SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #32
April 20, 2007
The first story in this issue covers a ground-breaking Congressional hearing yesterday. More than 150 newspapers and magazines have published stories about it. Check out the subcommittee chairman's opening statement posted at
TOP OF THE NEWS
Congress Grills US Agencies On Attacks at State and Commerce Depts. And On Weak Federal Cyber Security
Apple Releases Fourth OS X Security Update This Year
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Two Arrested in UK for Wireless Piggybacking
Fifth Conviction in P2P Crackdown
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IRS Not Taking Adequate Steps to Address Wireless Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
VA Tech Domain Names are Being Exploited by Squatters
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen UCSF Server Holds Cancer Research Subject Data
Ohio State Univ. Employee and Student Data Breached in Separate Incidents
STATISTICS, STUDIES & SURVEYS
UK Consumers Down on Data Security
TJX Sales Up Six Percent in March: Consumers' Actions Speak Louder Than Words
Access to Student Loan Database Temporarily Suspended
ISP Cuts Off Subscriber for Posting Vulnerability Details
Update: Satellite Hijacking
Update: Credit Report Freezes
**************************** Sponsored By SANS ******************************
SANS Voucher Credits
Maximize your Training Budget
Save 15-30% on SANS training & certification Visit
http://www.sans.org/info/6056 or Email Vouchers@sans.org
New Attack Patterns: The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, you will want to come to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for SANSFIRE attendees, on what they have uncovered about how the newest hacker techniques work.
Course list for SANSFIRE: http://www.sans.org/sansfire07/
TOP OF THE NEWS
Congress Grills US Agencies On Attacks at State and Commerce Depts. And On Weak Cybersecurity (April 19, 2007)
The House Homeland Security Committee's subcommittee on Emerging Threats and Cybersecurity held a hearing on April 19 that put weaknesses in federal cyber security in stark relief. "We don't know the scope of our networks," said subcommittee chairman Langevin, "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security." The purpose of the hearing was to give House members the opportunity to understand how deeply federal systems have been penetrated and what the Department of Homeland Security and others are doing to stop the compromises. The hearing focused on last year's attacks on networks at the State Department and the Commerce Department. Both House members and witnesses agreed that agencies in compliance with FISMA requirements are not secure. Agency witnesses said FISMA measures the wrong things and Congresswoman Senior security coordinator for the State Department's Bureau of Diplomatic Security Donald R. Reid said that State Department computer systems were breached when an employee in Asia opened a Word attachment to a targeted email. The Microsoft Word document exploited a zero-day vulnerability that Microsoft did not patch for months.
[Editor's Note (Schultz): It is good that the hearings didn't focus on FISMA compliance. That would have been a waste of time. FISMA and real world security have little in common. ]
Apple Releases Fourth OS X Security Update This Year (April 19, 2007)
Apple has issued an update for Mac OS X to address 25 security flaws. The most serious of the flaws could let attackers take control of unpatched systems. However, none of the vulnerabilities is known to have been exploited. Apple has released a security update for Mac OS X every month so far this year.
[Editor's Note (Skoudis): That's a lot of vulnerabilities, and a large number of patches! I just looked at the descriptions of each issue at the Apple website as well as the corresponding CVEs. They are very sparse, providing few details compared with other vendors' descriptions of security flaws and estimations of risk. I'm rather disappointed with Apple over the lack of details they provide about each issue. ]
*************************** Sponsored Link: *******************************
1) Now is the perfect time to check out Stonesoft with a FREE StoneGate IPS trial! http://www.sans.org/info/6061
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Two Arrested in UK for Wireless Piggybacking (April 17, 18 & 19, 2007)
Police in the UK arrested two people in separate incidents for using wireless Internet connections without authorization. Both were arrested within the last month, and both were arrested while using a laptop computer in a parked car. Law enforcement officials could pursue charges under the Computer Misuse Act, which carries a maximum penalty of five years imprisonment; however, in both these cases, police charged the individuals under dishonesty laws instead. Two years ago, another man was given a 12-month conditional discharge for a similar offense.
[Editor's Note (Schultz): As I have mentioned several times previously in editorial comments, wireless piggybacking is just beginning to surface as a computer crime-related issue. It is, however, bound to become a major issue in many countries in the next two to three years.]
Fifth Conviction in P2P Crackdown (April 16, 2007)
A Georgia man faces up to five years in prison for distributing copyrighted content over a peer-to-peer (P2P) filesharing network. Sam Kuonen pleaded guilty to charges of conspiracy to commit copyright infringement and criminal copyright infringement in violation of the Family Entertainment Copyright Act. Kuonen's arrest came as part of the US Department of Justice's Operation D-Elite, a crackdown on copyright infringement enabled by Elite Torrents, a P2P network that offered music, movies, software and games, sometimes before they were available in stores. Federal agents shuttered Elite Torrents in May 2005. Kuonen apparently uploaded digital content to the network for others to download. He is the fifth person to be convicted in Operation D-Elite. In addition to the possible five years in prison, Kuonen could also face a fine of US $250,000 and three years of probation.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IRS Not Taking Adequate Steps to Address Wireless Security (April 17, 2007)
Wireless technology at Internal Revenue Service (IRS) offices around the country is not adequately protected, according to a report from the IRS Inspector General. The assessment examined 20 buildings in 10 cities and found four instances where attackers could have breached the security of wireless systems with little or no trouble. According to the Inspector General, the IRS is not monitoring use of wireless technology effectively. In 2003, an audit found that unauthorized wireless devices were connected to the IRS network. The recommendations that came out of that audit included establishing policies and procedures for wireless technology and scanning for unauthorized devices. The new audit found evidence of one unauthorized wireless network and indications that similar situations existed at three other facilities.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
VA Tech Domain Names are Being Exploited by Squatters (April 18, 2007)
At least 25 new domain names relating to Virginia Tech University have been registered within days of the tragedy. While some of the sites may have good intentions, there is also a likelihood that scammers will prey on people's grief and sympathy, stealing funds supposedly donated or even stealing information to commit identity fraud. Users are urged to take the usual precautions when receiving unsolicited email and should verify the validity of charities by phone. Some people have been trying to sell the domain names on eBay, but the online auction company has taken measures to prevent the sales.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen UCSF Server Holds Cancer Research Subject Data (April 18, 2007)
A server stolen from a locked office at the University of California, San Francisco (UCSF) contains personally identifiable information of an undetermined number of individuals who had participated in research studies about causes of and cures for cancer. The compromised information includes names, Social Security numbers (SSNs) and, in some cases, personal health data. UCSF is using backup files to determine whose information was compromised. The server was stolen on March 31 and 3,000 letters were sent out on April 16; the university plans to send out more letters as more research study participants are identified.
Ohio State Univ. Employee and Student Data Breached in Separate Incidents (April 18, 2007)
Cyber intruders gained access to an Office of Research database on an Ohio State University (OSU) computer, potentially exposing personally identifiable information of more than 14,000 current and former faculty and staff. The intrusions occurred on March 31 and April 1; university IT staff detected the breaches on April 2 and all access to the compromised database was cut off. The compromised data include names, SSNs, employee ID numbers and dates of birth. Although the database contained more than 190,000 records, the university believes just 14,000 were compromised. Those affected by the breach have been sent letters. In a separate incident, two laptop computers stolen from an OSU professor's home in February hold personally identifiable data belonging to approximately 3,500 current and former chemistry students. (We would like to clarify that Ohio State University (OSU) is in Columbus, OH and is not Ohio University (OU), which is in Athens, OH. OU disclosed last year that it had suffered several large data security breaches.)
STATISTICS, STUDIES & SURVEYS
UK Consumers Down on Data Security (April 17, 2007)
A survey of 1,200 UK consumers found that more than half are reluctant to shop at businesses, both online and brick-and-mortar, that have experienced security breaches. Forty-five percent do not believe banks and retailers are taking adequate measures to safeguard customer data. Overall, 14 percent of respondents said they had been victims of data theft. One third of the respondents did not offer personal information online, yet 11 percent of them had still experienced identity fraud. Eighty percent of the respondents said they would expect to receive immediate notification in the event of a breach. Ipsos MORI conducted the survey on behalf of Secerno.
TJX Sales Up Six Percent in March: Consumers' Actions Speak Louder Than Words (April 13 & 14, 2007)
Interestingly, sales at TJX-owned stores increased six percent in March, despite the disclosure of a massive data security breach earlier this year. One shopper said he felt that because of the breach, which exposed 45.7 million credit and debit cards, the stores were likely taking greater precautions to safeguard customers' data. For other shoppers, the prospect of the bargains to be had at the stores offset concerns about data theft. In addition, TJX's stock was trading last week at US $28, just US $2 shy of where it was prior to the report of the breach. According to a survey from Javelin Strategy & Research, 77 percent of respondents said they would stop shopping at businesses that suffer significant data security breaches, something that seems to contradict shoppers' actions.
[Editor's Note (Pescatore): For publicly traded companies, especially retail, revenue reporting is subject to so many variables that every one of the studies that tried to tie public notice of incidents to stock price or market capitalization is completely meaningless. The retail sales factors that vary each quarter provide swings of much greater magnitude than any of the "effects" attributed to security incidents. Banks that have incidents are a different story, as they can very easily see if they lose an account due to an incident. Many banks say they have definitely seen this effect (including getting the blame for retailers' exposures), while in retail it is hard to find any retail business that can tie an incident to sales fluctuation. ]
Access to Student Loan Database Temporarily Suspended (April 15 & 18, 2007)
The US government has, for now, barred college loan companies from accessing the National Student Loan Data System, a database that contains personal information of millions of college students who have borrowed money for school. The move comes in response to reports that some of the companies have searched the database in ways that violate federal privacy laws. The Department of Education will conduct a review to determine whether or not the database has been misused.
[Editor's Note (Pescatore): Some of the worst online identity theft exposures have been due to not restricting (or at least quickly noticing) this kind of misuse. The weaknesses are often in the registration and role/privilege mapping processes - or lack thereof. ]
ISP Cuts Off Subscriber for Posting Vulnerability Details (April 17, 2007)
UK Internet service provider (ISP) BeThere has cut off access to a college student who posted details of a flaw that could be exploited to compromise subscribers' security. Sid Karunaratne allegedly posted a demonstration of how the ISP's broadband routers could be remotely accessed through backdoors. The flaw could be exploited "to telnet into a modem and sniff users' VPN credentials and modify DNS settings." The posting included a password necessary to exploit the vulnerability; it was taken down after two days. BeThere managing director Dana Pressman said that "according to investigation, the modem vulnerability did not exist prior to [the student's] accessing without permission and then publishing certain confidential passwords which were not otherwise available." BeThere cancelled Karunaratne's account for violating terms of service. The vulnerability has not yet been repaired.
Update: Satellite Hijacking
In our last edition of NewsBites, we mentioned the Tamil rebels and their use of satellite transmission and asked for experts to write in and provide information. Over 20 people wrote in; to summarize:
- Satellites are just repeaters and typically have almost no security.
- Satellites may be vulnerable to cyber exploit and carry very little fuel, so if a hacker were to start firing the navigation thrusters the satellite could be out of fuel very rapidly and would be useless.
- There is a related story involving an Iranian television show shut down by rogue transmissions.
If your organization relies on satellite transmission, you may want to start researching alternatives.
Update: Credit Report Freezes
Last week we ran a story about new legislation in Washington state allowing residents to place security freezes on their credit reports. Reader Alan Amesbury wrote to let us know similar legislation exists in Minnesota and that this is not limited to residents of those two states. According to the Experian web site, this right exists in California, Colorado, Connecticut, Delaware, Florida, Hawaii, Illinois, Kansas, Kentucky, Louisiana, Maine, Minnesota, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Texas, Vermont, Washington and Wisconsin.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit