
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #24

March 23, 2007


The White House posted a second memo last night, confirming its mandate that all federal agencies must use secure configurations if they choose to deploy systems that run Windows Vista or XP. The latest memo was signed by Clay Johnson, Deputy Director of OMB and the top executive in US government management, and is posted at the White House site, . The original (March 20) memo from Karen Evans to Federal CIOs is now posted at .

This initiative matters because it provides the incentive ($65 billion in US government IT purchasing each year) and confidence (agreed upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations. That takes the pain out of secure configuration and rapid patching.

On April 11, federal CIOs and their senior staff will be briefed by the Air Force and OMB and NSA seniors on how to take advantage of the new mandate, and the lessons learned in the Air Force pilot implementation involving 575,000 computers. We will ask permission to make the essence of those briefings available to the entire security community, because this initiative will affect every medium and large buyer of computers running Windows software.


DHS Lags in Cybersecurity, GAO Says
US Stratcom Chief Calls for Stronger Cyber Offense by the US
New Vista Guidelines Represent Closer Collaboration with Government
Technician's Error Erases Disk and Back-Up For $38 Billion Fund


Six Arrested in Connection with TJX Data Fraud
Energy Sector Roadmap Launched
Gozi Trojan Steals Data from SSL Streams
Indiana State Web Site Intrusion Affects More Than First Believed
Found Memory Stick Holds Scottish Council Employee Pay Data
Half of Corporate Web Traffic Not Work Related
Bot-Infected Computers Proliferate in 2006
Data Loss a Major Fear Among Irish Firms
New Threats Confront Investigators
Oracle Sues SAP for Computer Spying
SANS Security Tip of the Day

********************* Sponsored By Symark Software **********************

How do you meet compliance and guard against insider threat at the same time? PowerBroker and PowerKeeper are compliance-based solutions that centralize systems administration while creating and enforcing strong privileged password and security policies. Granular, dynamic password management and auditability ensure a secure access control infrastructure. FREE 30 day trial with full technical support today.

SANSFire 07 in Washington DC Features the Internet Storm Center Experts

No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFire in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend the Internet Storm Center Threat Updates. For a list of courses

If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
*Complete schedule:
*SANS courses on site at your facility:


DHS Lags in Cybersecurity, GAO Says (March 21, 2007)

According to a new report from the GAO, DHS has still not implemented 25 recommendations needed to fulfill its cyber responsibilities. The report summarizes progress in private-sector infrastructure protection, including cybersecurity for the nation's 17 most critical sectors, among them energy, financial services, transportation, food, IT and water supply. While the sectors delivered their sector protection plans on time, the GAO said the quality of the plans varied. In response, the private sector participants (representatives of the critical infrastructure companies - most commonly government affairs staff and lobbyists) said that they were hindered by a lack of effective leadership by DHS, a lack of understanding by DHS of the critical infrastructure facilities and their operational realities, delays in obtaining guidance from DHS, and fear that DHS would leak sensitive information on their vulnerabilities and weak spots if those were included in the plans.

US Stratcom Chief Calls for Stronger Cyber Offense by the US (March 21, 2007)

Marine General James Cartwright, commander of the Strategic Command (Stratcom), told the House Armed Services Committee on March 21 that the US needed a stronger offensive cyber capability. He told Congress that other nations and terrorists hide behind screens - screens that need to be penetrated.

New Vista Guidelines Represent Closer Collaboration with Government (March 19, 2007)

A set of security guidelines for Windows Vista provides a checklist of security settings and configurations for enhanced security in the new operating system. Published by Microsoft, the guidelines resulted from a collaboration between Microsoft and the National Security Agency, the National Institute of Standards and Technology and the Defense Information Systems Agency. The guidelines set out a higher level of security for enterprises, which would probably be more advanced than most home users would require. Some vendors claim these settings, especially the more secure SSLF configuration that Microsoft provides, sacrifice user convenience and interoperability with applications. The reality is that competent programmers can nearly always make their software work on the more secure configurations.
The guidelines are posted:

Technician's Error Erases Disk and Back-Up For $38 Billion Fund (March 20 & 21, 2007)

In July 2006, a technician's error wiped out data regarding a financial account worth US $38 billion while the technician was reformatting a disk drive at Alaska's Department of Revenue. The technician accidentally reformatted the back-up drive, and when the organization tried to recover the data from back-up tapes, they discovered that they were unreadable. The deleted data were images of supporting documentation Alaskan residents had submitted to demonstrate their eligibility for payment from the Alaska Permanent Fund. It took approximately two months to rescan the 300 boxes of documents. The incident cost the state more than US $220,000.

[Editor's Note (Schultz): This incident once again shows that some of the greatest losses that organizations experience are not due to security per se, but rather to human error. It is thus paradoxical that organizations are devoting more resources to security risk than they did ten years ago, but at the same time they are not really doing more to address human error-related risk. ]

************************** Sponsored Link: ****************************

1) SANS @Home Security 401 Security Essentials: Convenient, cost effective, starts Monday, April 23



Six Arrested in Connection with TJX Data Fraud (March 21, 2007)

Law enforcement agents in Florida have arrested six people for allegedly using data stolen from TJX to buy large quantities of Wal-Mart and Sam's Club gift cards. Warrants have been issued for four other alleged suspects in the scheme, which has cost Wal-Mart and the banks that issued the stolen credit cards more than US $8 million. The scheme was apparently underway in November 2006, before TJX disclosed the intrusions. In January of this year, TJX acknowledged a security breach that affected sensitive financial account information of millions of customers. In February, TJX said it had discovered another set of intrusions indicating data thieves may have been accessing its systems as far back as 2005. The breach also affected customers of TK Maxx stores in Ireland and the United Kingdom.

In a separate but related story, a TJX shareholder has sued the company to gain access to documents that detail how the company handled problems that led to the exposure of customer data.
[Editor's Note: Stephen Northcutt and Ben Wright, the attorney who teaches the SANS security law course, have posted another op-ed on TJX:


Energy Sector Roadmap Launched (March 6, 2007)

The US Department of Energy's Office of Electricity and Energy Reliability launched a web-based, interactive Roadmap at the Process Control Systems Forum on March 6. The ieRoadmap (interactive energy Roadmap) is a web-based tool designed to accelerate stakeholder collaboration and track progress in implementing secure control systems in the Energy Sector. Building on the Wikipedia concept, this online resource provides an easily accessible mechanism for collecting and sharing information on current projects that support the Energy Sector Roadmap. By matching current activities to priority needs, the tool makes it easier to spot gaps in coverage and identify opportunities for leveraging resources. The site is accessible through


Gozi Trojan Steals Data from SSL Streams (March 20, 2007)

The Gozi Trojan horse program is believed to be responsible for the theft of confidential data from more than 5,000 computer users. Among the compromised data are Social Security numbers (SSNs), online banking and e-commerce account login credentials, and login credentials for approximately 300 companies and government organizations. The information was obtained from individuals' home computers compromised by Gozi. The malware went undetected for as long as 50 days. Gozi sent the purloined data to a server in St. Petersburg, Russia, where it was sold. Gozi works by exploiting a buffer overflow flaw in iFrame tags in Internet Explorer to steal data from Secure Sockets Layer (SSL)-encrypted streams. There are at least two more known Gozi variants.

[Editor's Note (Ullrich): Sadly, this story is far from unique. The Internet Storm Center routinely finds keylogger dumps containing gigabytes of data from thousands of users. Many times, user credentials are stolen over and over as they keep changing them after a compromise is noticed. Leaked information found at these sites includes resumes, browsing habits and other data most users would rather keep to themselves. Another sad fact about modern malware like this is that anti-virus is frequently powerless against current and relevant threats.
(Skoudis): From a functionality perspective, this malware is pretty run of the mill. There is a lot of stuff that does the same kind of thing. The interesting point here is that it went undetected for so long. A narrow threat might not get an AV signature for a while, and, compounding the problem, some users still don't update their AV signatures on a regular basis. For home users, make sure you automate signature update as much as possible, and try to prevent them from thwarting the process. Also, you should consider augmenting your signature-based AV tools with some behavior-based functionality or host-based IPS.
(Ranum): This illustrates the problem with poor layering of security. You can add encryption to a bad idea and it remains a bad idea. I forget who first said it, but "Using SSL to deliver data between a desktop PC and a typical website is like using an armored car to deliver money from your sock drawer to a paper bag taped under a park bench." ]


Indiana State Web Site Intrusion Affects More Than First Believed (March 21, 2007)

An audit of an Indiana state government web site, prompted by a data security breach, revealed that the intrusion compromised personally identifiable data of 71,000 more people than was first believed. In early February, the state discovered that credit card data of 5,600 individuals and businesses had been accessed without authorization. Indiana's Office of Technology has informed the 71,000 healthcare workers that their personally identifiable information was also compromised in early January. Authorities have reportedly identified a suspect in the intrusion and have initiated legal action.

Found Memory Stick Holds Scottish Council Employee Pay Data (March 20 & 21, 2007)

A memory stick found near a bicycle shelter contains nearly 60 documents from the Perth and Kinross (Scotland) Council. The data include pay details of dozens of Council employees. The person who found the device turned it in to a local newspaper. There is no evidence the loss of the device was reported to police. The council is unhappy that the finder did not instead return the device directly to the council.

[Editor's Note (Honan): In The Register's article the council claims "The failure by the finder of the USB device to return it to the council constitutes theft". It may be wise for the council to review their own legal standing regarding storing sensitive data on an unprotected and unencrypted USB key before accusing others of breaking the law. The seventh principle of the UK Data Protection Act requires organisations storing personal identifiable information to ensure "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The Data Protection Act is available at


Half of Corporate Web Traffic Not Work Related (March 21, 2007)

Nearly half of all web traffic coming from corporate networks is non-productive, or non-work related, according to security firm ScanSafe. The traffic includes requests for gambling, music, pornography and webmail sites, despite the fact that web filtering blocks were up 8 percent compared with January, according to the firm. Dan Nadir, vice president of product strategy at ScanSafe, says that the consequences of this uncontrolled use of the web also include "exposure to legal liability, disclosure of confidential information, breaches of compliance requirements and unnecessary bandwidth consumption."
[Editor's Note (Northcutt): Bad journalism. The reporter, Robert Jaques, has only a single source and focuses on a niche vendor (though a unique one). Well known content management filter vendors include Websense, Surfcontrol, 8e6 Technologies and Bluelance. Having said that, the article is directionally correct, a content management system will pay for itself. This is one time you can actually document ROI on a security purchase. Not that if you stop recreational surfing, employees necessarily will work more; they can still play solitaire on their desktop PC, but you will have a savings on bandwidth usage. ]

Bot-Infected Computers Proliferate in 2006 (March 20, 2007)

The number of bot-infected computers in Europe, Middle East and Africa (EMEA) increased 130 percent from the 1 million seen during the first half of 2006, according to the latest Internet Security Threat Report, published on March 19 by Symantec. China had the highest density of bot-infected computers - 26 percent - with most located in Beijing. In the EMEA region, France and Germany had the highest number of bot-infected computers. One ray of good news in this report was that the number of compromised computers in the UK fell from 22 to 11 percent during that period, due to broadband penetration and adoption rather than particular Internet security efforts, according to Symantec. Around 40 percent of the affected PCs were controlled via bot command-and-control computers located in the US, another indication that the US remains both a center and target of cybercrime.
The direct link to the Symantec Threat Report is

while a podcast outlining the key findings is available at

[Editor's Note (Skoudis): I urge you to read not only this article, but also the Symantec publication on which it is based. It's a real eye opener on how the threat we face is global in nature, and getting worse with time. In some ways, it's a rather depressing read, but we need to be armed with its data to make solid business and technical decisions for information security.
(Honan): The report fails to explain a contradiction. It says the number of compromised computers in the U.K. dropped from 22 to 11 per cent due to broadband penetration? Elsewhere in the report it states the high number of infections in other countries such as US, France and Germany were due to the high broadband penetration in those countries. ]

Data Loss a Major Fear Among Irish Firms (March 3, 2007)

"Loss of business-critical data" and "downtime of key IT systems" are listed by 75 percent of Irish IT managers as the greatest risks they face in IT planning. A new survey of European IT managers found that 65 percent of those surveyed expressed concerns about managing distributed data storage, and highlighted a disconnect between managers' risk-awareness and the action they take.


New Threats Confront Investigators (March 14, 2007)

The increasing sophistication of online attacks has led to new partnerships between law enforcement agencies and private-sector entities fighting cyber-crime. FBI agent Dan Larkin heads the Pittsburgh, PA-based National Cyber-Forensics & Training Alliance; Larkin says "the idea is to approach all of this with people who have different skill sets, because these fraud groups really have branched out." The Alliance is staffed by 18 agents from the Department of Homeland Security, the FBI and the US Postal Service. The alliance also receives data and assistance from more than 300 private companies and other anti-fraud groups, including students and researchers from the nearby campus of Carnegie Mellon University.

Oracle Sues SAP for Computer Spying (March 22, 2007)

Oracle has filed suit against competitor SAP, alleging computer fraud and abuse, computer data and access fraud, and intentional interference with prospective economic advantage. Oracle detected improper access patterns on its customer support site, originating from the Texas headquarters of TomorrowNow, an SAP operating company. Further analysis pointed to unusually high rates and volumes of downloads from the support site.


SANS Security Tip of the Day

Security Tip: Don't Let Personnel Issues Become Security Issues;

Terminate Computer Access Before You End a Contract or Tell People They Are Fired.

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft, and unauthorized disruption or denial of computer services. The danger these acts posed to the public was significant even if no accidents resulted from them. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S.: It took the city days to get the traffic control system back to normal.

If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit