SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #19
March 06, 2007
Are you planning to roll out laptop encryption this year or next? By far the best thing you can do to get prepared is talk with people at other organizations who have gone through the process. The only efficient way to do that is to come to San Jose in April for the laptop encryption summit. More than 20 organizations (FMC, Allstate, GWU are examples) that have recently deployed laptop encryption will share what worked and what didn't work and the most important things they wish someone had told them before they started.
Details at http://www.sans.org/encryptionsummit07/
And at that the same hotel at the same time, 20 other users (Cleveland Clinic, JP Morgan, HSBC and Genesis Healthcare are examples) will share the fascinating lessons they learned in implementing log management systems.
Details at: http://www.sans.org/logmgtsummit07/
TOP OF THE NEWSTexas AG Says Disclosing SSNs Illegal
OMB Report Notes Small Strides Toward FISMA Compliance
UK's RFID-Equipped Passports Readable Through Envelope
Anti-Virus Tests: Microsoft One Care Performs Worst
PCI Data Security Standard Lacks Teeth
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
Man Who Hacked Intel has Judgment Set Aside - 12 Years Later
Man Sues Microsoft for Failing to Protect his Privacy
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOT CIO Places "Indefinite Moratorium" on Vista, IE 7 and Office 2007
House Panel Hears Testimony on VA Security
SPYWARE, SPAM & PHISHING
Scottish Man Awarded Damages from Spammer
Storm Virus Showcases Failure of Anti Virus Technology
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
WordPress Releases Update After Files Compromised
Apple Releases QuickTime Update
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thief Stole Credit Card Numbers from Seed Site
Stolen Metro State Computer Holds Student Data
Missing Police USB Returned
SECURITY TIP OF THE WEEK
********************** Sponsored By Symark Software *********************
How do you meet compliance and guard against insider threat at the same time? PowerBroker and PowerKeeper are compliance-based solutions that centralize systems administration while creating and enforcing strong privileged password and security policies. Granular, dynamic password management and audibility ensure a secure access control infrastructure. Sign up for a FREE 30 day trial with full technical support today.
How Good Are SANS Courses?
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++SANS has the highest quality instructors and the most relevant, current information of any training I have attended. Melodee McHone, Hallmark
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
In addition to the big conference in San Diego, programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on-demand courses) without leaving your home, or you may even study online. Schedule: http://www.sans.org/index.php
TOP OF THE NEWS
Texas AG Says Disclosing SSNs Illegal (March 5, 2007)Texas Attorney General Greg Abbot ruled last month that disclosing Social Security numbers (SSNs) in public documents violates state and federal laws. Violators could face fines and jail time. The ruling follows an inquiry by the Fort Bend (TX) district attorney regarding the Fort Bend county clerk's management of SSNs in public records. State legislators have responded to county and district clerks' concerns that they will be held criminally liable for exposure of SSNs with a bill that would absolve them of criminal and civil liabilities for disclosing the information and in fact "seeks to allow county and district clerks to continue disclosing such information in the future despite existing federal and state privacy laws." The state AG's ruling would require the clerks to redact SSNs from documents before they are made public. County clerks are upset by the ruling and say removing the data will consume time and money. The Fort Bend County Clerk says "we are the repository of the public record. The public has the right to view and copy and purchase any public record. ... We cannot tell you what to put in a document and what not to; we don't read the documents; we don't know if there is a SSN in it or not." Privacy advocates observe that other states have made significant strides to protect personal data in such situations. Some suggest the counties benefit from selling unredacted documents to list brokers.
OMB Report Notes Small Strides Toward FISMA Compliance (March 2 & 5, 2007)The Office of Management and Budget's (OMB) fiscal report for 2006 indicates that government agencies are making "modest" progress toward meeting standards set by the Federal Information Security Management Act (FISMA). Agencies spent US $5.5 billion to secure a total IT investment of US $63 billion. Just two agencies of the 25 examined received "excellent" ratings for "overseeing the effectiveness of their security procedures." Eight departments received "poor" ratings in that area.
UK's RFID-Equipped Passports Readable Through Envelope (March 5, 2007)Using equipment readily available on the Internet, the Daily Mail was able to construct a device that can read information from an RFID-equipped passport. Within four hours, the Mail managed to download enough information to create a phony passport without opening the envelope in which the new passport was delivered. The RFID chip holds an electronic copy of the photo page from the passport, an electronic photo and a device that ensures the other two files have not been altered. To access these files, the computer needs the key that is printed in the last line of the passport's machine-readable zone on the photo page. The Mail was able to determine the code relatively easily because it virtually always includes the holder's birth date and the passport's expiration date. Furthermore, attackers are not locked out after any number of incorrect attempts.
[Editor's Note (Pescatore): back in the day, when passwords were entered on teletype terminals onto rolls of paper, the teletype would backspace and type Xs over the password to mask it. Clever folks figured out you could read the password anyway if you shone a flashlight on the ink. Physical protection of sensitive data is important - there was just another article pointing out that folks with digital cameras could photograph Vista activation codes from their boxes in retail outlets - oopsie.
(Schmidt): No matter how many times we say things like this can (AND WILL) happen, the warnings get ignored and we wind up with trying to secure things after the fact instead of building things right. Maybe we will need to store our passports in the lead boxes with our Kryptonite from now on.
(Northcutt): Pretty good article, I would take the time to read it. The short version: the passports are delivered in specially marked envelopes, the courier does not ask for ID when delivering it so low tech attack methods work just fine, the key protecting your info is of reasonable size, 192 bits, but is has some relationship to your date of birth and you can try and infinite number of attacks on the RFID chip, it doesn't shut down on the fifth try or whatever. If it wasn't for my frontal lobotomy I might be getting cynical by now, another great write up can be found here:
(Liston): RFID technologies create several new attack vectors, and yet we still attempt to secure them by making the same types of mistakes that we've made for OTHER technologies. ]
Anti-Virus Tests: Microsoft One Care Performs Worst (5 March 2007)A well regarded testing company, AV-Comparatives.org, publishes quarterly reports comparing the effectiveness of various Anti-Virus tools. In its most recent report it found Microsoft's OneCare received the worst core out of seventeen products tested.
The test results:
[Editor's Note (Paller): Don't write off Microsoft in antivirus and other end user protection. Remember Windows 1.0 was a failure, Windows 2.0 wasn't very good; Windows 3.0 took over 90% of the market. ]
PCI Data Security Standard Lacks Teeth (1 March 2007)Columnist Evan Schuman makes a strong case that the Mastercard and VISA's failure to put teeth in PCI compliance was, in part, culpable in the massive data breach at TJX. "The true newsworthy aspect of this news," says Schuman, " is how it illustrates the irrelevance of PCI today, when it comes to retail security."
****************************** Sponsored Links: ***********************
1) Mobile Preparedness for Business Continuity. Are you prepared to turn office workers into mobile workers?
2) Webcast March 15th 11am PT Using Log Management to Drive Operational Insight, Mitigate Risk and Automate Compliance
3) Learn to select and implement the right tools at the Log Management Summit April 23-25.
THE REST OF THE WEEK'S NEWS
Man Who Hacked Intel has Judgment Set Aside - 12 Years Later (March 2 & 3, 2007)A man who once worked for Intel has succeeded in having his arrest and conviction for computer crimes set aside nearly 12 years after the fact. In February 2007, an Oregon court expunged Randal L. Schwartz's conviction; his legal record is now clean. Schwartz was arrested in 1993 for using a program to discover former Intel colleagues' passwords; Schwartz had transferred out of one section of Intel under less-than-happy circumstances and, working as a system administrator, he intended to demonstrate that security had deteriorated since he left his original organization. Following his 1995 conviction, Schwartz was sentenced to five years of probation, 480 hours of community service and 90 days deferred jail time.
[Editor's Note (Skoudis): There are important lessons to be learned from this case and the biggest is to make sure you have explicit permission before doing any vulnerability assessments of a company, even your own employer. Get a signed "Get Out of Jail Free Card" (GOOJFC) in advance. I've put a sample one up at my own website, at www.counterhack.net/permission_memo.html.
(Schultz): I am not sure that justice was served when Schwarz initially ended up with multiple felony convictions for his overzealous, naive actions. Additionally, I do not believe that at the time this incident occurred Intel explicitly forbade actions such as Schwarz's. The lessons learned here are numerous--system administrators must use extreme discretion concerning the powers and accesses they have been given, organizations must create and distribute clear policy statements that cover actions such as Schwarz's, and states must not only have reasonable legislation concerning computer misuse, but must also be reasonable when they consider trying someone under the provisions of such legislation. ]
Man Sues Microsoft for Failing to Protect his Privacy (March 2, 2007)A man in jail "awaiting trial for alleged gun crimes is suing Microsoft for privacy violations." Michael Alan Crooker says when he bought his computer at Circuit City, he was assured that the security features he purchased at the same time would protect his privacy. Instead, when his computer was seized as part of the investigation, it was sent to the FBI's Cryptologic and Electronic Analysis Unit, where agents uncovered personal files, some embarrassing. Crooker maintains he had set Internet Explorer to purge his history every five days, but agents were able to discover evidence of his Internet activity on earlier dates. He also said that the Compaq DriveLock security system should have prevented access to his hard drive. Crooker is seeking US $200,000 from Microsoft and says he has already reached settlements with Hewlett-Packard and Circuit City. Hewlett-Packard owns the Compaq brand.
[Editor's Note (Ullrich): While the person's claim sounds unintelligent to anyone with ten minutes of forensics experience, it is very common that users have a false sense of privacy. This is more serious when it comes to sold and donated disk drives.
(Schultz): There are several fascinating and potentially precedent-setting aspects to this case, perhaps the most poignant of which is whether persons suspected to having committed a crime can and should receive compensation (and also punitive damages) if software they use to obfuscate evidence fails to do so. Will vendors who make encryption and other software be forced to issue caveats informing users of the software's possible limits?
(Liston): My brother told my mom about me getting into the cookie jar when I was 8... even after he promised he wouldn't. I'm suing... The really sad thing here is that it is far cheaper for HP and Microsoft to roll over and pay this clown off rather than fight him in court. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOT CIO Places "Indefinite Moratorium" on Vista, IE 7 and Office 2007 (March 2, 2007)Department of Transportation's (DOT) CIO Daniel Mintz has issued "an indefinite moratorium" on Windows Vista, Internet Explorer 7 and Office 2007. A memo obtained by InformationWeek indicates the CIO is concerned about the cost involved in switching to the new products as well as compatibility issues with other software in use at DOT. The memo says "there appears to be no compelling technical or business case for upgrading; ... furthermore, there appear to be specific reasons not to upgrade." The three products in question may be obtained, with approval from Mintz, for testing purposes only. DOT has 15,000 computer users presently running Windows XP Professional; the ban appears to apply to the Federal Aviation Administration (FAA) as well, where 45,000 desktops use Microsoft products.
[Editor's Note (Ullrich): Windows Vista does move the security of Microsoft products forward. However, a more secure operating system still has to be used correctly. If you have a working infrastructure in place: Be careful and weight the risks and benefits of an upgrade against the risks and benefits of staying with your existing OS or migrating to a different OS.
(Honan): It is apparent from reading the coverage of the VA breaches that there are two key elements missing from an effective information management system. These are management commitment and accountability, without these any information security system is doomed to failure and repeated breaches. ]
House Panel Hears Testimony on VA Security (March 1, 2007)Prompted by the recent disappearance of a hard drive from a VA medical center in Alabama, a hearing by the oversight and investigations subcommittee of the House Committee on Veterans' Affairs scheduled to be held later this year was hastily moved up to February 28. The panel heard testimony regarding the VA's failure to take adequate security precautions to protect sensitive data after the widely publicized theft of a laptop containing personally identifiable information of 26.5 million veterans and active duty personnel. The hard drive reported missing from the Birmingham (Ala.) VA Medical Center holds information on 1.8 million veterans and physicians. Maureen Regan, counselor to the VA's inspector general, provided written testimony in which she said "VA still lacks effective internal controls and accountability which leaves sensitive information at risk."
SPYWARE, SPAM & PHISHING
Scottish Man Awarded Damages from Spammer (March 2, 2007)In a landmark case, a Scottish man was granted more than GBP 1,300 (US $2,505) in damages from a spammer. Gordon Dick sued Transcom Internet Services under the UK's Privacy and Electronic Communications Regulations 2003. Transcom twice attempted to settle out of court, but was turned down because the company refused to promise not to violate anti-spam laws in the future. UK spam laws allow legal action only if the spam can be identified as originating in the UK; the law applies only to private email addresses.
Storm Virus Showcases Failure of Anti Virus Technology (5 March 2007)By using more than 54,000 slightly different variants, the storm worm Trojan horse successfully used small changes to evade most anti virus products. This is a technique now used by most current and relevant malware. It demonstrates the futility of counting on anti virus software for protection.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
WordPress Releases Update After Files Compromised (March 5, 2007)WordPress developers have released an updated version of their blog-publishing tool after attackers altered files on one of the wordpress.org servers. The exploit code could allow remote code execution on systems running recently downloaded copies of WordPress 2.1.1. Developers encourage users to upgrade to version 2.1.2. "Sites that host WordPress blogs should consider blocking access to the compromised files - theme.php and feed.php." The code they added creates backdoors on infected systems. Versions 2.0.x appear to be unaffected. Internet Storm Center:
[Editor's Note (Ullrich): Compromised source code can happen with commercial software as well. Even top players like Microsoft and Cisco had source code stolen from them in the past, showing that it may not have been adequately secured. If you are writing and distributing code, regular audits for unauthorized changes are a must (as is a strict change control system). Otherwise you won't know what is authorized or not.
(Skoudis) It would be nice if WordPress could formulate some Google searches to find users that have loaded the exploited code on their sites, and notify those people. I couldn't glean enough information from the stories to get reliable Google queries on this, but WordPress should have more details. Otherwise, the bad guys will find these sites... guaranteed. ]
Apple Releases QuickTime Update (March 5, 2007)Apple has released an updated version of its QuickTime media player to address eight serious security flaws. The vulnerabilities affect both Mac and Windows users. The flaws could be exploited to give an attacker complete control of vulnerable computers. QuickTime version 7.1.5 is available on Apple's web site. Internet Storm Center:
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thief Stole Credit Card Numbers from Seed Site (March 3, 2007)A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently. The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, 2007. A company official said "criminals gained access to our internal systems and gathered enough information to allow then to gain access to our web site." The FBI is investigating.
Stolen Metro State Computer Holds Student Data (March 2, 2007)A laptop computer stolen from a faculty member's office at Metropolitan State College of Denver holds personally identifiable student information. The compromised data include names and SSNs of students who took courses from the professor from fall 1999 through fall 2002. The professor may face disciplinary action as a policy established last spring requires "all College reports or studies that access private student information ... were to be approved through the President's Office." In addition, Metro State is in the midst of a project that requires all college-owned laptops to be submitted to the IT department so the data they hold can be reviewed. The school is attempting to notify all affected students by mail.
[Editor's Note (Northcutt): Metro State had another laptop related data breach of 93,000 identities last year:
Their website does point to this nifty, how not to lose your laptop article:
Missing Police USB Returned (March 3, 2007)A USB containing Yamanashi (Japan) Prefectural Police investigation information was mailed anonymously to a news organization, which gave it back to the police. The memory device has been missing since December 2006 and holds personally identifiable information of victims and suspects in approximately 1,300 cases. In October 2006, Yamanashi Prefectural Police were directed not to use private USB drives for work and to delete any work-related information on such devices. The man whose USB drive it was, told his superiors he had removed sensitive data from the drive but did not report it missing.
SECURITY TIP OF THE WEEK
Avoid default installationsMost software and hardware setup procedures are designed to get the product up and running with maximum functionality and minimum effort. One thing that usually slips is security. If you set up your external firewall with the suggested password from the installation instructions, how many others are set up just like that? Take the time to change the defaults that will make the attacker's job just a little bit harder. Make sure to document the changes in a secure way.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email firstname.lastname@example.org.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit