SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #25
March 27, 2007
Did you ever wonder whether the programmers who write important applications know how hackers attack programs and have the skills to write code without common security errors that lead to vulnerabilities? The Secure Programming Skills Assessment (SPSA), announced yesterday by a large consortium of leading organizations, is designed to provide the answers. If you work with programmers, get them to try the sample tests and review the test blueprints and provide feedback. Official test administration begins in August. The first story in this issue has articles from the Washington Post, Computerworld, and ComputerWeekly. Details at http://www.sans-ssi.org/index.php
TOP OF THE NEWS
Programmers To Be Rated On Secure Coding Skills
Florida Congressional Candidate Seeking Access to Suspect Voting Machines
Ireland's Information Commissioner Warns Schools on Biometrics
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Seven Held in Connection with Telecom Network Intrusions
Man Pleads Guilty to Breaking Into eBay Accounts
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Cal. Sec. of State Takes Steps to Protect Citizens from ID Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Looking into Windows Mail Remote Code Execution Flaw
Flaw in Windows Proxy-Setting Search Could be Exploited to Hijack Traffic
Vista Hides Extensions of Known File Types
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Laptops Hold Health Care Data
Stolen Hard Drives Hold Patient Data
Suspect in Indiana Gov Site Intrusions May Have Breached Sites in Other States
STATISTICS, STUDIES & SURVEYS
Overseas Software Development Poses Threat, Say Studies
Finjan Web Security Trends Report for Q1 2007
Half of Internet Users Feel Responsible for Protecting Their Data Online
DOD Investigating Electronic Thefts from Military Pay Accounts
NOT REALLY NEWS BUT THE EDITOR'S COMMENTS ARE GOOD
Image-Based Spam Responsible for Growing Message Size
********************* Sponsored By ArcSight, Inc. ***********************
Free Whitepaper: "Selecting a SIM Solution for Compliance".
Meeting compliance regulations doesn't mean sacrificing your security budget. Discover the best practices - based on actual customer experiences - that should be an integral part of your evaluation process when assessing a SIM. Brought to you by ArcSight, the leader in security, compliance and insider threat.
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
*SANS courses on site at your facility: http://www.sans.org/onsite/
TOP OF THE NEWS
Programmers To Be Rated On Secure Coding Skills (26 March 2007) A consortium of organizations from the US, India, Japan, and Germany has joined with the SANS Institute to launch a series of security tests for application programmers. The tests enable programmers to find the gaps in their security skills and allow employers and buyers of software to be more confident that the people writing applications know how to avoid the common security problems. Initial testing begins August 14, 2007. Sample tests and test blueprints are already posted at www.sans-ssi.org.
Florida Congressional Candidate Seeking Access to Suspect Voting Machines (March 24 & 26, 2007) A Florida Congressional election in November 2006 gained national attention "when it became apparent that more than 18,000 votes were not recorded." Christine Jennings, who lost the seat by 369 votes, is contesting the election and is waiting to hear if Florida's First District Court of Appeals will grant an expert in electronic voting technology access to the machines used in the election. If the court does not grant access, a Committee on House Administration task force could order that access be permitted. Florida election officials were apparently warned of problems with certain voting machines last summer, but did not address them before the November 7 election.
[Editor's Note (Northcutt): These are updates to the ongoing story, but what an important story it is. You would think there would be a bit more focus when the race was lost by 369 votes and there are 18,000 votes "missing". Just say "no" to paperless voting machines. ]
Ireland's Information Commissioner Warns Schools on Biometrics (March 23, 2007) Ireland's Information Commissioner's office is coming down hard on schools rumored to have implemented student fingerprinting. The schools were told they need a good reason for establishing fingerprinting programs, and the Information Commissioner's Office has said it will use its powers to remove such systems where it feels the schools have overstepped their bounds. Of the seven schools that received letters, five were just considering implementing the technology; two have not yet responded. The Information Commissioner's office has issued guidance on biometrics in schools to help the schools understand their responsibilities in complying with the Data Protection Acts of 1988 and 2003. School programs will be assessed on a case-by-case basis and all implementations will require Privacy Impact Statements. Schools were also informed that they need parental consent to gather fingerprints from minors and that all students must be provided a means of opting out of the program without any penalties or reduced access to services.
[Editor's Note (Schultz): Obtaining fingerprints from students for the purpose of recording school attendance seems very extreme. As news of this and similar items circulates, I fear that it will create a backlash against the use of biometric authentication.
(Honan): Under Article 8 of the European Convention on Human Rights an individual's right to privacy is protected. As such this is a welcome move by the Irish Data Protection Commissioner as it sends a clear message to organisations that they need to determine all the implications implementing technology can have on the rights and privacy of individuals. ]
************************ Sponsored Links: ******************************
1) Security professionals focus on fighting the most common data threats
- - Encryption Summit, April 23-25.
2) Protect your company from phishing expeditions. New FREE report has the facts.
3) Test your secure programming skills. Sample tests. Blueprints.
THE REST OF THE WEEK'S NEWS
Seven Held in Connection with Telecom Network Intrusions (March 23, 2007) Police in the Philippines have detained seven individuals for questioning in connection with a series of telecommunications network intrusions in that country, the US, Canada, Australia and three European countries. The scheme involved breaking into the telecommunications networks and selling the connections for a fee; telecommunications companies have incurred losses as a result.
Man Pleads Guilty to Breaking Into eBay Accounts (March 19 & 21, 2007) An Australian man has pleaded guilty to breaking into 90 eBay accounts and using them to steal AU $42,000 (US $34,000). Dov Tenenboim also broke into email accounts and a bank. Tenenboim advertised non-existent iPods through the hacked eBay accounts and pocketed the money from the fraudulent sales. If he is convicted on all charges against him, Tenenboim could face up to 11 years in jail and fines of AU $9,900 (US $8,007). Tenenboim apparently guessed most of the eBay account passwords.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Cal. Sec. of State Takes Steps to Protect Citizens from ID Theft (March 26, 2007) The California Secretary of State's office has closed off parts of its website after becoming aware that it was selling Uniform Commercial Code (UCC) documents that contain Social Security numbers (SSNs). The documents often contain addresses and signatures as well. Secretary of State Debra Bowen has taken a number of steps to safeguard sensitive data. These include halting the bulk sale of UCC documents until all but the last four digits of SSNs have been removed from all UCC records and placing a warning on the website telling people not to include SSNs with UCC forms filed with her office.
[Editor's Note (Ullrich): Yet another reason to do away with SSNs as "passwords" to your identity. SSNs should only be used as unique identifiers ("username") and not to provide access ("password") to a person's identity. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Looking into Windows Mail Remote Code Execution Flaw (March 26, 2007) Microsoft is investigating reports of a remote code execution vulnerability in Windows Mail that affects PCs running Vista. Users tricked into clicking on maliciously crafted links could find programs executing without any sort of warning. Vista's limited deployment mitigates the risk posed by this vulnerability.
Flaw in Windows Proxy-Setting Search Could be Exploited to Hijack Traffic (March 25, 2007) A problem with the way in which Windows PCs obtain proxy settings could be exploited to hijack traffic. Windows PCs search for proxies using the Web Proxy Autodiscovery Protocol (WPAD). It is a simple matter for an attacker to register a proxy server on a network using the Windows Internet Naming Service (WINS) or other network services. Redirecting traffic through a maliciously crafted proxy server could allow an attacker to view all the traffic and manipulate it before it is sent on its way. The urgency of the problem is somewhat mitigated by the fact that an attacker would need access to the targeted network: the attacker needs local access, physical or wireless, and the attack cannot be carried out from the Internet.
[Editor's Note (Ullrich): The most likely exploit scenario involves public networks (coffee shop, airport wifi). Once you are done with your laptop full disk encryption project (or maybe before that), think about how to protect your users while they connect to such untrusted networks. Of course, networks at security conferences are part of it. ]
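The item above turns on one fact: whichever host answers to the "wpad" name decides where a client's web traffic goes, so a defender wants to know the moment that name resolves to anything other than the sanctioned proxy. The following detection logic is an added example written for this newsletter summary, not code from the story or from Microsoft; it assumes a single approved proxy address and a simplified, constructed line format for DNS answers and WINS registrations (real resolver and WINS logs look different and would need their own parser).

```python
import re

# Assumption: the organisation runs exactly one sanctioned proxy at this address.
APPROVED_PROXY_ADDRS = {"10.0.0.5"}

# Constructed sample of name-resolution events in a simplified line format:
#   <timestamp> <source> <event> name=<name> addr=<ip>
# The third and fourth lines show a second host claiming the WPAD name.
SAMPLE_EVENTS = """\
2007-03-25T09:14:02 dns ANSWER name=wpad.corp.example addr=10.0.0.5
2007-03-25T09:15:10 wins REGISTER name=WPAD addr=192.168.1.77
2007-03-25T09:15:11 dns ANSWER name=mail.corp.example addr=10.0.0.9
2007-03-25T09:16:40 dns ANSWER name=wpad.corp.example addr=192.168.1.77
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>dns|wins) (?P<event>\S+) "
    r"name=(?P<name>\S+) addr=(?P<addr>\S+)$"
)


def is_wpad_name(name: str) -> bool:
    """True when the first label of a DNS or WINS name is 'wpad', case-insensitively.
    Clients search for that label in every DNS suffix they are configured with,
    so only the first label matters here."""
    return name.split(".")[0].lower() == "wpad"


def find_rogue_wpad(events_text: str, approved=APPROVED_PROXY_ADDRS):
    """Return (timestamp, source, address) for every event in which the WPAD
    name is bound to an address outside the approved set. Lines that do not
    match the expected format are ignored rather than treated as errors."""
    alerts = []
    for line in events_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if not is_wpad_name(m["name"]):
            continue
        if m["addr"] not in approved:
            alerts.append((m["ts"], m["source"], m["addr"]))
    return alerts


if __name__ == "__main__":
    for ts, source, addr in find_rogue_wpad(SAMPLE_EVENTS):
        print(f"{ts} {source}: WPAD name bound to unapproved address {addr}")
```

The same check applied to a laptop's own resolver log is a cheap way to notice that an untrusted network has handed it a proxy it never asked for, which is the scenario the editor's note describes.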
Vista Hides Extensions of Known File Types (March 23, 2007) Windows Vista apparently hides extensions for known file types by default, just as its predecessors do. Attackers could exploit this behavior by giving malware a double extension, so that the hidden final extension is executable while the name the user sees looks like a harmless document.
[Editor's Note (Northcutt): The story and blog comment are true. Vista abstracts even more of the OS details. Propeller heads like many of the NewsBites readers find that a problem; the administrative workers and home users of the world will probably appreciate it once they get used to the interface because it gives them more control over defaults as the link below shows. In any case, right click and properties still works and I am sure it is just a matter of time till someone writes a shell for techies with enough power for us to screw up our operating systems beyond belief and then spend a day recovering (and call it fun):
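To make the double-extension problem concrete, the script below mimics what a user sees when the final extension of a known file type is hidden, and flags any file whose real extension is executable but whose displayed name still ends in a document-style extension. It is an added example for this item, not code from the story or from Microsoft; the extension sets are representative assumptions, not Windows' full list of known types, and the file listing is constructed.

```python
import posixpath

# Assumption: a representative subset of extensions Windows treats as executable content.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumption: extensions users expect to denote inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".txt", ".jpg", ".png", ".xls"}


def displayed_name(filename: str) -> str:
    """Mimic Explorer's 'hide extensions for known file types' setting: the
    final extension of a known type is dropped from what the user sees."""
    stem, ext = posixpath.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (final) extension is executable but the name the
    user sees still ends in a document extension, e.g. 'photo.jpg.exe'."""
    _, real_ext = posixpath.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, apparent_ext = posixpath.splitext(displayed_name(filename))
    return apparent_ext.lower() in DOCUMENT_EXTS


def scan(filenames):
    """Return the subset of filenames that would be displayed as documents
    while actually being executables."""
    return [f for f in filenames if is_disguised_executable(f)]


# Constructed sample listing: two of these names rely on a hidden second extension.
SAMPLE_LISTING = [
    "Q1_report.pdf",
    "photo.jpg.exe",
    "setup.exe",
    "invoice.doc.scr",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        flag = "DISGUISED" if is_disguised_executable(name) else "ok"
        print(f"{name:20} shown as {displayed_name(name):15} {flag}")
```

The point the check makes visible is that "setup.exe" displayed as "setup" is merely terse, while "photo.jpg.exe" displayed as "photo.jpg" actively misleads; the same logic can run over a mail gateway's attachment names or a download folder.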
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Laptops Hold Health Care Data (March 24, 2007) Two missing laptop computers hold personally identifiable information of approximately 31,000 Group Health Cooperative Health Care System patients and employees in the Seattle area. Compromised data include names, addresses, SSNs and Group Health ID numbers. The computers disappeared in late February and early March of this year. Affected individuals have been notified by mail.
Stolen Hard Drives Hold Patient Data (March 23, 2007) Approximately 19,000 current and former patients of the Swedish Urology Group in the Seattle area have been informed that their personal information has been compromised. Three hard drives used to back up the practice's data were stolen from a locked office on March 10; there were no signs of forced entry, suggesting that the perpetrator may have had a master key. The data go back as far as four years in some cases. The drives contain physician and staff information as well as patient data.
Suspect in Indiana Gov Site Intrusions May Have Breached Sites in Other States (March 22, 2007) Investigators from Indiana's Office of Technology believe they have identified a suspect in a security breach that exposed the SSNs of 71,000 health care workers as well as credit card data belonging to 5,600 individuals and businesses. Investigators are pursuing criminal charges. The individual responsible for these attacks is also believed to have breached government systems in other states,
STATISTICS, STUDIES & SURVEYS
Overseas Software Development Poses Threat, Say Studies (March 26, 2007) A report from the Center for Strategic and International Studies (CSIS) and a forthcoming study from the US Defense Department (DOD) both suggest that the growing trend of using software developed outside of the US puts the country at risk. Both "call for new policies and procedures to mitigate potential threats from software containing malicious code." Among the suggestions: become aware "of the software supply chain," carefully check out the companies that are developing the software, and test the code. The DOD report is slated to be released in April.
[Editor's Note (Pescatore, with Paller and Grefer affirming): Since a huge percentage of the code in most software products from most US-based software vendors was written overseas, it makes no sense to focus any more on off-shore software suppliers than on-shore. Instead of being xenophobic, test all custom software and require all commercial software vendors to provide evidence of such testing regardless of what flag they carry. ]
(Honan): No matter the source of the software, US or non-US, in-house or outsourced, unless you trust the source code and indeed the compiler for that code, you do need to be aware "of the software supply chain". ]
Finjan Web Security Trends Report for Q1 2007 (March 26, 2007) Finjan's most recent Web Security Trends Report finds that most malware on the Internet emanates from the US and the UK, "shattering the myth that malicious code is primarily being hosted in countries where e-crime laws are less developed." In addition, embedded malicious code is found not just on shady websites, but also in advertisements on legitimate websites. URLs for advertisements lead the pack when it comes to hosting malicious code; as much as 80 percent of embedded malware is found in advertisements. Webmasters may not always be aware of the ads that pop up on their sites, as they may have purchased services that push the ads onto the websites. Finjan's study analyzed more than 10 million unique URLs. More than 80 percent of detected malicious code was obfuscated, rendering traditional, signature-based and pattern-matching malware detection systems ineffective.
Half of Internet Users Feel Responsible for Protecting Their Data Online (March 25 & 26, 2007) A joint survey from Get Safe Online and the BBC News website found that 48 percent of adult Internet users in the UK believe they are responsible for safeguarding their personal data online. The survey received responses from 2,441 individuals. Sixteen percent believe that the responsibility for protecting personal data rests with banks, and 13 percent feel the responsibility falls to their Internet service providers (ISPs). Half of the respondents do not have anti-spyware and 13 percent of broadband users do not have firewalls. Twelve percent of respondents had been victims of fraud within the last year.
[Editor's Note (Schultz): Frankly, I am surprised that as many as 48 percent of adult Internet users in this survey reported feeling responsible for protecting their own data. Getting users to realize that they are partly or mostly responsible for protecting their own data is, I suspect, a nearly impossible task, yet if this could be done, it would make a huge difference in lowering susceptibility to the major Internet-related risks that plague everyday users. ]
DOD Investigating Electronic Thefts from Military Pay Accounts (March 23 & 24, 2007) According to US DOD reports, more than 20 service members had money siphoned from their military pay accounts. The Defense Finance and Accounting Service's "myPay" program allows service members to manage their pay data online. Services include being able to designate accounts for direct deposits. The theft of the funds is likely due to keystroke loggers and other spyware having infiltrated the home computers of affected service members. The stolen money has been returned to the affected accounts.
[Editor's Note (Northcutt): Earlier in this issue is a story about Tenenboim being convicted of breaking into eBay accounts by guessing passwords. Be careful in attributing this DoD attack to keystroke loggers and spyware; it may well be a lack of computer security awareness. ]
NOT REALLY NEWS BUT THE EDITOR'S COMMENTS ARE GOOD
Image-Based Spam Responsible for Growing Message Size (March 26, 2007) A study from SoftScan indicates that the average size of spam email has grown more than 75 percent since last September, from an average of 6.62kb to an average of 11.76kb. The increase in message size is attributable to the growing incidence of image-based spam. The increase could result in higher costs to companies that must pay for the bandwidth to receive the messages and, in some cases, must pay for the costs of archiving the spam.
[Editor's Note (Honan): Hosted anti-spam services are a viable option to consider in your battle against SPAM. Not only do you alleviate the headache and overhead of maintaining and managing your own Anti-SPAM solution but you also keep SPAM away from clogging up your bandwidth.
(Pescatore): Actually, I think ever-lengthening email disclaimers are equally to blame. Why don't companies have to have disclaimer voice messages inserted at the end of every phone call made from a corporate phone?
(Ullrich): My own personal mail server was receiving about 98% spam the last time I checked. Without spam, I would probably be able to use a shared system and save money just on the power bill. I am considering no longer accepting e-mail from users I don't explicitly approve. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit