SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #26
March 30, 2007
Valuable progress to report on both major new developments in cyber security:
1. Application security (reducing security bugs at the source): On March 26, more than 120 senior federal and business leaders met in Washington to learn about and discuss both the new national examinations for programmers and progress in improving automated tools for application security. The panels there were the best we have ever seen on application security - including some surprising revelations. The panelists agreed to do it again, as a web cast, on April 4 so people outside Washington can hear and ask questions. Everyone who builds applications or tests applications or wants to see improvements in application security is welcome. Information posted at:
2. White House mandate on standard, secure configurations for Windows XP and Vista: Tim Clark, publisher of Government Executive magazine, with a little help from SANS, is hosting a breakfast/briefing on April 11 for the senior government officials (CIOs, CISOs, and IGs and their staff) who will implement and enforce the mandate. The speakers are the key leaders from OMB, NSA and the Air Force where the idea was proven to work and the problems were discovered. Contractors and software developers are also invited because they will be doing much of the heavy lifting. The invitation is at the end of this issue after the list of NewsBites editors.
TOP OF THE NEWS
TJX Intrusions Exposed 45.7 Million Credit and Debit Cards
BBC Program has Child Put Keylogger on MP's Computer
Oracle Suing SAP for Intellectual Property Theft
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Coroner to Stand Trial for Sharing Restricted Site Password with Journalist
eBay Fraudster Arrested in Budapest
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Military Bolstering Cyber Attack Capabilities
POLICY & LEGISLATION
Saudi Arabia Close to Establishing Penalties for Cyber Crime
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Windows Animated Cursor Vulnerability
Exploit Code for Known IE Hole Posted
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Police Recover Laptop Stolen from Nottinghamshire Hospital
Louisiana School District Takes Action After Web Crawler Exposes Employee Data
STATISTICS, STUDIES & SURVEYS
Websense Opinion Poll Highlights Lax Attitude Toward Data Security
Fla. State Computer Systems Shut Down When AC Fails
Giuliani Campaign Quashes SQL Vulnerability on its Web Site
TIP OF THE DAY
INVITATION TO THE APRIL 11 WHITE HOUSE MANDATE/SECURE CONFIGURATION BREAKFAST
************* Sponsored By SANS Log Management Program *****************
Attend the Log Management Summit April 23-25 and learn how to select and implement the right tools in ways that both ensure you meet the regulatory requirements and improve your security. As a bonus you'll hear from organizations that have found they can use log management to improve operational efficiency as well as security.
Even if you cannot come, take a few minutes to complete SANS log management survey and you'll get some really useful data in return.
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
*Complete schedule: http://www.sans.org/training/bylocation/index_all.php
*SANS courses on site at your facility: http://www.sans.org/onsite/
TOP OF THE NEWS
TJX Intrusions Exposed 45.7 Million Credit and Debit Cards
(March 28 & 29, 2007)
According to a recent filing with the US Securities and Exchange Commission (SEC), 45.7 million credit and debit card numbers were compromised through intrusions of TJX computer systems over a period of 18 months. Approximately three-quarters of the card numbers were expired or had some magnetic stripe data masked. The filing says that 455,000 individuals who returned items without receipts also had personal data stolen, including their driver's license numbers. The company became aware of suspicious software on its computers on December 18, 2006, and with investigative help from General Dynamics and IBM, by December 21 it had learned that the systems had been breached and that the intruder still had access. TJX notified authorities the next day. The intrusions apparently began in July 2005. The filing also indicated that TJX believes the intruder had the encryption key necessary to decrypt customer data and went to great lengths to hide his tracks.
- From the SEC Filing (discussion of the Intrusion begins on page 7):
[Editor's Note (Schultz): By the time everything related to these incidents is through, TJX will have lost many millions of dollars and will also have taken a beating in the public relations area. TJX could have instead devoted an adequate amount of attention and resources to the security risk that it faced. This nasty set of incidents will, unfortunately, serve as yet another powerful "lesson learned" to senior management that neglecting information security can and will lead to catastrophic consequences.
(Liston): I believe we've only seen the tip of this particular iceberg. The fallout from this incident will be reverberating through the financial services industry for many, many years.]
BBC Program has Child Put Keylogger on MP's Computer
(March 23, 2007)
A six-year-old girl, accompanied by a reporter from the BBC's Inside Out television program, managed to attach a keystroke logging device to an MP's computer. The MP, Anne Milton, had agreed to leave her computer unattended for one minute; the child was able to attach the keystroke logger within 15 seconds. The girl was able to bring the device undetected into the House of Commons.
[Editor's Note (Schultz): I predict that what happened will lead to a radical improvement in the UK Parliament's practice of information security, physical security in particular. After all, if a six year old can do what she did, what could a real saboteur do?
(Liston): Forget General Davis and the NSA. Forty million dollars could buy us a whole fleet of six-year-old girls.]
Oracle Suing SAP for Intellectual Property Theft
(March 22, 2007)
Oracle has filed a lawsuit against SAP, alleging that employees of a company subsidiary (SAP TomorrowNow) "copied and swept thousands of Oracle products and other proprietary and confidential materials into its own servers." The suit alleges the company used stolen login credentials to purloin gigabytes of customer support software between September 2006 and January 2007. Oracle discovered the theft while investigating significant traffic spikes on its Customer Connect servers. The suit could draw the attention of federal prosecutors, leading to possible criminal action as well as the civil action brought by Oracle. The lawsuit alleges that once in possession of the filched software, SAP was able to offer cut-rate services to Oracle customers and attempt to lure them away.
************************** Sponsored Links: ***************************
1) Join security professionals at the Encryption Summit April 23-25 for the latest on encryption tools.
2) Online threats to personal information surge in 2007. New report provides the latest statistics.
THE REST OF THE WEEK'S NEWS
Coroner to Stand Trial for Sharing Restricted Site Password with Journalist
(March 27, 2007)
Lancaster County (PA) Coroner G. Gary Kirchner will stand trial for allegedly providing a journalist with a password to a confidential web site. Kirchner faces charges of unlawful use of a computer and criminal conspiracy. The web site contains information regarding emergency communications; access is restricted to law enforcement and authorized officials. A journalist testified at a hearing earlier this week that Kirchner gave her the password so reporters could get their information from the site and stop calling him. If convicted of the charges, Kirchner could face up to 14 years in prison and a fine of US $30,000.
[Editor's Note (Liston): The charges here sound a bit over the top. It seems as though Kirchner's actions weren't as much malicious as they were simply stupid.]
eBay Fraudster Arrested in Budapest
(March 26 & 27, 2007)
A Bulgarian woman faces up to 30 years in prison and $500,000 in fines for allegedly swindling Americans out of more than US $350,000 through eBay scams. Mariyana Feliksova Lozanova allegedly advertised expensive items on eBay and directed purchasers to wire funds through a phony service called "eBay Secure Traders" in an attempt to lend her scheme legitimacy. The victims never received the items or refunds. Lozanova was apprehended in Budapest, Hungary on March 22 and indicted for conspiracy to commit wire fraud and conspiracy to commit money laundering. She allegedly used aliases to open bank accounts into which the stolen funds were channeled; she has waived extradition.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Military Bolstering Cyber Attack Capabilities
(March 28, 2007)
Marine Brigadier General John Davis heads a military command at the National Security Agency (NSA) that was established to develop methods of attacking terrorists' computer networks. The techniques are classified and Davis would not say if the US has attacked other networks. The program is run by the Air Force Research Laboratory and has a budget of US $40 million over four years. While this development marks a shift from merely monitoring networks, there are still those who feel there is more to be gained from infiltrating networks to gather intelligence than in attacking them.
[Editor's Note (Liston): This is a very, very slippery slope filled with all kinds of ethical minefields. While I can understand and appreciate the need for this type of exercise, I worry that the oversight that needs to be in place... well... isn't. These types of units often operate in an environment where checks and balances don't exist, or worse still, are left to the discretion of one or two individuals. I sincerely hope this type of activity doesn't come back to haunt us in the future.]
POLICY & LEGISLATION
Saudi Arabia Close to Establishing Penalties for Cyber Crime
(March 26 & 28, 2007)
Saudi Arabia's Council of Ministers has approved a bill establishing penalties for cyber crimes. The bill was introduced last year by the 150-member Majlis al-Shura, or national consultative council. The bill now goes to King Abdullah for ratification. If the bill is enacted, individuals found guilty of breaking into Internet sites to alter or damage them, and those found guilty of using camera-equipped cellular phones to infringe on others' privacy, would face prison sentences of up to one year and fines of 500,000 riyals (US $133,500).
[Editor's Note (Schultz): Each country that passes cybercrime legislation such as the legislation being passed in Saudi Arabia helps close one of the many loopholes that international computer criminals have traditionally so easily used to escape conviction. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Windows Animated Cursor Vulnerability
(March 29, 2007)
Microsoft is investigating reports of targeted attacks that exploit a vulnerability in the way Windows handles animated cursor files. The exploit could allow arbitrary code execution. Users could become victims either by visiting a web page that contains the exploit or through a specially crafted email or attachment.
[Editor's Note (Dhamankar): I am glad that this was not discovered during a major holiday. A very similar problem in the Animated Cursor first hit the world during Christmas of 2004.]
Exploit Code for Known IE Hole Posted
(March 26, 2007)
Exploit code for a recently patched vulnerability in Internet Explorer (IE) has been posted to the Internet. Microsoft released a patch for the flaw in IE6; the code apparently does not work on IE7. The remote code execution flaw in Microsoft Data Access Components was addressed in February with Microsoft Security Bulletin MS07-009; it had a severity rating of critical.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Police Recover Laptop Stolen from Nottinghamshire Hospital
(March 27, 28 & 29, 2007)
A laptop computer stolen from King's Mill Hospital in Sutton-in-Ashfield, Nottinghamshire, UK, contains the names, addresses and dates of birth of 11,000 children ages eight months to eight years. The children's families have all been notified. Nottinghamshire police are investigating the March 21 theft and the hospital will conduct an inquiry. Two other computers were stolen at the same time. Update: The computer has been recovered; two suspects have been arrested.
Louisiana School District Takes Action After Web Crawler Exposes Employee Data
(March 27, 2007)
Personally identifiable information of approximately 380 St. Mary Parish (La.) public school employees was exposed on the Internet when a Yahoo! web crawler obtained the data. The crawler managed to access a database holding staff development rosters from 2002 through 2004. The school district has asked Yahoo! and web page archiving services to remove the data from their cached files and has notified those affected by the breach. The school district's technology department has taken steps to protect public files and the web site from archiving engines and crawlers.
[Editor's Note (Liston): The story blames the "incident" on Yahoo!'s "aggressive" web crawler. Anyone who knows how web crawlers work understands what really happened: These people put PII data where it never should have been. If a web crawler could find it, ANYONE could find it.]
STATISTICS, STUDIES & SURVEYS
Websense Opinion Poll Highlights Lax Attitude Toward Data Security
(March 27, 2007)
More than half of the 100 respondents to Websense's most recent annual opinion poll on data leakage and data ownership believe their companies would not know if information had been willfully or accidentally sent outside the company. Forty-six percent said they allowed family and friends to use work-issued laptop computers and 21 percent admitted they had tried to access protected files. Almost two-thirds of respondents said they had sent confidential information to insecure personal web-based email accounts and just over half said they had tried to gain access to a co-worker's email account. The poll was conducted online using Survey Monkey.
Fla. State Computer Systems Shut Down When AC Fails
(March 27 & 28, 2007)
After a leaking chiller plant caused the air conditioning to fail in 11 Florida state office buildings in Tallahassee, the state's Department of Management Services ordered agencies to shut down computer systems to protect them from overheating. The problem began Monday evening, March 26. Two backup chillers were shipped quickly, allowing the data center to restore service by 2:00 am EDT on Tuesday.
Giuliani Campaign Quashes SQL Vulnerability on its Web Site
(March 26 & 27, 2007)
Rudy Giuliani's presidential campaign has addressed an SQL injection vulnerability on its web site, JoinRudy2008.com, that could have exposed personally identifiable information submitted by volunteers.
SANS Security Tip of the Day
Don't Click to Agree without Reading the Small Print
Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late - the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email firstname.lastname@example.org.
=========================================================================
||| INVITATION TO THE APRIL 11 SECURE CONFIGURATION BREAKFAST MEETING IN WASHINGTON
Dear friend of SANS:
Securing government networks against attacks and thefts of sensitive data is a hot, hot topic on the management agenda.
It was the subject of an Office of Management and Budget mandate last Thursday ordering agencies to use a standard configuration of the Windows operating system.
OMB has told the Homeland Security Department to send out mass security patches for newly found vulnerabilities that agencies then can quickly apply.
Some have doubts that this brand-new strategy will significantly improve security.
We cordially invite you to LEARN ABOUT THIS KEY NEW SECURITY MANDATE by attending a Management Briefing and Breakfast on:
The Five Keys to Implementing OMB's Common Secure Configuration Mandate Defined in the March 22, 2007 OMB Memorandum AND the One Big Pothole to Avoid
Where: (Downtown DC on the Metro- location will be sent to everyone for whom seats can be made available)
When: April 11, 7:30 -10:00 a.m.
Speakers: Kenneth Heitkamp, Assistant CIO, US Air Force, who proved it could be done. A senior official from NSA's vulnerability analysis and operations group. Karen Evans, Administrator for Electronic Government, OMB. Lisa Schlosser, CIO, HUD. Alan Paller, Director of Research, the SANS Institute
Host: Timothy Clark, Editor and President, Government Executive Magazine
Who Should Attend:
-- Federal officials responsible for implementing the new requirement for common secure configurations and for changing procurements to ensure that contractors and vendors supply well-behaved applications starting in June.
-- Federal IG staff responsible for ensuring the mandate is carried out.
-- Contractors and vendors who will supply the critical software and services to get it done.
Price: There is no charge.
Questions we will address:
1. What are the actual security benefits of implementing the common secure configurations? How can you be sure?
2. What actual cost savings can be expected?
3. Is it feasible? Will applications break? Which applications?
4. Does this mean agencies should buy only Windows systems?
5. What are the five most important steps in implementing these requirements?
6. How does intelligent procurement make the process easier?
7. What role do the operating system vendors play?
8. What role does NIST play?
9. Why are application vendors so important to implementation?
10. What opportunities does this create for systems integrators?
11. What responsibilities are placed on systems integrators?
12. Where do you find the exact configurations?
13. How do you automate the process?
14. How do you test for compliance?
15. What are the biggest pitfalls you will face?
16. And many more.
Presentations will be tight, and most of the time will be spent in Q&A.
CIOs or their representatives will have priority for half of the 200 seats, but we encourage IGs and others with an interest in this important topic to respond as well. When we reach capacity, we will place others on the priority list for the follow-up event in which the technical details of implementation and troubleshooting will be discussed in detail.
Please complete the following for each person who would like a seat:
Priority Group: ___ 1, ___ 2, ___ 3, ___ 4
(See below for your priority group)
Agency (if government): _______________________________________
1. CIOs and/or their designees including CISOs (3 per major agency, 1 for other agencies)
2. IGs or their designees (1 per agency)
3. Senior officers of large integrators
4. Other security professionals
Send the data to 411Briefing@sans.org as soon as possible. We will reply to you by April 5. All available seats will be allocated on April 5.
With best regards,
Tim Clark, Editor and President, Government Executive Magazine
Alan Paller, Director of Research, SANS Institute
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit