Volume IX - Issue #47

June 15, 2007

Folks in the Portland, Oregon area have complained that we never bring SANS conferences there. So we did.


FBI Operation BotRoast IDs More Than One Million Infected PCs
FBI Proposes Huge Data Mining Project
FBI Data Collection Rule Violations Higher Than Indicated in March


Phisher Draws Six-Year Sentence
Man Pleads Guilty to Spamming AOL Subscribers
VA Designates US $20 Million Fund for Data Breach Mitigation
Apple Releases Safari for Windows Update
Exploits Follow Microsoft Patches
Winny Blamed for Police Data Leak
ChoicePoint "Role Model for Data Security"
Google Cuts Data Retention Period

************** Sponsored By The Secure Software Institute ***************

Be one of the first to earn the GSSP (Software Security Certification) in C or JAVA. The first administration of the National Secure Coding Examination will be August 14 in Washington, DC. Check out the test blueprints, try the sample tests there, look at the test specs and sign up for one of only 100 test slots. Register at:


SANS TRAINING UPDATE: In the next 120 days SANS training will be available in more than 30 cities in five countries, with the biggest programs in Washington DC at the end of July and in Las Vegas at the end of September.
Complete schedule at:
Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live online while you ask questions in real time - very cool - called SANS@HOME
(2) Or have SANS faculty come to your site and shape the course to your specific needs:



FBI Operation BotRoast IDs More Than One Million Infected PCs (June 14, 2007)

An FBI crackdown on botnets and those who control them has identified more than one million PCs infected with malware that allows them to be hijacked and used as part of an army of bots to attack other computers, spread malware, or send spam. The FBI is planning to notify the owners of the infected computers with the help of Carnegie Mellon University's Computer Emergency Response Team Coordination Center. The operation also netted three arrests: Robert Soloway, who allegedly sold spam kits and access to botnets for spamming; James Brewer, who allegedly compromised more than 10,000 PCs around the world; and Jason Downey, who allegedly ran a botnet used to conduct distributed denial of service (DDoS) attacks.



[Editor's Note (Paller): The FBI's arrests this week (see the first story) have raised the risk and cost for bot herders and the spammers and other criminals who rely on botnets. Though law enforcement cannot be expected to stamp out all crime, these large-scale arrests make a significant difference. Kudos.
(Ullrich): Now that we know there are a million infected systems, how are those victims supposed to learn about the problem and correct it? We have been trying to notify infected users with DShield data for years, but we have to work through ISPs who are not very responsive. In fact, a first version of the FBI's web site asked infected users to call their ISPs for help. This has since been changed and users are now directed to a number of websites with cleanup help. Lots of people gladly earn money by selling hardware, software and Internet access. Few are willing to help the users out once they get into trouble. ]

FBI Proposes Huge Data Mining Project (June 12, 2007)

The FBI is requesting US $12 million for the fiscal year beginning October 1, 2007 for the Foreign Terrorist Tracking Task Force's proposed National Security Branch Analysis Center. The FBI is hoping to create a database that can be analyzed for behavior to detect terrorist sleeper cells. The database will hold an estimated 6 billion records by 2012. Two congressmen have voiced concerns over the project's threat to citizens' privacy; they have asked that the Government Accountability Office (GAO) investigate the FBI's proposal. Among the concerns are the ability of the FBI to manage such a large database and the efficacy of predictive data mining. Among prior incidents are the FBI's failed US $170 million Virtual Case File system; the fact that a consultant was able to gain access to classified FBI computers just last year; and the recent disclosure of the FBI's abuse of National Security Letters.

FBI Data Collection Rule Violations Higher Than Indicated in March (June 14, 2007)

A recent internal FBI audit has found more than 1,000 rule violations regarding the collection of domestic phone call data, email and financial transactions, a considerably higher number than was reported in March. The majority of these are instances in which telephone companies and ISPs provided the FBI with more data than they had requested in National Security Letters. In some cases, instead of destroying the extra data, agents reportedly issued new National Security Letters to cover those data. The audit did not reveal knowing or willful violations of rules, but did illuminate a lack of understanding among agents regarding the legal procedures and paperwork requirements involved in collecting such data with National Security Letters. Approximately "two dozen of the newly discovered violations involved agents' requests for information that US law did not allow them to have," such as email header data. The law allows the agents to request data about email senders and recipients, but not the content of the messages. This audit examined approximately 10 percent of the FBI's security investigations since 2002.

[Editor's Note (Pescatore): The juxtaposition of these two items says it all. OMB has long had requirements that any IT project must include funding for information security sufficient to protect the information and the application - but there has never been any enforcement. This would be a good place to start.
(Ullrich): Typically, system administrators are more than willing to cooperate with lawful requests by the FBI, but the FBI has lost a lot of respect and good will from system administrators by bullying them with national security letters. ]

************************* Sponsored Links: ****************************

1) Upcoming SANS Web Cast June 18th at 1pm EST featuring Dr. Eric Cole, "Correlating SIM information to Detect Insider Threats"
Register Today.

2) SANS Voucher Credits Maximize your Training Budget Save 15-30% on SANS training & certification
Visit or Email

3) Upcoming SANS Ask the Expert webcast on June 20th at 1pm EDT titled "Reputation-Based Network Security". Register today.




Phisher Draws Six-Year Sentence (June 13, 2007)

The first person to be convicted by a jury under the CAN-SPAM Act has been sentenced to nearly six years in prison. Jeffrey Brett Goodin used hijacked Earthlink accounts to send email messages to AOL subscribers that appeared to come from AOL's billing department. The email messages directed recipients to visit sites where they were asked for sensitive personal and financial information. The messages implied that if they did not supply the data requested, their AOL accounts would be suspended. Goodin was convicted not only of violating the CAN-SPAM Act, but also of wire fraud, unauthorized use of credit cards, and attempted witness harassment.
[Editor's Note (Ullrich): Very nice! These may not be the biggest fish in the pond, but it's a good start. These are very complex investigations. Law enforcement first has to convict some of the (smaller) domestic players before going after the large international groups, if that is possible at all at this time. ]

Man Pleads Guilty to Spamming AOL Subscribers (June 12, 2007)

Adam Vitale has pleaded guilty to violating the CAN-SPAM Act by sending unsolicited commercial email to 1.2 million AOL email addresses. When he is sentenced in September, Vitale could face up to 11 years in prison and a US $250,000 fine. Vitale and an accomplice, Todd Moeller, were caught after they bragged of their capabilities to an individual who turned out to be a confidential government informant; Vitale and Moeller claimed to be able to send enormous quantities of spam in such a way that it would be almost impossible to trace the spam to them. The pair also claimed they could defeat AOL's spam filter. The informant suggested the plan involving the 1.2 million AOL subscribers. Moeller has not yet entered a plea in the case.



VA Designates US $20 Million Fund for Data Breach Mitigation (June 14, 2007)

The Veterans Affairs Department (VA) has earmarked US $20 million to help address its most recent data security breach. The data are on a hard drive that was reported missing from a Birmingham, Alabama medical center earlier this year. The data belong to approximately one million US physicians and VA patients. The VA is providing credit monitoring for those whose data were compromised. One year ago, computer hardware containing personally identifiable information of 26.5 million veterans and active duty members was stolen from a VA employee's home. That equipment was eventually recovered.
[Editor's Note (Pescatore): That works out to $20/account compromised which, when you look at the hard costs of similar incidents of similar size in the past, is low by on the order of a factor of two. But government agencies do get to escape many of the incident costs that commercial entities have to pay.
(Ullrich): Note how easy it is to allocate money *after* the breach. ]


Apple Releases Safari for Windows Update (June 13 & 14, 2007)

Apple Computer has issued an update for its Safari for Windows web browser beta to address flaws that came to light shortly after the browser's Monday release. The update fixes three critical flaws that could be exploited to cause denial of service (DoS) conditions or to execute arbitrary code. The three vulnerabilities are an input validation error in URL processing, a memory read error while processing malformed data, and a race condition while processing JavaScript. People using the beta are encouraged to upgrade to Safari version 3.0.1. The flaws do not affect Safari for Mac OS X.


[Editor's Note (Ullrich): Note that we are talking about beta software here. Every self-respecting full featured web browser has to have at least one remote code execution flaw. It is actually kind of more interesting, even though much less reported, that by installing Safari you may also get a multicast DNS server as a free gift.
(Shpantzer): No browser is perfectly safe and no OS is either. Pretty obvious but for some reason Mac users (and now possibly Safari for Windows users) sometimes suffer from overconfidence in the security of their software, despite an acceleration in the discovery of vulnerabilities in the Mac platform. ]

Exploits Follow Microsoft Patches (June 13, 2007)

Users of Microsoft software are urged to install patches released on Tuesday, June 12, 2007. Within hours of Microsoft's release of six security bulletins that address 15 vulnerabilities, exploits for two of the flaws were already posted to the Internet. Nine of the 15 flaws were given severity ratings of "critical." The flaws exploited by the new code are in Internet Explorer and Windows XP, 2000, and Server 2003.



Winny Blamed for Police Data Leak (June 14, 2007)

Winny filesharing software installed on a Japanese policeman's private computer allowed approximately 10,000 documents and images to be uploaded onto the Internet. The documents include investigative records and personally identifiable information of individuals being investigated. In March of this year, Japan's National Police Agency directed all officers to check for the Winny filesharing software on their personal computers. This particular officer apparently indicated he did not have the software on his computer. He was identified as the culprit because his resume was among the information exposed.

ChoicePoint "Role Model for Data Security" (June 11, 2007)

Darryl Lemecha, CIO and senior VP of Shared Services at data aggregator ChoicePoint, recently spoke about what his company has learned and the changes it has implemented in response to a security breach that exposed personally identifiable data of 163,000 individuals two years ago. ChoicePoint had allowed individuals posing as legitimate business people access to personal data. The company now limits the data it sells and takes greater pains to authenticate its customers. ChoicePoint has also undergone more than 80 external audits in just two years. Lemecha recommends encrypting all laptops, putting passwords on handheld devices and ensuring there is a remote data wipe capability for all such devices. Lemecha also described a five-step plan for bolstering data security and privacy. First, implement a system of governance to clarify accountability and responsibility. Second, define expected behavior and provide tools to make compliance easy. Third, establish breach response policies and procedures. Fourth, authenticate employees' and business partners' credentials on an ongoing basis. Finally, establish an environment of openness. While ChoicePoint did suffer one of the worst data breaches of the last several years, the company has "transformed itself ... to a role model for data security and privacy practices," according to Gartner analyst Avivah Litan.


Google Cuts Data Retention Period (June 13 & 14, 2007)

Google has said it will shorten the amount of time before it starts to "obscure" the search data it retains. Initially, the company had said it would keep data for 24 months before starting to delete portions of identifiers that could link users with searches; now it will begin anonymizing the data after 18 months. Google's decision apparently comes in response to a letter from the European Union's (EU) Article 29 Data Protection Working Group implying that its practices violated the EU's Resolution on Privacy Protection and Search Engines. The resolution specifies that search data connecting users to their searches may be retained only with the users' permission. Google has said that it is retaining data in compliance with the EU's Data Retention Directive, but the law apparently does not apply to Google.



The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit