SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #20
March 09, 2007
If you have worked with code analysis programs from Fortify or Ounce (or others) or with web application testing tools from SPI Dynamics or WatchFire (or others) and would like to share your lessons learned, please email firstname.lastname@example.org today. On March 26 at a CIO/CISO forum on application security, in Washington DC, we will highlight lessons learned in using these tools, as well as the new exam for programmers that measures secure coding skills. We could employ your input or even invite you to speak at the forum.
TOP OF THE NEWS
VA CIO Restricts Use of USB Drives
IG Audit Reveals USDA Breach Data Incorrect
Proposed Swedish Wiretapping Law Met with Criticism
Microsoft Says No Security Updates this Month; Fails To Patch Key Vulnerabilities
SEC Suspends Trading of Companies Touted in Pump-and-Dump Scheme
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Fifth Man Sentenced in LexisNexis Intrusion Case
Korean Police Arrest Malware Purveyor
POLICY & LEGISLATION
Thai Legislature Will Get Look at Amended Cyber Crime Bill
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
IFPI Sues Yahoo! China for Copyright Infringement
STATISTICS, STUDIES & SURVEYS
Gartner Study Sees Sharp Rise in ID Theft and Associated Fraud
Two-Thirds of Companies Lose Data Six Times a Year
Telecommunications Fraud on the Rise
Should Hackers' Evidence be Admissible?
SANS SECURITY TIP OF THE DAY
Don't download sets of pictures from the Internet
TOP OF THE NEWS
VA CIO Restricts Use of USB Drives (March 7, 2007)
Veterans Affairs Department (VA) CIO Robert Howard has placed restrictions on the use of thumb drives within the VA. Employees will be permitted to use only those drives issued by the VA CIO's office, and those devices will be limited to 1G or 2G of memory. Furthermore, employees will need to apply for and demonstrate the need for thumb drives before they are issued. This restriction is just one step Howard plans to take to tighten data security at the beleaguered department. He also plans to "eliminate unencrypted messages that travel on VA's network" and is proposing to the Office of Management and Budget that the five deputy CIOs at the VA be promoted to "secretaries for different functions," such as information security and strategic planning.
[Editor's Note (Ullrich): It's almost impossible to prevent people from entering a modern office without USB devices. Microsoft provides a knowledge base article with details:
(Multiple): Are iPods and other media players not simply thumb drives that play music? Does the policy stop their use? And without automated tools to verify compliance, this type of policy won't be followed and is therefore misleading and ineffective. The theme of computer security policies should be trust but verify. If you cannot verify automatically, you probably don't have compliance. ]
IG Audit Reveals USDA Breach Data Incorrect (March 6, 2007)
According to an audit from the US Department of Agriculture's (USDA) Inspector General, the USDA provided erroneous information in response to a congressional inquiry last July regarding data security breaches. The USDA's response to the inquiry indicated that eight laptop computers had been lost or stolen since 2003. The IG's audit revealed that at least 17 computers were reported missing between October 2005 and May 2006 alone. In addition, the USDA did not notify the individuals whose information was on the missing computers. Those affected include farmers, ranchers, small businessmen and Agriculture Department employees, but a spokesperson for the IG's office could not say how many people were affected. The inquiry arose out of the news about missing hardware from the VA that held information of 26.5 million veterans and active-duty members. The IG's audit attributes the discrepancies to inadequate recordkeeping and "lack of guidance."
[Editor's Note (Schultz): The VA is slowly but surely doing better when it comes to information security, even though this organization has had to learn the hard way. My only concern is that the VA's approach has been to put new security-related policies and procedures in place, something that will do some amount of good, but that does not address the real root cause of the problems the VA has had--lack of senior management governance and oversight.
(Honan): I hope the USDA takes on board the findings from the IG audit. If security incidents are not properly recorded and then subsequently analysed, important lessons will not be learnt on how to prevent the incident from occurring again. Good incident management includes learning from the things you have done wrong and implementing controls preventing them from happening again, similar to the earlier story regarding the VA. ]
Proposed Swedish Wiretapping Law Met with Criticism (March 7 & 8, 2007)
Proposed legislation in Sweden would give the National Defense Radio Establishment (FRA) the power to tap cross-border Internet traffic and phone calls without a court order. Current law allows FRA to monitor military radio communications; police may monitor communications only if they believe there is a crime being committed and they obtain a court order. The law would allow FRA to use data mining software to ferret out communications containing keywords. Communications within Sweden would be unaffected by the law. If the law is approved, it would go into effect on July 1.
Microsoft Says No Security Updates this Month; Fails To Patch Key Vulnerabilities (March 8, 2007)
According to an advance notice from Microsoft, there will be no security updates released this month. There are at least nine known, unpatched vulnerabilities in Microsoft products. Microsoft says it is investigating vulnerabilities and will release fixes when it feels they have been adequately tested. Microsoft normally releases security bulletins on the second Tuesday of each month. The last month in which Microsoft released no updates was January 2003. While there will be no security bulletins on March 13, Microsoft plans to release an updated version of its Windows Malicious Software Removal Tool as well as several non-security, high-priority updates. Internet Storm Center notes:
[Guest Editor's Note (Swa Frantzen, Storm Center Handler): Note that for five of the vulnerabilities, Microsoft already indicated that the company will *not* produce a patch (not just this month). At best they will get fixed in a service pack, but that is not guaranteed. The worst of the vulnerabilities is, without a doubt, in CVE-2007-0870, as even Microsoft admits, it allows remote code execution and is being used in targeted attacks. Known since Feb 9th, we at the Internet Storm Center were hoping at least this one would get patched. For some reason Microsoft appears to be saying that a vulnerability being exploited in targeted attacks is less urgent for them to fix it. Targeted attacks are, for those being attacked, the hardest to defend against because AV software doesn't get samples unless the attacked organization(s) find the malware by other means first and then give the AV industry some samples to work from. Hopefully sensitive data handling facilities filter office attachments by now by default.
(Liston): Note: They were GOING to release patches, they just couldn't figure out how to get Vista to let them do it...]
SEC Suspends Trading of Companies Touted in Pump-and-Dump Scheme (March 8, 2007)
The US Securities and Exchange Commission (SEC) has suspended trading of 35 companies that have been the subject of pump-and-dump email schemes. The companies affected by this particular action, which will last for 10 business days, are not listed on any exchange and "not subject to the reporting requirements of the SEC Act of 1934." The action is part of the SEC's larger "Operation Spamalot." The SEC estimates that 100 million spam messages touting stocks with the intent to temporarily drive up their value are sent every week.
[Editor's Note (Ullrich): With this action, the SEC is setting a clear signal that they are no longer just watching these pump and dump schemes. While the amounts involved per stock are relatively small, a major fraction of spam is devoted to these schemes. Removing the financial incentive from the scam will go a long way to reduce the spam that goes with it. The scary part about this: Pump-and-Dump spam actually works :-(]
THE REST OF THE WEEK'S NEWS
Fifth Man Sentenced in LexisNexis Intrusion Case (March 6 & 8, 2007)
Justin A. Perras has been sentenced to one year in prison for breaking into LexisNexis computer systems. Perras pleaded guilty to conspiracy to commit computer fraud and identity theft. After he leaves prison, Perras will serve three years of probation and 100 hours of community service. Four co-defendants in the case were sentenced in December 2006; three received prison sentences of less than one year and all will serve three years of probation. The group must jointly pay US $105,750 in restitution to LexisNexis and the Port Orange (Fla.) Police Department. According to prosecutors, the defendants gained unauthorized access to the computer systems and made database entries. All of the defendants are restricted from using computers.
Korean Police Arrest Malware Purveyor (March 7, 2007)
Police in Korea arrested a man earlier this week for manipulating people's computers. The investigation leading to his arrest was prompted by the puzzling fact that the term "Hero Gye-baek" accounted for 1.6 million Internet searches every day, more than three times the frequency of other popular search terms. It appears the man provided movies, television shows, radio and other digital content through a website. People who used his service were required to download software in which he had allegedly hidden malware that resulted in their searching for that string whenever they logged on to the Internet. The malicious code also changed users' Internet Explorer start pages to a shopping page; the man received a commission if the users made purchases through that page. He allegedly brought in W560 million (US $592,000). The code is difficult if not impossible to remove from infected machines. Two other individuals were arrested as well.
[Editor's Note (Grefer): To put those numbers into perspective, according to the Korean government, the monthly earnings of regular employees in all industries and manufacturing are around 2400 won. In comparison, this was quite a profitable venture; hopefully the penalty will match the crime.
(Honan): This story is a good example of how you can use non-security systems to detect potential security incidents. Your security awareness program should include training for users to spot and report unusual activity in the systems they use so that they can be investigated further. ]
POLICY & LEGISLATION
Thai Legislature Will Get Look at Amended Cyber Crime Bill (March 7, 2007)
Thailand's National Legislative Assembly will receive an amended version of the draft computer crime bill some time this month. The initial version of the bill came under fire "for the amount of control it gave to authorities." Among the amendments to the bill are a requirement that authorities obtain court authorization before "dealing with suspected illegal activity" and that officials who take on cyber crime cases must have a certain level of technical background and knowledge.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
IFPI Sues Yahoo! China for Copyright Infringement (March 8, 2007)
The International Federation of the Phonographic Industry (IFPI) is suing Yahoo! China for alleged copyright violations. The suit alleges Yahoo! China is making songs available for playing and downloading without permission from record companies. IFPI is seeking US $710,000 in damages. Yahoo! China and IFPI were allegedly close to reaching an agreement when Yahoo! China "walked away from the talks."
STATISTICS, STUDIES & SURVEYS
Gartner Study Sees Sharp Rise in ID Theft and Associated Fraud (March 7, 2007)
A Gartner study says that fraud arising from identity theft has risen significantly since 2003. Extrapolation from gathered statistics indicates that approximately 15 million Americans dealt with fraud stemming from identity theft between the middle of 2005 and the middle of 2006. Figures gathered by the Federal Trade Commission (FTC) in its own survey estimated that number to be 9.9 million in 2003. Gartner surveyed 5,000 US adults who use the Internet. Other findings include an increase in the average amount of money lost to fraud from US $1,408 in 2005 to US $3,257 in 2006. The percentage of funds recovered dropped over the same one-year period from 85 percent in 2005 to just 61 percent in 2006.
[Editor's Note (Ullrich): I have friends who stopped using the Internet for shopping and banking due to either experiencing or hearing about identity theft. In addition to the first-order monetary damage, ID theft causes even larger damages due to loss of trust in technology. The economic damage that could be caused by this loss of trust could easily explode unless companies and agencies responsible for protecting our data wake up, get their act together, and implement meaningful two-factor authentication schemes. ]
Two-Thirds of Companies Lose Data Six Times a Year (March 7, 2007)
Sixty-eight percent of companies surveyed by the IT Policy Compliance Group said they experience data loss or theft six times a year; 20 percent say they lose data at least 22 times a year. Just 12 percent of companies report losing data less than twice a year. The top reasons the companies gave for data loss are user error, policy violations, and Internet threats. The ways in which data were lost include lost devices, email and other electronic communications, and software applications.
Telecommunications Fraud on the Rise (March 8, 2007)
Telecommunications fraud in Ireland is costing Irish businesses 75 million Euros (US $98.5 million) annually and is growing at a rate of 15 percent a year. The crime is often under-reported, as companies can remain unaware of the fraud until their phone systems have already been abused. Codes to access phone systems remotely are often traded on the Internet. Businesses are urged to change PBX (private branch exchange) passwords frequently and to monitor their telecommunications systems for unusual traffic patterns.
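The "unusual traffic patterns" that the story advises businesses to watch for are usually bursts of after-hours international calls placed through a remote-access (DISA) port with a traded access code. The following Python screen, an added example that is not part of the newsletter, runs that check over a constructed set of call-detail records; the CSV layout, the Irish +353 home prefix, business hours and thresholds are all assumptions.

```python
# Added example: screen PBX call-detail records (CDRs) for the off-hours
# international call bursts typical of toll fraud via a remote-access code.
# The CDR layout, home prefix, business hours and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: "timestamp,source,destination,duration_seconds".
# "source" is the extension or the DISA (remote-access) port that placed the call.
SAMPLE_CDRS = """\
2007-03-06 09:12:00,ext-201,+35316000000,120
2007-03-06 11:40:00,ext-214,+35314000000,300
2007-03-06 17:05:00,ext-201,+442079000000,180
2007-03-07 01:10:00,disa-1,+25311000000,900
2007-03-07 01:25:00,disa-1,+25312000000,1200
2007-03-07 01:50:00,disa-1,+68888000000,1500
2007-03-07 02:15:00,disa-1,+25313000000,1100
2007-03-07 02:40:00,disa-1,+68889000000,950
2007-03-07 10:00:00,ext-201,+35316000000,60
"""

HOME_PREFIX = "+353"           # assumed: an Irish PBX, as in the story
BUSINESS_HOURS = range(8, 19)  # assumed: 08:00-18:59 local time
MAX_OFF_HOURS_INTL_CALLS = 2   # assumed alert thresholds
MAX_OFF_HOURS_INTL_MINUTES = 30


def parse_cdrs(text):
    """Parse the constructed CSV CDR lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dur = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": src,
            "dest": dst,
            "minutes": int(dur) / 60.0,
        })
    return records


def is_off_hours_international(rec):
    """True when a call left the home country outside business hours."""
    return (rec["time"].hour not in BUSINESS_HOURS
            and not rec["dest"].startswith(HOME_PREFIX))


def flag_suspicious_sources(records):
    """Return {source: (calls, minutes)} for sources whose off-hours
    international traffic exceeds either threshold."""
    calls = defaultdict(int)
    minutes = defaultdict(float)
    for rec in records:
        if is_off_hours_international(rec):
            calls[rec["source"]] += 1
            minutes[rec["source"]] += rec["minutes"]
    return {
        src: (calls[src], round(minutes[src], 1))
        for src in calls
        if calls[src] > MAX_OFF_HOURS_INTL_CALLS
        or minutes[src] > MAX_OFF_HOURS_INTL_MINUTES
    }


if __name__ == "__main__":
    for src, (n, mins) in flag_suspicious_sources(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"ALERT {src}: {n} off-hours international calls, {mins} min")
```

On the sample data only the DISA port is flagged; the daytime extensions, including one legitimate UK call, stay below both thresholds.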
Should Hackers' Evidence be Admissible? (February 27, 2007)
In a case in which Superior Court Judge Ronald C. Kline was convicted of downloading child pornography based on evidence obtained by someone who had planted a Trojan horse on Kline's computer, Larry Seltzer wonders if the court in this case decided that the seriousness of the crime overrode the fact that the evidence was obtained by illegal means. Seltzer writes that "the legal standard is that evidence [obtained in this way] can still be admissible if it wasn't obtained by the government or an agent of theirs." However, Seltzer points out, the malware used to gather evidence against Judge Kline could just as easily have been used to plant incriminating evidence on a computer.
[Editor's Note (Ullrich): My clear answer in this case is "NO!!". Child porn is a horrible crime. But accusing the wrong people of it is as bad. I don't know of any way to prove that evidence obtained in this manner is not tainted by a vigilante.
(Schultz): This ruling does indeed seem bizarre in that the evidence obtained by the attackers in this case was obtained both illegally and unsystematically. As Seltzer has stated, there is considerable prejudice against individuals known to engage in child pornography or suspected of doing so. This prejudice apparently manifests itself in rulings such as this one.
(Liston): This is a particularly slippery slope. The government is, on the one hand, relying on the ethics of their informant when they simply take the evidence he provided at face value. On the other hand, they're also relying on his lack of ethics in compromising the Judge's machine in the first place.]
SANS SECURITY TIP OF THE DAY
Don't download sets of pictures from the Internet
A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email email@example.com.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit