
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #76

September 25, 2007

The first story in this issue, about the possible criminal failure of the DHS intrusion detection contract, is worth a few minutes of your time, because it illuminates fundamental failure at an agency that should know better. DHS isn't alone; some unscrupulous contractors are taking advantage of lax government oversight in security all across government to charge enormous amounts of money while systematically failing to do what is needed to actually secure the systems. Contractors claim they know the work is flawed but they are "only doing what their federal customers are requesting". Shame on them for accepting assignments they know to be impotent and failing to do the job that is needed to protect our nation's systems and secrets. This scandalous behavior has been going on for more than seven years, but it looks like it is finally going to stop. Chairmen Bennie Thompson and James Langevin (Chairmen of the House Homeland Security Committee and its Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, respectively) are investing enormous amounts of their time to find the failures and fix them. They both deserve the thanks of everyone who cares about effective cyber security.


FBI Investigating DHS Contractor For Alleged Failure to Detect DHS Breaches
Companies Still Not Taking Adequate Measures to Wipe Used Drives
Number of Cyber Attacks is Down, But Severity is Up


TJX Offers Settlement
Panda Author Gets Four Years in Prison
Estonia Looking to Update Cyber Security Laws
German Courts Order eDonkey Servers Shut Down
Cross-Site Scripting Flaws in Google
Zero-Day PDF Flaw in Adobe Reader
Overflow Flaw in OpenOffice Could Allow Remote Code Execution
Mortgage Data Exposed through Filesharing Network
Another Laptop Theft in Connecticut


Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
***WhatWorks in Mobile Encryption Summit

Where can you find Hacker Exploits and SANS' other top-rated courses?
Las Vegas (9/23-9/28):
Chicago (11/2-11/7):
Tokyo (11/5-11/10):
London (11/26 - 12/1):
Washington DC (12/13-12/18):
New Orleans (1/12-1/17):

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)



FBI Investigating DHS Contractor For Alleged Failure to Detect DHS Breaches (September 24, 2007)

The FBI is investigating Unisys over allegations the company failed to detect cyber attacks on US Department of Homeland Security (DHS) computer systems. The investigation was prompted by a letter from the House Committee on Homeland Security, citing the "high and unacceptable" number of "cyber security incidents" experienced by DHS computer systems in fiscal years 2005 and 2006. The committee alleges that the intrusion protection devices placed on DHS systems by Unisys were improperly installed. Unisys refutes the allegations of improperly installed systems and maintains it reported cyber security incidents. Committee chairman Bennie Thompson (D-Miss.) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology chairman James R. Langevin (D-R.I.) have also asked DHS Inspector General Richard Skinner to conduct an investigation.
[Editor's Note (Ullrich): Nobody will guarantee that a network is fully secured against any possible attack. However, this case may become interesting if it evolves into a meaningful discussion about security service level agreements.
(Honan): Outsourcing the implementation or management of your security systems to a third party does not equate to outsourcing the responsibility for those systems. You need to implement proper checks and balances to ensure that your provider is providing the level of service you require. It will be interesting to see how the outcome of this case will impact on the outsourced security provider space.
(Ranum): While they're all playing "blame the contractor," the truth is that government agencies have been allowed to become utterly de-skilled through overreliance on outsiders instead of actually knowing how to do anything. The fact that DHS is the agency nominally tagged with leading the US' cyber security efforts makes this whole comic opera a lot less funny.
(Schultz): It is reasonable to expect events such as this one to occur more frequently over time. Security service providers are going to increasingly be held accountable for the results of the services that they provide. ]

Companies Still Not Taking Adequate Measures to Wipe Used Drives (September 21, 2007)

The percentage of used hard drives containing sensitive data has not changed much in the last two years. According to statistics from BT Group, 37 percent of second-hand hard drives still contain confidential information from their previous users. BT Group examined 350 hard drives bought in online auctions. Nineteen percent of the disks had sufficient data on them to identify the organization of origin, and 65 percent contained personally identifiable information. The report, which has yet to be released, also says that used drives are not highly reliable; 44 percent of the 133 disks purchased in the UK did not work.

[Editor's Note (Ullrich): Wiping data takes time. Companies might be better served by destroying the drives vs. trying to resell them used. It's not worth the risk. ]

Number of Cyber Attacks is Down, But Severity is Up (September 21, 2007)

According to a study from the Computing Technology Industry Association (CompTIA), the incidence of cyber attacks has declined slightly over the last year, but the severity of those attacks has increased significantly. Of the 1,070 organizations responding to the survey, 66 percent did not report a security breach within the previous 12 months. Last year, that figure was 61.8 percent, and the year before, 42 percent. However, the organizations gave the attacks they did experience an average severity rating of 4.8 on a scale of 0 to 10; last year's average severity rating was 2.6. The largest portions of the costs involved in security breaches were impact on employee productivity and server and network downtime.
[Editor's Note (Ullrich): Modern malware becomes harder and harder to remove and detect. Once a system is infected, the damages very quickly escalate due to malware automation and counter measures taken against detection. The smaller number of attacks may very well reflect the difficulties in detecting these attacks vs. an actual decline.
(Northcutt): These results are probably not correct; I think organizations, with DHS as a case in point, are simply losing the ability or desire to detect attacks.
(Ranum): I don't think we should quote these numbers because they are meaningless and therefore deceptive. I just checked on CompTIA's site - the site producing the research - and it appears to simply use web-based surveys in which basically anyone can log in and fill it out. There are two horrible methodological flaws in doing this. First and foremost, it's a self-selected sample, which guarantees bias. You're not measuring "cyber attacks," you're measuring "what people who were bored enough to take a survey claimed about cyber attacks." Unless they used some different methodology for the survey (in which case they should explain it!). Secondly, there's no way of telling if the respondent actually has relevant information; for all we know the survey was taken by bored 12-year-olds mashing buttons at random. ]

************************* Sponsored Links: ***************************

1) ALERT: Hacking Web Applications- A Step-by-Step Attack Analysis
Download this SPI Dynamics White Paper:

2) *NEW* Whitepaper. How do you take control of inside threats?
Learn 10 proven strategies for combating attacks.

3) 63% of malware distributed by US hosted web sites. New ID Theft and Fraud Report provides the latest stats.




TJX Offers Settlement (September 24, 2007)

TJX Companies has made a settlement offer to address class action lawsuits brought in response to the massive security breach that was disclosed earlier this year. Under the terms of the offer, customers would be reimbursed for the cost of replacing their driver's licenses and would be provided with three years of credit monitoring. The settlement is subject to court approval. The company would also provide store vouchers if customers incurred losses as a result of the breach.
[Editor's Note (Schultz): TJX would be lucky to have its offer accepted, as the compensation it is offering is rather meager in comparison to the magnitude of the impact of its security breach on so many of its customers. ]

Panda Author Gets Four Years in Prison (September 24, 2007)

A Chinese court has sentenced Li Jun to four years in prison for writing and releasing the Panda worm. Three accomplices received sentences of between one year and two-and-a-half years. The four earned approximately 200,000 yuan (US $26,600) from selling the worm to others. Prosecutors maintain the malware caused significant damage to millions of computers between November 2006 and March 2007.


Estonia Looking to Update Cyber Security Laws (September 17, 2007)

Estonian legislators are taking steps to amend the penal code to provide for more stringent punishments for cyber criminals. Estonian government and business websites came under attack last spring, which prompted the amendments. Current computer crime law in Estonia addresses crimes with personal and financial gain as their aim. Under the proposed laws, cyber crimes would be deemed acts of terrorism if their intents were the same as acts of physical terrorism.


German Courts Order eDonkey Servers Shut Down (September 20 & 21, 2007)

Following orders from German courts, seven eDonkey servers in Germany were shut down. The removal of those servers means that approximately one-third of eDonkey's four million users will not have access to the filesharing network. eDonkey does not have a parent company; it is a loose organization with no apparent central control, so authorities decided to take aim at those operating the servers that enabled the eDonkey network. Injunctions against servers in France and the Netherlands have also been issued.


Cross-Site Scripting Flaws in Google (September 24, 2007)

A trio of cross-site scripting flaws in Google applications could be exploited to steal data. A flaw in the polls application of Google Groups could allow attackers to steal messages and contacts from Gmail accounts. The second flaw lies in the Google search appliance and could be exploited to steal site login credentials and other sensitive information. The third vulnerability, which is in Google's Picasa photo organizer, could allow attackers to steal pictures by manipulating users into visiting specially crafted websites.

Zero-Day PDF Flaw in Adobe Reader (September 21, 2007)

A zero-day, critical flaw in Adobe Acrobat Reader could be exploited with a maliciously crafted PDF file to take control of PCs. The person who found the flaw says he will not release proof of concept code until a fix is available. In the meantime, he advises users to refrain from opening PDF files. Adobe is investigating the issue.

[Editor's Note (Ullrich): Sadly, Adobe has done little to shed light on the issue of severity. Even without a patch available yet, I would hope a software company would provide clear guidance on severity and mitigating measures.
(Frantzen): There is no such thing as a 0-day *vulnerability*. There are only 0-day exploits at best. The right term for a vulnerability is "new" or "unpatched", even "unconfirmed". The mitigation described is of no help as the alternative will be even worse. Going back to emailing word documents where the vulnerabilities are documented with exploits before they get patched?
(Honan): Given the widespread use of the PDF file format for distributing files, the potential impact of this problem should not be underestimated. Until more details are available or Adobe issues a patch, I suggest talking to your senior management to highlight this problem. Based on that discussion, mitigation steps such as blocking/quarantining emails with PDF attachments, preventing the downloading of PDF files and reinforcing to users not to click on PDF files can be implemented. ]

Overflow Flaw in OpenOffice Could Allow Remote Code Execution (September 18, 2007)

A critical heap-based buffer overflow flaw in OpenOffice could allow attackers to execute arbitrary code and gain unauthorized access to vulnerable systems. The flaw lies in the way some tags within TIFF images are processed. To exploit the flaw, attackers would need to trick users into opening maliciously crafted documents. The flaw affects OpenOffice versions prior to 2.3; users are urged to upgrade to the most recent version.


Mortgage Data Exposed through Filesharing Network (September 21 & 22, 2007)

Personally identifiable information of more than 5,200 ABN Amro Mortgage customers was leaked to the Internet. A former ABN employee had BearShare filesharing software installed on her computer, which allowed the leak of the ABN spreadsheets as well as some of her own personal information. The leaked data include Social Security numbers (SSNs). The company is investigating. There is legitimate concern that the information could be used to commit identity fraud; a man was recently arrested in Washington state for misusing information he obtained through filesharing networks.

[Editor's Note (Northcutt): Companies must have a strong policy to never allow family members to use computers that are used for company business, where the definition of company business is that one or more company files are on that computer. Also, we must understand that if you put peer to peer software on a system it is almost certain you will share more than you expect to. ]

Another Laptop Theft in Connecticut (September 21 & 22, 2007)

A laptop computer stolen from a car earlier this month in Watertown, Connecticut holds personally identifiable information of individuals connected with 41 child welfare cases. The computer belonged to a private consultant and held names, birthdates and allegations that prompted the involvement of the Department of Children and Families (DCF), but no financial data. The consultant reported the theft to the agency the day after it occurred. This information security breach follows close on the heels of the theft of a laptop computer containing Department of Revenue Services data for more than 105,000 Connecticut taxpayers and the revelation that a computer backup tape stolen from a car in Ohio earlier this year held information about state agency bank accounts as well as a small number of Connecticut residents.


Ask the Expert: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit