SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #13
February 13, 2007
TOP OF THE NEWS
Proposed Legislation Would Require ISPs to Retain Customer Data Indefinitely
House Bill Would Authorize FTC to Establish Data Privacy Requirements for Companies
Internet Storm Center Warns of Zero Day Solaris Flaw
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Report Indicates FBI Still has Problems with Lost Laptops
VA Now Says Missing Hard Drive Holds Info. on 1.8 Million
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana State Government Site Security Breach
Korean Web Sites Infect 92,000 PCs with Malware
Parents Puzzled by University Data Breach Notification
STATISTICS, STUDIES & SURVEYS
Attacks Against Mobiles are Up Five-fold But Risk is Small
Researchers Develop Faster Worm Detection Technology
Skype Reads BIOS and Motherboard Serial Numbers
Cyber Security Chief Describes Priorities
******************* Sponsored By ArcSight, Inc. *************************
Free Whitepaper: Addressing Mobile Threats Mobile threats like malware and fraud are on the rise. While these attacks aren't new, their ability to leverage mobile devices is. Learn how to implement an intelligent incident response system that responds to threats in seconds with this free whitepaper. Brought to you by ArcSight, the ESM leader that turns data into action.
Register today for SANS2007 in San Diego to get a place in one of the 56 immersion courses. Here are the Top 10:
1. SANS Security Essentials Bootcamp Style
2. Hacker Techniques, Exploits & Incident Handling
3. Intrusion Detection In-Depth
4. System Forensics, Investigation & Response
5. Assessing and Securing Wireless Networks
6. Securing Windows
7. Auditing Networks, Perimeters & Systems
8. SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
9. Perimeter Protection In-Depth
10. Cutting-Edge Hacking Techniques - Hands On
In San Diego: http://www.sans.org/sans2007/
Or study at home or in your own city or in courses at your university:
TOP OF THE NEWS
Proposed Legislation Would Require ISPs to Retain Customer Data Indefinitely (12 February 2007)
US Congressman Lamar Smith (R-Tex.) has introduced the Safety Act, which would require Internet service providers (ISPs) to retain all customers' web surfing, IM conversations and email traffic indefinitely. ISPs failing to comply would face fines and a one-year prison term.
[Editor's Note (Ullrich): Why not ask the USPS to make and retain a copy of all letters and postcards? It's about as feasible and invasive as this Safety Act.
(Skoudis): I can understand the desire to have access to such data for law enforcement and investigations. However, I'm very concerned about the security of such data. If a mass data repository of such information stored by an ISP were compromised, there would be huge privacy implications. But, as we know, such large stores of sensitive information are never compromised, right? Oh wait, read almost all of the other articles in this NewsBites and every NewsBites for the past couple of years....
(Schultz): I keep thinking that the trend over the last five or six years of violating privacy here in the US in favor of national security will reach some kind of equilibrium. Whether or not this proposed legislation passes and is signed into law will serve as a good indicator, as this legislation poses a grave threat to the already much-eroded privacy of US citizens. ]
House Bill Would Authorize FTC to Establish Data Privacy Requirements for Companies (9 February 2007)
US Congressional representatives Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) last week introduced the Data Accountability and Trust Act, which would authorize the Federal Trade Commission (FTC) to establish data privacy requirements for businesses. Companies would be required to conduct vulnerability assessments and to develop and implement policies for eliminating data they no longer need. US legislators will be looking at a number of other technology-related bills as well.
[Editor's Note (Schultz): This is the kind of legislation that has been badly needed for many years now. Unless organizations and individuals are required to protect personal and financial data, they are unlikely to do so.]
Internet Storm Center Warns of Zero Day Solaris Flaw (12 February 2007)
A zero-day flaw in the telnet daemon (in.telnetd) shipped with Sun's Solaris 10 and 11 could allow attackers to gain remote access to vulnerable computers. The flaw lies in the way in.telnetd passes client-supplied telnet options through to the login program during authentication; it can be exploited to obtain a remote login without supplying a password. The SANS Internet Storm Center (ISC) recommends disabling telnet on Solaris systems. In fact, ISC researchers recommend against using telnet at all, calling it "archaic." Solaris systems installed out of the box have telnet enabled. Sun is working on a fix for the problem. The vulnerability does not exist in Solaris 9 and earlier. Internet Storm Center:
[Editor's Note (Ullrich): Again: Do not use telnet to administer a system. As a matter of fact: you probably should not administer a system if you think telnet is necessary.
(Skoudis): No way... another telnet flaw in Solaris? There have been several in the last 5 years, and it's sad to see the flow of such flaws continuing.
(Boeckman): The fact that telnet is enabled by default is absurd. Sun should know better. ]
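Added example (not code from the ISC diary or from Sun): a small parser for the telnet NEW-ENVIRON option (RFC 1572), the mechanism by which a telnet client hands a username to the server before login runs, with a check that flags a USER value beginning with "-". Such a value is the shape that an authentication bypass of this kind takes: a name that the login program would read as a command-line switch rather than as a user. The function names, the IDS-tap deployment it assumes (raw client-to-server bytes available to the detector) and the sample byte streams, including the "-froot" value, are constructed for illustration.

```python
"""Parse telnet NEW-ENVIRON subnegotiations and flag switch-like USER values.

Constructed example for detection on a network tap; not the ISC's or Sun's code.
"""

# Telnet protocol constants (RFC 854 / RFC 1572)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in a byte stream.

    Other IAC commands are skipped; an escaped IAC IAC inside SB is unescaped.
    """
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = stream[i + 1]
        if cmd == SB and i + 2 < n:
            opt = stream[i + 2]
            payload = bytearray()
            j = i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    j += 2
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC)   # escaped literal 0xff
                    j += 2
                    continue
                payload.append(stream[j])
                j += 1
            yield opt, bytes(payload)
            i = j
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                        # three-byte option negotiation
        else:
            i += 2                        # IAC IAC (literal) or two-byte command


def parse_environ(payload: bytes) -> dict:
    """Decode the VAR/USERVAR name, VALUE value list of an IS or INFO message."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    env, buf, cur_name, target = {}, bytearray(), None, None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):  # ESC quotes the next byte
            buf.append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            if target == "value" and cur_name is not None:
                env[cur_name] = buf.decode("latin-1")
            elif target == "name" and buf:
                env[buf.decode("latin-1")] = ""   # name sent without a value
            buf, cur_name, target = bytearray(), None, "name"
        elif b == VALUE:
            if target == "name":
                cur_name = buf.decode("latin-1")
            buf, target = bytearray(), "value"
        else:
            buf.append(b)
        i += 1
    if target == "value" and cur_name is not None:
        env[cur_name] = buf.decode("latin-1")
    elif target == "name" and buf:
        env[buf.decode("latin-1")] = ""
    return env


def find_suspicious_user(stream: bytes) -> list:
    """Return USER values offered via NEW-ENVIRON that look like option switches."""
    hits = []
    for opt, payload in iter_subnegotiations(stream):
        if opt != NEW_ENVIRON:
            continue
        user = parse_environ(payload).get("USER")
        if user is not None and user.startswith("-"):
            hits.append(user)
    return hits


def environ_is(**variables) -> bytes:
    """Build a client IAC SB NEW-ENVIRON IS ... IAC SE message (test helper)."""
    body = bytes([IS])
    for name, value in variables.items():
        body += bytes([VAR]) + name.encode() + bytes([VALUE]) + value.encode()
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])


# Constructed client-to-server streams: a normal login and a switch-like username.
CLIENT_OK = bytes([IAC, WILL, NEW_ENVIRON]) + environ_is(USER="alice", DISPLAY="host:0")
CLIENT_BAD = bytes([IAC, WILL, NEW_ENVIRON]) + environ_is(USER="-froot")

if __name__ == "__main__":
    print("ok stream:", find_suspicious_user(CLIENT_OK))
    print("bad stream:", find_suspicious_user(CLIENT_BAD))
```

A telnet client's -l option is what places the name into the USER variable of this option, so the same parser can be pointed at packet captures or at a telnet proxy's logs; the real fix remains the one the ISC gave, which is to turn the service off.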
**************************** Sponsored Links ****************************
1) Maximize your Training Budget! Save 15-30% on SANS training & certification! SANS Program that pays you credits and delivers flexibility. Are you looking for a creative way to finance training?
2) Gain total network visibility and secure your internal network. For simple, fast and cost-effective security, view this FREE demo at:
3) OnDemand Webcast: Database Assessment. Learn to find vulnerabilities and attack vectors accurately and efficiently.
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Report Indicates FBI Still has Problems with Lost Laptops (12 February 2007)
According to a report from the Justice Department inspector general's office, the FBI has lost 160 laptops in less than four years. At least 10 of the computers held "highly sensitive classified information"; one held "personal identifying information on FBI personnel." Seven of the missing computers were assigned to counterintelligence and counterterrorism divisions. A 2002 audit revealed 317 missing laptops and 354 missing weapons over a 28-month period. The new report follows up on the 2002 audit to track the FBI's progress in addressing the problems that led to the missing laptops. The new report notes a reduction in the rate of lost laptops, but the number of stolen laptops increased from 17 in a 28-month period to 44 in a 44-month period. "The FBI could not determine ... whether the stolen or lost laptop computers contained sensitive information or classified information."
[Editor's Note (Pescatore): Hey, they also reported 212 weapons lost over the time that they lost 160 laptops! Now, losing portable stuff is going to happen. The report looks in detail at 10 lost laptops that contained sensitive information: 3 were encrypted, ON THE OTHER 7 the FBI did *not* know if encryption was in use or not. That is a bigger problem than losing the laptops. ]
VA Now Says Missing Hard Drive Holds Info. on 1.8 Million (12 & 11 February 2007)
The Department of Veterans Affairs (VA) has released additional information about the hard drive that was reported missing from the Birmingham (Ala.) VA Medical Center on January 22. The hard drive, which was used to back up data from an employee's work computer, may contain personally identifiable information on approximately 535,000 VA patients and as many as 1.3 million doctors, both living and deceased. The VA is analyzing the contents of the employee's work computer; the employee is currently on administrative leave. The VA plans to begin notifying individuals whose information may be on the missing hard drive. In its initial disclosure, the VA said 48,000 veterans were affected by the breach.
[Editor's Note (Northcutt): This is the third major breach in under a year. Under the three-strikes-and-you-are-out rule, perhaps it is time for the senior management slate of the VA to be asked to resign. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana State Government Site Security Breach (10 & 9 February 2007)
An Indiana state government web site, www.IN.gov, experienced a security breach that exposed 5,600 credit card numbers of individuals and businesses. Normally, stored card information is encrypted or shortened to the last four digits, but in this case the entire card numbers were stored in unencrypted form. State technology officials have sent notification letters to the individuals and businesses affected by the breach and have informed the US Secret Service of the attack.
[Editor's Note (Honan): Yet another security breach resulting from credit card information stored contrary to the PCI Standard. Lack of rigorous enforcement of this standard demonstrates that industry self-regulation does not work when protecting consumers. If this continues, governments will have little option but to impose their own standards and requirements on companies storing credit card information. ]
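Added example (not code from the State of Indiana or from the PCI standard): a scanner that finds full, unmasked card numbers in stored records, the condition described above, and a masking routine that keeps only the last four digits. It uses the Luhn check digit to separate real card numbers from other long digit strings such as transaction IDs, so that a sweep of a database export or log directory produces few false alarms. The record lines below are constructed sample data; the card number 4111111111111111 is a standard test number, not a real account.

```python
"""Find and mask full card numbers in stored text. Constructed example."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a 20-digit serial is not sliced into a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the full card numbers (digits only) found in text, in order."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the last four digits and replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask every Luhn-valid card number in text; leave other numbers alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


# Constructed records: two stored full PANs (one with spaces), one 16-digit
# string that is not a card number, a 13-digit transaction ID, and a phone number.
SAMPLE_RECORDS = """\
txn=2007021312345 card=4111111111111111 name=Alice
txn=2007021312348 card=4111 1111 1111 1111 name=Bob
txn=2007021312349 card=1234567890123456 name=Mallory
phone=555-123-4567
"""

if __name__ == "__main__":
    print("exposed card numbers:", find_pans(SAMPLE_RECORDS))
    print(redact(SAMPLE_RECORDS))
```

Run the scanner over database dumps, web-server logs and backup directories; any hit is data that should not have been stored in that form. Masking to the last four digits is what the article describes as the normal practice and is what redact() produces.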
Korean Web Sites Infect 92,000 PCs with Malware (9 February 2007)
According to the Korea Information Security Agency (KISA), 1,000 Korean online game-related web sites were infected with malware, resulting in 92,000 infected PCs. KISA has informed the sites of the problem and urged them to cleanse their sites of the malware. The attackers' aim was apparently to intercept gamers' IDs and passwords. KISA says 620,000 PCs were targeted by the attack, which exploited a known flaw in Microsoft Windows, but most were protected because they had applied the latest Microsoft patches. The agency also urged computer users to turn on automatic security updates.
[Editor's Note (Ullrich): Would be nice to have US-CERT issue a similar statement for the dolphinstadium.com site. The numbers are similar, and the goal was similar, as well. Maybe it was even the same group. ]
Parents Puzzled by University Data Breach Notification (9 February 2007)
A number of Radford, Virginia-area parents with young children have received letters from Radford University (RU) telling them their children's Social Security numbers (SSNs) and dates of birth may have been compromised in a security breach at the university's Waldron School of Health and Human Services. A university spokesperson declined to comment on why the young children's information was in the university's computer system, but an area television station discovered that the parents who had received the letters had all provided their children's information when enrolling them in a health insurance program. RU at one time had an outreach grant to promote the program and help families enroll in it. RU sent out 2,400 notification letters; about 100 RU students were also affected by the breach.
STATISTICS, STUDIES & SURVEYS
Attacks Against Mobiles are Up Five-fold But Risk is Small (13 & 12 February 2007)
The Informa Telecoms and Media study of 200 mobile phone operators worldwide found that 83 percent had been hit with malware. The number of attacks marks a fivefold increase over the previous year. However, it is worth noting that among the 200 mobile operators responding to the McAfee-sponsored survey, there were fewer than five attacks affecting more than 100,000 mobile devices. Also, less than five percent of respondents spent more than US $200,000 to clean up a security problem.
[Editor's Note (Honan): Interesting to see that, according to this survey, one of SANS' "10 Most Important Security Threats for 2007" has already happened at least 5 times; "Cell phone worms will infect at least 100,000 phones" see
Researchers Develop Faster Worm Detection Technology (12 February 2007)
Penn State University researchers say they have developed technology that can recognize worm outbreaks in milliseconds. Rather than relying on signature or pattern identification, the Proactive Worm Containment system examines packet rates, frequency of connections and diversity of connections to other networks. One of the researchers says the technology can quarantine attacks after just several dozen packets are sent; the Slammer worm sent out 4,000 packets every second.
[Editor's Note (Boeckman): This approach does not really sound new. Something very similar was done by researchers at MITRE. ]
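Added example (not the Penn State code, whose internals the article does not describe): a minimal rate-and-diversity detector of the kind the article sketches. For each source host it keeps a one-second sliding window of outbound packets and quarantines the host once the window holds several dozen packets spread across many distinct destination /24 networks; a host that is merely busy talking to a few servers trips the rate test but not the diversity test. The thresholds, the flow-record format and the replayed traffic (a 4,000 packets-per-second scanner modelled on the Slammer rate and a chatty but normal client) are constructed assumptions.

```python
"""Rate-and-diversity worm containment over flow records. Constructed example."""
from collections import defaultdict, deque
import ipaddress


class WormContainment:
    """Quarantine a source once it sends >= max_packets to >= min_networks /24s
    inside one sliding window of `window` seconds."""

    def __init__(self, window=1.0, max_packets=40, min_networks=20):
        self.window = window
        self.max_packets = max_packets
        self.min_networks = min_networks
        self.history = defaultdict(deque)   # src -> deque of (ts, dst /24)
        self.quarantined = set()

    def observe(self, ts: float, src: str, dst: str) -> bool:
        """Feed one outbound packet; return True if src is (now) quarantined."""
        if src in self.quarantined:
            return True
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        q = self.history[src]
        q.append((ts, net))
        while q and ts - q[0][0] > self.window:   # drop packets older than window
            q.popleft()
        if len(q) >= self.max_packets:
            if len({n for _, n in q}) >= self.min_networks:
                self.quarantined.add(src)
                return True
        return False


def replay(flows, **kwargs):
    """Replay (ts, src, dst) records in time order; return {src: quarantine_ts}."""
    det = WormContainment(**kwargs)
    decisions = {}
    for ts, src, dst in sorted(flows):
        if det.observe(ts, src, dst) and src not in decisions:
            decisions[src] = ts
    return decisions


def scanner_flows(src="10.0.0.5", n=100, pps=4000):
    """Constructed scanner: n packets at pps to n distinct /24 networks."""
    return [(i / pps, src, f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 7) % 256}.{i % 256}")
            for i in range(n)]


def busy_client_flows(src="10.0.0.7", n=60):
    """Constructed normal host: n packets in one second to three servers."""
    servers = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]
    return [(j / n, src, servers[j % 3]) for j in range(n)]


SAMPLE_FLOWS = scanner_flows() + busy_client_flows()

if __name__ == "__main__":
    print(replay(SAMPLE_FLOWS))   # scanner quarantined within ~10 ms, client not
```

At 4,000 packets per second the 40-packet threshold is reached about ten milliseconds into the outbreak, which is the "several dozen packets" figure in the article; the diversity test is what keeps a backup job or a busy web client from being cut off.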
Skype Reads BIOS and Motherboard Serial Numbers (11 & 9 February 2007)
Skype is reading and storing the BIOS and motherboard serial numbers of its Windows users. The situation was uncovered because of an error message generated when Skype is executed on 64-bit versions of Windows.
Cyber Security Chief Describes Priorities (9 February 2007)
Speaking at the RSA conference in San Francisco last week, Gregory Garcia, assistant secretary for cybersecurity and telecommunications at DHS, said he has two priorities for the coming year. First, Garcia will "work with federal agencies to adopt common security policies and practices." Second, Garcia plans to work with the private sector to develop and facilitate the adoption of the National Infrastructure Protection Plan, which will "evaluate security risks on an industry-by-industry basis and outline the steps" necessary to mitigate those risks.
[Editor's Note (Shpantzer): Perhaps we've had enough assessments done... Maybe it's time for enforcement powers and personal accountability, as DHS and its fellow agencies within the federal government try to control their own data, unsuccessfully, as Newsbites documents twice weekly the challenges that the federal space has with securing information. As for the private sector, there are well known risks for each vertical, but the incentives for mitigating those risks are much less well-known, so maybe we can work on that instead of microscoping the already clear risk picture... ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit