SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #29
April 10, 2007
New Attack Patterns: The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, you will want to come to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSFIRE attendees, on what they have uncovered about how newest hacker techniques work. Course list for SANSFire:
TOP OF THE NEWSTwo Arrested for Technology Export Violations
NH House Votes to Ban Real ID Act
FCC Order Takes Steps to Protect Telecom Customer Data
Appeals Court Says Warrantless Cyber Search Was Justified
THE REST OF THE WEEK'S NEWSPOLICY & LEGISLATION
Breach Disclosure Laws Vary from State to State
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
AACS Developers Say They've Plugged Key Leak, For Now
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Turbo Tax Site Flaw Exposes Sensitive Data
Microsoft Issues Hotfix for Third-Party Problems with ANI Patch
Trojans Propagate Through Fear
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptops Contain Chicago Public School Teachers' Data
Backup Tapes Lost in Transit
Web Site Defacement May Have Compromised Customer Data
SANS Security Tip of the Day
********************* Sponsored By ArcSight, Inc. ***********************
Free Whitepaper: Solving the NOC/SOC Collaboration Puzzle.
Until now, when Network Operations Centers and Security Operations Centers wanted to cooperate, the lack of shared, automated toolsets made the process cumbersome and expensive. Now you can learn how to integrate and manage network operations, security and compliance with this free whitepaper.
Brought to you by ArcSight, the ESM leader that turns data into action.
New developments in Encryption for Laptops and other Devices
TOP OF THE NEWS
Two Arrested for Technology Export Violations (April 3, 5 & 6, 2007)US federal prosecutors have charged Cirrus Electronics founder Parthasarathy Sudarshan on charges of export violations, international arms trafficking, being an agent for a foreign government and conspiracy. Sudarshan allegedly shipped US computer technology to three Indian government agencies to be used in weapons systems. The US Commerce Department restricts exports to these agencies. The equipment includes heat-resistant memory chips, microprocessors, capacitors and semiconductors used in missile guidance and firing systems. A US court has rejected Sudarshan's request for bail. Also arrested was Cirrus Electronics international sales manager Mythili Gopa. Two other people have been indicted in the case, but not arrested.
NH House Votes to Ban Real ID Act (April 6, 2007)In a 268-8 vote, the New Hampshire House approved a bill rejecting the federal Real ID Act. New Hampshire Governor John Lynch says he will sign the bill into law if it passes the Senate. The states have been given until December 31, 2009 to comply with the Real ID Act, which requires them to establish uniform national licensing standards and link their databases. Individuals whose licenses do not conform to the standard will be barred from entering federal buildings and boarding airplanes. The law has met with criticism because it is intrusive and is costly to implement; in addition, the linked database of driver's license data would be a treasure trove for identity thieves. Apparently 26 states have similar measures opposing Real ID in the works.
FCC Order Takes Steps to Protect Telecom Customer Data (April 3, 2007)The US Federal Communications Commission (FCC) has issued an order that places tighter restrictions on telecommunications companies regarding the release of customer records. Carriers may not release customer records unless the customer provides a password. Otherwise, the records may be sent to the address of record or provided by the telecom company calling the telephone number of record. Companies are also required to inform customers about changes made to their accounts and must obtain customer consent before sharing data with a third party. The order comes in the wake of the Hewlett-Packard pretexting case, in which a private investigator obtained phone records of company directors, employees and journalists in an effort to determine the source of an information leak at the company. The US Telecom Association is unhappy with the order, calling it "an extremely anti-consumer outcome."
[Editor's Note (Schultz): If the US Telcom Association calls this a negative event for consumers, this merely shows that this organization is anything but on the side of consumers.
(Grefer): The U.S. Telecom Association's position, especially regarding marketing, might be acceptable to consumers in Germany and other parts of Europe where incoming calls are free, since the full cost of calls is born by the calling party, but not in the U.S. where such calls are also inflicting cost on the party that is being called.]
Appeals Court Says Warrantless Cyber Search Was Justified (April 6, 2007)The US 9th Circuit Court of appeals denied Jerome Heckencamp's attempt to have his computer crime convictions overturned. In 2004, Heckencamp was sentenced to eight months in prison for a variety of computer crimes, including breaking into the Qualcomm computer system. Heckencamp was a student at the University of Wisconsin (UWisc) at Madison. The school was notified in December 1999 that the Qualcomm intrusion had been traced to their network. A UWisc system administrator tracked the intrusion to Heckencamp's dorm room and in the process determined that the same computer was being used in an attempt to break into the university's mail server. The administrator blocked the suspect computer's IP address, but Heckencamp changed it. The administrator then broke into the computer to determine if it was the same one with a different IP address; his aim was to protect UWisc computer systems from intrusion. He found evidence that the computer was one and the same. The FBI then obtained a warrant, seized the computer and found evidence that the machine was responsible for a number of intrusions and defacements. Heckencamp's attempt to overturn his convictions was based on the fact that the initial search of his computer was conducted without a warrant and therefore a violation of his Fourth Amendment rights. The court ruled that the warrantless search of the computer was justified by the "special needs" exception to the Fourth Amendment.
[Editor's Note (Schultz): It is extremely troubling to learn that an overzealous system administrator could get away with breaking into someone else's system, let alone that the evidence obtained from this illegal activity could be considered admissible in court. The ends do not justify the means. Heckenkamp's defense is one of the few, among the many that accused computer criminals have used, that appears to have some merit. ]
*************************** Sponsored Links: ***************************
1) Learn about using/implementing automated log management technologies at the Log Management Summit April 23-25.
2) Online threats to personal information surge in 2007. New report provides the latest statistics.
THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
Breach Disclosure Laws Vary from State to State (April 9, 2007)Although California's data breach notification law has probably garnered more attention than any other data breach legislation in the country, 32 other states have their own versions of such laws. The variety of requirements creates a legal morass for organizations conducting interstate business, as the requirements for notification and data handling vary from state to state. One provision that appears in virtually all data breach notification laws is that even if an organization outsources customer data management, the organization is liable for data breach fallout. In most states, if the customer data are encrypted, the organizations are not required to notify customers. One notable exception is Pennsylvania, where the bill says "an entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption keys." Eighteen states allow notification exemptions if the investigation of the breach indicates that the data are unlikely to be misused. Other states allow notification exemptions if the customer data are redacted; for example, credit card numbers can be truncated so that they are no longer usable by someone who views them. Several states also have laws governing the secure disposal of paper documents containing customer data. Of the 33 states with data breach notification laws, just 22 hold their governments to the same level of responsibility to which businesses are subject.
[Editor's Note (Pescatore): In February, Senators Leahy and Sanders of Vermont introduced a draft bill "The Personal Data Privacy and Security Act of 2007" that would set a national standard and override local legislation. Hmm, PDPSA isn't a very catchy acronym, so it probably has no chance to pass... The proposed bill goes way beyond notification and tries to delve into mandating security programs a la Gramm-Leach Bliley, which means a lot more energy goes towards post cards to customers than to actually protecting data. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
AACS Developers Say They've Plugged Key Leak, For Now (April 9, 2007)Developers of the Advanced Access Content System (AACS) say they have addressed a leak that allowed people to strip next-generation DVDs of their copy protection. In late 2006, it was reported that the code on PC-based DVD players had been cracked to allow access to keys to unlock digital rights management (DRM) software on high definition DVDs. AACS developers have worked with device manufacturers to deactivate old encryption keys and replace them with new ones. Users will not be able to watch HD DVD or Blu-Ray disks until they upgrade the software on their devices.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Turbo Tax Site Flaw Exposes Sensitive Data (April 9, 2007)A Nebraska woman attempting to access previous returns through the Turbo Tax web site discovered that she had access to returns of three other people with the same last name and first initial. The exposed data include SSNs (Social Security numbers) and bank account routing numbers. The problem lies in the Turbo Tax web site; the company has taken down the particular link that led to the data exposure and is investigating the issue.
[Editor's Note (Pescatore): This is the consumer version of the enterprise problem of outsourcing storage of sensitive data or consuming web services and using Web 2.0 applications vs. just using local applications and local storage. The Intuits and Googles and Microsofts of the world who are increasingly storing and processing sensitive customer data (not just storing their pictures) really need to get some type of industry self-regulation going to adhere to higher levels of consumer data protection. ]
Microsoft Issues Hotfix for Third-Party Problems with ANI Patch (April 9, 2007)Microsoft's out-of-cycle patch for the ANI vulnerability (MS07-017) is apparently causing problems with some third party applications. Microsoft released a hotfix for problems encountered by Realtek HD Audio Control Panel simultaneously with MS07-017. Now it appears that three other applications, German tax calculator ElsterFormular, TUGZip, and CD-Tag also have problems with the patch. The problems cause users to get a message that reads "The system DLL user32.dll was relocated in memory. The application will not run properly." Microsoft will "push out" an updated hotfix along with its scheduled second Tuesday security update to address the problems encountered by the other applications. Microsoft Automatic Updates will install the hotfix only on computers running the software. The Windows and Microsoft Update web sites will offer the fix only if the computers are running those particular applications. The fix is also available to download from Microsoft's web site. Internet Storm Center:
[Editor's Note (Skoudis): These are fairly small problems for a very important, out-of-cycle patch. I hope people don't read too much into these minor issues and think that these are a lesson that out of cycle patches are somehow to be avoided. This patch was vital and its timeliness much appreciated, given the widespread exploitation that was occurring through the ANI flaw. I applaud Microsoft for having the guts to go out of cycle with this one. ]
Trojans Propagate Through Fear (April 9, 2007)Malware purveyors are preying on people's fears about war in the Middle East to help propagate Trojan horse programs. Email message subject lines suggest the US has begun a war with Iran. The Trojans are repacked variants of known malware, Trojan.Peacomm, also known as Storm Trojan, and W32.Mixor. Internet Storm Center note:
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptops Contain Chicago Public School Teachers' Data (April 6, 8 & 9, 2007)Chicago Public Schools (CPS) is planning to notify current and former employees that their personal information was on two laptop computers stolen from an office at CPS headquarters on April 6. The breach affects approximately 40,000 current and former employees who contributed to the Teacher Pension Fund between 2003 and 2006. The data include names and SSNs, but not addresses or dates of birth. CPS plans to email current employees and post information on the web for former employees. Surveillance cameras have an image of a suspect in the robbery and there is a US $10,000 reward for information leading to the return of the stolen computers. This is the second time in less than a year that CPS has had to inform employees about a data breach. In November 2006, personally identifiable information of 1,740 former employees was exposed in a staff mailing about health insurance.
Backup Tapes Lost in Transit (April 6, 2007)A locked shipping case containing backup tapes from Florists' Mutual Insurance Company parent company Hortica has been lost in transit. Hortica provides employee benefits and insurance to companies in the horticultural industry. The container disappeared en route from a secure off-site facility to company headquarters in Illinois. UPS informed Hortica that the case was lost on April 5, 2007. Hortica has changed its backup procedure to eliminate the need for transportations by common carriers. The data on the tapes include names, SSNs, driver's license numbers and bank account numbers.
[Editor's Note (Pescatore): Remember to encrypt those bits in motion, even if the motion is because of tapes in a delivery truck. ]
Web Site Defacement May Have Compromised Customer Data (April 5, 2007)Security Title Agency in Phoenix, AZ is warning customers that their personal information was put at risk of theft when the company's web site was defaced several weeks ago. Security Title stores customer information on the same server that hosts its web site. Security Title says there is no indication the intruders stole information, but they cannot be certain they did not. The company is providing customers with free credit monitoring.
SANS Security Tip of the Day
Be skeptical and trust your instinctsPeople often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email firstname.lastname@example.org.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit