Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #2

January 05, 2007


Security Tip of the Day
If you have good end-user security tips that seem to motivate them to act, please share a few of the best for the Tip of the Day project. Email tips@sans.org if you think you might have something that would help. The project will go live when we have 50; right now we are at 18. You'll get visibility (if you want) and a small financial reward for every one that is used.
Alan

TOP OF THE NEWS

Consequences of Security Breaches: Nuclear Weapons Chief Dismissed
Pentagon Feeling Heat From Hackers
Judge Denies Request for Access to Voting Machine Source Code

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
SEC Freezes Assets of Alleged Hacker/Stock Manipulator
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Release Eight Bulletins on Tuesday
Cross-Site Scripting Flaw in Adobe Acrobat Reader
Google Fixes Gmail Hole
New Year's Worm Spreads Warezov Trojan Variant
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Intruder Used Univ. of Northern Iowa Server to Store Music Files
SC High School Experiences Third Computer Theft
STANDARDS & BEST PRACTICES
Fifty-Seven Percent of Irish Companies Have No eMail and Internet Use Policies
Things to Consider Before you Deploy Full Disk Encryption
STATISTICS, STUDIES & SURVEYS
Data Security Budget Allocations Out of Kilter
MISCELLANEOUS
Personal Emergency Information Exposed on Utilities Site
US Gov. Could Use Airline Passenger Info. to Mine for More Data
The Art of Software Security: Interview


******************* Sponsored By Symark Software ************************

Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo."
http://www.sans.org/info/2711

*************************************************************************

SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses):
http://www.sans.org/sans2007/event.php

*************************************************************************

TOP OF THE NEWS

Consequences of Security Breaches: Nuclear Weapons Chief Dismissed (04 January 2007)

This month the US Secretary of Energy asked Linton Brooks, Chief of the National Nuclear Security Administration (NNSA), to resign. The Secretary said the NNSA under Brooks had failed to adequately correct security problems, so "I have decided it is time for new leadership at the NNSA." Brooks had been reprimanded in June for failing to report security breaches.
-http://www.cbsnews.com/stories/2007/01/04/politics/main2332032.shtml
[Editor's Note (Paller): Many US government agencies fail to report security breaches - hurting US CERT's ability to find patterns and give warning, and putting the nation at greater risk. ]

Pentagon Feeling Heat From Hackers (4 January 2007)

Foreign countries, especially nations in the Asia-Pacific region, have intensified their efforts to steal sensitive US defence technology, a Pentagon report says. The Defence Security Service Counterintelligence Office recorded an annual jump of nearly 43 per cent in the number of suspicious foreign contacts reported to US authorities by defence contractors and other defence-related sources. The agency, which helps protect the US defence industry from foreign espionage, said in an unclassified report that spies used phony business offers and computer hackers to target advanced US technology including lasers, sensors, missiles and other systems. The report covered the fiscal year ending September 2005 and is the most recent for which complete statistics are available.
-http://www.first.org/newsroom/globalsecurity/

Judge Denies Request for Access to Voting Machine Source Code (2 January 2007)

A judge in Florida has denied US Democratic congressional candidate Christine Jennings's request to examine the source code of electronic voting machines used in Florida's November election. The suit brought against voting officials in Sarasota County claims there were discrepancies in the way the votes were counted; Jennings lost the 13th Congressional District race by 369 votes. Jennings brought the lawsuit along with voters in the district, where more votes were counted in other races than the one in which Jennings was a candidate. The judge denied the request to examine the source code because it is a trade secret.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9006988&taxonomyId=17&intsrc=kc_top

[Editor's Note (Pescatore): While open source review of the voting machine code is a good idea in general as a requirement *before* the machines are put to use, hard to see why political candidates should be involved after the fact.
(Schultz): This is another extremely important court ruling concerning e-voting. Which is more important--ensuring the integrity of voting results, or protecting trade secrets of e-voting vendors? The judge in this case ruled that the latter is more important, but this judge may not have the final say given that an appeal is likely to be filed.
(Northcutt): Keep in mind that access to the source code is not the primary issue and would have been unlikely to prove anything. There is something very smelly here: Jennings lost by 369 votes out of 240,000 cast, so this is a very tight race. Further, there is a very odd situation with the Sarasota County numbers; supposedly 18,000 people who voted on other issues chose not to vote on the congressional race.
-http://www.cnn.com/2006/POLITICS/12/20/vote.contest/index.html
We really need to set strict standards for voting machines when there is no manual ballot to count. I am not concerned about the scanning machines, but the more you learn about this subject, the more nervous you get; visit:
-http://www.blackboxvoting.org
and Bruce Schneier's blog
-http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html

(Honan): Hmm, since when has democracy needed to be protected using trade secrets? Of course, having access to the source code is one thing; verification that the source code you viewed is the code that has been compiled and installed on your system is another. For those interested, source code for the e-voting system used in Australia is available at
-http://www.elections.act.gov.au/Elecvote.html]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

SEC Freezes Assets of Alleged Hacker/Stock Manipulator (28 December 2006)

The US Securities and Exchange Commission (SEC) has charged Evgeny Gashichev, a Russian man and owner of Grand Logistics SA, with breaking into people's computers and using their online brokerage accounts to boost stock prices. The SEC estimates that Gashichev's company made more than US$350,000 from the scheme. The suspect bought stock in about 20 companies, and then used the compromised brokerage accounts to increase the value of his holdings. Gashichev then sold the stock at the artificially inflated prices. The IP addresses used to make the Grand Logistics trades differ both from those used to make the fraudulent stock purchases and from those of the legitimate account holders. The SEC has obtained an emergency asset freeze against Grand Logistics.
-http://www.theregister.co.uk/2006/12/28/sec_freezes_stock_scammer_accounts/print.html

-http://www.sec.gov/news/press/2006/2006-212.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft to Release Eight Bulletins on Tuesday (4 January 2007)

Microsoft's first Patch Tuesday of 2007 will include eight bulletins for flaws in Windows, Office and Visual Studio. According to the Microsoft Security Bulletin Advance Notification, the most serious vulnerabilities in this batch have been given a severity rating of critical, meaning attackers could exploit them to execute code without any user interaction. Some of the updates will require a restart. Internet Storm Center Note:
-http://isc.sans.org/diary.php?storyid=2003
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007159&source=rss_topic17

-http://news.com.com/2102-1002_3-6147276.html?tag=st.util.print
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
[Editor's Note (Skoudis): The number of vulnerabilities is pretty discouraging. They just don't seem to be going down with time; quite the opposite appears to be true. There are some bright spots of significantly fewer vulnerabilities in some Microsoft products, like IIS and MS SQL Server. But, overall, there are just a lot of bugs. ]

Cross-Site Scripting Flaw in Adobe Acrobat Reader (4 & 3 January 2007)

A cross-site scripting flaw in Adobe Acrobat Reader 6.x and 7.x could allow attackers to cause malicious code to execute on vulnerable systems. Users can protect their computers from attacks by upgrading to Adobe Acrobat Reader 8.0 or by applying workarounds, which include disabling displaying PDF documents in the web browser, disabling JavaScript and filtering JavaScript in URLs. Internet Storm Center Note:
-http://isc.sans.org/diary.php?storyid=1999
-http://www.theregister.co.uk/2007/01/04/adobe_scripting_flaw/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007051&source=rss_topic17

-http://www.kb.cert.org/vuls/id/815960
[Editor's Note (Honan): Adobe's security advisory on this issue is available at
-http://www.adobe.com/support/security/advisories/apsa07-01.html
in which Adobe states it aims to release a patch for this issue on version 7 sometime next week. There is good coverage of the issue at the Internet Storm Centre. Also, according to this article, the flaw can expose data on local disks:
-http://newsletters.zdnetuk.cneteu.net/t/172869/1833106/218791/0/]
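One of the workarounds listed above is "filtering JavaScript in URLs". The check below is an added example written for this issue, not code from Adobe, the Internet Storm Center or the newsletter: it inspects hyperlinks that point at PDF resources and rejects any whose query string or fragment carries a javascript: scheme, after percent-decoding (including double-encoded forms). Because a URL fragment never leaves the browser, a check like this belongs where links are produced or rendered (a content filter on mail or published pages, or a client-side extension), not in a web server log. All sample URLs are constructed.

```python
"""Flag hyperlinks that would carry JavaScript into a PDF viewer.

Added example for the Acrobat Reader cross-site scripting item; it is not
Adobe's or the newsletter's code. Sample URLs are constructed.
"""
from urllib.parse import unquote, urlsplit


def _fully_decode(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded text is seen in the clear."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def carries_javascript(url: str) -> bool:
    """True if the URL points at a PDF and its query or fragment contains 'javascript:'.

    Scope is deliberately limited to PDF resources, matching the workaround
    described in the advisory; links to other resource types are left alone.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return False
    # Query and fragment are the only places open-parameters can be supplied.
    tail = _fully_decode(parts.query + "#" + parts.fragment).lower()
    # Drop whitespace so 'java script:' style spacing does not slip past the test.
    tail = "".join(ch for ch in tail if not ch.isspace())
    return "javascript:" in tail


def filter_urls(urls):
    """Partition a list of URLs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if carries_javascript(url) else allowed).append(url)
    return allowed, blocked


# Constructed sample links: one harmless page reference, one carrying a
# javascript: fragment to a PDF, one javascript: fragment on an HTML page.
SAMPLE_URLS = [
    "http://example.invalid/report.pdf#page=3",
    "http://example.invalid/report.pdf#javascript:void(0)",
    "http://example.invalid/index.html#javascript:void(0)",
]

if __name__ == "__main__":
    allowed, blocked = filter_urls(SAMPLE_URLS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

The decode loop is bounded (three rounds) so a link with many layers of encoding cannot keep the filter busy; anything that still looks encoded after that is compared as-is.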

Google Fixes Gmail Hole (3 & 2 January 2007)

Google says it has addressed a Gmail flaw that could allow maliciously inclined web site operators to steal users' contact lists. Users would need to be signed into Gmail in another window when visiting those sites. To exploit the hole, an attacker would need to insert a piece of code into the web site server. Spammers appear to have been exploiting the flaw for some time before it was publicly disclosed. Users can also protect themselves by signing out of Gmail when they are not actively using it. Internet Storm Center Note:
-http://isc.sans.org/diary.php?storyid=1995
-http://www.theage.com.au/news/security/glitches-dent-confidence/2007/01/02/1167500103904.html

-http://www.usatoday.com/tech/products/cnet/2007-01-03-google-gmail-flaw_x.htm
[Editor's Note (Pescatore): Wikis and Google and Apple continually point out the risks enterprises face when they use consumer-quality technology for critical business processes.
(Skoudis): Related to both the cross-site scripting and Gmail stories: I remember when, a decade ago, we started hearing of cross-site scripting flaws. Many people, at the time, didn't think they were a big deal -- just a clever way of popping up dialog boxes or stealing cookies. But, along with SQL injection, they are a very hot attack vector today. As an industry, we've built browsers, like IE, Firefox, Microsoft Word (yes, it's a browser of sorts), Adobe Acrobat, etc. that are hungry for scripts to run. And, we are increasingly implementing a Cross-Site Scripting friendly world. With the rise of so-called Web 2.0 technology (man, I hate that expression), numerous apps on the Internet allow for one person to share content with thousands of others. In many of the cases on which I'm an incident handler, Cross-Site Scripting rears its ugly head again and again. For a nice description of how worms and viruses can use these vulnerabilities, as well as a decent set of defenses, check out
-http://www.whitehatsec.com/downloads/WHXSSThreats.pdf]

New Year's Worm Spreads Warezov Trojan Variant (2 January 2007)

A worm purporting to be New Year's greetings is spreading a variant of the Warezov Trojan horse program; the worm appears to be spreading rapidly across the Internet. The email arrives with an attachment named postcard.exe or postcard.zip; if Windows users open the attachment, their computers can become infected. Once a machine is infected, it starts sending spam to other computers to spread the worm. Internet Storm Center Notes:
-http://isc.sans.org/diary.php?storyid=1987
-http://isc.sans.org/diary.php?storyid=1988
-http://isc.sans.org/diary.php?storyid=1989
-http://www.vnunet.com/computing/news/2171592/first-worm
-http://news.zdnet.co.uk/security/0,1000000189,39285293,00.htm
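The worm above travels as a postcard.exe or postcard.zip attachment. The screen below is an added example (not the newsletter's or any vendor's code) of the attachment check a mail gateway would apply to such messages: it parses a raw message with Python's standard email package, flags attachments whose file name has an executable extension, and opens ZIP attachments to look for executables inside them, treating an unreadable archive as a finding rather than letting it through unseen. The sample messages and the ZIP archive are constructed in the block and contain no real program.

```python
"""Screen e-mail attachments for executables, including those inside ZIP archives.

Added example for the New Year's worm item; not code from the newsletter or
from any mail product. Sample messages and archives are constructed below.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run directly when a user opens the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def has_executable_extension(name: str) -> bool:
    """True if the file name ends in one of EXECUTABLE_EXTENSIONS (case-insensitive)."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def executables_in_zip(data: bytes) -> list:
    """Return member names inside a ZIP payload that carry an executable extension.

    A payload that cannot be opened as a ZIP is reported as a finding: the
    gateway cannot see into it, so it must not be waved through.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [m for m in archive.namelist() if has_executable_extension(m)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def screen_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return (attachment name, reason) findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if has_executable_extension(name):
            findings.append((name, "executable attachment"))
        elif name.lower().endswith(".zip"):
            inner = executables_in_zip(payload)
            if inner:
                findings.append((name, "archive contains " + ", ".join(inner)))
    return findings


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Construct a one-attachment message resembling the postcard mails (test data only)."""
    msg = EmailMessage()
    msg["From"] = "greetings@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Happy New Year!"
    msg.set_content("Open the attached postcard")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return bytes(msg)


def build_sample_zip(member_name: str) -> bytes:
    """Construct a ZIP holding one member whose content is plain text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("postcard.exe", b"MZ dummy bytes"),
        ("postcard.zip", build_sample_zip("postcard.exe")),
        ("postcard.jpg", b"\xff\xd8 dummy bytes"),
    ]
    for name, payload in samples:
        print(name, "->", screen_message(build_sample_message(name, payload)))
```

The extension list is a starting point, not a complete inventory of what Windows will execute; a production gateway would pair it with content-type inspection of the payload itself, since an attacker chooses the file name.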

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Intruder Used Univ. of Northern Iowa Server to Store Music Files (4 January 2007)

In December, officials of the University of Northern Iowa (UNI) discovered that someone had broken into a server that holds information related to the school's Wellness Recreation Center. The intruder used the server to store music files. The data on the server includes names, addresses and phone numbers belonging to students, faculty and employees who have used the center. UNI uses randomly generated ID codes rather than Social Security numbers (SSNs) as unique identifiers.
-http://chronicle.com/wiredcampus/index.php?id=1790
-http://www.radioiowa.com/gestalt/go.cfm?objectid=BFFAFCD4-41C8-474C-9A44B4316BB5C517&dbtranslator=local.cfm

SC High School Experiences Third Computer Theft (3 January 2007)

A laptop computer was stolen from a guidance counselor's office at the Academic Magnet High School in North Charleston, South Carolina over the school holiday. The computer holds personally identifiable information of approximately 500 students. School officials have been trying to reassure concerned parents and students by telling them the information is password-protected and encrypted. This is the third computer theft at the school this academic year. The other thefts - three monitors and two laptops from the school's media center and another laptop from the same guidance counselor's office - occurred in November 2006. Police are investigating.
-http://www.wcbd.com/midatlantic/cbd/news.PrintView.-content-articles-CBD-2007-01-03-0015.html

STANDARDS & BEST PRACTICES

Fifty-Seven Percent of Irish Companies Have No eMail and Internet Use Policies (28 December 2006)

Ireland's Small Firms Association (SFA) says that 57 percent of Irish companies have not implemented email and Internet use policies despite the fact that the companies can be held liable for employees' activities. Not only can Internet and email misuse result in lost productivity, but they can also result in a number of legal issues, including "libel actions, inadvertent entry into binding contracts, breaches of copyright legislation and exposure to sexual harassment and bullying claims."
-http://www.siliconrepublic.com/news/news.nv?storyid=single7554
[Editor's Note (Honan): The Irish Small Firms Association defines a small firm as having fewer than 50 employees. I think the survey reflects the reality many small businesses, both in Ireland and elsewhere, face when doing business. Business survival is the primary concern; policy documents regarding eMail and Internet use take a lower priority.
(Schultz): Honestly, would these results for small businesses be much different in other countries? From what I have seen, small companies are most likely to neglect information security.
(Northcutt): I am a bit skeptical of the accuracy of the research of the surveys that produce results like this; however, here is a link to an email policy and an email retention policy, and if folks familiar with European law could help us tweak these we would be glad to do so:
-http://www.sans.org/resources/policies/Email_Policy.doc
-http://www.sans.org/resources/policies/email_retention.doc]

Things to Consider Before you Deploy Full Disk Encryption (4 January 2007)

What if you have encrypted a petabyte of data with your secure storage solution and you then learn that either the key or the algorithm is not strong enough? An article by Peter Giannoulis advises computer security managers to consider the lifecycle of the system several years after it is deployed.
-http://www.sans.edu/resources/leadershiplab/pitfalls.php

STATISTICS, STUDIES & SURVEYS

Data Security Budget Allocations Out of Kilter (2 January 2007)

An Accenture/IDC survey of US government IT executives found that more than 90 percent say ensuring data security is a top priority for 2007; network infrastructure followed with 80 percent of respondents identifying it as a concern. However, the priorities do not appear to match budget allocations. According to the survey, an average of 10 percent of IT budgets is designated for security.
-http://www.fcw.com/article97197-01-02-07-Web&printLayout
[Editor's Note (Pescatore): Most data security problems occur because applications are built without sufficient security built in. Like most security problems, the best answer is not increasing the security budget to add more security products around security-deficient applications - any more than adding asbestos seat covers is the best way to deal with cars that burst into flames. Increasing the application development budget by 5% to require development or upgrade of secure applications will go a lot further than trying to sprinkle security on after problems occur - and may actually decrease the security budget. ]

MISCELLANEOUS

Personal Emergency Information Exposed on Utilities Site (29 December 2006)

Personal information about Rocky Rapids, Alberta area residents was posted on the Alberta Energy and Utilities Board web site for as long as six months. The information had been gathered for emergency planning in the event of a need to evacuate and included legal land descriptions, phone numbers, work hours and times when children would be home alone. The Office of the Information and Privacy Commissioner of Alberta is investigating.
-http://www.edmontonsun.com/News/Edmonton/2006/12/29/pf-3058974.html

US Gov. Could Use Airline Passenger Info. to Mine for More Data (4 & 2 January 2007)

The US government requires that Australia provide personal information about every airline passenger entering the US on one of its carriers. The information includes names, addresses, phone numbers, email addresses and religious dietary restrictions. In a related story, the US reached a deal regarding EU airline passenger data. The US government has been clear that the information they collect could be used to gather other data on passengers. For instance, if people use credit cards to purchase tickets, their purchase history may be examined; email addresses could be used to inspect passengers' correspondence.
-http://www.theaustralian.news.com.au/story/0,20867,21008391-2702,00.html
-http://www.telegraph.co.uk/news/main.jhtml;jsessionid=VL4HVZGOUZETRQFIQMFCFFOAVCBQYIV0?xml=/news/2007/01/01/nusnoop01.xml

[Editor's Comment (Honan): Privacy is a right and not a privilege to be revoked by governments when they see fit. This is a major invasion of privacy for those intending to travel to the US, especially as the US has confirmed this information can be shared with other foreign Government agencies. So while an EU citizen's private information is protected when it is stored within the EU under the EU Data Protection legislation, all bets are off once you travel to the US. The following is the information that is transferred under the agreement between the EU and the US: PNR record locator code, Date of reservation, Date(s) of intended travel, Name, Other names on PNR, Address, All forms of payment information, Billing address, Contact telephone numbers, All travel itinerary for specific PNR, Frequent flyer information (limited to miles flown and address(es)), Travel agency, Travel agent, Code share PNR information, Travel status of passenger, Split/Divided PNR information, Email address, Ticketing field information, General remarks, Ticket number, Seat number, Date of ticket issuance, No show history, Bag tag numbers, Go show information, OSI information, SSI/SSR information, Received from information, All historical changes to the PNR, Number of travelers on PNR, Seat information, One-way tickets, Any collected APIS information, ATFQ fields.
(Northcutt): These are two different stories; let's take Australia first. That is not news. I am traveling to Australia next month and I had to get a visa; Australia is and has been collecting information on folks from the US for years, so at most this is tit for tat. Europe and the US reached an agreement on passenger information in October, but apparently the "news" is that the agreement itself is now available for reading via a Freedom of Information request:
-http://www.eurunion.org/newsweb/HotTopics/PNRAgreemntOct06.pdf
While we are on the subject of privacy and Europe, we got a great comment from one of our readers on the "IP address trumped by privacy laws" issue from our last issue:
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=1#sID200

The EU Directives concerning data privacy have been translated into national laws and it is these laws which apply in such cases. The dissertation which I pointed out to you was influential in changing the planned directives to the final version. As to privacy vs. enforcement of digital rights, many people feel that the issue of enforcing digital rights does not automatically overshadow citizens' rights to expect some level of privacy. See for example
-http://www.wired.com/news/technology/1,71544-0.html
However, on this issue I'd like to avoid being part of what is a hot political debate in Sweden. My only concern here is to raise the consciousness of SANS NewsBites readers (and writers) that just because you can see an address, it does not necessarily mean that you can learn who (or what) lies behind that address. Even law enforcement officials have to obey the law. I've also encouraged operators of communication and computing systems to consider the EU directives in terms of the rules regarding retaining and providing data -- for example, if you don't have a business reason to store data it is a good idea not to store it (since this may not only violate some laws {for example Sweden's rules about unnecessarily collecting data}, but it also subjects you to rules about retention and discovery). Of course if you have a legal requirement to store certain data or a legitimate business reason to do so, then you need to think about how you store it, how long it is stored, who can access it, how you protect it, etc.
Regards, Prof. G. Q. "Chip" Maguire Jr.
-http://www.it.kth.se/~maguire

The Art of Software Security: Interview

In our December 22, 2006 edition we posted a book review of The Art of Software Security Assessment by Dowd, McDonald and Schuh. The authors have agreed to an interview on the topic; it contains a number of their tips and pointers to additional resources. The interview is available here:
-http://www.sans.edu/resources/leadershiplab/interview.php
And the original book review is available here:
-http://www.sans.edu/resources/leadershiplab/bookreview_01.php
And if you have additional pointers to great software security books or other resources, we would love to hear from you; write Stephen@sans.edu.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, http://www.sans.edu

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/