SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #28
April 06, 2007
TOP OF THE NEWSCourt: Personal Computer at Work Does Not Guarantee Reasonable Expectation of Privacy
IRS Data Not Adequately Protected, Says IG
IRS Still Has Security Weaknesses to Address, Says GAO
UK Fraud Victims Must Now Report Crimes to Banks
THE REST OF THE WEEK'S NEWSWORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patch Tuesday to Include Five Updates
Yahoo! Addresses ActiveX Buffer Overflow Flaw in IM
ANI Flaw is Being Actively Exploited
ANI Flaw Can Be Exploited Through Firefox, Too?
Microsoft Addresses Criticism Regarding Timing of ANI Patch
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UCSF Server Security Breached
ABN Amro Reimburses Four Customers for Phishing Losses
Two-Factor Authentication Won't Last
New Technique Cracks 104-bit WEP Key in Under a Minute
SANS Security Tip of the Day
*************************** Sponsored By SANS ******************************
Join Storage, Security and Database professionals at the Log Management Summit April 23-25. Get help in selecting and implementing the right log management tools to ensure you meet regulatory requirements and improve security as well as improve operational efficiency.
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
*SANS courses on site at your facility: http://www.sans.org/onsite/
TOP OF THE NEWS
Court: Personal Computer at Work Does Not Guarantee Reasonable Expectation of Privacy (April 4 & 5, 2007)A federal appeals court has ruled that a man using his personal computer at work did not have a reasonable expectation of privacy. Michael Barrows was sentenced to six-and-a-half years in prison for having child pornography on his personal computer, which he was using at work. Barrows was treasurer for the city of Glencoe, Oklahoma. Inconvenienced by having to share a computer with the city clerk, Barrows brought in his personal computer to use at the office. The city clerk, experiencing trouble opening a Quickbooks document, solicited the help of a reserve police officer who had helped resolve computer problems in the past. Barrows was not at work, but it was determined that his computer was the source of the problem. The helper noticed Barrows's computer was running a file-sharing program and, without a warrant, began to look at various files; he allegedly found child pornography. A warrant was subsequently issued and the hard drive of Barrows's computer seized. Barrows said he intended for his personal computer to remain private while he used it at work, but the court disagreed, saying he had connected it to the workplace network and not installed a password.
[Editor's Note (Pescatore): This appears to have still left it open whether if he had installed a password or otherwise protected his personal content, he may have had a case. On the other hand, there have been court rulings that bringing your own locked toolbox into work did not mean that the employer couldn't search the toolbox.
(Schultz): I am continually amazed by the logic that accused computer criminals use in their defense. The logic used in this case is no exception. How can someone who brings a personally-owned computer filled with child pornography to work rightfully claim that he is somehow entitled to an expectation of privacy not afforded to other employees who used city-owned computers? ]
IRS Data Not Adequately Protected, Says IG (April 5, 2007)According to a March 23, 2007 report from Treasury Inspector General for Tax Administration J. Russell George, "the IRS is not adequately protecting taxpayer data on laptop computers and other portable electronic media devices." In the three-and-a-half year period from January 2003 through June 2006, nearly 500 IRS laptops were lost or stolen. Many of the incidents were not reported to the IRS computer security office. While there is "limited definitive information" about the data on the missing and stolen computers, the IG's office tested 100 laptops currently in use at the IRS and found 44 with "unencrypted sensitive data, including taxpayer data and employee personnel data." IRS Commissioner Mark Everson says the agency has installed automatic encryption software on almost all laptops currently in use and all laptops have been issued locks. (Please note this site requires free registration)
IRS Still Has Security Weaknesses to Address, Says GAO (April 4, 2007)According to a report from the Government Accountability Office (GAO), the IRS "has made limited progress toward correcting or mitigating previously reported information security weaknesses at two data processing sites." Two-thirds of previously identified weaknesses are still present. Areas of progress include improving password controls on servers and "enhanced audit and monitoring efforts for mainframe and Windows user activity." Problems yet to be addressed include inadequate access controls, inadequate segregation of duties and the lack of an implemented agency-wide information security program, which is required by the Federal Information Security Management Act (FISMA). GAO developed two sets of recommendations - one for the Commissioner of Internal Revenue "to take several actions to fully implement a comprehensive agency-wide information security program," and another set, limited in its scope of distribution, with recommendations for "actions to be taken to correct ... specific information security weaknesses."
[Editor's Note (Pescatore): This actually points out the bigger issue: the security programs at government agencies have a horrendous time moving forward once deficiencies are identified. The problem usually is *not* that remediation efforts don't get started, it seems it is that they rarely get finished. Much of the issue has to do with how the government allocates budgets and procures products and services - it is as if you were forced to drive 10,000 miles to get your oil changed every 3,000 miles. ]
UK Fraud Victims Must Now Report Crimes to Banks (March 30, 31 & April 2, 2007)As of April 1, 2007, the UK's Fraud Act 2006 directs that, "in most cases, consumers will be required to report check, plastic card and online fraud offenses to their" financial institutions rather than to police. Those institutions will then forward the information to the authorities as they see fit. The change was made "to reduce the level of bureaucracy involved in fraud recording and to streamline reporting and the initial investigation of such crimes." There is concern that the banks will use this new position of authority to hide the actual incidence of fraud. Furthermore, banks lack the "knowledge, expertise and powers" to handle the cases. The rules affect England, Wales and Northern Ireland.
************************* Sponsored Link: ****************************
1) Take the 2007 Log Management Survey and be eligible to win a Nintendo Wii system. Click here to take the survey.
THE REST OF THE WEEK'S NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patch Tuesday to Include Five Updates (April 5, 2007)Microsoft's scheduled security release for April will include five updates. Four of the updates are for Windows, and at least one of those updates has a severity rating of critical; these updates will require a restart. The fifth update is for Microsoft Content Management Server, and it has a severity rating of critical as well; this update may require a restart. The release does not include a fix for a known flaw in Microsoft Word that is already being exploited. The updates will be released on Tuesday, April 10.
[Editor's Note (Boeckman): The Word vulnerability that is still not patched was identified on February 15 and is being actively exploited from remote sites. If you use Microsoft Office and Internet Explorer, you are almost always in the situation where there is some horrendous zero day and no patch. ]
Yahoo! Addresses ActiveX Buffer Overflow Flaw in IM (April 4 & 5, 2007)Yahoo! has fixed a remote code execution vulnerability in its instant messaging (IM) tool. A buffer overflow flaw in an ActiveX control in Yahoo! Messenger audio control could have a variety of outcomes - the user could be disconnected from chat or IM sessions involuntarily. To exploit the flaw, attackers would need to manipulate users into viewing maliciously crafted HTML code. Users who installed Yahoo! Messenger before March 13 should update their software. The flaw affects Yahoo! Messenger versions 5, 6, 7 and 8.
ANI Flaw is Being Actively Exploited (April 5, 2007)Attackers have been exploiting the ANI vulnerability to steal World of Warcraft (WoW) accounts. The going rate for a WoW account ($10) used to participate in the online fantasy game, exceeds that of a credit card and its verification data ($6). Earlier this year, one group apparently used the flaw to put code on a Superbowl (an American football championship game) web site that surreptitiously downloaded malware onto users' computers. The malware remained dormant until those users ran WoW, when their login credentials would be stolen. Other attackers are luring users to infected web sites with the promise of revealing pictures of Britney Spears.
ANI Flaw Can Be Exploited Through Firefox, Too? (April 4 & 5, 2007)While Microsoft has released a patch for the ANI flaw in Windows, Firefox 2.0 may also be vulnerable to the exploit. Although the person who notified Microsoft of the exploit claims to have demonstrated that IE7 and Firefox could both be hijacked, some controversy exists. IE7 runs in low-privilege mode, so the attack gave the attacker access to all the files on the system, but not the power to alter them. Firefox, however, does not have a low-privilege mode, allowing attackers to overwrite files. There are presently no exploits to attack Firefox in the wild. Mozilla is considering releasing a work-around to protect users. Mozilla is quick to point out that the vulnerability does not lie in Firefox but in Windows; the vulnerability can be exploited through Firefox.
Microsoft Addresses Criticism Regarding Timing of ANI Patch (April 4, 2007)Although Microsoft was alerted to the animated cursor flaw in December 2006, the company didn't release a patch until April 3, 2007. Mark Miller, who directs the Microsoft Security Response Center (MSRC), says the lag represents time spent developing and testing the patch. The reason Microsoft was able to release the patch early is that it was already scheduled for release on April 10, said Miller, eschewing suggestions that the company made the patch a priority only after learning that the vulnerability was being actively exploited. Part of Microsoft's patch development process involves examining similar vulnerabilities to the one being patched. Another animated cursor flaw was patched in January 2005; Microsoft is analyzing why the development process of that patch missed the newly patched vulnerability.
[Editor's Note (Pescatore): The cost to businesses due to low quality patches has greatly exceeded the cost of attacks that occurred before a QAed patch is released. Four months is certainly on the long end, but really isn't unreasonable for many software products. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UCSF Server Security Breached (April 4 & 5, 2007)The University of California at San Francisco (UCSF) has begun the process of notifying 46,000 university and medical center students, faculty and staff that their personal information was compromised when someone intruded into a university server. The data include names, Social Security numbers (SSNs) and bank account numbers. The university became aware of the intrusion in late March and took the compromised server offline.
ABN Amro Reimburses Four Customers for Phishing Losses (April 3, 2007)Netherlands-based bank ABN Amro is compensating four online banking customers who lost funds in a man-in-the-middle attack while using two-factor authentication. The victims received phishing emails with attachments; when the attachments were opened, they installed malware on the computers, so the next time the users tried to conduct banking business online, they were redirected to a spoofed site where attackers used their temporary, token-supplied passwords to withdraw funds from their accounts.
Two-Factor Authentication Won't Last (March 27, 2007)A panel at the recent e-Crime Congress in London said two-factor authentication will not reduce phishing levels. Ross Anderson noted that two-factor authentication is vulnerable to man-in-the-middle attacks and predicted "Some banks will introduce it, it will be quickly broken and then quickly forgotten."
[Editor's Note (Pescatore): Gee, odd that all those password generator tokens are still in use in businesses after all these years. Two factor authentication isn't the only thing required to get phishing down to a dull roar, but it will definitely be part of the mix. The real issue is making users pay for the tokens; that will not last.
(Schultz): I am surprised and disappointed by Professor Anderson's remarks. No security solution is perfect, nor will its value endure forever. But banks can get ahead of the perpetrator community for a while, perhaps much longer than Professor Anderson's pessimistic predictions suggest, by adopting two-factor authentication in financial transactions. Certainly this is far better than doing nothing. ]
New Technique Cracks 104-bit WEP Key in Under a Minute (April 4, 2007)Researchers have written a paper describing a technique that lets them extract a 104-bit Wired Equivalent Privacy (WEP) key in less than one minute. The technique requires the capture of 40,000 packets, roughly one-tenth the number required by earlier techniques, and offers a 50 percent probability of recovering the key within one minute. By doubling the capture period, the researchers say the probability climbs to 95 percent.
SANS Security Tip of the Day
If you're not sure you've seen an incident, report it anywayMost security folks (and IT folks, for that matter) would rather hear about a problem from you than to figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password - don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone! Don't let one person's stress jeopardize the organization's information security.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email email@example.com.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit