SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #47
June 13, 2006
Tomorrow (June 14) is the final day for getting low cost hotel rooms for SANSFIRE in Washington, July 5-13. It is also the final day for saving $150 on registration costs. This is a great conference: 16 immersion tracks and several "insider briefings" that only SANSFIRE delegates will be allowed to attend, including new data on the most effective penetration testing techniques and how to block them.
TOP OF THE NEWS
Energy Dept. Officials Learn of Data Security Breach Months After the Fact
VA Changes Telework Rules in Wake of Massive Data Loss
Court Upholds FCC Ruling Requiring VoIP Providers to Comply with CALEA
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DISA Wants Info on Tools to Fight Insider Threats
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
JS-Yamanner Worm Affects Yahoo! Mail Users
Microsoft to Issue a Dozen Bulletins on June 13
Microsoft Will Not Fix Flaw in Windows 98 and ME
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Michigan High School Investigating Computer System Intrusion
Missing Hard Drive Holds CPAs' Names and SSNs
Penetration Testers Try a New Twist on Social Engineering
TOP OF THE NEWS
Energy Dept. Officials Learn of Data Security Breach Months After the Fact (9 June 2006)
Senior Energy Department officials learned on June 7 that a cyber intruder stole a file containing names and Social Security numbers (SSNs) of 1,500 workers at the Energy Department's nuclear weapons agency from a computer system at the National Nuclear Security Administration (NNSA). The breach occurred in September 2005. Although NNSA administrator Linton Brooks learned of the breach in September, he maintains he did not know whose job it was to inform Energy Secretary Samuel Bodman or Deputy Energy Secretary Clay Sell. Secretary Bodman has directed that the individuals affected by the data theft be notified immediately; no effort to notify them had been made before.
[Editor's Note (Pescatore): There is definitely a trend to allow corporate work to be performed on privately owned devices. While there can definitely be productivity increases and capital expenditure reductions if this is done right, VA's problems show how expensive this can turn out to be if done wrong. It is really not all that hard to build the right security controls in to do telework securely - the key is building it in before telework is allowed.
(Schultz): Who is Mr. Brooks trying to fool? Ignorance is no excuse for failing to notify those who have been potentially affected by this deplorable incident.
(Honan): Good security is only as effective as the response it generates, in this case it appears that neither the security nor the response was good enough. ]
VA Changes Telework Rules in Wake of Massive Data Loss (8 & 7 June 2006)
Veterans Affairs employees may no longer use their own computers to conduct official business for the agency, and at one of the VA's divisions, the Veterans Benefits Administration, telework has been limited. Claim files may no longer be removed from offices; some employees may access servers through a virtual private network (VPN) but may not use their own computers to do so. VA employees also received a directive reminding them that failing to comply with VA data protection policy could result in penalties. Some have observed that the massive data breach that prompted these changes and reminders could have been prevented if the employee had used the VPN instead of bringing the data home. Inadequate IT management structure at the VA has also been blamed for the data breach; the CIO can issue policies, but lacks the power to enforce those policies by shutting down systems or withholding funding.
[Editor's Note (Northcutt): The statement about the CIO that can issue policy but lacks the power to enforce the policy reminds me eerily of the Pueblo Incident, the ship that was boarded by North Korea and the crew held for 11 months. When Cdr. Bucher took command of the ship he had concerns about her security and recommended that a destruction system be installed for the ship's electronic and cryptographic areas and noted that scuttling the ship would take 2 1/2 hours. He was not given the authority to make changes:
(Schultz): Something is indeed wrong with the IT management structure if the CIO does not even have the power to shut down systems when there is a policy violation. ]
Court Upholds FCC Ruling Requiring VoIP Providers to Comply with CALEA (9 June 2006)
The US Court of Appeals for the District of Columbia has upheld a Federal Communications Commission (FCC) ruling that providers of voice over Internet Protocol (VoIP) must comply with the Communications Assistance for Law Enforcement Act (CALEA) by providing law enforcement agencies with wiretapping capabilities by May 14, 2007. Those appealing the FCC ruling had argued that building wiretapping capabilities into VoIP would introduce vulnerabilities and increase costs to consumers.
[Editor's Note (Pescatore): This is a touchy topic, but in 1968 the United States decided law enforcement needed the ability to monitor the communications of suspected criminals, passing the Title III acts. Over the years the oddly named Electronic Communications Privacy Act (1986) and CALEA (1994) reaffirmed and extended this decision to wireless and digital forms of communication. It is important that the defined legal controls be followed to make sure that this capability is not misused, but the Internet does not change the fact that our current laws define lawful intercept as a required capability. The definition of "provider" needs to be more carefully defined, but until we as a society decide that lawful intercept is not necessary, we should not be surprised that each new form of communication will run into this issue. ]
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DISA Wants Info on Tools to Fight Insider Threats (2 June 2006)
The Defense Information Systems Agency (DISA) has issued a request for information seeking tools to help fight insider threats. DISA is specifically looking for tools to monitor and gather data on insider network activity, analyze that data and warn of anomalies. Responses are due to DISA by July 5.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
JS-Yamanner Worm Affects Yahoo! Mail Users (12 June 2006)
The JS-Yamanner worm collects the addresses it finds on Yahoo! Mail contact lists to spread itself; it also sends the addresses back to a remote server. The "from" field is spoofed to make the email appear to come from email@example.com. It spreads when users open email sent by the worm. The vulnerability allows script embedded in HTML email to run within users' browsers. Internet Storm Center analysis:
Microsoft to Issue a Dozen Bulletins on June 13 (9 June 2006)
On Tuesday, June 13, Microsoft will release nine security bulletins for Windows, one for Microsoft Exchange and two for Microsoft Office; the highest severity rating among the updates is "critical." Several of the updates will require restarts.
Microsoft Will Not Fix Flaw in Windows 98 and ME (9 June 2006)
Microsoft does not plan to issue a fix for a flaw in Windows 98 and ME that could allow attackers to take control of vulnerable machines because it could break other applications. Fixes are available for Windows Server 2003, XP and 2000. Microsoft is cutting back on support for earlier operating systems, issuing patches only for vulnerabilities with critical ratings. Users of Windows 98 and ME are encouraged to configure firewalls to filter traffic on TCP port 139 to guard their systems from exploits. Microsoft says the best way to enhance security for Windows-based machines is to upgrade to newer versions of the operating system.
[Editor's Note (Grefer): Microsoft's suggestion to upgrade from Windows 98 and ME to the likes of XP is not practicable. The effective system and performance requirements would demand massive upgrades to the hardware in addition to the cost of the upgrades of the operating system and application software. For all practical purposes, Microsoft is therefore telling consumers that they are out of luck and better get a new computer, soon.
(Northcutt): It is all too easy to view this as planned obsolescence and claim it is all about more money for Microsoft, but the sad reality is that it is impossible to secure Windows 98 and ME. If you are going to put a computer with an MS operating system on a network, even a dial up ISP account, it should probably be Server 2003 or XP. ]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Michigan High School Investigating Computer System Intrusion (8 June 2006)
The International Academy, a public high school of choice in Bloomfield Hills, Michigan, is investigating an incident in which five students allegedly gained unauthorized access to a school computer system and changed grades. The incident came to light after teachers noticed discrepancies between the computerized records and their own records. The investigation has uncovered evidence that the students placed software on the computer system that allowed them to gather teachers' user names and passwords. The students will receive punishments ranging from loss of academic credit to expulsion; they could also face criminal charges, depending on the findings of the investigation.
Missing Hard Drive Holds CPAs' Names and SSNs (7 June 2006)
A damaged hard drive belonging to the American Institute of Certified Public Accountants (AICPA) has been missing since February. The drive holds unencrypted personal data belonging to almost all 330,000 members of the organization. The drive "was sent for repair to an external data recovery service in violation of the AICPA's policies." It was sent back via FedEx, but never arrived. All affected members have been notified of the drive's loss.
[Editor's Note (Grefer): A few dollars spent on encryption software could have helped to avoid at least some of the headaches the AICPA and FedEx are now facing.
(Kreitner): Now every member of AICPA please go to the blackboard and write "unencrypted personal data is a bad idea" 500 times.
(Ranum): This is the 4th incident we've seen in the last 2 weeks in which data was compromised because someone exposed it "in violation of policy." This brings to mind a few questions: 1) Is "policy violation" the new scapegoat? Presumably, disclosing information is a violation of policy. Therefore it's always the employee's fault? 2) The notion of "risk management" assumes that organizations are able to effectively factor risk likelihood into their controls. What happens when the likelihood estimate is way off? Well, it appears that a vast number of organizations seriously underestimated their exposure to "unwanted data migration." Now what? ]
Penetration Testers Try a New Twist on Social Engineering (7 June 2006)
A credit union that had been experiencing problems with employees sharing passwords and divulging other information too easily hired a company to assess their network security with a focus on social engineering. Employees were aware that their security was going to be tested, so instead of taking the usual social engineering routes, the penetration testing company left 20 USB drives near the credit union in the parking lot and smoking areas. Employees picked up 15 of the 20 drives and installed them on their computers to see what they held, which turned out to be a Trojan horse program that gathered passwords, logins and other data and emailed them back to the company.
[Editor's Note (Northcutt): It may be a new twist to the author of the article, but this trick is as old as the hills. I first saw this done using a floppy disk survey. You stuck the disk in your laptop, filled out the survey, put the disk in a pre-packaged mailer and sent it back to receive a free prize. Another variant is demonstration software. You leave shrink-wrapped CDs that look like they have games or useful applications around the target site. People will try the game or application while installing the attacker's software on their systems. The article does serve as a reminder, and I like the ending. Telling people is not enough, you need to keep hammering it into their heads. It would be interesting to try some trojaned thumb drives in a candy jar that if inserted into a computer posted a big red message saying you just earned a 100 dollar fine.
(Schultz): I have mixed feelings about this news item. On one hand, the penetration testers deserve a great deal of credit for their ingenuity. At the same time, however, members of the black hat community who learn of this new social engineering method are now more likely to try it. ]
NewsBites Editorial Board: Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/