SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #102
December 27, 2006
TOP OF THE NEWS
Government Agencies to Test Employees with Phishing Attacks
DoD Bans HTML eMail and Outlook Web Access
Microsoft Investigating Reports of Vista Flaw
Open Relay DataBase Shuts Down
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Prison Sentences for Two Malware Gang Members
Sony BMG Settles with 39 More States
USC Cyber Intruder Gets Home Detention
POLICY & LEGISLATION
Bill Aims to Enhance VA Data Security
Cyber Legislation Before Congress in 07
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Boeing Taking Steps to Improve Data Security
Nissan Customer Database Leak
STATISTICS, STUDIES & SURVEYS
Data Security Breaches Top Execs' List of Concerns
Utah Valley State College Data Breach
Man Fired After Seeking Help to Change College Grades
OneDOJ Database Raises Privacy Concerns
TRAINING UPDATE: Great security courses in Orlando and San Diego -
Orlando: 15 immersion courses, January 13-19
San Diego: 30 immersion courses, March 29-April 6
TOP OF THE NEWS
Government Agencies to Test Employees with Phishing Attacks (18 December 2006)
US military services and several agencies will use penetration testing software to "launch diagnostic phishing attacks against their own workers." The goal is to see how well government employees follow email security policies. The software can be used for general phishing attacks as well as spear phishing attacks, which are aimed at specific targets. Agencies planning on using the software include the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Veterans Affairs, and the Departments of Labor, Energy and Agriculture.
[Editor's Note (Kreitner): This is a good idea if workers are told about this activity in advance. It should motivate people to be more alert to phishing traps. The clueless folks who bite the bait should be required to attend a training class and pass a test. This kind of approach conveys the message that management is serious about security.
(Ullrich): Every organization should do this! Ignoring the social engineering approach during a penetration test is like not running a port scan against a firewall.
(Liston): Writing policies and offering security training are great, but you really need to TEST to see what you're doing is effective, then target the areas where you're deficient. Kudos to these agencies for doing the right thing.
(Honan): This is a positive move by these government agencies. It is one thing having computer security policies and security awareness programs in place, it is quite another to ensure they are effective in delivering the desired messages. ]
DoD Bans HTML eMail and Outlook Web Access (22 December 2006)
In response to an elevated network threat condition, the US Defense Department has blocked HTML-based email and banned Outlook Web Access email applications. The current threat level does not prohibit the use of attachments.
[Editor's Note (Northcutt): I hope they can stick to their guns. There are a number of benefits from a security perspective for doing this. What often happens in DoD is they make pronouncements like this and then start approving exceptions. Here is a link to a slightly extreme article that explains why html mail might not be ideal:
(Liston): "Good thing we got that barn door closed. Now... has anyone seen the horses?" ]
Microsoft Investigating Reports of Vista Flaw (27, 26, 24 & 22 December 2006)
Microsoft is investigating reports of a privilege escalation flaw that exists in all recent Microsoft operating systems, including Windows Vista. Proof of concept exploit code has been released for the flaw, which lies in the Client-Server Runtime Subsystem (CSRSS). The vulnerability may not pose a significant risk on its own because it is a local flaw: an attacker must already be able to run code on the machine to exploit it. Microsoft is also investigating a report of a flaw in Internet Explorer 7 (IE 7) that could allow "booby-trapped" web sites to infect vulnerable computers. (Please note this site requires free registration)
[Editor's Note (Skoudis): One of the much-touted security features of Vista is the ability to limit the rights of users and applications, to fix the problems with the widespread proliferation of admin rights we saw with earlier Windows versions. If this goal is achieved, we'll be able to deploy systems where users do not have local admin privileges much more easily. But, local privilege escalation attacks, especially combined with client-side exploitation, fly in the face of this goal. I wholeheartedly expect that a dominant exploit vector of 2007 and 2008 will be infiltration into a machine via a browser (or other client-side) exploit, followed by a local privilege escalation attack like the one in this article for the bad guy to achieve local SYSTEM privileges. In other words, this CSRSS thing is likely the tip of the iceberg. ]
Open Relay DataBase Shuts Down (22 & 21 December 2006)
Citing its decreasing effectiveness, the Open Relay DataBase (ORDB) is set to shut down on Sunday, December 31. The organization, created five-and-a-half years ago, maintained a DNS-based blacklist of open SMTP relays, mail servers that would forward mail from anyone to anyone and were therefore heavily used by spammers. Spammers are now increasingly turning to botnets to spread their unsolicited email. Five years ago, 90 percent of spam came through open relays; today, that figure stands at less than one percent. The ORDB mailing list closed several days ago and the site will be taken down on the 31st.
[Editor's Note (Ullrich): The quality of various spam blacklists varies widely. Before you use any of them, define procedures to check their accuracy, efficiency, and availability periodically. The problem is that once a blacklist shuts down, it will no longer respond to queries from your spam filter and may cause significant delays and higher loads for the system running the spam filter. ]
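Ullrich's caution about dead blacklists is worth turning into a routine check. The following Python is an added example, not code from the newsletter or from ORDB: it queries the two conventional DNSBL test entries (127.0.0.2 must be listed, 127.0.0.1 must never be), times the round trip, and reports a list as unhealthy if it has gone silent, answers positively for everything, or is too slow to sit in the inbound mail path. The zone names (dnsbl.example and so on) and the canned DNS answers are constructed so the check runs offline; point live_lookup at a real zone to use it against a real list.

```python
"""DNSBL health check: catch a dead, slow or over-listing blacklist before it
degrades the mail filter that depends on it.  Added example, not part of the
SANS NewsBites issue; zone names and sample answers are constructed."""
import socket
import time
from typing import Callable, Dict, Optional

Lookup = Callable[[str], Optional[str]]

# Long-standing DNSBL convention: 127.0.0.2 is always listed (the documented
# test entry) and 127.0.0.1 is never listed.
TEST_LISTED = "127.0.0.2"
TEST_CLEAN = "127.0.0.1"


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_lookup(name: str) -> Optional[str]:
    """Real resolver: A record text if the name exists, None on NXDOMAIN.
    Any other failure (timeout, SERVFAIL, resolver down) propagates."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise


def is_listed(ip: str, zone: str, lookup: Lookup = live_lookup) -> bool:
    """Ordinary spam-filter query: is this sending IP on the list?"""
    return lookup(dnsbl_name(ip, zone)) is not None


def check_dnsbl(zone: str, lookup: Lookup = live_lookup,
                max_latency: float = 2.0) -> Dict[str, object]:
    """Probe the two test entries and time the round trip.

    Failure modes a filter must survive:
      * dead list: the zone times out, or returns NXDOMAIN for everything,
        including the 127.0.0.2 test entry;
      * over-listing: the zone answers positively for everything, which
        would make the filter reject all inbound mail;
      * slow list: answers arrive, but late enough to delay every message.
    """
    report: Dict[str, object] = {"zone": zone, "healthy": False,
                                 "latency": None, "reason": ""}
    start = time.monotonic()
    try:
        listed = lookup(dnsbl_name(TEST_LISTED, zone))
        clean = lookup(dnsbl_name(TEST_CLEAN, zone))
    except Exception as exc:  # timeout, SERVFAIL, resolver unreachable
        report["reason"] = f"lookup failed: {exc}"
        return report
    latency = time.monotonic() - start
    report["latency"] = latency
    if listed is None:
        report["reason"] = "test entry 127.0.0.2 not listed: list is dead or withdrawn"
    elif clean is not None:
        report["reason"] = "127.0.0.1 is listed: list answers positively for everything"
    elif latency > max_latency:
        report["reason"] = f"answers took {latency:.2f}s, over the {max_latency}s budget"
    else:
        report["healthy"] = True
    return report


def fake_resolver(table: Dict[str, str], delay: float = 0.0) -> Lookup:
    """Constructed stand-in for DNS so the check runs offline."""
    def lookup(name: str) -> Optional[str]:
        time.sleep(delay)
        return table.get(name)
    return lookup


def failing_resolver(name: str) -> Optional[str]:
    """Constructed stand-in for a resolver that times out on every query."""
    raise TimeoutError("resolver timed out")


# Constructed sample zones (hypothetical names, not real blacklists).
LIVE_ZONE = fake_resolver({"2.0.0.127.dnsbl.example": "127.0.0.2",
                           "44.2.0.192.dnsbl.example": "127.0.0.2"})
DEAD_ZONE = fake_resolver({})                       # NXDOMAIN for every query
TRAP_ZONE = fake_resolver({"2.0.0.127.trap.example": "127.0.0.2",
                           "1.0.0.127.trap.example": "127.0.0.2"})
SLOW_ZONE = fake_resolver({"2.0.0.127.slow.example": "127.0.0.2"}, delay=0.3)

if __name__ == "__main__":
    for zone, lookup in [("dnsbl.example", LIVE_ZONE), ("dead.example", DEAD_ZONE),
                         ("trap.example", TRAP_ZONE), ("slow.example", SLOW_ZONE),
                         ("down.example", failing_resolver)]:
        r = check_dnsbl(zone, lookup, max_latency=0.5)
        print(f"{zone:14} healthy={str(r['healthy']):5} {r['reason']}")
    print("192.0.2.44 listed:", is_listed("192.0.2.44", "dnsbl.example", LIVE_ZONE))
```

Run check_dnsbl from a cron job or the filter's own startup and drop a zone from the active list as soon as it reports unhealthy; a list that has simply stopped answering costs a full resolver timeout per inbound message, which is exactly the load problem the note describes.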
THE REST OF THE WEEK'S NEWS
Prison Sentences for Two Malware Gang Members (22 December 2006)
Two German men have received prison sentences for their roles in a scheme to manipulate PCs into dialing premium rate telephone numbers. The two are part of a larger gang that netted approximately 12 million Euros (US$15.75 million) in a 14-month period between 2002 and 2003 by infecting more than 100,000 computers with malware that dialed the numbers.
[Editor's Note (Liston): The potential for profit is too high and the potential for serious jail time is too low. This gang was raking in US$1 million per month, and so far only two of them will see the inside of a jail.
(Grefer): Readers who want to protect their Windows home computers or certain cellular phones with Symbian OS from such dialers can do so with the help of the free Spybot Search & Destroy utility available at
Sony BMG Settles with 39 More States (22 December 2006)
Days after reaching settlements with California and Texas regarding the use of a rootkit to hide digital rights management (DRM) software, Sony BMG has settled a suit with 39 other states that will see the company paying out more than US$4.25 million. According to the terms of the settlement, Sony will pay individuals who spent money to remove the software from their computers up to US$175 each.
[Editor's Note (Liston): $4.25 million is a slap on the wrist. The corporate mind-set that allowed Sony BMG to create an incredibly invasive DRM scheme that silently installed itself on an estimated 500,000 machines can only be described as hubris. This fine will do nothing to change that attitude.
(Grefer): Unfortunately this is just the tip of the iceberg. The DRM features included with HD media burden users with extraordinary expenses for replacing most of their existing hardware in order to be able to view content in HD. Most recent hi-res monitors and a lot of hi-res graphics cards do not fulfil the HD DRM requirements. The new paradigm seems to be "guilty until proven innocent". ]
USC Cyber Intruder Gets Home Detention (21 December 2006)
A US District Court judge in California has sentenced Eric McCarty to three years of probation for breaking into a University of Southern California (USC) computer system; the first six months are to be served in home detention. McCarty has also been ordered to pay USC nearly US$38,000 in restitution. McCarty breached the university's online application system in June 2005; it remained offline for ten days. McCarty's attorneys claim he broke into the system to demonstrate its poor security. Although the database held information on 275,000 applicants, an examination of McCarty's home computer showed he had accessed information of just seven people. During his probation, McCarty's use of Internet-connected devices will be limited to job-related activity.
POLICY & LEGISLATION
Bill Aims to Enhance VA Data Security (26 December 2006)
The Veterans Benefits, Health Care and Information Technology Act of 2006, signed into law by President Bush, addresses data security concerns raised by the theft last spring of equipment that held sensitive personally identifiable information of millions of veterans and active duty members. The new law requires the VA to inform veterans when their data are exposed and to make available fraud alerts, credit monitoring and identity theft insurance. The VA must also provide Congress with reports regarding any security breaches. In addition, the law provides an incentive for the VA to recruit employees with IT skills commensurate with the department's needs. The bill also increases funding for certain veterans' health benefits.
[Editor's Note (Kreitner): Why not levy the notification, credit monitoring, and ID theft insurance requirements on all federal agencies who store personally identifiable information? ]
Cyber Legislation Before Congress in 07 (22 December 2006)
A substantial article previews the legislation coming before Congress in 2007, including data breach notification, patent reform, broadband networking and raising the cap on H-1B visas for high-skilled immigrant workers from 65,000 to 115,000.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Boeing Taking Steps to Improve Data Security (21 December 2006)
Following the November 2005 theft of a laptop computer containing information on 161,000 current and former Boeing employees, the company instructed workers to remove sensitive data from laptop hard drives; managers were instructed to check that this was done. Employees were also told that if sensitive data are on a laptop, they should be encrypted. Boeing is moving away from using Social Security numbers (SSNs) as unique personal identifiers and has begun deploying software that will automatically encrypt data saved to company laptops' hard drives. Another Boeing laptop containing information of 382,000 current and former employees was stolen in early December; the employee from whom that computer was stolen was fired for violating company policy.
Nissan Customer Database Leak (21 December 2006)
Nissan has acknowledged that information from its customer database may have been leaked. The auto manufacturer plans to notify the approximately 5.38 million affected customers. Nissan plans to implement additional security measures in 2007, including physical security monitoring of secure areas and software to monitor databases and track all access to the databases.
STATISTICS, STUDIES & SURVEYS
Data Security Breaches Top Execs' List of Concerns (22 December 2006)
According to a Harris Interactive poll conducted in September, corporate executives at large companies place data security breaches and terrorism at the top of their list of concerns. Just nine percent of the 197 senior executives surveyed said they are not concerned about data security. Executives say they are also worried about corporate malfeasance.
[Editor's Note (Ullrich): The article points out that a lot of the concerns are about maintaining "customer trust". So in order to close the loop and make security a priority, tough disclosure laws are needed. Without disclosure laws, it's all too easy to solve the "customer trust" issue by covering up security problems. ]
Utah Valley State College Data Breach (27 December 2006)
The names, SSNs and other personally identifiable information of approximately 15,000 Utah Valley State College (UVSC) students and faculty were inadvertently left accessible on a college server and indexed by Yahoo's search engine for about six weeks in November and December of this year. The data belong to students and faculty who participated in the college's distance education program between January 2002 and January 2005. UVSC removed the files from its servers as soon as it became aware of the situation. The school plans to notify all individuals affected by the data security breach.
Man Fired After Seeking Help to Change College Grades (27 & 21 December 2006)
A man who worked as communications director for US representative Denny Rehberg (R-Mont.) has been fired after trying to hire people to break into the computer system of his alma mater, Texas Christian University (TCU), and change his grades. Todd Shriber was concerned that his school records were not strong enough to ensure his acceptance to graduate school. Shriber's online request was met with responses from two individuals who never intended to conduct the attack and warned him repeatedly that what he was asking them to do was in violation of federal law. The pair told Shriber that the scheme had been detected and advised him to "duck and run," though they never attempted to infiltrate TCU's computer system.
OneDOJ Database Raises Privacy Concerns (26 December 2006)
The US Justice Department's OneDOJ database is raising concerns among privacy and civil rights advocacy groups. The database will allow law enforcement officials at the state and local level to have access to "millions of case files from the FBI, the Drug Enforcement Administration and other federal law enforcement agencies." The database poses concerns because police officers would have access to the personal information of suspects who have not been arrested or charged with a crime. OneDOJ has been under development for a year-and-a-half and holds approximately 1 million case records. That number is expected to triple over the next three years.
[Editor's Note (Northcutt): While these articles are fairly accurate, and there certainly are risks to giving that many people that much access, OneDOJ is not a new idea. It picked up a lift from the Intel Reform Act of 2004, and it is only one part of the DOJ's information sharing program. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit