SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #31
April 17, 2007
Security-savvy programmers are needed to review the blueprints for the national exams on secure programming and provide ratings of the secure programming rules on importance and frequency. If you are a programmer and know a good bit about how to avoid the common security errors (in C or Java for this round), please email firstname.lastname@example.org with subject "review and score blueprints." And say whether your skill is in Java or C or both. Thanks.
THIS WEEK'S NEWSLEGAL MATTERS - INSIDER CRIME
Contractor Allegedly Stole Port of Tampa Employee Data
Former Social Security Administration Employee Charged in Connection with Identity Fraud Case
UK Policeman Gets Jail Time for Stealing Data from National Police Database
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Higher Ranking Officers May be Involved in Japanese Defense Data Leak
POLICY & LEGISLATION
Singapore's Parliament Passes Anti-Spam Law
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Investigating Reports of Attacks Exploiting DNS Flaw
Cisco Patches Multiple Vulnerabilities in Wi-Fi Products
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Newspaper Publisher Accused of Stealing Proprietary Data
Stolen Bank of America Laptop Holds Employee Data
STANDARDS & BEST PRACTICES
Will the PCI Data Security Standard Withstand the Test of Time (and TJX)?
Tamil Rebels Hijack US Satellite Signal
THE REST OF THE WEEK'S NEWS
************************ Sponsored By Symark Software ***********************
Trying to meet regulatory compliance and guard against insider threat at the same time? PowerBroker and PowerKeeper are compliance-driven solutions that protect heterogeneous IT environments by creating and enforcing strong "privileged" password and security policies. Granular, dynamic, password management and audibility ensure a secure access control infrastructure.
FREE 30 day trial with full technical support!
New Attack Patterns: The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, you will want to come to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSfIRE attendees, on what they have uncovered about how newest hacker techniques work.
Course list for SANSFIRE: http://www.sans.org/sansfire07/
THIS WEEK'S NEWS
Contractor Allegedly Stole Port of Tampa Employee Data (April 13, 2007)A contractor at the Tampa (Fla.) Port Authority has been arrested for allegedly stealing the personal information of people who hold Port of Tampa access badges and using it fraudulently to apply for credit cards. Daniel E. Glenn has been charged with offense against intellectual property to defraud or obtain property. While working as a computer technician for Tampa Port Authority contractor Siemens Building Technologies, Glenn allegedly told Port Authority employees he needed access to the security badge database to repair corrupted data. He then allegedly copied information of thousands of access badge holders and applied for credit cards in the names of approximately 20 individuals. Law enforcement agents recovered the stolen data from Glenn's home. He has been suspended with pay from Siemens while the company investigates the allegations.
[Editor's Note (Kreitner): Let this kind of episode be a warning to managers everywhere to have strict "need to know" policies in place when it comes to granting access privileges. ]
Former Social Security Administration Employee Charged in Connection with Identity Fraud Case (13 April 2007)A former Social Security Administration employee has been charged with disclosing personally identifiable information taken from a government computer. Jennifer Batiste allegedly passed the stolen data to Craig Harris, who used them to commit identity fraud to the tune of US $2.5 million. Batiste is charged with conspiracy, accessing a protected computer to conduct fraud, and disclosure of a Social Security number (SSN). If convicted on all charges, she could be sentenced to as many as 15 years in prison. Harris pleaded guilty last fall to charges of conspiracy and unlawful possession of a means of identification. When he is sentenced in July, he could face up to 10 years in prison. Batiste allegedly received US $20 for each query she ran that obtained information for Harris.
UK Policeman Gets Jail Time for Stealing Data from National Police Database (April 12 & 16, 2007)A UK police officer who provided personal information from a national police database to a known violent offender has had his sentence increased to nine months in jail. James Andrew Hardy was originally given a 28-week suspended sentence and 300 hours of community service; Hardy pleaded guilty to malfeasance in a public office for accessing the police national computer database with the intent of providing Martin Jolley with personal information of three people. An appeal from the Attorney General increased his punishment to nine months in jail. Jolley wanted the information to take retaliatory measures against certain individuals. Jolley also pleaded guilty to counseling and procuring Hardy to commit the crime. Hardy's sentence could have been 18 months, but the court took into account time served while awaiting trial and his promptness in completing his community service.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Higher Ranking Officers May be Involved in Japanese Defense Data Leak (April 5 & 17, 2007)Two weeks ago, we reported that Japanese prefectural police were investigating the discovery of top-secret defense information on a computer at the home of a Maritime Self-Defense Force petty officer. Now it appears the information was inadvertently copied to the disk when the petty officer copied pornographic images from a colleague's computer. Police also discovered the information had been shared with another petty officer. Because those officers do not have authorization to access the top-secret military information about Aegis destroyers, authorities suspect one or more senior officers may be involved in the sharing of the obscene images. Police and MSDF investigators are trying to determine the source of the information leak.
POLICY & LEGISLATION
Singapore's Parliament Passes Anti-Spam Law (April 12 & 13, 2007)Singapore's Parliament has passed a law it hopes will reduce spam email and SMS messages. A 2003 study from Singapore's Infocomm Development Authority (IDA) found that spam messages were costing workers approximately S $23 million (US $15.2 million) in lost productivity annually. The Spam Control Bill establishes guidelines for businesses that wish to conduct direct electronic marketing; senders must provide a way for recipients to opt-out of receiving future unsolicited commercial messages. Businesses will not be permitted to charge for the opt-out service. Members of Parliament are concerned that the measure might not go far enough. Approximately 80 percent of spam originates outside the country. To require opt-in measures for Singapore businesses puts them at a disadvantage. Furthermore, some feel it would be preferable to have an opt-in clause instead of an opt-out clause, shifting the onus of responsibility from the customers to the businesses. "The bill defines spam as electronic messages sent more than 100 times with the same or similar subject-matter during a 24-hour period, or more than 1,000 times during a 30-day period or more than 10,000 times during a one-year period." The legislation does not make sending such messages a criminal offense.
[Editor's Note (Grefer): Europe requires opt-in and does not seem to be at a disadvantage. In any case, given the global nature of spam, national laws (including the US CAN-SPAM Act) tend to not only lack sufficient bite but also end up not having jurisdiction.
(Honan): Despite the shortcomings in this law, any moves by Governments to outlaw spam should be welcomed. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Investigating Reports of Attacks Exploiting DNS Flaw (April 13 & 16, 2007)Microsoft is investigating reports that attackers are actively exploiting a buffer overflow flaw in the DNS service for Windows Server operating systems. Affected software includes Widows 2000 Server Service Pack 4 (SP 4) and Windows Server 2003 SP 1 and SP 2. "A stack-based buffer overrun in the DNS Server's remote procedure call (RPC) interface" could allow remote code execution "in the security context of the DNS, which by default runs full privileges." Internet Storm Center:
Cisco Patches Multiple Vulnerabilities in Wi-Fi Products (April 13, 2007)Cisco has issued two security advisories regarding vulnerabilities in its Wi-Fi products. The first advisory warns of multiple vulnerabilities in Cisco's Wireless Control System (WCS) that could be exploited to expose information and allow escalation of privileges and unauthorized network access. The second advisory warns of multiple vulnerabilities in Cisco's Wireless LAN Controller (WLC), routers and access points that could put vulnerable systems at risk of denial-of-service, information disclosure and access control list changes, as well as the possibility of an attacker gaining full administrative privileges. Patches are available for the flaws. Internet Storm Center:
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Newspaper Publisher Accused of Stealing Proprietary Data (April 14 & 15, 2007)In March, Par Ridder, publisher of the St. Paul (Minn.) Pioneer Press abruptly left that job to become publisher of its rival newspaper, the Star Tribune, in Minneapolis. Pioneer Press has filed a lawsuit alleging that Ridder violated a non-compete agreement by taking the job and that he took significant amounts of proprietary data, including budgets and advertising pricing data. The lawsuit asks that Ridder and other Pioneer Press executives who moved to the competing newspaper along with him be barred from working at the Star Tribune for one year. A Pioneer Press staffer dispatched to Ridder's new office with the intent of retrieving his Pioneer Press laptop arrived at Ridder's new office just a week after he announced his departure found someone copying information from the laptop. He was ultimately asked to wait in the lobby for an hour. When he brought the laptop back, there was evidence that nearly "all the data had been copied to an external storage device that day."
Stolen Bank of America Laptop Holds Employee Data (April 13, 2007)A laptop computer stolen from a Bank of America (BofA) employee holds personally identifiable information of an unspecified number of current and former BofA employees. Compromised data include names, addresses, dates of birth and Social Security numbers (SSNs). BofA has sent letters to individuals whose data were compromised; the letter says there is no indication the information has been misused and offers recipients two years of free credit monitoring. Limited information has been made available regarding the circumstances of the theft because it is under investigation.
STANDARDS & BEST PRACTICES
Will the PCI Data Security Standard Withstand the Test of Time (and TJX)? (April 2007)The Payment Card Industry Data Security Standard (PCI DSS) was developed jointly by Visa, MasterCard, American Express and other credit card companies to help businesses take steps to secure customer card data; possibly just as importantly, it was developed to demonstrate that the industry is capable of self-regulation and to stave off rumblings of government intervention. However, the disclosure in January of a massive data security breach at TJX companies may reignite the push for federal legislation. As of January 2007, just 36 percent of merchants were compliant with the PCI standard. Despite the convenience of a single standard, PCI is still evolving and companies face a number of uncertainties regarding the intricacies of compliance. For the PCI standard to survive, the companies it was designed to benefit must prove to legislators that it will prevent data security breaches.
[Editor's Note (Northcutt): This is a rare touch of excellence in journalism in our industry, nice job Sarah Scarlet! Folks, this is a must read, and then pick up the phone can call your bank, ask for member services and ask if they can prove they are PCI compliant. Or when you are getting ready to place an order with LL Bean, or Victoria's Secret, ask them if they are PCI compliant and how they prove that. You want to know that before you give them your credit card number. Ten years ago if you someone told me about the "song of the incurables" I would have thought they were nuts, but we have the Center for Internet Security templates and testing tools, we have PCI and they clearly establish due diligence and the majority of folks still turn a blind eye. Sadly, I expect TJX will shake it off and be right back in the forefront of business.
(Kreitner): The PCI DSS is one of the more detailed and thus less ambiguous data security standards available, which facilitates effective and consistent audits. Despite the significant economic power the payment card industry giants wield over merchants and others to enforce the standard, this story illustrates how challenging it can be to establish and enforce a tough standard without the force of law behind it. However, I hope the legislators look at the PCI DSS successes as well as failures before coming to the conclusion that legislation is necessary.
(Shpantzer) The PCI standard is one of the better out there, however some companies are getting away with doing virtually nothing but stalling via repeated audits by several auditing firms in a row, while not remediating any of the findings. Their processing banks may be tolerating this since there is so much business being done with the non-compliant customer that the risk/reward scenario skews the decision making process away from taking away processing on a proactive basis. ]
Tamil Rebels Hijack US Satellite Signal (April 13, 2007)Rebel independence fighters in Sri Lanka have been pirating the services of a US satellite to send radio and television broadcasts to other countries. In 1997, the US government identified this particular group, the Liberation Tigers of Tamil Eelam, or LTTE, as a terrorist organization. The satellite belongs to Intelstat, a US company. Intelstat officials have been meeting with technical experts and Sri Lanka's Ambassador to the US to discuss measures the company it is taking to prevent the satellite's unauthorized use. The rebels maintain they are not accessing the satellite illegally.
[Editor's Note (Northcutt): These two stories left me with a feeling of what the heck, there was no discussion of how. If we have a reader that is fully clued in please drop a note to Stephen@sans.edu and share the clue. In the mean time, we can say the following, uploading and downloading information from a satellite is fairly complex:
Most of the focus on satellite security seems to be preventing someone that is not a paid subscriber from being able to decode the material:
An addressable encoder/decoder is required, which means the rebels must have one and know how to use it and it probably looks something like this:
**************************** Sponsored Links: *****************************
1) Risk of online identity theft increases in 2007. New report provides the latest statistics. http://www.sans.org/info/5766
2) FREE Webcast "Network Visibility-The Key to PCI Compliance." Register to learn how you can get the security, visibility, accountability and measurability necessary to help achieve PCI compliance. http://www.sans.org/info/5771
3) Join Utimaco at SANS Encryption Summit, San Jose, CA April 23-25 for the unveiling of the next generation http://www.sans.org/info/5776
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit