SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #46
June 09, 2006
Some potentially good news for all US taxpayers and for people who care about security: the government leaders who have to pay for security certification and accreditation studies have decided the country needs to get more security for our money. See the first story in Top of the News.
Also, don't be surprised next week when you visit www.sans.org and you see an entirely new look that reflects many of your suggestions. If something does not work, please let firstname.lastname@example.org know that.
TOP OF THE NEWS
Certification & Accreditation Re-vitalization Begins
Veterans Groups File Class Action Suit in VA Data Theft Case
Ransomware Variant Uses Stronger Encryption
Medical Identity Theft
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Alleged Internet Phone Fraudsters Arrested
SPYWARE, SPAM & PHISHING
Man Agrees to Pay US$1 Million to Settle Spam Lawsuit
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Sweden Investigating Attacks on Government and Police Web Sites
Laptop in Lost Suitcase Holds Grocery Chain Retirees' Pension Data
More Missing Laptops
Univ. of Kentucky Notifies 1,300 of Personal Data Exposure
Microsoft to Clarify Purpose of Windows Genuine Advantage Daily Check-in
An Ounce of Prevention
Creating Security Problems to Fix
Purportedly Destroyed Hard Drive from Ohio Surfaces in Chicago
New Oklahoma Spyware Law May Have A Dark Side, Thanks To Software Vendors
******************** Sponsored By CipherTrust ***************************
Protect Your Company From The Bad Guys...Spammers, phishers, hackers, zombies, and other malicious e-mail threats that continue to grow in volume and sophistication. New communication protocols such as instant messaging, Webmail and VOIP begin to face similar crises. Ready to secure your messaging infrastructure? Complimentary 60 minute CipherTrust webcast featuring Gartner's Peter Firstbrook:
Like gold hidden in rocks, a number of surprising security assets have been discovered hiding in log data - in logs you might not be keeping. More than a dozen users from banks, hospitals, manufacturers, and government will be sharing their discoveries at the Log Management Summit July 12-14 in Washington, DC. And in the same hotel, you can attend any of 16 SANS immersion training courses, taught by the world's best instructors. You'll also be allowed to attend insider briefings on new developments in malware and other security innovations. That's SANSFIRE 2006, July 5-12.
Log Management Summit information: http://www.sans.org/logmgtsummit06
SANSFIRE 2006 information: http://www.sans.org/sansfire06
TOP OF THE NEWS
Certification & Accreditation Re-vitalization Begins (7 June 2006)
The Director of National Intelligence CIO's Certification & Accreditation (C&A) Re-vitalization initiative held its kick-off event on 7 June 2006. This is a five-month effort designed to solicit fresh and innovative ideas for improving the C&A process, and participation is sought from industry, academia, and government. After the kick-off, the initiative intends to use information-gathering forums, tiger teams, war-room activities and an executive review. If you are involved in certification, you probably want to be involved in this effort.
[Editor's Note (Paller): General Meyerrose (DNI CIO) and Priscilla Guthrie (DOD Deputy CIO) have demonstrated enormous (and rare) security leadership in publicly saying that C&A is broken. Kudos to both. They'll get push-back from federal security policy people who will say that the point-in-time certifications did a little good here or there and that we "shouldn't throw the baby out with the bath water." My great hope is that General Meyerrose and Ms. Guthrie are strong enough to ignore these misguided people, and follow through to change C&A to a continuous monitoring and correction process where all the major security benefits lie.
PS: Have you ever wondered why a three-year C&A paper exercise is almost never used by leading security practitioners in the banking and other commercial organizations where security problems are immediate and critical? Could it be that the federal C&A process isn't worth the money? ]
Veterans Groups File Class Action Suit in VA Data Theft Case (4, 6 & 7 June 2006)
The Department of Veterans Affairs (VA) has acknowledged that the data on the laptop computer and external hard drive stolen from an agency analyst's home belong not only to retired military personnel, but also to nearly 80 percent of the military's active-duty force and to more than 1 million members of the National Guard and reserves. A class action lawsuit filed by five separate veterans groups seeks full disclosure of who is affected by the theft, US$1,000 in damages for each individual affected, and "an injunction that would bar VA workers from using any personal data until a court-appointed panel decides how best to protect against future breaches." The Montgomery County, Maryland police department is offering a US$50,000 reward for the return of the stolen hardware. Taking data home violates established VA procedures. Officials say the analyst has been fired and his supervisor has resigned from his position.
(Please note this site requires free registration)
Ransomware Variant Uses Stronger Encryption (6 June 2006)
A new variant of ransomware has been detected spreading in Russia. Win32.GpCode.ae encrypts data on infected machines with 260-bit RSA encryption and demands money in exchange for releasing the files.
[Editor's Note (Ranum): Moral: do your backups and maintain them offline. ]
Medical Identity Theft (5 June 2006)
People victimized by medical identity theft face hurdles in repairing their records because, unlike victims of financial identity fraud, "there are no blanket rights allowing people to correct errors in their medical files." Victims have been faced with bills for procedures and services they never received; furthermore, false information, including blood type and medication, could be added to victims' medical records, which could jeopardize their lives in emergencies. Hospitals are starting to establish practices to prevent medical identity theft.
[Editor's Note (Northcutt): This is becoming a big issue; closely monitor any requests/replies for "explanation of benefits" from your health insurer. Take services that you never received or office visits that you didn't make seriously. The wrong information in your medical jacket could get you killed. Here are two related stories: ]
********************** Sponsored Links: *******************************
1) Do you know what your privileged users are doing? We do. Learn more at http://www.sans.org/info.php?id=1186
2) "Hacking the Hallways: The Convergence of Physical and Logical Security" a SANS Tool Talk Webcast next week -
Tuesday, June 13 at 1:00 PM EDT (1700 UTC/GMT)
3) Upcoming ToolTalk Webcast: Auditors Present How to Reach Compliance Nirvana - PCI and Government Regulatory Compliance
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Alleged Internet Phone Fraudsters Arrested (8 & 7 June 2006)
Police in Miami have arrested Edwin Andres Pena and Robert Moore on charges of wire and computer fraud. Pena allegedly tapped into Internet phone companies' lines and sold service to others. Moore allegedly helped by breaking into the networks.
[Editor's Note (Schmidt): There are a lot of best practices around VoIP security as well as some good work done by the VoIP Security Alliance ( ). Implementing best practices can make this a non-issue. Don't forget the client side, though. Normal client-side vulnerabilities can create similar problems.]
SPYWARE, SPAM & PHISHING
Man Agrees to Pay US$1 Million to Settle Spam Lawsuit (5 June 2006)
Ryan Pitylak has agreed to pay US$1 million to settle a lawsuit brought by Microsoft and the State of Texas accusing him of sending millions of unsolicited commercial email messages on a daily basis. Authorities have also seized the assets Pitylak acquired as a result of sending spam. Pitylak has written on his blog that he now understands why spam is such a problem and that he has started a consulting company to advise others on protecting their systems from spam.
[Editor's Note (Schultz): Here lamentably is yet another case of someone who has by all appearances broken the law and who now declares himself a security consultant. There really ought to be a law against this sort of thing.
(Honan): Great, just what the industry needs, another road to Damascus convert! I wonder if companies that hire people like these also hire convicted burglars to look after their physical security? ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Sweden Investigating Attacks on Government and Police Web Sites (7 & 5 June 2006)
Sweden's official government and police web sites have been targeted by cyber attacks believed to be in response to the shutdown of Pirate Bay, a web site that allegedly facilitated digital piracy. Sweden's Security Police intelligence agency is investigating the attacks.
Laptop in Lost Suitcase Holds Grocery Chain Retirees' Pension Data (5 & 2 June 2006)
A laptop that was in a checked bag lost by a commercial airline last month contained personal data belonging to people who have retired from four US grocery store chains owned by Ahold USA. The affected former employees have been notified by letter, but the company is not releasing information about the number of people affected. An Electronic Data Systems Corp. (EDS) employee lost the computer; that company provides data processing services for Ahold USA's pension plan. An EDS spokesperson said the employee violated company policy by placing the computer in checked luggage.
[Editor's Note (Ranum): The important phrase here is: "the employee violated company policy by placing the computer in checked luggage." Since a great deal of security practice today is based on procedural "controls" rather than technical enforcement you can see exactly how effective it is: all you need is one person who ignores the procedures and you're in a world of hurt. A more pertinent question would be "why is it even possible for people to gain unfettered access to complete subsets of a database?" ]
More Missing Laptops (5 June 2006)
A laptop lost on an airline flight contained data, including names, Social Security numbers and fingerprints, belonging to nearly 300 IRS employees and job applicants. The IRS plans to send letters to all people affected by the potentially exposed data.
(6 June 2006)
Four laptop computers stolen from the offices of Buckeye Community Health Plan in Columbus, Ohio contained data belonging to 72,000 subscribers in three counties and medical data belonging to 13,000 subscribers. The company plans to notify all those affected by letter.
(1 June 2006)
Two laptop computers stolen from the offices of the YMCA of Greater Providence (RI) contained personal data, including names, addresses and some credit card, bank routing and Social Security numbers, belonging to more than 65,000 YMCA members. The YMCA plans to notify members of the security breach.
[Editor's Note (Schmidt): Ok, enough is enough!!! It is time to mandate the use of STRONG encryption to reduce the likelihood of ANY of these becoming an issue. Same thing applies with data leakage related to file sharing (P2P) applications. The amount of data on P2P networks is unreal and the fact it is not encrypted is almost criminal.
(Kreitner): It's time for a mandate requiring encryption of personal data on any portable device or media, with a stiff penalty for non-compliance.
(Grefer): A Kensington (or similar) cable lock is a rather low cost investment in comparison to the alternatives illustrated above. ]
Univ. of Kentucky Notifies 1,300 of Personal Data Exposure (2 June 2006)
The University of Kentucky (UK) has notified approximately 1,300 current and former employees that their personal data, including Social Security numbers (SSNs), were exposed. The university has corrected an error that made a folder containing the data publicly available for 19 days in May. During that time, the folder received 41 hits. UK is in the process of installing a new system and halting the use of SSNs as unique identifiers.
Microsoft to Clarify Purpose of Windows Genuine Advantage Daily Check-in (8 June 2006)
Microsoft agrees that it needs to be more forthcoming about how its Windows Genuine Advantage (WGA) Notification tool behaves. The tool, which is designed to ensure that computers are running legitimate versions of software, checks in daily with Microsoft. Microsoft says the daily check-in allows the company to shut down the program quickly if there is a malfunction. The WGA licensing agreement does not disclose the check-in feature. The company plans to change the program so it checks in every two weeks instead.
[Editor's Note (Schultz): The title of the "Windows Genuine Advantage" tool is terribly misleading in that the advantage is clearly Microsoft's, not users'. In time I predict that some of the same issues that plagued Sony BMG over its copy restriction software will surface concerning this tool. ]
An Ounce of Prevention (6 June 2006)
While testifying at a Senate hearing prompted by the Department of Veterans Affairs' loss of data on 26.5 million veterans, Gartner analyst Avivah Litan noted that a company with 10,000 or more accounts to protect could spend US$16 per account on data encryption, host-based intrusion prevention and strong security audits, whereas companies would spend at least US$90 per account in the event of a security breach.
[Editor's Note (Schultz): I strongly agree that encryption is the most logical first step in protecting sensitive data. However, Litan's comparison of costs associated with protecting these data and with data security breaches was incomplete in that she omitted any mention concerning the probability of a data security breach occurring with and without appropriate control measures. Without knowing such probabilities, the real value of spending $16 to safeguard against an incident that costs $90 is unknown. ]
Creating Security Problems to Fix (5 June 2006)
Warnings from antivirus companies often do not live up to their hype; in December and January, warnings circulated about the Sober and Kama Sutra worms, but both fizzled. According to a survey from the Computer Security Institute and the FBI, losses from security breaches fell last year, as did the percentage of companies reporting problems with malware. Antivirus vendors are now predicting the next vectors of attack - IM, wireless and the susceptibility of employees to social engineering.
[Editor's Note (Pescatore): There is definitely a "boy who cried wolf" problem here. Most security professionals know there really are hungry wolves out in the woods but if we shout wolf every time we see a chipmunk, our credibility is gone. When vendors try to hype sales by making every new vulnerability or new threat in the lab seem like the coming of the apocalypse, no one will believe us when we try to get them to act in advance of the next real problem. Security products need to start heeding Moore's law and each year blocking more threats for the same price, or the same threats for a lower price - and get out of the mode of hyping each threat to sell a new product.
(Schmidt): I would not put this on the anti-virus companies, but on "so called experts" that jump on listservs with doom and gloom stories every time they hear of something new. They have no insights as to what companies do to protect their systems. The men and women working in the IT/IT Security shops deserve a lot of credit for keeping the impact of malware down again.
(Paller): The PR arms of a few of the security companies are geared to exploit every possible vulnerability or threat - to get their executives into the news, regardless of how much damage they do by hyping tiny problems. ]
Purportedly Destroyed Hard Drive from Ohio Surfaces in Chicago (1 June 2006)
An Ohio couple was startled to receive a phone call from a man in Chicago telling them he had purchased their old computer hard drive at a flea market for US$25; the couple believed the drive had been destroyed. The man offered to wipe the drive or send it to them. The couple had taken their computer to Best Buy to have the drive replaced a year ago; they were assured that the old drive would be destroyed.
[Editor's Note (Schmidt): Once a person moves on to a new computer they usually forget all about the old data. PC vendors should add a utility that wipes the disk BEFORE you recycle a computer. ]
New Oklahoma Spyware Law May Have A Dark Side, Thanks To Software Vendors (1 June 2006)
The Oklahoma "Computer Spyware Protection Act," House Bill 2083, allows fines of up to a million dollars for inserting spyware, but if you click the accept button on the user agreement it also authorizes vendors to remove non-registered software from your hard drive. According to the article, Microsoft helped develop the bill.
[Editor's Note (Northcutt): This is actually a fairly broad piece of legislation; the liability limitation clauses should be closely scrutinized. The Bill is available in RTF here: webserver1.lsb.state.ok.us/2005-06HB/HB2083_int.rtf ]
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/