SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #46
June 12, 2007
Registration just opened for the Application Security Summit, August 15-16 in Washington DC. Featuring dozens of users (from major banks, aerospace companies, and more) sharing lessons learned and their experiences with all the main tools and with building security into the life cycle, plus expert briefings on new developments in application security.
TOP OF THE NEWS
OMB Provides Procurement Contract Language to Support Standard Desktop Configuration
Retailers Complain About PCI Data Security Requirements
India to Get IT Privacy Watchdog
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Yahoo! Sued Over Role in Chinese Journalist's Arrest
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Estonia Says Cyber Attacks are Terrorist Acts
SPYWARE, SPAM & PHISHING
Anti-Spam Groups Hit with DDoS Attacks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Hides in Phony Security Bulletin
Yahoo! Issues Update for Messenger Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pfizer Employee Data Exposed
University of Virginia Data Breach
New Hampshire Hospital Data Breach
University of Iowa Graduate Program Data Breach
********************* Sponsored By SenSage, Inc. ************************
WEBCAST and FREE WHITEPAPER: "Using SIM in your PCI Compliance Program." Hear how SIM technology functions and can be used to effectively meet a number of the requirements within the twelve areas of the PCI DSS. Brought to you by SenSage, the only patented SIM solution that enables regulatory compliance and mitigation of security risks such as insider threats. Register at http://www.sans.org/info/8586
SANS TRAINING UPDATE: In the next 120 days SANS training will be available in more than 30 cities in five countries, with the biggest programs in Washington DC at the end of July and Las Vegas at the end of September. Complete schedule at: http://www.sans.org/training/bylocation/index_all.php
Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live online, asking questions in real time (very cool), called SANS @HOME; or (2) have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/
TOP OF THE NEWS
OMB Provides Procurement Contract Language to Support Standard Desktop Configuration (June 5, 2007)
A March 22, 2007 memo from the US Office of Management and Budget (OMB) requires all agencies to migrate to the standard desktop for Windows XP and Vista by February 1, 2008. A more recent memo from OMB provides the agencies with language to use in the procurement process to ensure the hardware and software they purchase supports the standard configuration. The recommended language clarifies expectations that "the provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration." It goes on to state that "the standard installation, operation, maintenance, update and/or patching of the software shall not alter the configuration settings," and "applications designed for normal end users shall run in the standard user context without elevated system administration privileges."
[Editor's Note (Pescatore): Note that OMB is requiring that all XP and Vista desktops use the standard secure configuration, not that all desktops be XP or Vista. The key to this latest OMB memo is that software vendors need to make sure they design their applications to run on those configurations. OMB does need to address the verification/certification issue - how do Government agencies assure that the apps do so, other than by just asking the vendors?
(Kreitner): To test application compliance four steps are needed: (1) confirm a system's configuration compliance with the standard, (2) install the application and determine if any configuration parameters have been changed, (3) obtain a contractual commitment from the application vendor that operation and updating of the application will not change anything, with appropriate penalties, and (4) periodically check the system to make sure the standard configurations are still in place.
(Paller): This language isn't just for federal agencies. Any organization with more than 1,000 computers (and some smaller ones) should be using a standard desktop configuration, and if they choose the federal one they can be confident that patch testing is being done adequately. The new procurement language should be used by any medium or large organization buying software anywhere in the world.
(Skoudis): This is certainly a good move, and I applaud it. However, it also likely brings an interesting ability to malware purveyors: locally fingerprinting government machines. Depending on how specific and specialized these configs are, if malware gets on a box, it can check for the .gov settings. "But," you say, "the bad guys can already determine that based on the network address of the machine." However, with this move, the attackers might be able to detect government systems taken home and used off of broadband connections, where network defenses are typically minimal. Again, standard configs are good, but they might bring this fingerprinting ability. ]
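Steps (1), (2) and (4) of the four-step compliance test in the editor's note above amount to comparing snapshots of a system's settings against a baseline, before and after an application is installed and again on a schedule. The following Python script is an added example of that comparison; it is not from the newsletter, OMB or the Federal Desktop Core Configuration. The setting names, their required values and the "name=value" snapshot format are constructed placeholders, and the snapshot exporter that would produce them on a real desktop is assumed rather than shown.

```python
"""Configuration-drift checker (added example, not from the newsletter).

The baseline setting names and values below are constructed placeholders,
not real Federal Desktop Core Configuration settings, and the 'name=value'
snapshot format is assumed to come from some hypothetical export tool.
"""
from typing import Dict, Optional, Tuple

Snapshot = Dict[str, str]
Deviation = Tuple[Optional[str], Optional[str]]  # (expected_or_before, actual_or_after)

# Constructed baseline: hypothetical settings the standard configuration requires.
BASELINE: Snapshot = {
    "PasswordComplexity": "Enabled",
    "MinimumPasswordLength": "12",
    "FirewallEnabled": "Yes",
    "AutoplayDisabled": "Yes",
    "AdminApprovalMode": "Enabled",
}


def parse_snapshot(text: str) -> Snapshot:
    """Parse a 'name=value' export of system settings (constructed format).
    Blank lines and '#' comments are ignored; a later duplicate overrides."""
    snapshot: Snapshot = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        snapshot[name.strip()] = value.strip()
    return snapshot


def check_compliance(snapshot: Snapshot, baseline: Snapshot = BASELINE) -> Dict[str, Deviation]:
    """Steps (1) and (4): compare a snapshot against the baseline.
    Returns {setting: (expected, actual)} for every deviation. A setting that
    is absent from the snapshot is reported with actual=None: absence counts
    as non-compliance, not as a pass."""
    return {
        name: (expected, snapshot.get(name))
        for name, expected in baseline.items()
        if snapshot.get(name) != expected
    }


def install_drift(before: Snapshot, after: Snapshot, baseline: Snapshot = BASELINE) -> Dict[str, Deviation]:
    """Step (2): which baseline-governed settings did the installer change?
    Only settings named in the baseline are compared, so the application's
    own settings do not produce noise."""
    return {
        name: (before.get(name), after.get(name))
        for name in baseline
        if before.get(name) != after.get(name)
    }


def application_verdict(before: Snapshot, after: Snapshot, baseline: Snapshot = BASELINE) -> str:
    """The test system must be compliant before the install (otherwise the
    result proves nothing), and the installer must leave every baseline
    setting untouched."""
    if check_compliance(before, baseline):
        return "INVALID: test system was not compliant before installation"
    drift = install_drift(before, after, baseline)
    if drift:
        return "FAIL: installer altered baseline settings: " + ", ".join(sorted(drift))
    return "PASS: installer left the standard configuration intact"


# Constructed snapshots taken before and after a hypothetical installer ran.
BEFORE_INSTALL = """
# constructed pre-install export
PasswordComplexity=Enabled
MinimumPasswordLength=12
FirewallEnabled=Yes
AutoplayDisabled=Yes
AdminApprovalMode=Enabled
SomeAppSetting=foo
"""

AFTER_INSTALL = """
# constructed post-install export: firewall weakened, autoplay lockdown removed
PasswordComplexity=Enabled
MinimumPasswordLength=12
FirewallEnabled=No
AdminApprovalMode=Enabled
SomeAppSetting=bar
"""

if __name__ == "__main__":
    before = parse_snapshot(BEFORE_INSTALL)
    after = parse_snapshot(AFTER_INSTALL)
    print(application_verdict(before, after))
    for name, (old, new) in sorted(install_drift(before, after).items()):
        print(f"  {name}: {old!r} -> {new!r}")
```

Treating a missing setting as a deviation rather than as "unknown" is deliberate: an installer that deletes a lockdown leaves the machine just as non-compliant as one that flips its value, and a checker that only compares keys present in both snapshots would miss it.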
Retailers Complain About PCI Data Security Requirements (June 11, 2007)
Representatives of retailers attending the recent ERIexchange conference voiced frustration at the amount of the security burden they must shoulder under the Payment Card Industry (PCI) Data Security Standard. Among their complaints are the costs associated with compliance and the possibility of alienating customers by making paying with credit cards more complicated. Some feel the credit card companies that developed the PCI standard should have involved retailers more closely on the standard's implementation. Merchants that accept credit cards are expected to be compliant by June 30. Those not in compliance could face fines of up to US $500,000 and the possibility of not being able to take credit cards for payment.
[Editor's Note (Schultz): In a way I am sympathetic with the retailers' views and in a way I am not. Some of the provisions of PCI-DSS, particularly the ones related to level 1 compliance, seem unduly picky. At the same time, however, it should come as no surprise that organizations are complaining about the costs involved in complying with security-related standards and regulations. If these organizations had better security practices in the first place, there would be no need for such standards and regulations.
(Pescatore): The Payment Card Industry has formed the PCI Standards Council to try and foster more involvement but there has been very little movement as yet.
(Skoudis): The PCI standards are not some lofty goal that is really hard to meet. They represent a minimum baseline for organizations accepting credit cards. In some of the investigations I'm working, organizations who handle information far, far more important than PCI are arguing, "But we met the PCI standards." But, keep in mind that PCI represents a bare minimum for credit card accepting companies. If you handle even more important data, your security practices should _exceed_ PCI.
(Grefer): Apparently the complaining merchants have not yet experienced egg in their face from an incident that was tracked back to a lack of PCI compliance.
(Kreitner): This is the kind of pushback that is to be expected when tightening up the security of information. Get over it, folks. Better information security is not free. ]
India to Get IT Privacy Watchdog (June 7 & 8, 2007)
Indian IT industry group NASSCOM will establish an organization to oversee the privacy and security of the country's IT outsourcing industry. The Data Security Council of India (DSCI) will be an independent organization from NASSCOM and should help assuage foreign security concerns because India does not have data protection laws that mirror those of the countries whose organizations send their IT work to India. "The DSCI will develop common minimum standards for privacy and security policies, offer certification, enforce a code of ethics and best practice, and punish any breaches by Indian IT and BPO companies."
[Editor's Note (Pescatore): This is good to hear, as long as the DSCI provides transparency into its oversight operations. Now, where is the equivalent in other countries - including the US?]
************************ Sponsored Links: *****************************
1) Learn how Siemens/BBC uses flow-based anomaly detection & network performance monitoring to secure internal networks. Register for this FREE webinar "Securing Your Enterprise Through Network Visibility"
2) Tear down authorization silos to improve security and compliance. Download this free Securent whitepaper.
3) Stop the use of unauthorized USBs, iPods, and PDAs across your network with VolumeShield AntiCopy!
THE REST OF THE WEEK'S NEWS
Yahoo! Sued Over Role in Chinese Journalist's Arrest (June 11, 2007)
Yahoo! is being sued for allegedly providing Chinese officials with information that helped them track down and arrest journalist Shi Tao. Shi had sent out an email containing government policies regarding media restrictions; he was convicted of leaking state secrets and sentenced to 10 years in jail. While Yahoo! has in the past acknowledged it shared information about him, a statement issued recently reads, "Yahoo! is dismayed that citizens in China have been imprisoned for expressing their political views on the Internet," but made no mention of the lawsuit. Yahoo! also says that it has to comply with Chinese law while operating in China, or its employees could face penalties.
[Editor's Note (Grefer): Until an international court is established that has jurisdiction to deal with transnational issues, a lot of case law will have to suffice to determine which laws apply under which circumstances when more than one country is involved. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Estonia Says Cyber Attacks are Terrorist Acts (June 8, 2007)
Estonian Prime Minister Andrus Ansip wants to designate cyber attacks as "acts of terror." Sustained cyber attacks against Estonian government and commercial web sites in April were apparently launched in retaliation for Estonia's removal of a Russian war memorial from the capital city of Tallinn; that incident also sparked physical demonstrations. The attacks bore IP addresses indicating they came from the Kremlin. Prime Minister Ansip says it is possible the Russian government sponsored the attacks; it is also possible that the attackers infected and then used Kremlin computers to make them appear to come from the government. Moscow denies any involvement with the attacks.
[Editor's Note (Pescatore and Paller): Distributed Denial of Service attacks are a daily event; this only got news because the Estonian sites appear to have been totally unprepared to protect themselves. If you have a mission critical Internet site, you should have DDoS protection baked in to its Internet connection. Major internet service providers offer such protection and charge for it.
(Ranum): "Terrorism" is attempts to alter the behavior of a state through attacks designed to instill fear. I don't think a DDOS attack qualifies. Perhaps we need a new term like, maybe, "Irritantism."
(Grefer): Given the ease of tampering with IP address information, any such allegations would be hard to substantiate and should be treated with the utmost caution. It is all too easy to disguise an incident or attack to make it appear to have been performed by a third party. ]
SPYWARE, SPAM & PHISHING
Anti-Spam Groups Hit with DDoS Attacks (June 11, 2007)
Several organizations devoted to fighting spam have been targeted by distributed denial of service (DDoS) attacks. Two of the three, Spamhaus and Spam URI Realtime Blocklists (SURBL), have managed to keep their sites up despite the barrage of traffic; Realtime URL Blacklist (URIBL) was unavailable for several days last week. Rules Emporium was reportedly offline and may have been targeted by the attacks as well. The attacks bear similarities to last year's attack on Blue Security, another anti-spam organization. That attack used the Storm malware.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Hides in Phony Security Bulletin (June 11, 2007)
A message claiming to be a cumulative update for Internet Explorer with the title "Microsoft Security Bulletin MS06-4" has been sent to users. A link provided in the email claims to be the patch, but actually allows a malicious file on a remote server to install malware on users' computers. The websites hosting the malicious downloader code have been shut down.
[Editor's Note (Pescatore): There are a few phrases that should stick in everyone's mind: "Cross at the green, not in between", "Loose lips sink ships", "A patch from an email link is bound to stink." ]
Yahoo! Issues Update for Messenger Flaw (June 8 & 11, 2007)
Yahoo! has made available a fix to address a remote code execution flaw in Yahoo! Messenger. The buffer overflow flaw in a Yahoo! Messenger Webcam ActiveX control was disclosed last week. Proof-of-concept code and the patch followed in quick succession. The flaw could also be exploited to force users to log out of chat or instant messaging sessions, or crash certain applications. The flaw is reportedly being exploited in the wild, making it all the more important for users to upgrade to a fixed version of the messaging software.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pfizer Employee Data Exposed (June 11, 2007)
File-sharing software installed on a Pfizer employee's work-supplied laptop exposed personally identifiable information of approximately 17,000 current and former employees of the international pharmaceutical company. The computer had been issued so the employee could work from home; the employee's spouse installed the file-sharing software. Pfizer has confirmed that some files containing the employee data were accessed. The affected employees are being notified by mail. Connecticut Attorney General Richard Blumenthal is investigating the incident.
[Editor's Note (Schmidt): The whole issue of Peer to Peer/File Sharing problems does not get the attention that it needs. Thousands of files containing everything from network passwords to audit reports by large audit firms (including homeland security audits) are being shared all around the world. That does not take into account the thousands of end users that have no idea that more than just their media files are being shared. I have seen data from about every sector of business and there is little being done to address this growing data leakage/theft problem.
(Northcutt): This implies the employee had local administrator privileges, or it would have been difficult for the spouse to install the peer to peer software. Also, huge awareness tip: we each need to make sure our employees as well as friends and family understand that peer to peer software is designed to share files. If you install it, the odds are that you are sharing files even if you are not aware that you are. ]
University of Virginia Data Breach (June 8, 9 & 11, 2007)
The University of Virginia (UVa) has acknowledged that data breaches exposed personally identifiable information of approximately 6,000 current and former faculty members. The data include names, dates of birth and Social Security numbers (SSNs). The breaches occurred between May 2005 and April 19, 2007. The system in question was accessed no fewer than 54 times over the nearly two-year period. The breach was discovered while UVa was in the process of switching from SSNs to university-issued ID numbers as unique identifiers. The data were not in a place where one would normally stumble across them by accident; the attack was likely purposeful. Current faculty members have been apprised of the situation; former faculty members are being notified by mail and email. The breach affects individuals who worked as UVa faculty between 1990 and 2003 as well as current faculty members. Some records may have contained additional data, including dates of hire, tenure status, addresses and places of birth. The FBI, the UVa police department and the UVa IT department are investigating the incident.
New Hampshire Hospital Data Breach (June 9 & 10, 2007)
Concord (NH) Hospital has informed more than 9,000 patients that their personal information was exposed on the Internet for at least a month. Concord Hospital learned of the breach from a Bellevue, Washington-based online billing subcontractor on May 30, 2007; patients were notified more than a week later. The compromised data include names, addresses, dates of birth and SSNs. The data were exposed when a firewall was turned off for maintenance. Medical information was not exposed, but the hospital president and CEO says there's no way of knowing whether or not the information has been stolen.
University of Iowa Graduate Program Data Breach (June 8, 2007)
The University of Iowa is in the process of notifying 1,100 students, applicants, and faculty members that their personal data may have been compromised when a web site's security was breached. The breach affected "a database containing administrative information for the Interdisciplinary Graduate Program in Molecular and Cellular Biology." University and law enforcement officials have been informed of the incident. The breach occurred on May 19, 2007.
Link Correction
In last Friday's edition of NewsBites (Vol. 9, No. 45), the links we supplied for the texts of the two spyware bills in the US House of Representatives did not work. We apologize for any inconvenience this may have caused and offer new links:
I-SPY Prevention Act:
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit