SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #17
April 27, 2005
TOP OF THE NEWS
House Subcommittee Approves Bill to Create Assistant Secretary for Cyber Security Position at DHS
GAO: IRS Computer Systems Vulnerable to Unauthorized Access
Retailers Face Payment Card Industry Standard Compliance Deadline
Sovereign Bank Files Suit Against BJ's Wholesale in Card Data Theft Case
THE REST OF THE WEEK'S NEWS
SPAM & PHISHING
Lawsuit Alleges Kraft Foods Sent Spam
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Shanghai Court Sentences Two Americans to Prison
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Trend Micro Apologizes for Flawed Update
RealNetworks Issues Patch for Buffer Overflow Flaw
Microsoft Lists Windows Server 2003 SP1 Application Compatibility Problems
Fixes Available for PHP Vulnerabilities
ATTACKS AND INTRUSIONS
Carnegie Mellon Computer Breach Exposes Personal Data
Ameritrade Notifying 200,000 Customers Whose Data is on Missing Tape
DSW Ups Number Affected by Data Breach to 1.4 Million
STANDARDS AND BEST PRACTICES
CIS Releases Five New Security Configuration Standards, Including Wireless Networks
STATISTICS, STUDIES AND SURVEYS
China Has Highest Number of New Zombie Computers
SANS Releases Analysis of Log Management Industry
UK Ministry of Defence Files Found on Discarded Computer
Rendering Drives Completely Unreadable Can be Difficult
Center Plans to Conduct Real Time Monitoring of Cyber Intrusions
A Rare NewsBites Book Review: Silence on the Wire
******************** Sponsored by Watchfire Corp. ***********************
"Developing and Deploying Secure Web Applications," a Watchfire Whitepaper
To build and deploy secure web applications, you need to create 'hacker resistant' business logic, test quality in the QA/staging environment, and enforce security and compliance through internal and external audits. The potential for a security breach exists in each layer of the web application. Learn best practices to safeguard your web applications from future attacks.
Why Professionals Always Attend SANS Training If They Have A Choice
(1) "SANS teaches you things that you can use right away without all the fluff. What an eye opener." (Sean Saxton, EMS)
(2) "The knowledge gained from SANS training has not only empowered me with the confidence of providing top notched computer security services, but it has also reduced the time needed for unbillable hours of research." (Kevin Cohen, Data Triage Technologies)
(3) "Quick, concise, full of content" (Michael Moore, EDS)
TOP OF THE NEWS
House Subcommittee Approves Bill to Create Assistant Secretary for Cyber Security Position at DHS
(20 April 2005)
The House Subcommittee on Economic Security, Infrastructure Protection and Cyber Security has approved HR 285, the Department of Homeland Security Cybersecurity Enhancement Act, which would create an assistant secretary for cybersecurity position at DHS. Presently, the highest ranking cybersecurity position at DHS is the director of the National Cyber Security Division; industry has been pushing for a higher ranking cyber security position. Among the assistant secretary's responsibilities would be "establishing a national cyber security response system, ... a national cyber security threat and vulnerability reduction program, ... and ... a national cyber security awareness and training program."
Text of HR 285:
[Editor's Note (Schneier): I predict more failure. This is still lacking any sort of coordinated plan. Awareness is all very well, but it doesn't accomplish much.
(Pescatore): Big sigh. We are still lacking what Presidential Decision Directive 63 called for waay back in 1998: a coordinated focus on the federal government becoming a model citizen in Internet security, and using its buying power to move the market forward. Bully pulpits are fine, but the government actually moving forward would be much more effective.
(Paller): John and Bruce are exactly right. DHS has not led the way in using its procurement power to buy safer systems. Perhaps a new Secretary and a new - yet to be named - CIO at DHS will enable the Department to lead by example and then begin to help other agencies improve their security through smarter use of available funds.
(Ranum): This is going to be another "failure as usual" for the government. Here's how I can tell: already they are talking about the responsibilities of the position and not about the authority of the position or its power to get anything done.
(Schultz): Perhaps elevating the position of the DHS cyber security chief will help reverse the dismal trend of quick exits of individuals who have held this position in the past.
(Schmidt): We have said many times that the majority of the work needs to be done by the private sector (worldwide): better software, easier security, self healing, self repairing systems etc. Like any other job, the more senior the position, the more likely more resources are applied and the greater the chance for success in a shorter period of time. ]
GAO: IRS Computer Systems Vulnerable to Unauthorized Access
(20/18 April 2005)
According to a report from the Government Accountability Office, security holes in the Internal Revenue Service's computer systems leave taxpayer information vulnerable to unauthorized access and tampering. Although the IRS has addressed 32 of the 53 security problems described in a 2002 review, this year's report found an additional 39 problems. Nearly 7,500 IRS employees, other government employees and independent contractors have the ability to access and modify tax return and financial crime report data. Furthermore, the IRS does not adequately monitor its computer systems to detect unauthorized access.
[Editor's Note (Ranum): Pathetic.
(Pescatore): Sarbanes-Oxley audits are giving a lot of private industry companies the same deficiencies - missing Identity and Access Management processes and controls. Policies are the easy part - I'm sure the IRS had reams of policies. Implementing the processes across groups, and having the access controls implement separation of duties, is the real heavy lifting. ]
Retailers Face Payment Card Industry Standard Compliance Deadline
(25/23/22 April 2005)
Retailers have until June 30, 2005 to comply with the Payment Card Industry Data Security Standard. To receive certification under the standard, merchants must meet a dozen security requirements, including installing and maintaining a firewall, not using default passwords, using strong protection for stored data and implementing controls that restrict data access to a need-to-know basis. Businesses may not store the cards' verification codes or data from the cards' magnetic stripes. Those failing to comply will face fines, or in some instances may be banned from processing transactions using payment cards.
[Editor's Note (Pescatore): Enforcement of this program has been slow to get cranked up, but it is a really good example of an industry defining a meaningful set of standards for its members. If Visa and MasterCard had cooperated from the get-go, instead of pushing separate standards for the past 4 years, we could have avoided a lot of identity theft in the past few years. ]
Sovereign Bank Files Suit Against BJ's Wholesale in Card Data Theft Case
(11 February 2005)
Sovereign Bank has filed a civil lawsuit saying that it had incurred significant financial damage when debit card information was stolen from BJ's Wholesale Club. The suit claims that BJ's was required to meet security standards set by VISA but failed to do so, resulting in the losses.
[Editor's Note (Paller): Security people have talked for years (with some wistfulness) about the possibility of some lawsuit that "makes people liable for bad security." This case has the potential to meet that goal. The VISA requirements are very useful and are quickly becoming a standard of due care for organizations storing sensitive information. You can see a level version of them at:
(Ranum): This is a very interesting "shot across the bows" to all organizations that hold credit card information. It's one thing to have a few thousand upset customers, but another thing entirely to be sued by a major bank! ]
************************ SPONSORED LINKS ********************************
1) FREE WebInspect Trial: "Protect Your Web Applications from Hacker Attack!"
2) Visit Lancope's Download Center to access "Network Security Doesn't End with IPS" white paper.
3) Security is #1 with Shavlik HFNetChkPro(tm) security patch management. Download the trial version today at
THE REST OF THE WEEK'S NEWS
SPAM & PHISHING
Lawsuit Alleges Kraft Foods Sent Spam
(22 April 2005)
The founder of a small California ISP has filed a lawsuit against Kraft Foods, Inc., alleging the company is responsible for 8,500 spam email messages in violation of both the federal CAN-SPAM Act and California anti-spam law; the headers of the unsolicited commercial email messages were faked. The attorney representing the man who filed the suit says his client is entitled to US$11.7 million in damages.
[Editor's Note (Schneier): Kraft sending Spam? No, that can't be right; it's Hormel that makes Spam, not Kraft. ]
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Shanghai Court Sentences Two Americans to Prison
(19 April 2005)
Shanghai's No. 2 District Court sentenced two American men to prison for selling pirated DVDs over the Internet. Randolph Hobson Guthrie received a prison sentence of two-and-a-half years and was fined 500,000 yuan (US$60,400). Abram Cody Thrush received a one-year prison term and was fined 10,000 yuan (US$1,200). Both will be deported at the completion of their sentences. Guthrie reportedly earned about US$160,000 selling the pirated material.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Trend Micro Apologizes for Flawed Update
(25 April 2005)
Trend Micro is apologizing for a "faulty" software update that rendered machines running Windows XP SP2 inoperable. Trend Micro says it will offer compensation to companies for the time spent repairing the damage the faulty update caused; the company attributed the problem to a mistake in a pattern file, and said that it has released a fix.
[Editor's Note (Schultz): Trend Micro's actions are impressive and hopefully will serve as an example to others. Vendors should, after all, take responsibility for flaws in their products and should compensate their customers when flaws cause financial loss. If vendors do not take responsibility, sooner or later national legislation will require them to do so.
(Tan): This is indeed a very unfortunate incident. When it hit, it left many people clueless about the sudden death of their system. Most people did not expect it to have been caused by the anti-virus product. In fact, many Internet Storm Center (ISC) readers wrote in and said that they had spent several hours diagnosing the problem before finally finding the cause posted at the ISC website. One user even rebuilt the whole system. I can't imagine how a normal user will know how to handle this. ]
RealNetworks Issues Patch for Buffer Overflow Flaw
(22 April 2005)
RealNetworks has released a patch for a buffer overflow flaw in some of its products that could allow the execution of malicious code. The vulnerability exists in most recent consumer versions of the RealPlayer media player software for Windows, Macintosh and some Linux systems, as well as in some versions of RealOne Player. There have been no reports of exploits for the flaw in the wild.
Microsoft Lists Windows Server 2003 SP1 Application Compatibility Problems
(20 April 2005)
Microsoft has acknowledged that Windows Server 2003 Service Pack 1 breaks a number of applications, including Exchange Server 2003 and Systems Management Server 2003. Information on SP1 application compatibility is available on Microsoft's support site.
[Editor's Note (Schultz): This serves as yet another example of why installing Service Packs and hotfixes as soon as they are released is not really a good idea.
(Paller): This type of incompatibility is a necessary step in the painful process of vendors moving toward delivering safely configured systems. It is real pain caused by decades of development without concern for security, but Microsoft's new release is not the primary problem that must be "solved". Software developed on insecure platforms is the big problem. ]
Fixes Available for PHP Vulnerabilities
(19 April 2005)
The PHP group has announced the availability of updates, both from the group's web site and from vendors, for a number of vulnerabilities, including some which could be exploited to execute malicious code and create denial-of-service conditions.
ATTACKS AND INTRUSIONS
Carnegie Mellon Computer Breach Exposes Personal Data
(21 April 2005)
Carnegie Mellon University is informing more than 5,000 people that their personal information, including Social Security numbers, may have been compromised during a computer network breach that was discovered on April 10. The compromised computers contain information about current graduate students and administrative staff as well as those who received graduate degrees from and those who applied to several different graduate programs.
Ameritrade Notifying 200,000 Customers Whose Data is on Missing Tape
(20/19 April 2005)
Ameritrade has begun sending letters to approximately 200,000 current and former customers informing them that a tape containing their personal data kept on file by the company has been misplaced. A spokeswoman for the company says there is every reason to believe the tape is still somewhere in the facility of the shipping company that initially misplaced it or that it has been destroyed. She also said the data were compressed but not encrypted.
DSW Ups Number Affected by Data Breach to 1.4 Million
(19 April 2005)
DSW Shoe Warehouse now says that the number of people affected by a massive theft of customer data is as high as 1.4 million, a number ten times greater than had previously been acknowledged. DSW says it has begun contacting those people for whom it has contact information. The thieves managed to steal credit card numbers, driver's license numbers and checking account numbers, but no customer names or addresses were affected. The Secret Service is investigating.
[Editor's Note (Schneier): So you're saying that some thief might have my credit card number, driver's license numbers and checking account number, but not my name or address? Imagine how much safer that makes me feel. Honestly, any thief who can't obtain the relevant data from a driver's license number isn't worth his salt. ]
STANDARDS AND BEST PRACTICES
CIS Releases Five New Security Configuration Standards, Including Wireless Networks
(22 April 2005)
The Center for Internet Security released consensus security configuration benchmarks for wireless networks, AIX, OS X, Oracle 9i/10g, and Solaris 10. This brings the total number of publicly released CIS Benchmarks to 19. Each benchmark comes with a free tool that measures compliance. These benchmarks and tools are among the most important products produced by DHS-sponsored public/private partnerships and are being widely adopted. The downloads are free and are available at
STATISTICS, STUDIES AND SURVEYS
China Has Highest Number of New Zombie Computers
(21 April 2005)
According to a recent report, over 20% of the 157,000 new zombie computers identified daily are in China. The US is next on the list with 16%, followed by South Korea with 10%. Zombies are computers infected with malware that allows others to use them to launch denial of service attacks or to send spam or phishing email.
SANS Releases Analysis of Log Management Industry
(26 April 2005)
In conjunction with LogLogic and other security log analysis vendors, SANS offers a free analysis of the rapidly growing log analysis industry. The paper is available at:
UK Ministry of Defence Files Found on Discarded Computer
(21 April 2005)
A UK man found 70 "top-secret" Ministry of Defence files on a laptop he obtained at a garbage dump. The MoD is conducting an investigation to find out whether or not the computer was official MoD equipment. In 2002, the ministry admitted that nearly 600 laptops had been stolen or gone missing in the five preceding years. An MoD spokesman said the ministry has procedures in place to ensure that the equipment it disposes of does not contain sensitive information.
Rendering Drives Completely Unreadable Can be Difficult
(20 April 2005)
The National Association for Information Destruction has said it cannot endorse the use of wiping applications alone for ensuring that data have been effectively removed from hard drives. NAID executive director Bob Johnson said the only way to ensure that the data will be unreadable is to physically destroy the drives, and even that has to be done in certain ways to ensure its efficacy. Most major PC makers offer a drive destruction service for $20 or $30. Some hardware engineers say they understand why the drives have been created in a way that makes it hard to completely erase the data: customers demanded it because they were afraid of losing information they had stored on their drives.
[Editor's Note (Pescatore): Cool, I want a "National Association for Information Destruction" tee shirt. How hard could it be to have an interlock feature - you can really, really clear the drive if you open the case, hold this button down while you delete?
(Ranum): Peter Gutmann, from New Zealand, did a terrific talk in 1997 at USENIX in which he showed electromicrographs of hard disk surfaces that had been "wiped" - you could still clearly see the 1s and 0s where the heads failed to line up perfectly on the track during the write/erase sequence. He also pointed out that you can tell more recently written data from less recently written data by the field strength in the area, which would actually make it much easier to tell what had been "wiped" versus what was persistent long-term store. The paper, minus the cool photos, may be found at:
Hard disks, I've found, make satisfying small arms targets. ]
Center Plans to Conduct Real Time Monitoring of Cyber Intrusions
(21/20 April 2005)
The Cyber Incident Detection Data Analysis Center, a non-profit working group backed by a grant from the Department of Homeland Security, will soon begin a pilot data collection program. Headquartered at the University of Pennsylvania's Institute for Strategic Threat Analysis and Response, the group plans to use Real Time Cyber Attack Detection sensors to gather cyber intrusion information. The group's primary focus is sharing the information with private sector organizations responsible for critical infrastructure in a timely manner.
A Rare NewsBites Book Review: Silence on the Wire
We rarely do book reviews, but this is an extraordinary collection of information on passive reconnaissance and the publisher is fairly unknown, so if we didn't bring "Silence on the Wire" to your attention it might get missed. If you are involved in information warfare, or in charge of security at an organization with high value assets, you should be aware of this book:
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit