SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #48
June 16, 2006
TOP OF THE NEWS
Testimony in UBS PaineWebber Cyber Sabotage Case Illuminates Damage Done By Insider Attack
Exploits for Microsoft Flaws Circulating
Bank Officer Fooled by 419-like Fraud Scheme
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Sentenced for Stealing Verizon Wireless PINs
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
AIG Acknowledges Stolen Hardware Held Personal Data
AusCERT Warns of Phony Failing Bank eMail
Florida's Disaster Site Attack Under Investigation
Ohio University Alums, Donors Weigh in on Data Breaches
Humana Medicare Informs 17,000 of Personal Data Breach
STATISTICS, STUDIES & SURVEYS
Computer Security Institute Finds Cyber Crime Losses Fell Again
Study Finds Security Incidents Up at Financial Services Organizations
TOP OF THE NEWS
Testimony in UBS PaineWebber Cyber Sabotage Case Illuminates Damage Done By Insider Attack (6 June 2006)
Testimony has begun in the case of former UBS PaineWebber systems administrator Roger Duronio, who is accused of planting a logic bomb in the company's computer system resulting in costs to the company in excess of US$3 million due to damage assessment and network restoration. IT manager Elvira Maria Rodriguez, the first witness called by the prosecution, rated the attack and its aftermath a "ten plus" on a scale of 1 to 10. The prosecutor also plans to call an expert witness who will show Duronio's user account and password were used to access the UBS network remotely.
Exploits for Microsoft Flaws Circulating (14 & 13 June 2006)
Within a day after Microsoft's monthly security update, proof-of-concept exploits for at least five of the vulnerabilities addressed have been detected. Microsoft's June security release included twelve bulletins that addressed 21 vulnerabilities in Windows, Microsoft Office and Microsoft Exchange; eight of the bulletins received severity ratings of "critical." Some of the exploits are for flaws that had been disclosed prior to the security updates, but at least two are for flaws that were not known before the updates were released.
Bank Officer Fooled by 419-like Fraud Scheme (3 February 2006)
A Canadian woman is at odds with National Bank after a bank manager there assured her that an out-of-the-blue inheritance from a dead relative in Africa was legitimate. The bank extended her credit to pay what the alleged representative of the Commercial Bank of Togo said were back taxes and other expenses. When the woman finally contacted a lawyer and learned she was the victim of fraud, she was US$40,000 in debt to the bank. The bank has offered to let her pay back just half that amount, but the woman's lawyer has sent a letter to the bank informing them she will not pay.
[Editor's Note (Schultz): I side with the plaintiff in this case. Although it is not an institution's responsibility to warn customers of the plethora of 419 scams that exist and that will perpetually continue to exist, the fact that a bank officer fell for one of them in my mind proves negligence. At some point senior management will catch on to the fact that ignorance of security is no defense. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Sentenced for Stealing Verizon Wireless PINs (13 June 2006)
Timothy Mattos has been sentenced to 70 months in prison for stealing and reselling Verizon Wireless prepaid cellular service card personal identification numbers (PINs) from the company's computer system. The thefts occurred while Mattos was employed as a Verizon customer service representative and continued for a year after he left the company. Mattos has also been ordered to pay US$21.3 million in restitution.
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
AIG Acknowledges Stolen Hardware Held Personal Data (15 & 14 June 2006)
The American International Group (AIG) has acknowledged that computer equipment stolen from one of its offices held personal data that belong to approximately 930,000 individuals whose employers were seeking quotes on corporate health insurance through the company. The data came from nearly 700 different insurance brokers. AIG plans to send letters to those potentially affected by the data security breach soon. The equipment was stolen on March 31, 2006, but the theft was not made public until recently.
[Humorous, but Illuminating Editor's Note (Ranum): After I got my letter from the Veterans' Administration last week, I started to wonder if anyone in the US' personal information has NOT yet been compromised. By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the US. I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised. :) So, the obvious response is to simply put a bullet through the problem. Using a credit card number or a SSN# as a password (because, really, that's all it is - so what if it's longer than 8 characters) is fundamentally doomed to failure. Perhaps the right thing to do would be to publish EVERYONE's SSN# and credit card #s on January 1st next year. That'd give the banks and credit card companies a few months to field some kind of alternative like 2-factor authentication, web-based permit/deny per transaction, or "ship only to" address locking. Clearly, the problem is going to get worse - LOTS worse - before it gets better. So, like pulling off a band-aid: it's best done with one quick painful jerk. ]
AusCERT Warns of Phony Failing Bank eMail (15 June 2006)
The Australian Computer Emergency Response Team (AusCERT) is warning of fraudulent emails suggesting a certain bank is failing and offering links to websites with more details. These sites are set up to install the Haxdoor Trojan horse program on users' computers if they are using Internet Explorer (IE) or Firefox. AusCERT urges people not to click on links in unexpected email and urges administrators to block access to the malicious sites.
[Editor's Note (Paller): And keep the patches up to date. The malicious websites cannot install Haxdoor if your browser has up-to-date patches. ]
Florida's Disaster Site Attack Under Investigation (14 June 2006)
The Florida Department of Law Enforcement is investigating a cyber attack that left the state's emergency web site, www.floridadisaster.com, briefly inaccessible on the morning of Tuesday, 13 June as Tropical Storm Alberto approached. Precautions have been taken to protect the site from similar attacks and workers are reviewing logs and using network tools to gather clues to the attacker's identity.
[Editor's Note (Schultz): I fear that business continuity planning efforts too often overlook potential events such as the one in this news item. The potential for security-related incidents very often ties in with the ability to engage in business continuity-related operations. ]
Ohio University Alums, Donors Weigh in on Data Breaches (12 June 2006)
Ohio University (OU) officials are feeling the fallout from a number of recently disclosed data security breaches that exposed personal data, including Social Security numbers (SSNs) of thousands of students and alumni. Many have informed the school they will no longer be making donations, and some have questioned why the school retains alumni SSNs, including those of alumni who have never donated to the university. OU has spent more than US$77,000 to send letters to affected alumni and other donors. Two breaches were publicly disclosed last month; while these were being investigated, evidence of other breaches was uncovered.
[Editor's Note (Kreitner): When it gets across to enterprise management that these data breaches can cause significant financial pain in the form of lost customer confidence and revenue, we might begin to see a tapering off of the plethora of events like this involving exposed personal data.
(Paller): Sadly, I am already seeing evidence that corporate executives have discovered that *disclosure* of such breaches costs them money. In response they are investing huge sums of money lobbying Congressional committee chairmen to draft laws that allow them to keep the breaches secret. The US government already keeps most of its breaches secret, so it seems only fair to the executives that the California and other state disclosure laws should be rescinded by Federal legislation. Money talks in Washington. The executives are getting what they want. ]
Humana Medicare Informs 17,000 of Personal Data Breach (3 June 2006)
Humana has informed roughly 17,000 people enrolled in Humana Medicare plans that their personal data were discovered on an unsecured hotel computer. Apparently a Humana employee staying at the hotel opened an email attachment containing the data and never deleted it when he was finished working. A Medicare spokesman called the incident "unacceptable" and has directed Humana to develop and implement a plan "to ensure that such privacy violations do not occur again."
[Editor's Note (Honan): The best plan to prevent this type of disclosure is to restrict employee access to known secure machines and not public/home computers. The amount of confidential corporate data available on hotel and Internet cafe PCs is frightening. ]
STATISTICS, STUDIES & SURVEYS
Computer Security Institute Study Finds Cyber Crime Losses Fell Again (14 June 2006)
A survey from the Computer Security Institute found that cyber crime losses reported by businesses fell for the fourth year in a row. Survey respondents reported average losses of US$168,000, down 18 percent from last year's survey figures and 64 percent from those of the year before. Respondents also reported experiencing fewer cyber security incidents; viruses, laptop theft and insider threats topped the list of problems.
[Editor's Comment (Northcutt): They must not read NewsBites; clearly either losses are up or reporting of loss is going up! The survey is based on 615 responses, and that might be too small to be a significant sample.
(Paller): In addition, we have hard data that bank losses from cyber attacks are skyrocketing - up 300% or more from last year in some large banks. ]
Study Finds Security Incidents Up at Financial Services Organizations (14 June 2006)
The fourth annual Deloitte Touche Tohmatsu survey of the world's top 100 financial services institutions found 78 percent said they had experienced an external security breach in the past year; that figure was just 26 percent in 2005. The percentage of responding organizations that experienced at least one internal security breach rose from 35 percent last year to almost 50 percent this year. On a positive note, close to 88 percent of the respondents said their organizations had established business continuity plans.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He is the CTO of High Tower Software.
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/