SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #57

July 22, 2008

For DC-area security professionals: This Thursday at 2:30 PM at the Marriott Wardman Park Hotel, Maarten van Horenbeek, is giving a briefing to all the SANSFIRE attendees in Washington called "Is Troy Burning" How the Chinese Attacks Actually Work". We talked him into doing a second one that is open to others in the Washington Area who want to understand the Chinese attacks so they can know what to do about them. Maarten led investigations of the targeted attacks since 2002. He has been able to connect these attacks against various NGOs to a small number of attackers, and determined that the attacks originate from PRC nationals. During his research, he found that the same groups attack US government contractors and US government agencies. The talk will cover the methods used to launch the malware and infect targets, how the malware is controlled and how certain waves of attacks relate to current political events (e.g Falun Gong, Tibet) and more. The fee is $100 but all Department-level federal CISOs can provide federal employees and contractors with a code that makes it free.

Details and registration is at http://www.sans.org/washington_troy/

---

TOP OF THE NEWS

UK Police Data Retention Practices Dealt One-Two Punch
Judge Rules Dutch Univ. Researchers May Publish Report of Oyster RFID Chip Hack
Maryland Police Infiltrated Activist Organizations

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Connecticut Prosecutors Haven't Dropped Charges Against Amero
Former UnitedHealthcare Employee Charged in Data Theft Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
MoD Revises Lost Laptop Figures
Gordon Brown Aide's BlackBerry Stolen on China Trip
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RIM Issues Patch for BlackBerry PDF Vulnerability
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DDoS Attack on Georgian President's Website
Seattle Home Healthcare Co. Agrees to Pay US $100,000 to Settle HIPAA Violations
Server Stolen from Minneapolis VA Home Holds Residents' Data
MISCELLANEOUS
College Software Texts Found To Teach Insecure Coding
Not Guilty Plea in San Francisco Network Hijacking Case

---

******************** Sponsored By ArcSight, Inc. ************************

Complimentary Whitepaper: Critical Capabilities for Security Information and Event Management Technology, 2008
A detailed Gartner research report that offers valuable analysis you can use to evaluate Security Information and Event Management (SIEM) solutions for your organization!
Gartner's Critical Capabilities for SIEM helps you evaluate solutions through three use cases based on major SIEM capabilities. The areas include ease and speed of deployment, support simplicity and user acceptance.
http://www.sans.org/info/30918

*************************************************************************

TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

UK Police Data Retention Practices Dealt One-Two Punch (July 21 & 22, 2008)

The UK's Information Tribunal, formerly known as the Data Protection Tribunal, has ruled that individuals with years old trivial offenses may have the information wiped from police computers; presently all convictions remain in the database for 100 years. The Tribunal's judgment refers to five specific cases in which the offenses were many years in the past and have had needlessly negative effects on the individuals' efforts to pursue their careers. The ruling opens the door for anyone who has a conviction for a minor offense in his or her youth and has since remained out of trouble to petition to have the information stricken from the Police National Computer. In addition, the Ethics Group, a government appointed advisory body, said that keeping DNA samples from people arrested but never convicted or charged with a crime is a potential violation of human rights.
-http://www.timesonline.co.uk/tol/news/uk/crime/article4375311.ece
-http://www.mailonsunday.co.uk/news/article-1037033/Police-stop-putting-DNA-sampl
es-innocent-volunteers-database-says-Government-body.html
-http://www.informationtribunal.gov.uk/

Judge Rules Dutch Univ. Researchers May Publish Report of Oyster RFID Chip Hack (July 18 & 21, 2008)

A Dutch judge has ruled that researchers at Radboud University in Nijmegen, Holland may publish their research about the Mifare Classic (Oyster) RFID chip. NXP, the company that manufactures the chips, had filed a lawsuit seeking to prevent the researchers' findings from being published. NXP said that publishing the information would be "irresponsible." The researchers do not plan to include details about how to clone cards that use the chip. The chip is used in Oyster cards, a prepaid smart card system in the UK, as well as in Hong Kong's travel card and the Dutch Rijkspas smartcard. In his ruling, the judge indicated that freedom of speech trumps NXP's commercial interests: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."
-http://www.theregister.co.uk/2008/07/18/university_can_publish_oyster_research/p
rint.html
-http://news.bbc.co.uk/2/hi/technology/7516869.stm
[Editor's Note (Honan): Kudos to the Judge for determining that the problem lies with manufacturers producing systems/devices with security weaknesses and not with those who discover those weaknesses.
(Schultz): Fortunately, reason has so far prevailed in this case. As I said earlier, attempting to suppress knowledge concerning how to crack the Oyster card amounts to little more than a futile attempt at "security by obscurity." ]

Maryland Police Infiltrated Activist Organizations (July 18, 2008)

According to documents obtained through a Maryland Public Information Act lawsuit, Maryland state police have been infiltrating peace and anti-death penalty activist organizations and in some instances, entering the names of some of the members into a law enforcement database of suspected terrorists and drug traffickers, even though the individuals' actions were lawful. Nowhere in the documents is there any indication that the protesters engaged in criminal intent or activity. State police officials maintain that individuals' civil rights were not violated.
-http://www.baltimoresun.com/news/local/bal-te.md.spy18jul18,0,3787307.story

---

************************** SPONSORED LINK *****************************

1) FREE WEBCAST: How Central Michigan University Gains Internal Network Visibility Using StealthWatch - Register Now!
http://www.sans.org/info/30923

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Connecticut Prosecutors Haven't Dropped Charges Against Amero (July 10 & 21, 2008)

Connecticut prosecutors have not dropped charges against substitute teacher Julie Amero despite the fact that the judge in her case vacated a guilty verdict more than a year ago. Amero was charged three years ago with risk of injury to a minor after the PC in her classroom began displaying pornographic pop-ups. Police accused Amero of surfing to pornographic websites, but researchers later used forensics to demonstrate that the pop-ups were caused by malicious code on the computer, not by Amero's actions. The school had not properly updated security software on the machine.
-http://www.securityfocus.com/brief/778
-http://www.theregister.co.uk/2008/07/10/smut_pop_up_teacher_update/
[Editor's Comment (Northcutt): This type of thing came up in June in issue 48 of NewsBites. It certainly illustrates the need for strong policy and procedures for seizure and examination of the suspect computer. If we are going to fire people or charge people criminally, we MUST get our ducks in a row. And what about prevention? You would think schools would be turning to whitelist software to reduce the possibility of anyone installing anything for any reason on their systems:
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=48#sID2
02]

Former United Healthcare Employee Charged in Data Theft Case (July 15, 2008)

Mike Tyrone Thomas, Jr. has been charged with stealing customer data while he was employed in the student resources department at UnitedHealthcare. Thomas allegedly accessed the data in October 2007. In February 2008, 163 University of California, Irvine graduate students enrolled in the university's Graduate Student Health Insurance Program discovered that their tax returns had already been filed; the data thief was likely hoping to collect their refund checks. UnitedHealthcare has notified all 1,100 students whose data were accessed.
-http://www.csoonline.com/article/437668/UnitedHealthcare_Insider_Charged_in_Cal_
Data_Theft?contentId=437668&slug=&source=nlt_csonewswatch

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

MoD Revises Lost Laptop Figures (July 18 & 21, 2008)

The UK Ministry of Defence (MoD) now says that it has lost 658 laptop computers and 121 USB drives since 2004. The 658 laptops were reported stolen; an additional 89 were reported lost. Just 32 of the laptops have been recovered. No distinction was made between the number of USB drives lost or stolen; three of the drives reported missing this year hold secret information and 19 hold restricted information. Earlier, MoD said it had lost 347 laptops over the four-year period. The revised numbers were issued after MoD discovered "anomalies in the reporting process."
-http://www.vnunet.com/vnunet/news/2222068/mod-admits-massive-losses-data
-http://news.bbc.co.uk/2/hi/uk_news/7514281.stm
[Editor's Note (Veltsos): IT departments on tight budgets should consider installing free laptop tracking software as way to locate missing equipment. Such software is by no means foolproof against a tech-savvy thief, but the price is right. The laptop tracking software, Adeona, was developed by the University of Washington and the University of California San Diego.
-http://adeona.cs.washington.edu/]

Gordon Brown Aide's BlackBerry Stolen on China Trip (July 20, 2008)

An aide to UK Prime Minister Gordon Brown fell prey to a likely "honeytrap" scheme in January when his BlackBerry phone was stolen after he brought a woman he met at a disco in China back to his hotel room. The aide was accompanying the PM on the trip; he reported the device missing the next morning. Officials suspect the incident was orchestrated by Chinese intelligence. It was not disclosed whether the device held top-secret information, but even so, it could potentially be used to gain access to the Downing Street server. Blackberrys used by Downing Street staff are password-protected but most are not encrypted. The aide has been informally reprimanded.
-http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
[Editor's Note (Ullrich): A nice reminder to leave electronic devices at home when traveling abroad. And if you are geek enough to take them, being all for sudden popular with women is a dead giveaway for an intelligence operation.
(Northcutt): Classic! If you know anyone going to the Olympics, please share this story with them and suggest they leave their laptops and other electronics at home. This will be a field day for Chinese intelligence gathering. They have been targeting people and are quite ready:
-http://www.sudantribune.com/spip.php?article22984
-http://www.iht.com/articles/ap/2007/07/24/asia/AS-GEN-China-Olympic-Intelligence
.php
(Paller) Or take "travel-tops" and "travel-phones" that are throw-aways without sensitive data or access to sensitive systems.

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

RIM Issues Patch for BlackBerry PDF Vulnerability (July 21, 2008)

Research in Motion has released a patch for its BlackBerry Enterprise server (BES) to address a vulnerability in the PDF distiller component of the BlackBerry attachment service. The flaw could be exploited to gain access to the server by sending users maliciously crafted PDF files. RIM advises administrators working in a Windows enterprise environment to update to BES version 4.1 Service Pack 6 (4.1.6) for Microsoft Exchange Server.
-http://www.gcn.com/online/vol1_no1/46687-1.html?topic=security&CMP=OTC-RSS
-http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_P
ublic&command=show&forward=nonthreadedKC&kcId=KB15766

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

DDoS Attack on Georgian President's Website (July 21, 2008)

The website of Georgian president Mikhail Saakashvili was the target of a distributed denial-of-service (DDoS) attack over the weekend, rendering it temporarily inaccessible. Initial analysis of the attack indicates it may have come from Russian attackers. Tension between Georgia and Russia has been escalating due to Georgia's bid for NATO membership as well as the issue of independent republic status for the Abkhazia region of Georgia, which is supported by Russia but not by Georgia.
-http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articl
eID=209400218
-http://www.theregister.co.uk/2008/07/21/georgia_presidential_site_ddos/print.htm
l
-http://www.zdnet.co.uk/misc/print/0,1000000169,39450414-39001093c,00.htm

Seattle Home Healthcare Co. Agrees to Pay US $100,000 to Settle HIPAA Violations (July 18, 2008)

Providence Health & Services of Seattle, a home health care services company, has paid US $100,000 to resolve complaints about breaches of information privacy and security rules. The company will also make changes to its policies and procedures to guard against similar incidents. Providence acknowledges that laptop computers, disks and tapes that held patient health records were taken from employees' cars five times in 2005 and 2006. The information on the devices is covered by the Health Insurance Portability and Accountability Act (HIPAA). Providence notified affected patients and the Department of Health and Human Services (HHS). More than 30 patients filed complaints with HHS. The US $100,000 payment is the outcome of a HHS investigation and precludes the need to impose a civil penalty.
-http://www.govhealthit.com/online/news/350464-1.html
-http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf
[Editor's Note (Ullrich): Some healthcare providers are watching closely to see whether the fines make it worthwhile for them to pay more attention to HIPAA. I am not sure $100,000 is enough to will do the trick. ]

Server Stolen from Minneapolis VA Home Holds Residents' Data (July 18, 2008)

Among the items stolen from the Minneapolis Veterans Home is a backup server that contains personally identifiable information of some of the home's residents and their dependents. Affected individuals are being notified of the theft by the Minnesota Department of Veterans Affairs, which operates the home. Officials were not immediately aware of the server's theft because it was not being used at the time; a newer server had been installed and the missing server was used as a backup. The thieves also took a laptop computer that did not contain personally identifiable information, a Wii game system and other electronic gear.
-http://www.startribune.com/local/25623519.html?location_refer=Homepage:latestNew
s:4
Follow-on: The server held telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents. The data "can only be accessed by using a password."
-http://www.startribune.com/local/25652209.html?location_refer=Error

MISCELLANEOUS

College Software Texts Found To Teach Insecure Coding (July 22, 2009)

Texts from O'Reilly, SAMS, Osbourne, Wrox and Pearson Prentice Hall were found to present insecure code to readers - thus contributing to weak secure coding skills. Four individuals were recognized today for their excellent descriptions of insecure code found in programming texts. +Craig Wright of BDO Kendalls in Australia was the overall winner with two first place winners and two honorable mentions. He found errors in: - The Complete Reference: C 4th Ed. (Osbourne) (Particularly good for showing how to find bugs using Safari service) - Programming Embedded Systems in C and C++ (O'Reilly) - C Primer Plus, Third Edition (SAMS) - C in a Nutshell (O'Reilly) +Dr. James Walden of Northern Kentucky University won a first place award for errors found in "Introduction to Java Programming, 7th edition" (Pearson Prentice Hall ) +Brian Zaugg won an honorable mention for found errors in Beginning Ruby: from Novice to Professional (Apress) +Scott March of Interweb Technologies won an honorable mention for errors found in Beginning ASP Databases (Wrox) The actual errors will be posted next week at the SANS web site.

Not Guilty Plea in San Francisco Network Hijacking Case (July 21, 2008)

The network administrator accused of hijacking the city of San Francisco's computer network has pleaded not guilty. The Department of Telecommunication Information Services (DTIS) has not been able to gain access to the network hardware since the incident occurred. The administrator has worked for DTIS for several years.
-http://www.heise-online.co.uk/security/San-Francisco-network-hijacker-pleads-not
-guilty--/news/111135

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/