SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #30
April 13, 2007
More Good News! The US Office of Management and Budget mandate, requiring government-wide adoption of secure configurations when agencies install and use Windows XP and Windows Vista, will affect every company selling software, automated equipment, or computer services to the federal government. And in turn that will benefit every company or school or state and local government who buys the software and use the secure configurations. By June of this year, every federal contract will require the supplier to affirm that its software will work effectively without requiring any change to the government standard secure configurations posted at OMB. Inspector Generals have access to Details about the process and pointers to the OMB mandate and the standard configurations are in the first story in this issue. In a startling and promising announcement yesterday, the Ranking Member of the US House Government Oversight and Reform Committee, Congressman Tom Davis, while announcing the federal security grades, said he was looking toward establishing incentives for agencies that make the shift to the secure configurations quickly and broadly. State governments and other national governments are reviewing OMB's initiative to determine whether they, too will make the transition. To understand why it matters and what impact it will have on security, read the blog by the editor of Government Executive Magazine, Timothy B. Clark.
A workshop is scheduled in a few weeks to share the lessons learned in the pilot testing of the secure configurations, in testing and evaluating auditing tools for the configurations, in converting software to work effectively on the secure configurations, and in network access control to ensure only securely configured systems are allowed on the networks. For an early invitation email email@example.com and tell us what role you may have in implementing the mandate, auditing the progress, or making software or services compatible with the standards.
P.S. Letters to the editor of NewsBites at the end of this issue blast Gene Schultz's editorial comment in the last issue about the sysadmin who broke into a computer. Interesting reading.
TOP OF THE NEWSUS Government Secure Configuration Mandate Helps Everyone
Washington State Law Allows Credit Report Freezes for All
US Government gets C- Grade on Security
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
Navy Computer Sabotage Draws One-Year Prison Sentence
Former Morgan Stanley Employee Allegedly Stole Company Data
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Heap Overflow Flaw Reported in Windows Help
Microsoft Releases Critical Updates
Oracle to Patch 37 Flaws Next Week
Symantec Issues Patch for Remotely Exploitable Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Disk Holds Info. of 2.9 Million Georgia Residents
Computer Stolen from Fla. Child Welfare Agency
SANS SECURITY TIP OF THE DAY
********************** Sponsored By SenSage, Inc. ***********************
Don't buy a security information management (SIM) product without knowing the Top 10 Questions You Must Ask every vendor you are evaluating their product. Get the tough questions about data collection, event data integration, reporting, analysis and accessibility and others. Brought to you by SenSage, the only patented SIM solution that enables regulatory compliance and mitigation of security risks such as insider threats
New Attack Patterns: The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, you will want to come to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSFIRE attendees, on what they have uncovered about how newest hacker techniques work.
Course list for SANSFIRE: http://www.sans.org/sansfire07/
TOP OF THE NEWS
US Government Secure Configuration Mandate Helps Everyone (12 April 2007)A panel of experts instrumental in the development of the recent Office of Management and Budget (OMB) security mandate regarding standardized configurations of Windows operating systems on government computers helped elucidate the benefits it brings not only to government systems, but also to systems in the private sector. Analysis from the National Security Agency (NSA) indicates that the mandated secure settings block more than 85 percent of common attack vectors. Furthermore, because the agencies are required to deploy secure system configurations, vendors will need to make sure applications work appropriately within those configurations. "Each time a vendor solves the problem for one federal agency, it solves it for all agencies and for every other organization that buys that application and uses the secure configuration." OMB Memo to Agency Heads:
OMB Memo to CIOs:
The Microsoft Windows XP security configurations are at:
and the Microsoft Vista security configurations are at
[Editor's Note (Grefer): It is quite mindboggling how many Windows applications still require to be installed and run with administrator privileges and have major hiccups or do not run at all when installed and run by a non-privileged user. Hopefully this effort will help to remedy this situation. ]
Washington State Law Allows Credit Report Freezes for All (April 9 & 10, 2007)The Washington state legislature has approved SSB 5826, a law giving all residents the right to freeze unauthorized access to their credit reports. The law also provides a means of quickly "thawing" the freeze when people want to obtain a mortgage, apply for a credit card or buy a car. Current law allowed only people whose data were compromised in a security breach or who had already been victims of identity fraud to place freezes on their credit reports. The bill now goes to Governor Chris Gregoire for signing. A similar measure has stalled in the Arizona state legislature.
[Editor's Note (Schultz): What a wonderful piece of legislation. Consumers *should* be in charge of what is done with their credit reports. If and when this legislation is signed into law, it will serve as model legislation for other states and hopefully someday also for the US government. ]
US Government gets C- Grade on Security (April 12, 2007)The annual computer security report cards for federal agencies were released on April 12. The grades reflect how well the agencies have complied with the requirements established by the Federal Information Security Management Act (FISMA). Overall, the government received a grade of C-minus, a step up from last year's overall grade of D-plus. Nine agencies received lower grades than they did last year; NASA fell from a B-minus in 2005 to a D-minus in 2006. Eight agencies received failing grades. The Department of Veterans Affairs did not submit enough information to be awarded a grade. FISMA author Rep. Tom Davis (R-Va.) has a plan to address criticism of the plan, which focuses largely on it being an exercise in paperwork rather than a true measure of computer security. Next year, agencies will receive extra points for beating a "White House deadline for meeting new federal computer security standards," which include "ensur
that any existing or newly purchased personal computers that use Microsoft Windows XP or Vista software platforms include certain default settings."
************************* Sponsored Links: ****************************
1) CALLING ALL SANS ALUMNI!!! Please visit http://www.sans.org/info/ 5731 to get a 15% discount off any SANS OnDemand course, offer ends April 18th. If you have any questions please email firstname.lastname@example.org
2) Security professionals focus on fighting the most common data threats - - Encryption Summit, April 23-25. http://www.sans.org/info/5741
3) Join Utimaco at SANS Encryption Summit, April 23-25 San Jose, CA for the unveiling of the next generation http://www.sans.org/info/5746
THE REST OF THE WEEK'S NEWS
Navy Computer Sabotage Draws One-Year Prison Sentence (April 5, 2007)A former government contractor has been sentenced to one year in prison for sabotaging Navy computers after his company's bid for another project was not accepted. Richard F. Sylvestre has pleaded guilty to one count of damaging protected computers; he could have faced up to 10 years in prison. Sylvestre's company at the time, Ares Systems, had a contract to maintain computers for the Navy's 6th Fleet in Naples, Italy. Sylvestre admitted to placing malicious code on the Navy computers. The computers were used to help submarines navigate and avoid collisions with undersea hazards and other submarines. Sylvestre has also been ordered to pay a fine of US $10,000 and will serve three years probation following his release from prison. He has repaid the Navy US $25,000 for damages.
[Editor's Note (Northcutt):
[Editor's Comment (Northcutt): It is important to memorize a few stories like this one, and share them with others, because most organizations do not give enough attention to the insider threat. It is natural to want to trust your own people. Richard has had access to DoD systems since at least year 2000 as the link below shows, so you have to wonder what else he has done to reduce the security of our nation's computers:
(Ranum): Above and beyond the annoyance factor, this has gigantic implications! First off, how was a single individual able to inject code into such a critical system? It's maddening to think that a single disgruntled idiot was in a position to damage a weapons system that cost between $2 and $4 billion! From what I've seen of how typical government outsourcing and contracting works, there was probably absolutely no control or review over who put what code in where and when. Think about that for a second and it's enough to make you run screaming from the room!
(Grefer): What happened to the checks and balances, such as independent code review, that are supposed to be in place at government agencies. My recollection is that not even the same contractor's staff is supposed to review the code, but rather that of a different contractor. ]
Former Morgan Stanley Employee Allegedly Stole Company Data (April 5, 2007)A former Morgan Stanley employee has been charged with conspiracy for allegedly stealing proprietary information. Ronald Peteka allegedly took hedge fund client data and used them in an attempt to set up a consulting firm with another former Morgan Stanley employee. Peteka allegedly received the information from a former Morgan Stanley computer consultant, Ira Chilowitz, who was arrested in July 2006 and charged with conspiracy, theft and unauthorized computer access. Chilowitz pleaded guilty to the charges in February 2007.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Heap Overflow Flaw Reported in Windows Help (April 12, 2007)Microsoft is investigating reports of a heap overflow vulnerability in Windows Help that affects Windows XP, Windows Server 2003, Windows NT and Windows 2000. Proof-of-concept code for the flaw has already been released. Attackers could conceivably exploit the flaw to execute arbitrary code; even a failed attack attempt could lead to denial-of-service conditions.
[Editor's Note (Boeckman): I think it is about time we can safely say that Microsoft's trusted computing initiative is not working all that well. Almost every vulnerability that comes out affects Windows 2003 and WinXP SP2. ]
Microsoft Releases Critical Updates (April 11, 2007)Microsoft released four critical security updates on Tuesday, April 10. Three of the updates address security flaws in Windows; the other addresses a vulnerability in Microsoft Content Management Server software. Microsoft also released an updated version of a fix for the animated cursor (ANI) vulnerability. Microsoft originally released that fix a week ahead of schedule, but there were reports that it was incompatible with a handful of third-party programs. The update released earlier this week addresses those incompatibility issues. Microsoft also released one update with a severity rating of important as well as an updated version of its Windows Malicious Software Removal Tool. Internet Storm Center:
Oracle to Patch 37 Flaws Next Week (April 11, 2007)Oracle has said its quarterly security update, scheduled for April 17, will include fixes for 37 vulnerabilities. Seven of the flaws can be exploited remotely. Among the flaws being fixed are 13 for Oracle database products, five for Application Server and 11 for E-Business Suite. Internet Storm Center:
Symantec Issues Patch for Remotely Exploitable Flaw (April 10, 2007)Symantec has released a patch for a remotely exploitable flaw in its Enterprise Security Manager (ESM) tool. The vulnerability lies in the fact that the ESM agent remote upgrade interface does not verify that upgrades are coming from a trusted source. The flaw exists in all versions of the software except 6.5.3, in which the problem is fixed. Users are urged to download the updated version of the software.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Disk Holds Info. of 2.9 Million Georgia Residents (April 10 & 11, 2007)A computer disk lost in transit contains personally identifiable information of approximately 2.9 million Georgia residents who receive services from the Medicaid and PeachCare for Kids health care programs. The data include names, addresses, Social Security numbers (SSNs) and member identification numbers, but no medical information. The CD was lost by Affiliated Computer Systems (ACS), a contractor working for the Georgia Department of Community Health (DCH). DCH has asked that ACS notify all those affected by the breach and help them to monitor their credit reports.
Computer Stolen from Fla. Child Welfare Agency (April 9, 11 & 12, 2007)Police in Ft. Lauderdale, Florida are investigating the theft of a laptop computer from ChildNet, a Broward County child welfare agency non-profit contractor. The stolen laptop holds personally identifiable information of approximately 12,000 adoptive and foster care families. Police believe the thieves wanted the information to commit identity fraud; they have identified one former ChildNet employee as a suspect in the theft. He has been fired. ChildNet plans to notify all those whose data were compromised; parents of children whose data were exposed will be notified as well. The data include financial and credit information, SSNs, driver's license numbers and passport numbers. There are apparently no full backups of the information except for paper documents. ChildNet has taken steps to protect data in the future.
SANS Security Tip of the Day
Change your password oftenEven if you use a strong password, there is still the chance that someone could guess or crack it. For this reason, you should change your password often. Changing your password not only minimizes the chance that someone could access your account, it also shortens the length of time that person would have control of your system.
If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email email@example.com.
Letters to the Editor...
[Editor's Note (Schultz): It is extremely troubling to learn that an overzealous system administrator could get away with breaking into someone else's system, let alone that the evidence obtained from this illegal activity could be considered admissible in court. The ends do not justify the means. Heckenkamp's defense is one of the few, among the many that accused computer criminals have used, that appears to have some merit.]
In Austin, a UT student's mother broke into the apartment of the student's boyfriend after not hearing from her daughter for several days. There she found her daughter cut up into pieces, the boyfriend gone (later found in Mexico with another girl) The boyfriend was later, easily convicted.
Anyway, the boyfriend is appealing ON THE SAME BASIS as this Heckenkamp idiot, that the initial warrant was based on the results of an unwarranted search, performed not by law enforcement, but by someone who was actively being harmed by the perpetrator.
I hope both appeals get tossed on their ear.
Computer Consulting Company (C3)
American courts have consistently held that the Fourth Amendment restrains government, not private citizens, and that evidence obtained by a private citizen (who is NOT acting as an agent for a government officer) is admissible in a criminal prosecution. When an official solicits a private citizen to obtain evidence without a warrant, this evidence is tainted because the private citizen is acting as an agent of the State. This is not the situation here. In this case, the administrator had legal access to the University's networked computers and was not doing anything illegal in breaking into a computer located on the campus and made a part of the University's network.
When Heckencamp connected to the University network, he opened the door for the administrator. Similarly, you will find that the courts have ruled that there is no "reasonable expectation of privacy" on the Internet, where everything goes through multiple routers capable of capturing and storing the information. A university computer is like any machine in a public internet cafe ~ there is no reasonable expectation of privacy. There is no Fourth Amendment violation here.
I agree this defense potentially has merit, unlike the many many others Heckencamp has tried in the past, including the fact that his name on the indictment was in all caps.
| Maybe he finally decided to work with an attorney.
Disclosure: I work for one of the companies he broke into so I've been following the case for a while.
I was appalled by the editor's comment to the news item quoted below from current issue of NewsBites.
There is no reference anywhere in the short news article to UWisc computer policies, but it is virtually impossible for me to believe that UWisc does not have policies in place, as are in place here at IU, to cover this and permit immediate intervention by a sysadmin in such a situation.
I am attaching the current IT-07 draft which has been in effect since 2000 here at IU. In fact, I just exchanged email and phone conversation yesterday with a deputy IT security officer, because I had concerns that certain things were not adequately covered, in our case, we are freaking over lack of control of personally owned computers brought in and plugged into the IU network by staff. The only way we have managed starting five years ago to insure the integrity of our systems is to lock users down and have total admin access immediately as needed. And this is published as policy in the department, on top of IU policy.
This IU policy totally covers any question of the right, legally, of IU sysadmins to intervene as the sysadmin did at UWisc, while still providing a legal framework to insure that privacy is only violated for emergencies or legal requirements. The only legal question or standing the criminal that was uncovered might have is whether there were policies requiring written prior permission to the sysadmin, and even then, were there policy statements covering exigent circumstances.
Any organization that does NOT have policies in place to cover this are idiots. One must be able to intervene and protect the integrity of the network. Prior policy published to users clearly stating the right of sysadmins to intervene and under what circumstances would more than adequately cover such a situation as is reported below at UWisc.
Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics
I disagree with the response [Editor's Note (Schultz) to the story "Appeals Court Says Warrantless Cyber Search Was Justified"
If a burglar breaks into a house and reports that he found evidence of a murder, the police are allowed to use anything that they find in the house. The burglar should still be charged.
Maybe the posted story has changed since you used it as a source, but it states
Under the university's policies, to which Heckenkamp assented when he connected his computer to the university's network, Savoy was authorized to "rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system.
Based on this (and the rest of the article), the SA was not acting as a burglar, but as an acquaintance with the owners permission to use the house. The actual "break in" is not illegal if permission was given.
I personally have issue with this use of permission, and believe that it should have been challenged as not legal. Obviously the cracker would not have agreed to allow anyone like the SA to access his system. The way that they obtained this "permission" is therefore suspect in my mind.
To summarize, I see no issue with the evidence used in this case. If the FBI had done this it would be different. The only issue is whether the SA and/or University should be charged with a crime.
Elizabeth, NJ, USA
Hi, Eugene! I noticed the comment in the April 10 News Bites. Normally, I would agree with you. If the student lived off-campus and this happened, I think the court would have leaned in Heckencamp's direction for this type of warrantless search. However, he was in a dorm using university resources and must have agreed to abide by one or more acceptable use or student conduct policies related to living in the dorm and using university networks. Most campus dorm agreements include clauses prohibiting illegal activities (drug use and such) and AUPs, of course, prohibit messing with the school's networks or servers. The university systems/network administrator was well within his pervue to hunt down and identify the offending machine within his network, especially as this is a state institution. Of course, this also assumes that the university has these roles well-spelled out in policy and operational documentation.
I doubt very much that the "broke into" the student's computer involved much more than tracking through NAT logs and identifying the MAC-spoofing or IP spoofing being performed by the system in question, and tracking the activity to the specific network connection in the building. At least, that would have been my approach and would have been enough for probable cause to bring a LEO with a warrant into the process for formal forensics and investigation.
Just my $.02. BTW, I really enjoyed your presentations to our ISSA chapter in February. Thanks.
Guy L. Pace, CISSP
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit