SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #58
July 24, 2007
Good News on Application Security:
In addition to the White House mandate reported earlier, more than 150 companies that are implementing secure coding programs are coming to Washington in three weeks to hear VISA clarify the application security requirements in the PCI standard and to hear application security pioneers from Morgan Stanley, Cisco, LexisNexis, Oracle, Honeywell, Sovereign Bank, Depository Trust, Polk, TSA, Ounce, SpiDynamics, TippingPoint, and the FBI share the lessons they learned in establishing their secure application development programs: how to manage outsourced application development securely; how to get the developers engaged; how to pick the right tools; how to train and test programmer skills and much more. If you are building an application security program and/or if you are subject to PCI, attending the Application Security Summit will save you months of research and will help you avoid the pitfalls that have hurt other programs.
Agenda and registration: http://www.sans.org/appsummit07
Companies attending the Summit also get scholarships for two of their programmers to participate in the Secure Software Certification Examinations (in Java and in C) the day before the Summit.
Details: http://www.sans.org/gssp07/
Questions: email email@example.com.
TOP OF THE NEWS
iPhone Vulnerability Lets Attackers Take Control
Standard Windows Desktop Configuration Image Expected Early Next Month
DoJ Proposes Enhanced Identity Theft Legislation
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Ten Indicted in Academic Record Altering Scheme
Former Employee Sues Pfizer Over Data Exposure
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
SAIC Breach Exposes Armed Services Personnel Data
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Michigan Databases Breached
Ohio IG's Report Says Blame for Stolen Data is Shared
M&T Bank Issues New Visa Cards in Wake of Retailer Breach
STATISTICS, STUDIES & SURVEYS
Irish Companies Unaware of Liability for Employees' Internet Behavior
eVoting Machines Undergo Rigorous Testing in California
Search Engines Jump on the Privacy Bandwagon
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By ArcSight, Inc. ********************
Free Whitepaper: Calculating Return on Security Investment
With budgets shrinking and regulations growing, today's IT managers need to justify every security infrastructure purchase. Calculating Return on Security Investment (ROSI) means measuring the intangibles. Learn how to measure ROSI with our free whitepaper.
Brought to you by ArcSight, the leader in security, compliance and insider threat.
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
TOP OF THE NEWS
iPhone Vulnerability Lets Attackers Take Control (July 23, 2007)
A trio of individuals has contacted Apple Computer regarding a flaw they discovered in the iPhone that could be exploited to take control of the device. The three recommended a patch for the flaw and noted that the phone has strong security measures, but "once [they] managed to find a hole, [they] were in complete control." One of the three plans to present additional information about the vulnerability at a conference at the beginning of August. Once in control, attackers could use the phone to make calls, access data on the phone, or even use it as a bugging device. The flaw can be exploited through malicious sites or a man-in-the-middle attack; users need to be tricked into accessing a malicious wireless access point. The three also observed that "all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."
[Editor's Note (Pescatore): This may not sound like an enterprise worry, but it is pretty easy to connect the iPhone to corporate email systems. You know that it will creep into use by your employees regardless of policy that says "Don't." Like all immature software, more vulnerabilities will continue to be found - Apple needs to provide enterprise support features so that vulnerability management and data protection can be extended to the iPhone. ]
Standard Windows Desktop Configuration Image Expected Early Next Month (July 16 & 23, 2007)
The test image for the standard Windows configuration is expected to be available to US government agencies in early August, more than three months after the April 20 deadline set by the Office of Management and Budget (OMB). The National Institute of Standards and Technology (NIST) will release a virtual PC and virtual security settings so agencies can test applications in that environment without running into problems on their own systems. The delay of the Windows desktop image makes it likely that agencies will not meet the February 2008 implementation deadline.
DoJ Proposes Enhanced Identity Theft Legislation (July 20, 2007)
The US Department of Justice (DoJ) has submitted the Identity Theft Enforcement and Restitution Act of 2007 to Congress. The proposed legislation expands identity theft and aggravated identity theft statutes to include prosecution for those who steal data from organizations as well as from individuals. The bill would also provide financial restitution for people who have to spend time fixing the problems created by identity theft.
[Editor's Note (Schultz): This proposed legislation is extremely significant in the fight against identity fraud. At the same time, however, I would not count on it passing given the US Congress' voting record concerning issues that affect the welfare of the public over the last few years. ]
*************************** SPONSORED LINKS ***************************
1) ALERT: Web 2.0 Hacking - Attack Scenarios and Examples
2) Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
3) Learn how this innovative, intelligence-led security strategy can proactively address risks in today's online world. New FREE report provides the facts.
THE REST OF THE WEEK'S NEWS
Ten Indicted in Academic Record Altering Scheme (July 23, 2007)
The director of the computer center and the director of admissions at Touro College have both been charged in connection with a grade altering and transcript-forging scheme. The pair took bribes to alter the academic records of current Touro students and forge transcripts for people who never attended the college. Eight other people were indicted, including another Touro employee. "Touro College's own vigilance and oversight led to the discovery of unauthorized changes in student records." The indicted employees have been fired.
[Editor's Note (Pescatore): The fact that the college *did* detect the changes probably puts them in the upper 10% of enterprises as far as having processes and controls that actually assure the integrity of data from sys admin actions. Many have gotten better at detecting sensitive data leaving the enterprise, but protecting stored data from unauthorized actions by authorized people is still a major weakness. (Weatherford): It may sound naive, but the lack of moral compass here is appalling. Another case of people thinking they are above the law. The positive message is that they had auditing and a control process in place to identify this activity and then the administration had the gravities to take action and fire the criminals! (Grefer): Kudos to the college for not only having policies and procedures in place, but also enforcing them. ]
Former Employee Sues Pfizer Over Data Exposure (July 20, 2007)
A former Pfizer employee has filed a class action lawsuit against the company over personal data that was exposed on the Internet. The data made their way to the Internet through a file-sharing program that had been installed on a Pfizer-owned laptop by an employee's spouse. The suit seeks identity theft insurance and the creation of a fund to pay for damages incurred by the affected individuals. The exposed data include names, Social Security numbers (SSNs) and bonus pay information of approximately 17,000 current and former Pfizer employees. Pfizer notified people affected by the breach more than two months after the data's exposure.
[Editor's Note (Northcutt): This is the second time this year we have covered a story of a spouse installing software on a corporate computer leading to data compromise. I feel a security policy update coming on! ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
SAIC Breach Exposes Armed Services Personnel Data (July 20, 21 & 23, 2007)
Science Applications International Corporation (SAIC) has acknowledged that "personal information of certain uniformed service members, family members, and others was placed at risk for potential compromise while being processed" by the San Diego-based Pentagon contractor. The data were transmitted over the Internet unencrypted. Approximately 580,000 households received notification of the breach; some of the households have more than one affected member. The data include names, SSNs, birthdates and some health information. The data belonged to TRICARE, the health benefits program for armed service members, families and retirees. SAIC was alerted to the breach on May 29 "by US Air Force personnel in Europe [who] detected sensitive information being transmitted in clear across the net." SAIC was aware of security problems with this particular server even before the alert; two weeks prior, the company had shut down the server "based on general concerns regarding the security of transmissions." The server itself was not secured, which violated both SAIC and US Defense Department policy. An unspecified number of SAIC employees have been placed on administrative leave pending the results of investigations.
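The SAIC item turns on a monitoring team noticing SSNs crossing the network in clear text. The following is an added example (not code from SAIC, the Air Force, or this newsletter) of the detection logic such a monitor applies: it scans reassembled payloads for SSN-shaped tokens, rejects tokens that fail the Social Security Administration's structural rules (area 000, 666 or 900-999; group 00; serial 0000), and reports only a masked form so the alert itself does not leak the number. The sample payloads, including the SSN values, are constructed for the example.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample payloads standing in for reassembled clear-text traffic.
# None of this is data from the incident; the SSN values are made up.
SAMPLE_PAYLOADS: List[bytes] = [
    b"name=J. Doe&ssn=219-09-9999&dob=1970-01-01",   # one well-formed SSN
    b"GET /report?id=123-45-6789 HTTP/1.1",          # one well-formed SSN
    b"ticket=000-12-3456",                            # area 000 is never issued
    b"order=123-00-4567",                             # group 00 is never issued
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1" + bytes(40),  # TLS-like binary, no digits
    b"a=219-09-9999;b=078-05-1120",                   # two well-formed SSNs
]

# SSN shape with SSA structural exclusions applied via negative lookaheads.
# \b keeps the match from starting or ending inside a longer digit run
# (so dates and ZIP+4 codes do not trigger it).
SSN_PATTERN = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(payload: bytes) -> List[str]:
    """Return every structurally valid SSN token found in one payload."""
    return [m.decode("ascii") for m in SSN_PATTERN.findall(payload)]


def mask(ssn: str) -> str:
    """Reduce an SSN to its last four digits for inclusion in an alert."""
    return "***-**-" + ssn[-4:]


def scan_payloads(payloads: Sequence[bytes]) -> List[Dict[str, object]]:
    """Scan each payload; report index, hit count and masked values for hits only."""
    findings: List[Dict[str, object]] = []
    for idx, payload in enumerate(payloads):
        hits = find_ssns(payload)
        if hits:
            findings.append({"payload": idx, "count": len(hits),
                             "masked": [mask(h) for h in hits]})
    return findings


if __name__ == "__main__":
    for finding in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {finding['payload']}: {finding['count']} SSN(s) "
              f"in clear text -> {finding['masked']}")
```

In practice the payloads would come from a capture tool's reassembled streams rather than a list, and the monitor would raise an alert on the first hit rather than waiting for the full scan; the structural checks matter because a plain `\d{3}-\d{2}-\d{4}` pattern fires on many values that cannot be SSNs.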
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Michigan Databases Breached (July 21, 2007)
Following the discovery of unauthorized activity on a University of Michigan (U-M) server, 5,500 current and former U-M School of Education students have been notified that their personal information may have been compromised. The breach affected two databases that contain names, addresses, SSNs and in some instances, birth dates and the school districts where graduates were employed. The breach was discovered on July 3 and the notification letters were sent July 16.
Ohio IG's Report Says Blame for Stolen Data is Shared (July 20 & 21, 2007)
A report from Ohio's inspector general (IG) says a series of decisions made by a number of people are to blame for the theft of a data storage device that holds personally identifiable information of more than one million Ohio residents. The device was stolen from the car of state office intern Jared Ilovar, who had been instructed to take the device home as part of an arrangement to keep data backups offsite. David White, the program manager of the Ohio Administrative Knowledge System (OAKS) and Ilovar's supervisor, initially downplayed the seriousness of the incident and advised Ilovar to keep pertinent information from police. White's resignation was announced following the report's release; Ilovar has been fired. The report also notes that a February 2007 audit indicated that sensitive data were accessible on a shared drive on the OAKS intranet, but no steps were taken to mitigate that problem. The report does not recommend criminal prosecution for any state employees or IT contractors, though it does recommend disciplinary action for some.
[Editors' Note (Weatherford and Grefer): The blame is almost ALWAYS shared! It's a rare incident where a single person is responsible for everything from policy to physical security to information security. Even if all of the policies and procedures are in place, the use of "past practices" and informal methods of "being more productive" will circumvent the best security policy. It's a culture thing! ]
M&T Bank Issues New Visa Cards in Wake of Retailer Breach (July 20, 2007)
Buffalo (NY)-based M&T Bank is issuing new Visa cards to an unspecified number of customers following a data security breach at an unnamed retailer. The bank was alerted to the breach by Visa. Customers were notified by letters dated July 13; the letters indicated that some card information stolen in the breach had been used to conduct fraudulent transactions.
[Editor's Note (Northcutt): The pressure continues to build. In this case the bank bears the cost of reissuing credit cards due to a breach of security at a retailer. Meanwhile the retailer is working with a credit card system that is inherently insecure; the proof of that being the very large number of merchant breaches. The retailer bears the cost of implementing manual procedures (Payment Card Industry practices) to layer a degree of assurance over the inherently insecure design. At some point we will find ourselves in a shootout, amazingly enough, 18 - 21% interest only cures all up to a point and I think we are starting to reach that point.
(Weatherford): It's interesting to read about a breach by the financial institution affected but the retail organization responsible for the incident isn't identified.
(Grefer): WGRZ coverage refers to intrusions at several major US companies rather than a single unnamed retailer. ]
STATISTICS, STUDIES & SURVEYS
Irish Companies Unaware of Liability for Employees' Internet Behavior (July 19, 2007)
A Chambers Ireland eBusiness Survey found that just 37 percent of the businesses surveyed are aware that they are responsible for their employees' online behavior. Current law allows businesses to be prosecuted if their employees engage in illegal activity using electronic communications over the company network. Many employers were also unaware that they are required to inform employees if they are going to monitor files and email. The survey covers other areas as well, including broadband use and converged communications services.
eVoting Machines Undergo Rigorous Testing in California (July 23, 2007)
For two months, experts have been testing electronic voting machines on the orders of California Secretary of State Debra Bowen. Bowen's report on the machines is due on August 3, just six months before the presidential primary elections in February 2008. Most eVoting machine testing until this point has centered on whether or not the machines do what the vendors claim they do. This battery of tests put the machines in real-world scenarios of active attacks aimed at altering the outcome of elections. The report will indicate whether or not the machines should be certified for use in upcoming elections. Voting machine vendors and county registrars have vested interests in the outcome of the report.
[Editor's Note (Schultz): Good for Ms. Bowen and the state of California! Voting machines should not be used unless they have passed a series of rigorous tests, the kinds of tests Ms. Bowen is having performed. ]
Search Engines Jump on the Privacy Bandwagon (July 22 & 23, 2007)
Following Google's lead, other search engines are revamping and publicizing their data retention policies. In March, Google announced that it would begin anonymizing the search data it retains after the data are between 18 and 24 months old unless faced with a legal obligation to keep them longer. Microsoft plans to remove identifying information from retained search data after 18 months, unless users want the information held for a longer period. Microsoft search data will be held separately from data that identifies users personally. Microsoft also plans to offer a way for users to search anonymously on Microsoft Windows Live websites. Yahoo! will start anonymizing IP addresses associated with searches after 13 months, and Ask will not retain users' search history at all if users request. If the users allow their search data to be retained, Ask will anonymize the data after 18 months. The issue of stored search data came to light last year when AOL posted information about 650,000 searches on its website; information included in some of the query data could be used to identify the individuals who conducted searches. A joint statement from Ask and Microsoft calls for search engines to create industry standards to make clear to consumers what data they collect, how those data are used, and what role the stored data play in advertising.
[Editor's Note (Grefer): An opt-in model would be beneficial. Providing certain types of value-added services that actually require this type of information in order to properly function to only those people who opt-in is not all that difficult to implement. ]
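The retention policies in the item above differ only in a few parameters: how many months a record may keep its identifying fields (13 for Yahoo!, 18 for Microsoft and Ask), whether a user may opt out of retention entirely (Ask), and whether a legal obligation overrides the schedule (Google). The following is an added example, not code from any of the search engines named above, of a retention pass that applies such a policy to a constructed batch of search records: past the cutoff it truncates the IPv4 address to its /24 (IPv6 to its /48) and drops the user cookie, holds back records under a legal hold, and discards everything for a user who opted out. The record layout, field names and sample values are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SearchRecord:
    """One retained search; layout is an assumption for this example."""
    when: date
    ip: Optional[str]
    cookie: Optional[str]   # per-user identifier, dropped on anonymization
    query: str


@dataclass(frozen=True)
class RetentionPolicy:
    anonymize_after_months: int   # 13 (Yahoo!) or 18 (Microsoft, Ask) per the item
    retain_at_all: bool = True    # False models a user who opted out of retention


def age_in_months(record_date: date, today: date) -> int:
    """Whole months elapsed between record_date and today."""
    months = (today.year - record_date.year) * 12 + (today.month - record_date.month)
    return months - 1 if today.day < record_date.day else months


def anonymize_ip(ip: str) -> str:
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def apply_retention(records: List[SearchRecord], policy: RetentionPolicy, today: date,
                    legal_hold: FrozenSet[str] = frozenset()) -> List[SearchRecord]:
    """Return the batch as it should be stored after one retention pass."""
    if not policy.retain_at_all:
        return []   # user asked for no history at all: nothing is kept
    kept: List[SearchRecord] = []
    for rec in records:
        if rec.cookie in legal_hold:
            kept.append(rec)   # legal obligation overrides the schedule
        elif age_in_months(rec.when, today) >= policy.anonymize_after_months:
            kept.append(replace(rec, ip=anonymize_ip(rec.ip) if rec.ip else None, cookie=None))
        else:
            kept.append(rec)
    return kept


def identifiers(records: List[SearchRecord]) -> List[Tuple[Optional[str], Optional[str]]]:
    """(ip, cookie) pairs, the fields a retention pass is allowed to change."""
    return [(r.when and r.ip, r.cookie) for r in records]


# Constructed sample batch evaluated as of the newsletter's date.
TODAY = date(2007, 7, 23)
SAMPLE_RECORDS = [
    SearchRecord(date(2005, 12, 1), "203.0.113.45", "u1", "flight to denver"),   # 19 months old
    SearchRecord(date(2006, 5, 10), "198.51.100.7", "u2", "pci requirements"),   # 14 months old
    SearchRecord(date(2007, 7, 1), "192.0.2.9", "u3", "sans newsbites"),         # this month
    SearchRecord(date(2005, 1, 15), "2001:db8:abcd:1234::5", "u4", "hold me"),   # under legal hold
]
LEGAL_HOLD = frozenset({"u4"})

if __name__ == "__main__":
    for months in (13, 18):
        out = apply_retention(SAMPLE_RECORDS, RetentionPolicy(months), TODAY, LEGAL_HOLD)
        print(f"anonymize after {months} months:", identifiers(out))
    print("opted out:", apply_retention(SAMPLE_RECORDS, RetentionPolicy(18, False), TODAY))
```

Running it shows the one record that differs between the 13-month and 18-month schedules (the 14-month-old one), which is the kind of check a reviewer wants before signing off that a published policy and the code enforcing it agree.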
LIST OF UPCOMING FREE SANS WEBCASTS
July 18, 2007: Ask The Expert: Making Your Web Applications PCI Compliant
Sponsored By: SPI Dynamics
June 28, 2007: Ask The Expert: The Importance of Web Application Security for PCI Compliance
Sponsored By: Watchfire
June 27, 2007: WhatWorks in Log Management: Regulating Logs Globally
Sponsored By: LogLogic, Inc.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/