SANS NewsBites - Volume: VIII, Issue: 69


The US National Institute's of Standards & Technology's new guidelines for removing sensitive data from old disk drives (the second story under Top of the News) are refreshingly optimistic and very useful.

Correction: Last issue we shared with you NIST's list of industries that are directly impacted by vulnerabilities in SCADA and process control systems. Thanks to all the readers who pointed out that NIST left out two really important industries. Here's the corrected list: (1) electric, (2) water, (3) oil and gas (pipelines, too), (4) chemical, (5) pharmaceutical, (6) pulp and paper, (7) food and beverage, (8) discrete manufacturing (automotive, aerospace and durable goods), (9) air and rail transportation, and (10) mining and metallurgy industries.

Reminder: Next Friday (September 8) is the deadline for early registration saving for the SCADA Security Summit and for Network Security 2006 (both in Las Vegas). The hotel deadline is also Sept. 8.
Details: SCADA Security: http://www.sans.org/scadasummit_fall06/
Network Security 2006: http://www.sans.org/ns2006/

*************************************************************************
SANS NewsBites                     September 01, 2006                    Volume: VIII, Issue: 69
*************************************************************************
TOP OF THE NEWS

   UK Home Office Says ID and Passport Database Intrusions Did Not Come From Outside
   NIST Issues Guidelines for Sanitizing Used Media
   Mobile Devices Hold On to Old Data

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS & SENTENCES
   T-mobile Attacker Gets One Year Home Confinement
   Man Pleads Not Guilty in Cyber Attack on Health Clinic Systems
  SPYWARE, SPAM & PHISHING
   Phishers Turning to SMS
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   BSA Wants Government to Put Teeth in Software Piracy Enforcement
   Microsoft to Patch Windows Media DRM Against Application that Bypasses Protections
  VULNERABILITIES, ATTACKS, INTRUSIONS, DATA THEFT & LOSS
   Unpatched Hole in IE 6.0 SP1
   GCN.com to Host Forum on Red Storm Rising Story
   AT&T Acknowledges Online Customer Data Breach
   Stolen Laptops Hold Dept. of Education Employee Information
  MISCELLANEOUS
   Storm Domain Profiteers
   eGold.com Plays with Images to Foil Phishers
   AOL Caught Out by StopBadware.org


********* Sponsored by SANS Network Security 2006 in Las Vegas **********

How Good Are The Courses at SANS Network Security 2006? Ask the alumni.

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense

SANS best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, much more. See: http://www.sans.org/ns2006/caag.php

******* And By SANS Voucher Credit Program To Make It Easier ************

"Maximize your Training Budget!"
"SANS Program that pays you credits and delivers flexibility"
Do you have remaining fiscal 2006 education funds?
Are you looking for a creative way to finance training?
Visit: http://www.sans.org/info.php?id=1328

*************************************************************************

TOP OF THE NEWS

UK Home Office Says ID and Passport Database Intrusions Did Not Come From Outside (31 August 2006)
The UK Home Office admits that the ID and passport service database has experienced five security breaches in as many years, but maintains that the breaches were caused by civil service staff and did not come from outsiders. Four of the breaches were due to staff accessing the database for unauthorized purposes. Each of the instances resulted in the dismissal of the employee responsible. The fifth security breach was reportedly due to a technical failure in a legacy system; that system has been replaced. Concern surrounding the database is high, as the UK's ID card project will result in a huge database of sensitive information, including biometric data, about UK citizens. Opponents of the ID card system point to last spring's infiltration of the Department for Work and Pensions system that resulted in the theft of personal data belonging to 13,000 civil servants and their subsequent use in making false tax credit claims. The opponents are concerned the ID card database will prove even more enticing to identity thieves.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39282044-39020375t-10000025c
[Editor's Note (Ullrich): Governments are asking to collect more and more data, without considering the effort necessary to safeguard this data. Data is not only an asset; as many businesses have learned, it can also a big liability.
(Schultz): If I read this news item correctly, it sounds as if the UK Home Office is trivializing the break-ins because they were "only" caused by insiders. Apparently this office does not appreciate the extremely high levels of risk that insider attacks pose. ]


NIST Issues Guidelines for Sanitizing Used Media (30 August 2006)
The National Institute of Standards and Technology (NIST) has released Special Publication 800-88, "Guidelines for Media Sanitation." The draft guide addresses sanitation techniques for magnetic, optical, electrical and other media types. NIST is careful to note that the "guide is intended to assist organizations and system owners in making practical sanitation decisions based on the type of information on their system media. It does not, and cannot, specifically address all known types of media however; the described draft sanitation decision process can be applied universally to all forms of media and categorizations of information."
-http://www.fcw.com/article95849-08-30-06-Web&printLayout
-http://csrc.nist.gov/publications/nistpubs/800-88/SP800-88_Aug2006.pdf
[Editor's Note (Ullrich): A reassuring quote from the NIST report: "Studies have shown that most of today's media can be effectively cleared and purged by one overwrite...". This should put some minds at rest about the time required to do multiple writes for large disk systems. A difficult case remains where a defective disk can no longer be overwritten and has to be returned to the manufacturer for a warranty claim. Companies have been successful in negotiating warranty terms that do no longer require the defective disk to be shipped back.
(Honan): This is a welcome document and one that every IT manager should read as many organisations fail to implement appropriate procedures on how to dispose of old media. In particular good practise dictates backup tapes should be removed from the backup schedule as they near their end of life, however these old tapes can expose sensitive data if not sanitised properly. ]


Mobile Devices Hold On to Old Data (31 & 30 August 2006)
Following the directions that come with mobile devices, such as phones and PDAs, to remove data before selling or recycling them is not enough to ensure the next person who holds the device will not be able to see your private information. Data can still be retrieved from phones that have been reset. A security software company that purchased 10 used smartphones and PDAs on eBay found sensitive, personally identifiable information on nearly all of them. The company plans to return all the phones to their original owners and has kept all the data it retrieved from the phones on a computer not connected to its corporate network. Some companies have provided stronger data wiping functions in their newer devices.
-http://www.theage.com.au/news/Technology/Software-Can-Resurrect-Cell-Phone-Info/
2006/08/31/1156816976190.html

-http://software.silicon.com/security/0,39024888,39161863,00.htm
-http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive



************************ Sponsored Links: *******************************

1) Register today for Mu Security's SANS 'Ask The Expert Webcast': 'Eliminating Vulnerabilities Before Attackers Know They Exist' http://www.sans.org/info.php?id=1329

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES


T-mobile Attacker Gets One Year Home Confinement (29 August 2006)
Nicholas Lee Jacobsen has been sentenced to one year of home detention and ordered to pay US$10,000 in restitution to T-mobile for breaking into a T-mobile computing system and accessing the records of hundreds of T-mobile customers, including those of a US Secret Service agent. Jacobsen accessed the names and Social Security Numbers (SSNs) of approximately 400 T-mobile customers when he broke into the system in 2004.
-http://news.bbc.co.uk/2/hi/technology/5294412.stm
-http://www.smh.com.au/news/Technology/TMobile-Hacker-Gets-Home-Detention/2006/08
/29/1156816881114.html



Man Pleads Not Guilty in Cyber Attack on Health Clinic Systems (29 August 2006)
Jon Paul Oson has pleaded not guilty to charges of damaging protected computers. Oson was formerly employed at San Diego's Council of Community Health Clinics, but allegedly quit his job after receiving a disappointing evaluation. Oson allegedly broke into computer systems at two southern California health clinics and erased patient and billing data. Some patients did not receive the care they needed as a result of the attacks. Oson is being held in lieu of US$75,000 bail; a hearing is scheduled for September 5. If convicted of charges against him, Oson could face up to 20 years in prison and fines of up to US$500,000.
-http://www.signonsandiego.com/news/metro/20060829-9999-1m29hacker.html


SPYWARE, SPAM & PHISHING


Phishers Turning to SMS (31 August 2006)
Phishers have begun using SMS messages as an attack vector. Users have reported receiving SMS messages purporting to confirm that they have signed up for a dating service and notifying them they will be charged US$2 a day until they cancel the order at a certain web site. That site downloads a Trojan horse program onto their phones, allowing it to be controlled by the attackers. The practice has been dubbed SMiShing.
-http://www.varbusiness.com/showArticle.jhtml;jsessionid=MHD2BBOZMX1E2QSNDLPCKHSC
JUNN2JVN?articleId=192500765&printableArticle=true

-http://www.networkworld.com/news/2006/082806-mcafee-warns-of-smishing.html
[Editor's Note (Honan): This development indicates how profitable Phishing has become. Firstly there is an inherent cost barrier for sending Phishing messages via SMS as there is a charge per text message. Secondly even if compromised accounts or stolen credit cards are being used, the criminals are exposing themselves to more risk. So the returns from victims must be substantial enough to justify the initial outlay. In a similar vein proposals, to charge for emails in an attempt to reduce SPAM and Phishing may not prove to be enough of a barrier to criminals. ]


COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


BSA Wants Government to Put Teeth in Software Piracy Enforcement (30 August 2006)
The Business Software Alliance (BSA) wants the UK government to establish penalties for businesses using unlicensed software. At present, companies found not to be in compliance are able to purchase licenses and end the problem. The BSA would like to see penalties added as an incentive to encourage the use of licenses from the start and reduce the level of software piracy in the UK. The BSA would like the government to impose a fine to go along with the cost of purchasing the licenses. In Ireland, judges are free to impose penalties as they see fit in accordance with the offense. Individuals trafficking in pirated software are already subject to harsher penalties. The BSA would also like to see the government educate the public about software licenses. Roughly 80 percent of the cases in which the BSA intervenes are due "to negligence and not to malice."
-http://www.theregister.co.uk/2006/08/30/fine_software_pirates_says_bsa/print.htm
l

(1 September Update): Anger over call to fine unlicensed software users
-http://news.zdnet.co.uk/business/legal/0,39020651,39282111,00.htm
[Editor's Note (Grefer): Given that more than 80 percent of the cases in which the BSA intervenes are due "to negligence and not to malice," why is the BSA so keen on getting the government to impose penalties? ]


Microsoft to Patch Windows Media DRM Against Application that Bypasses Protections (29 August 2006)
Microsoft will patch its digital rights management (DRM) software, Windows Media DRM, after learning of an application that allows users to remove DRM protection from digital media files. The application in question was purportedly created to allow users to convert DVDs to digital media files they can save on computer hard drives; a message on the web site where it is posted maintains it is designed to allow "fair use rights" to the media individuals have already purchased.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9002838&taxonomyId=17&intsrc=kc_top

-http://news.bbc.co.uk/2/hi/technology/5294750.stm


VULNERABILITIES, ATTACKS, INTRUSIONS, DATA THEFT & LOSS


Unpatched Hole in IE 6.0 SP1 (31 August 2006)
A heap overflow vulnerability in Internet Explorer 6.0 SP1 could allow attackers to create denial of service conditions and possibly execute arbitrary code. Users are encouraged to use an alternative browser until a fix is available. The flaw affects IE 6.0 SP1 on Windows 2000, XP and 2003. An exploit for the flaw has been published.
-http://isc.sans.org/diary.php?storyid=1661
-http://www.securityfocus.com/archive/1/archive/1/444504/100/0/threaded


GCN.com to Host Forum on Red Storm Rising Story
GCN.com will host an online forum with senior writers Dawn Onley and Patience Wait to answer questions about their recent story "Red Storm Rising" regarding China's cyber assaults on US government and military computer systems.
-http://www.gcn.com/forum/qna_forum/41835-1.html?topic=security


AT&T Acknowledges Online Customer Data Breach (30 August 2006)
AT&T has acknowledged that cyber intruders accessed personally identifiable information, including credit card data, belonging to approximately 19,000 customers who used the company's online shopping site. The breach affects people who purchased DSL from the online store. AT&T notified the credit card companies immediately upon learning of the breach and has notified affected customers by phone, email and regular mail. AT&T is working with law enforcement on the investigation.
-http://australianit.news.com.au/articles/0,7204,20301936%5E15318%5E%5Enbv%5E,00.
html

-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1213279,0
0.html

-http://news.com.com/2102-1029_3-6110765.html?tag=st.util.print
-http://news.bbc.co.uk/2/hi/technology/5297710.stm


Stolen Laptops Hold Dept. of Education Employee Information (30 & 29 August 2006)
Two laptop computers stolen from the Washington, DC offices of professional services contractor DTI on August 11 contained the SSNs of 43 Department of Education employees "who were assessing grant applications for
[the department's ]
Teacher incentive Fund." The data were not encrypted. DTI vice president Bruce Rankin has spoken with all but two of the affected individuals regarding the theft and has been in email contact with the others. Police were informed immediately once DTI became aware of the theft and the Department of Education was notified soon after. Security cameras captured footage of a suspect in the burglary; a reward is being offered for the computers' return.
-http://www.fcw.com/article95848-08-30-06-Web&printLayout
-http://govexec.com/dailyfed/0806/082906p1.htm


MISCELLANEOUS


Storm Domain Profiteers (30 August 2006)
A number of domains related to tropical storm Ernesto have already been set up, suggesting that fraudsters are getting ready to take advantage of concern for people affected by the storm should disaster strike. Similar web sites appeared in the wake of the December 2004 Tsunami and last year's Hurricane Katrina. Many of the Katrina-related domains set up last year appeared to be used for "domain parking," or setting up a domain to reap profits from advertisers who want to place ads on sites people are likely to visit. Some people also set up the domains so they can profit from selling them to others. Because the national Weather Service publishes its list of storm names in advance, many storm names have already been registered as domains by people hoping to profit from them.
-http://www.networkworld.com/news/2006/083006-ernesto-fraudsters.html?fsrc=rss-se
curity

-http://isc.sans.org/diary.php?storyid=1650&isc=436dda48a4920f1bf285f28bb6fd8
dd4



eGold.com Plays with Images to Foil Phishers (31 August 2006)
eGold.com has deployed a trick to protect users from phishing sites. eGold is a digital gold currency that allows users to transfer ownership of the precious metal. eGold.com uses a whitelist of sites permitted to use its images; sites known to be phishing sites get an image that advertises boldly that the site is fraudulent. The technique could also be tweaked to warn users who are redirected to legitimate sites from known phishing sites after handing over their personal details.
-http://blog.washingtonpost.com/securityfix/2006/08/using_images_to_fight_phishin
g.html



AOL Caught Out by StopBadware.org (29 August 2006)
StopBadware.org has chastised AOL for its AOL 9.0 software, which allegedly includes bundled software and lacks transparency about the added components. StopBadware.org would like AOL to be more forthcoming about the software components included with its client and to provide users with a straightforward way of declining the components and uninstalling them if they are already on their computers. Among StopBadware.org's complaints: AOL installs ViewPoint media player without informing the user and it adds the AOL toolbar to Internet Explorer without explicit disclosure.
-http://www.theregister.co.uk/2006/08/29/aol_badware_warning/print.html
-http://www.itnews.com.au/newsstory.aspx?CIaNID=36381


******************* The Editorial Board of SANS NewsBites ***************

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

*************************************************************************

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/