SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #45
June 08, 2007
FISMA's last important supporters have finally acknowledged the law is fatally flawed. Tom Davis, the bill's author, said at a Government Reform Subcommittee hearing yesterday that the government needs to avoid the "check the box" mentality to security. Since "check the box" reporting is the primary impact of FISMA, the days of writing FISMA reports and pretending agencies are secure are clearly numbered. Karen Evans from the US Office of Management and Budget testified under oath that "If an agency chooses to just comply, if they view it as a paperwork exercise ... the agency will not be secure. If you just look at the letter of the law, you could generate an environment where an agency is cranking out reports. That would not be a secure program." Clearly most agencies fall in the "just comply by generating reports" category. Even the ITAA, representing service providers who have made more than a billion dollars writing useless FISMA reports, agreed, as Phil Bond of ITAA told Congress that a FISMA 2.0 is needed.
On the other hand Karen Evans described to Congress some extraordinary advances in using Federal procurement power to improve security - an essential process ignored by FISMA. She announced a new government-wide procurement of encryption software that also allows state governments to participate, and she reinforced the importance of the new mandatory government-wide program that buys Vista and Windows XP with secure configurations "baked in."
PS. If you know of a large non-governmental organization that is using common secure configurations for their Windows desktops and laptops, please let us know at firstname.lastname@example.org.
TOP OF THE NEWS
Substitute Teacher to Get New Trial in Pop-Up Case
House Passes Another Spyware Bill
Database Security Needs Improvement
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Guilty Plea in DaimlerChrysler Cyber Sabotage
Teens Arrested in School District Intrusion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Tuesday to Comprise Six Updates
CA Working on Fixes for 10 Flaws
Exploits Published for Yahoo! Messenger ActiveX Flaws
Stealth Techniques Limit Malware Detection
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Attackers Breach Hosting Company Systems
Data on Missing Bank Disk Not Encrypted
Police Data on Stolen Laptop
Lloyds to Deploy Inside Threat Tool
Credit Union Bills TJX $590,000
************************* Sponsored By RSA Security *********************
NEW Data Integrity Strategy Kit for the Financial Industry, featuring a new Burton Group report with actionable information on preventing unauthorized or inappropriate changes to business information. Also included are the Real World Strategies for Protecting Data podcast, and information about RSA File Security Manager and RSA Data Security Manager.
Limited time offer.
Download now! http://www.sans.org/info/8461
Twenty major updated, practical security training opportunities in Portland, OR, Washington DC, Sydney, Brussels, Los Angeles, Virginia Beach, and Las Vegas, all coming in the next 120 days. But you can also bring all SANS courses in house or take them live on line at home. Complete schedule: http://www.sans.org/training/bylocation/index_all.php
TOP OF THE NEWS
Substitute Teacher to Get New Trial in Pop-Up Case (June 7, 2007)
The guilty verdict against Connecticut substitute teacher Julie Amero has been set aside. Judge Hillary B. Strackbein granted the defense's request for a new trial. The jury had returned a guilty verdict against Amero on January 5, 2007 for risk of injury to a minor. The prosecution argued that Amero had willfully surfed pornographic websites, resulting in middle school students in the classroom viewing adult images. Amero has maintained that the computer in the classroom was inundated with pornographic pop-ups; whenever she closed one, more would appear in its place. Researchers who became aware of her case conducted a forensic examination of the computer in question that contradicted the prosecution's version of events. The state of Connecticut then ordered new testing of the computer; the findings of that examination agreed with those of the researchers. The PC on which the offensive pop-ups appeared did not have a firewall or security software. Evidence indicates the computer became infected with malware after a user visited a hairstyle website. In setting aside the verdict, the judge dismissed as erroneous testimony from a police detective that Amero had deliberately surfed to a pornographic site; jurors may have based their decisions on that erroneous testimony. No new trial date has been set.
[Editor's Note (Schultz): The ruling against Amero does not appear to be just, nor does the testimony of the police detective appear to be truthful. Judge Strackbein thus deserves kudos for granting a new trial. Unfortunately, cases of this nature are inevitable given the increasing number of computer crime-related statutes. Hopefully, the legal system will at some point in time start to quickly dismiss computer crime charges against innocent persons. Additionally, if schools would adopt reasonable security practices, ugly incidents such as the one involving Amero would be far less likely to occur.]
Database Security Needs Improvement (June 4 & 5, 2007)
A Ponemon Institute survey of 649 corporate IT departments around the world found that 40 percent of organizations either do not monitor their databases for anomalous activity or do not know if their organization conducts such monitoring. More than half of the organizations reported having 500 or more databases. Fifty-seven percent of respondents said their top security concern was insider threats. Customer and employee data rank third and fourth on the list of data needing to be protected.
********************* Sponsored Links: ********************************
1) It's About More than Encrypting Bits on Disks! Compliance and technology requirements for mobile data security. Ask the Expert archive
2) Learn how to manage access to sensitive applications and data. Register for this informative webinar.
3) ALERT: "How A Hacker Launches A Blind SQL Injection Attack!"- White Paper
4) For folks who live near Portland, OR, four great SANS instructors are coming to your town for immersion training in Intrusion detection, Hacker Exploits, Security Essentials and Security Management:
THE REST OF THE WEEK'S NEWS
Guilty Plea in DaimlerChrysler Cyber Sabotage (June 6, 2007)
William A. Johns, who at one time worked as an IT contractor at DaimlerChrysler, has pleaded guilty to unlawful computer intrusion. Johns, whose job had been to install a wireless network at the company, was dismissed before the attack, in which he deleted passwords and files from wireless devices via a computer kiosk in the visitors' lobby of the DaimlerChrysler assembly plant in Sterling Heights, Michigan. Johns' actions allegedly cost DaimlerChrysler more than US $29,000. Johns could face up to 12 months in prison and a fine of up to US $250,000.
[Editor's Note (Honan): One has to ask how Mr. Johns was able to access the internal DaimlerChrysler systems from a visitor's kiosk, and also why relevant passwords and user accounts were not changed or disabled after his dismissal. If you have to provide computing services for visitors, make sure those services are isolated from your production environment. As usual, the "remove access permissions and change passwords when dismissing staff and/or contractors" rule still applies.]
Teens Arrested in School District Intrusion (June 5, 2007)
Two recent graduates of A.J. Moore Academy, a high school in the Waco (Texas) Independent School District (WISD), have been arrested and charged with breaking into the district's computer system. Both teens were charged with breaching a computer system and both remain free on US $1,000 bond. The young men allegedly gained access to sensitive student information, including addresses, parents' names and Social Security numbers (SSNs). One of the teens maintains he did not download any data; however, an affidavit alleges he downloaded a file containing the personal information of 15,000 WISD students.
[Editor's Note (Honan): "Erickson said he had expected WISD officials to thank him for showing them the weaknesses in their system instead of arresting him" - Just like someone would thank him for walking into their house and leaving a message on their refrigerator to tell them their front door was unlocked? I don't think so. No permission = no entry, period! If schools are teaching students how to use computers they should also teach students the ethics of responsible computer use.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Tuesday to Comprise Six Updates (June 7, 2007)
Microsoft's Security Bulletin Advance Notification indicates that the software company will issue six updates on Tuesday, June 12. Four of the six bulletins will address critical vulnerabilities. All four address remote code execution vulnerabilities, with three of the four requiring a restart. The four critical bulletins will address flaws in Windows, Internet Explorer, Outlook Express and Windows Mail.
CA Working on Fixes for 10 Flaws (June 7, 2007)
CA is working on patches for 10 critical flaws that were disclosed earlier this week. CA says it was aware of the vulnerabilities before the disclosure and had already begun patch development. All ten flaws are in CA's ARCserve Backup for Laptops & Desktops, all are buffer overflow flaws, and all allow remote code execution.
Exploits Published for Yahoo! Messenger ActiveX Flaws (June 7, 2007)
Two zero-day exploits for remote code execution flaws in Yahoo! Messenger's Webcam application have been released. One of the flaws is a boundary error in the Yahoo! Webcam Upload ActiveX control; the other is in the Yahoo! Webcam Viewer ActiveX control. Yahoo! expects to have a fix for the flaws available soon. The flaws have been confirmed in Yahoo! Messenger version 18.104.22.168 and may exist in other versions as well.
Stealth Techniques Limit Malware Detection (June 4 & 5, 2007)
Cyber criminals are developing increasingly stealthy techniques to evade detection. The attacks place malicious code on web sites, then keep track of the IP addresses that have visited infected sites; if the same IP address attempts to view the malicious site again, benign content is offered in its stead. The attacks are also capable of identifying "the IP addresses of web crawlers used by URL filtering, reputation services and search engines," and serve legitimate content to avoid being identified as malicious.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Attackers Breach Hosting Company Systems (June 7, 2007)
Attackers broke into the computer systems of web host company DreamHost and installed malware on hundreds of websites, including the official site of the Mercury music awards. DreamHost said the intruder or intruders exploited a flaw in its web control panel software. DreamHost has notified affected customers of the breach via email. The attackers attempted to access the company's central database and billing data, but no billing or credit card data were compromised in the intrusion. DreamHost is responsible for more than 500,000 domains. The intrusion affected approximately 3,500 FTP accounts; users were urged to change their FTP account passwords as soon as possible.
Data on Missing Bank Disk Not Encrypted (June 2 & 6, 2007)
A computer disk containing names, addresses, dates of birth and mortgage account numbers of 62,000 Bank of Scotland customers is missing. The Bank of Scotland, a subsidiary of HBOS, sends a disk with customer data to a credit reference agency every month. This month, however, the disk was sent through the regular post instead of the secure post service that is usually used. Furthermore, the data on the disk sent each month are usually encrypted, but the data on this particular disk were not encrypted. Bank of Scotland has sent letters of apology to affected customers. Another HBOS subsidiary, Halifax Building Society, apologized to 13,000 mortgage customers earlier this year after personal data were stolen from an employee's car.
Police Data on Stolen Laptop (June 1, 2007)
A laptop computer stolen from a software company contains personally identifiable information of approximately 97,000 Texas law enforcement agency employees. The company that possessed the computer stores such data for the Texas Commission on Law Enforcement. Affected individuals were notified of the breach by email in May.
Lloyds to Deploy Inside Threat Tool (June 6, 2007)
Lloyds TSB plans to install software that can detect anomalous insider behavior. The measure is being undertaken to guard against fraud committed by employees through company computers. In a recent survey, 90 percent of security professionals ranked insider threats among their top three security concerns.
Credit Union Bills TJX $590,000 (June 6, 2007)
A Brockton, Massachusetts credit union has billed TJX Companies US $590,000. HarborOne Credit Union says it incurred US $90,000 in costs associated with notifying customers and blocking and reissuing cards compromised in the TJX security breach. The credit union estimates it suffered an additional US $500,000 in damage to its reputation. HarborOne sent the invoice instead of filing a formal lawsuit in an attempt to allow TJX to do the right thing.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit