SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #8
January 26, 2007
The third and fourth stories under "Top of the News" offer more proof that laptop losses and theft are not "harmless," and that any US Congressional efforts to undermine strict state disclosure laws should be considered anti-consumer and anti-voter at best, and criminal at worst.
And the Laptop Encryption Summit (which sold out last fall in DC) will be run again in San Jose, April 23-25: users sharing the lessons learned in enterprise deployment of encryption. This one will sell out, too, and the web site isn't up yet. If you want to be notified when the registration web site goes live, email firstname.lastname@example.org with subject "Encryption Summit".
TOP OF THE NEWS
Former Michigan County Treasurer Allegedly Embezzled State Funds to Pay Nigerian 419 Scammers
Class Action Suit Filed Against Chicago Board of Elections for Data Exposure
Data Stolen from TJX Has Been Used to Commit Fraud
Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
MySpace Sues Spammer
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Norwegian Government Sets Timetable for Apple Compliance with DRM Modifications
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Issues Three Patches for IOS Software Flaws
Apple Fixes QuickTime Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptops Have Data Encryption Technology
Stolen Concentra Tapes Also Affect Nationwide Health Ins. Customers
Exploit Packs and Hacking Software
STATISTICS, STUDIES & SURVEYS
Half of Finance Managers Put Unsolicited USB Drive in Computers
Anti-Theft Software Tracks Thief, Leads to Drug Bust
*********************** Sponsored By Imperva Inc. ***********************
Download Free Database Vulnerability Scanner - Are your databases secure? Know for sure. Use Scuba by Imperva for a deep dive into MS-SQL, Oracle, DB2, and Sybase databases. Find flaws that hinder data security and compliance. It's free, easy, safe, and outputs technical and management-friendly reports. Free download
Visit Imperva at RSA - Booth # 2632.
SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks.
Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
TOP OF THE NEWS
Former Michigan County Treasurer Allegedly Embezzled State Funds to Pay Nigerian 419 Scammers
(25, 24 & 17 January 2007)
Former Alcona County (Michigan) Treasurer Thomas Katona has been arraigned on nine felony counts of embezzlement and one felony count of forgery for allegedly embezzling state funds to the tune of US $1.2 million; some of the money was allegedly sent to 419 fraudsters in Nigeria. Authorities became aware of the situation when a local bank alerted them to unauthorized wire transfers Katona had directed. Bank officials had cautioned Katona on several occasions that he was falling for a scam, but he ignored their warnings. Katona also allegedly lost more than US $72,000 of his own money in the scam.
[Editor's Note (Schultz): It is hard to understand how someone who ostensibly is an otherwise intelligent, responsible person could allegedly have fallen for such a scam in such a big way. This shows that despite the fact that 419 scams have lost much of their lustre, they nevertheless still pose a high level of risk.
(Liston): The common misconception is that 419 scams (and their ilk) are aimed at unintelligent victims. Mr. Katona, no doubt, saw the prospect of the 419 "windfall" as a way to cover up his alleged embezzlement, and let greed and desperation overwhelm common sense. Remember: scams are aimed at other human weaknesses -- not "stupidity."
(Grefer): FTC and State Department web sites provide additional guidance at:
(Shpantzer): These scams are profitable and have resulted in domestic violence and kidnappings/ransom/killings of those who travel to Nigeria to close 'deals' with the scammers. ]
Class Action Suit Filed Against Chicago Board of Elections for Data Exposure
(23 January 2007)
A class-action lawsuit has been filed against the Chicago Board of Elections for sending out more than 100 CDs with sensitive, personally identifiable voter information to city aldermen and ward committeemen. "The suit ... alleges the board violated the Illinois Personal Information Protection Act" and seeks unspecified compensation for all Chicago voters whose Social Security numbers (SSNs) were compromised. Other data on the CDs include dates of birth, addresses and phone numbers. The board is making efforts to get the disks back, but a board spokesperson maintains there have been no reports of associated identity fraud since the disks were sent out more than three years ago. The board is required by law to notify voters about the incident, but it plans to make the notification through advertising rather than by contacting each voter individually. The Personal Information Protection Act allows for this sort of notification; see Section 10 (c).
Text of Illinois Personal Information Protection Act:
[Editor's Note (Liston): It is interesting to see the government's response to its own error and contrast that with what we can only assume would've been the reaction if this had been a private firm's mistake.
(Shpantzer): This mirrors this week's leak investigation of the entire Israeli population data being given to the political parties in Israel, per Israeli law, facilitating democracy and election fairness. Where else is this happening, and what's being done about this unintended consequence? ]
Data Stolen from TJX Has Been Used to Commit Fraud
(25 & 24 January 2007)
The Massachusetts Bankers Association says customer data stolen in the TJX computer intrusion have been used in fraudulent activity. Close to 60 banks in Massachusetts have been contacted by credit and debit card companies regarding fraudulent activity on compromised debit and credit cards. Banks in other states, including Vermont, Wisconsin and New Mexico, have reported issuing new cards. Canadian cardholders have been hit by fraud as well.
Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
(22 January 2007)
A laptop computer stolen from a Xerox human resources manager's car in August 2006 holds information belonging to an unknown number of Xerox employees; nearly 300 employees received letters notifying them of the theft four months after the fact. Some of the employees had experienced credit problems in the interim; for instance, one individual said several cell phone accounts were opened in his name in the fall of 2006. A spokesperson defended the company's decision to delay notification, saying they wanted to determine whether any personal information was on the computer.
************************** Sponsored Links: ***************************
1) Don't miss SANS Ask the Expert Webcast: Malware Analysis Shortcuts on Thursday, February 01 at 1:00 PM EST (1800 UTC/GMT) Sign up now! http://www.sans.org/info/3146
2) "Where is your privacy data and IP going? Find out! Download your free Info-Protection kit!" link to: http://www.sans.org/info/3151
3) Log Management and Security Event Management in Rhythm. One easy to use, enterprise-class solution. http://www.sans.org/info/3156
THE REST OF THE WEEK'S NEWS
MySpace Sues Spammer
(23 & 22 January 2007)
MySpace has filed a lawsuit against Scott Richter for allegedly accessing MySpace user accounts and using them to send spam. Richter and his associates obtained the account information either by phishing or by purchasing a list of accounts from phishers. The lawsuit seeks an injunction that would prohibit Richter and his associates from accessing MySpace as well as damages and "repayment of all profits gained as a result of the activity." Spam charges are not new to Richter. In August 2005 he agreed to pay Microsoft US $7 million to settle a spam lawsuit. Richter also settled a similar lawsuit brought by then-NY State Attorney General Eliot Spitzer.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Norwegian Government Sets Timetable for Apple Compliance with DRM Modifications
(24 January 2007)
To clarify a point in a story from Tuesday's NewsBites: Norway's government ombudsman says Apple has until March 1, 2007 to say whether or not it will modify its DRM policy to allow interoperability between iTunes and digital media players other than the iPod. The current arrangement violates Norwegian law. The company then has until October 1, 2007 to say exactly how it plans to implement those changes. Apple could face legal action from the Norwegian government if it does not take appropriate action.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Issues Three Patches for IOS Software Flaws
(25 & 24 January 2007)
Cisco has released a trio of fixes for security flaws in its Internetwork Operating System (IOS) software. One of the flaws could allow attackers to create denial-of-service (DoS) conditions; the other two could allow DoS conditions as well as the execution of arbitrary code. There is some concern that the vulnerabilities will be exploited before Internet service providers have applied the patches. Workarounds are available.
[Editor's Note (Liston): These are very serious issues, and every Cisco shop I know of is treating them that way. Unfortunately, Cisco's workarounds aren't very practical in many instances, so these patches will need to be fast-tracked into production. ]
Apple Fixes QuickTime Flaw
(24 January 2007)
Apple has released fixes for a buffer overflow flaw in its QuickTime media playback software. The flaw affects Windows and Mac OS X. "The QuickTime flaw involves an error in processing malformed Real Time Streaming Protocol (RTSP) URLs" and could be exploited to execute arbitrary code. Exploit code for the flaw is available.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptops Have Data Encryption Technology
(24 January 2007)
Thieves stole 18 laptop computers from an Orlando, Fla. law firm earlier this week. The firm, Foley & Lardner LLP, says "the computers automatically encrypt data and render information on them unusable to others."
[Editor's Note (Pescatore): Laptop thefts aren't going away, but by this time in 2008 this type of item (laptop stolen, but the data was protected) shouldn't even be newsworthy. Of course, the big question is "Was the data on the laptop backed up??" Laptop theft, or loss of/damage to encryption keys can still lead to a "Denial of Data" attack.
(Multiple): This law firm should be commended for having data encryption on laptops, but its handling of physical security appears to leave a lot to be desired. ]
Stolen Concentra Tapes Also Affect Nationwide Health Ins. Customers
(24 January 2007)
Backup tapes stolen from a lockbox at a Concentra Preferred Systems office in Weymouth, Mass. hold sensitive, personally identifiable information of more than 28,000 Nationwide Health Plan customers. The data include names, Social Security Numbers (SSNs) and health information. The breach affects only Nationwide Health Plan customers, mostly from central Ohio; car, life and homeowners policyholders were not affected. The theft occurred on October 26, 2006; Nationwide was apprised of the situation two weeks later. Nationwide notified customers by mail last week, although Concentra's web site had a notice about the theft on December 1. A Nationwide spokesperson said the delay between their learning of the breach and their notification of customers was to allow the company to determine the nature of the data stolen and whether it was exploitable by identity thieves and fraudsters. The stolen tapes also hold data belonging to about 130,000 Aetna and 42,000 Group Health Insurance customers; those customers were notified in mid-December. Concentra is a subcontractor providing auditing services to Nationwide.
[Editor's Note (Honan): From the article "Nationwide was among the first insurance companies to offer identity theft insurance, rolling out the product in 2005 after one of the company directors had his identity stolen.", Oh the irony of it all. ]
Exploit Packs and Hacking Software
(23 & 24 January 2007)
More than 70 percent of web-based attacks in December 2006 can be traced to just one "multi-exploit hack pack." The kit comprises as many as a dozen exploits, some of which have their origins in proof-of-concept code released by a researcher during July's "Month of Browser Bugs." In a separate story, a Russian crime group is reportedly selling bank account hacking software in South Africa.
[Editor's Note (Ranum): Yet we continue to hear people spout the ideology that these "security researchers" are offering the community a valuable service and that disclosing bugs is to everyone's benefit. How much longer can people continue to ignore the obvious? ]
STATISTICS, STUDIES & SURVEYS
Half of Finance Managers Put Unsolicited USB Drive in Computers
(25 January 2007)
As a research project, a consulting firm sent USB sticks to finance directors at 500 firms in the UK. The memory devices purported to be invitations to "the Party of a Lifetime" from an anonymous sender but were actually part of an experiment. Nearly half of the finance directors inserted the stick into company computers. Media companies fared the worst in the experiment, with 65 percent putting the memory stick into computers. At technology, retail and transportation companies, the figure was between 38 and 39 percent. The devices could be used to plant malware on computer systems.
[Editor's Note (Liston): While this test seems somewhat contrived, you really can't argue with the results. Human curiosity is an incredibly strong motivator that will, more often than not, overwhelm common sense. If you found a USB key laying in the parking lot outside your workplace, what would YOU do? What would the majority of your co-workers do?
(Schultz): The results of this research study further underscore the great need to reach management in security training and awareness efforts, something that is much too often completely overlooked.
(Honan): This story illustrates how depending on your perimeter defences alone is no longer sufficient. Comprehensive security awareness programmes coupled with technical controls such as locked down desktops and USB port management are needed in the battle against ever increasingly sophisticated attackers. Using resources such as those provided by the Centre for Internet Security will help. For example, a simple registry entry on Windows machines will disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun. ]
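Auditing and enforcing the AutoRun policy value that Honan's note names, in PowerShell, as an added example that is not part of the NewsBites text or of any editor's note. NoDriveTypeAutoRun is a bitmask: bit n disables AutoRun for drive type n as reported by the Win32 GetDriveType() call, so 0xFF disables it for every type. The function names are this example's own; the script assumes an elevated prompt for the write.

```powershell
# Added example (not from the NewsBites issue or Honan's note): audit and enforce
# the NoDriveTypeAutoRun policy. Writing under HKLM requires an elevated prompt.
$policyKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF   # every bit set: AutoRun off for all drive types

# Bit n of the mask disables AutoRun for drive type n (GetDriveType() DRIVE_* values).
$driveTypeBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE' },   # USB sticks, floppies
    @{ Bit = 0x08; Name = 'DRIVE_FIXED' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'RESERVED' }
)

function Get-AutoRunPolicy {
    # One row per drive type, showing whether the HKLM policy disables AutoRun for it.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    $mask = if ($null -ne $item) { [int]$item.$valueName } else { 0 }   # absent: nothing disabled by policy
    foreach ($dt in $driveTypeBits) {
        [pscustomobject]@{
            DriveType       = $dt.Name
            AutoRunDisabled = (($mask -band $dt.Bit) -ne 0)
            Mask            = ('0x{0:X2}' -f $mask)
        }
    }
}

function Set-AutoRunPolicy {
    # Write the mask as REG_DWORD, creating the Policies\Explorer key if it does not exist.
    param([int]$Mask = $disableAll)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $Mask -Type DWord
}

Get-AutoRunPolicy | Format-Table -AutoSize   # current state
Set-AutoRunPolicy                            # enforce 0xFF
Get-AutoRunPolicy | Format-Table -AutoSize   # every row should now show AutoRunDisabled = True
```

The same value also exists under HKCU; when both are present the HKLM policy wins, which is why the note points at HKLM. The change takes effect for new logon sessions (or after Explorer restarts). Two caveats a practitioner would want: Microsoft later shipped an update (KB 967715) because several Windows versions before Windows 7 did not honour this value consistently, so check that it is installed on older hosts; and disabling AutoRun only removes the autorun.inf path, it does not stop a curious user from double-clicking whatever is on the stick, which is why Honan pairs the registry change with awareness training and USB port management.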
Anti-Theft Software Tracks Thief, Leads to Drug Bust
(23 January 2007)
A laptop computer taken along with other items in a Des Moines, Iowa-area burglary was equipped with software that calls home when the computer is next plugged in. "Police used Internet access records from a separate company" that led them to a home where they not only apprehended a man suspected in the theft, but also discovered a drug operation.
[Editor's Note (Ullrich): Some universities had great luck tracking down stolen laptops on campus by watching for the laptop's MAC address to show up on campus networks. In some cases, raids on dorm rooms triggered by these finds revealed larger crime operations involving more stolen items, drugs and weapons. See for example:
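A watchlist check of the kind Ullrich describes, as an added example that is neither part of his note nor any university's tooling: it runs the MAC addresses recorded in stolen-laptop reports against DHCP lease records. The log lines, hostnames, IP addresses and watchlist entries below are constructed for the example; only the column layout follows the Windows DHCP server audit log (DhcpSrvLog-*.log), in which event ID 10 is a new lease and 11 a renewal. The function names are this example's own. On a campus running ISC dhcpd the same matching applies to the syslog DHCPACK lines, with a different line parser.

```powershell
# Added example (not from the NewsBites issue or Ullrich's note). All sample data is constructed.
$watchlist = @(
    '00:1B:63:AA:BB:CC',   # fictitious: MAC from the asset record of a reported stolen laptop
    '00-0d-93-12-34-56'    # fictitious: second report, written in a different separator style
)

# Constructed lines in the Windows DHCP server audit log layout (DhcpSrvLog-*.log).
$dhcpLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/23/07,00:00:04,Started,,,
10,01/23/07,08:14:02,Assign,10.20.31.55,lib-kiosk-04.campus.example,0019D1112233
11,01/23/07,08:16:40,Renew,10.20.44.9,dorm-b-217.campus.example,001B63AABBCC
10,01/23/07,09:02:11,Assign,10.20.44.10,,000D93123456
'@

function ConvertTo-CanonicalMac {
    # Strip separators and upper-case, so "00:1b:63..", "00-1B-63.." and "001B63.." compare equal.
    param([Parameter(Mandatory)][string]$Mac)
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Find-WatchlistedLeases {
    # One object per lease event whose client MAC is on the watchlist.
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$WatchMacs
    )
    $wanted = @{}
    foreach ($m in $WatchMacs) { $wanted[(ConvertTo-CanonicalMac -Mac $m)] = $true }

    # Only lease events carry a client MAC: ID 10 = new lease, 11 = renewal.
    $records = $LogLines |
        Where-Object { $_ -match '^(10|11),' } |
        ConvertFrom-Csv -Header ID,Date,Time,Description,IPAddress,HostName,MACAddress

    foreach ($r in $records) {
        $mac = ConvertTo-CanonicalMac -Mac $r.MACAddress
        if (-not $wanted.ContainsKey($mac)) { continue }
        $hostName = $r.HostName
        if ([string]::IsNullOrEmpty($hostName)) { $hostName = '(none)' }   # a wiped laptop may send no name
        [pscustomobject]@{
            When  = "$($r.Date) $($r.Time)"
            Event = $r.Description
            IP    = $r.IPAddress
            Host  = $hostName
            MAC   = $mac
        }
    }
}

$hits = Find-WatchlistedLeases -LogLines ($dhcpLog -split "`r?`n") -WatchMacs $watchlist
$hits | Format-Table -AutoSize
```

The check is only as good as the asset inventory: the MAC has to be recorded when the laptop is issued, not after it is stolen. A hit is a lead, not proof, since a MAC can be changed in software and a thief can swap the wireless card; wireless controller association logs and 802.1X/NAC authentication logs are additional sources to correlate before anyone is sent to a dorm room. Normalising the MAC once, as above, avoids the classic miss where the report says 00:1B:63:AA:BB:CC and the DHCP server logs 001B63AABBCC.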
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit