/08/vulnerability-in-microsoft-word-could-allow-remote-code-execution.aspx
Quiet Patch Tuesday for July
For the first time since March 2007, Microsoft's monthly security update contains no bulletin rated higher than Important. July's update contains four bulletins addressing nine vulnerabilities in Microsoft Windows, Exchange Server and Outlook.
-http://www.vnunet.com/vnunet/news/2221097/microsoft-issues-monthly
-http://www.informationweek.com/news/security/app_security/showArticle.jhtml?articleID=208803255
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Man Convicted for Attempted US$142m Electronic Fraud (7th July 2008)
A bank clerk working at HSBC has been sentenced to nine years' imprisonment for his part in an attempted electronic fraud of GBP 72 million (US $142 million). Jagmeet Channa received 90 months for conspiracy to defraud and nine years for money laundering. Channa is believed to have been the inside man in the attempted fraud. He used stolen login credentials belonging to co-workers to transfer funds from HSBC accounts to accounts held at third-party banks in Morocco and in Manchester, England. HSBC was quickly alerted to the transfers when Channa left one of the accounts he raided with a negative balance. CCTV images were used to rule out the co-workers whose login credentials Channa had abused.
-http://www.theregister.co.uk/2008/07/07/hsbc_electronic_heist_sentencing/
-http://news.bbc.co.uk/2/hi/uk_news/england/london/7493443.stm
Data Breach Exposes Personal Details of US Supreme Court Justice (10th July 2008)
An employee at the Wagner Resource Group, an investment firm in McLean, Virginia, exposed the personal details of 2,000 of the company's clients after installing the peer-to-peer file-sharing software LimeWire on his computer. The victims include a number of lawyers and Supreme Court Justice Stephen Breyer. The breach went undiscovered for six months, until a reader of The Washington Post's Security Fix blog found the information on LimeWire and notified the Post.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997_pf.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208808240
-http://blog.washingtonpost.com/securityfix/2008/07/us_supreme_court_judge_data_ex_1.html?nav=rss_blog
Data Center Shut Down by Thieves (10th July 2008)
A number of websites hosted by Cable & Wireless went offline after thieves stole vital networking equipment from the company's Watford network site. The theft left some prominent websites, such as those of The Financial Times and Sainsbury's, unavailable. Cable & Wireless stated it had "experienced unforeseen network issues that have regrettably had an effect on a number of our customers." UK police have highlighted that theft of metal, such as the copper wire found in telecommunications links, is the fastest-growing area of crime they currently deal with.
-http://www.theregister.co.uk/2008/07/10/cable_wireless_robbery/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108838&source=NLT_SEC&nlid=38
[Editor's Note (Pescatore): Information security people really are *not* good at physical security, and for good reason there has been way less convergence of the two than the hype would have suggested - the two are very different disciplines. However, integration and cooperation between the two is very important. In that vein, everyone go nudge their physical security people to make sure our companies haven't gotten lax on mail room security. We haven't seen Anthrax or mail bombs in a while but that doesn't mean we won't see them again - and theft of computers or sensitive tapes and the like from mailrooms can lead to having to go through a disclosure event. Check out the US Postal Service publication 166 at
-http://www.usps.com/cpim/ftp/pubs/pub166/welcome.htm
for good guidelines. ]
STATISTICS, STUDIES & SURVEYS
IRS Claims Tax-related Identity Theft Rose 644% (8th July 2008)
A report released by the U.S. Internal Revenue Service (IRS) states that tax-related identity theft increased roughly seven-fold over the four-year period ending September 2007. The report also highlights that the IRS's efforts to deal with victims of the crime can often exacerbate the problem. The number of cases in which criminals use victims' Social Security numbers to file fraudulent claims or obtain employment has risen 644% since 2004. The IRS's attempts to deal with the problem often leave victims with delayed or frozen refunds, or facing collection actions such as liens and levies. Nina Olson, the National Taxpayer Advocate, says, "While the IRS is reforming some aspects of its approach to identity theft, its procedures for dealing with victims have been a significant part of the problem."
-http://www.nydailynews.com/money/2008/07/08/2008-07-08_taxrelated_identity_theft_rose_644_irs_o.html
[Editor's Note (Pescatore): Well, since in the US we still do online tax filing with nothing more than a reusable PIN, hard to be surprised that tax related identity theft is growing. The IRS has done nothing to raise the bar in security here.
(Schultz): Given all the IRS data security problems that have been identified over the years, these statistics are by no means surprising. At the same time, however, the IRS deserves credit for addressing many of these problems. ]
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/