
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #53

July 07, 2006

Question for NewsBites readers: have you any experience with PC/laptop encryption tools? A key at the upcoming Secure Storage Summit will highlight the tools that work and point out the challenges users faced in implementing enterprise laptop encryption programs. If you have assessed these products, developed criteria for assessment, implemented one or more, or have other reasons to be familiar with them, please share your experiences with us at info@sans.org (Subject: encryption). Both whole-disk and file encryption information is welcome. We are especially interested in enterprise solutions, including small enterprises. If you don't already know how to implement laptop encryption and want an invitation to the upcoming summit, email encryptionsummit@sans.org.

Also: Network Security 2006 (Las Vegas, October 1-8, 2006) has just gone live for early registration. Last time we held a major conference in Las Vegas, 40% of the classes were sold out. Please review the program at http://www.sans.org/ns2006/ and register early to get a place in the course you want.


VA Directive Gives CIO Authority to Enforce Policy
Study Finds Popular eVoting Machines Susceptible to Fraud
Microsoft's WGA Spurs Two Lawsuits


Five Arrested in Connection with LexisNexis Data Theft
Co-Founder of Web Site that Sold Stolen Data Sentenced to 32 Months
High Court OKs Lawsuit Against Allofmp3.com
IFPI to Sue Yahoo China for Links to Pirated Music
OpenOffice Update Addresses Three Flaws
Flaw Found in IE Also Affects Firefox
Cyber Intruders Steal Funds from South African Bank Accounts
Red Cross Says Blood Donor Data on Stolen Laptop Were Encrypted
NIH Credit Union Acknowledges Data Theft
Nebraska Child Support Payment System Compromised
Study: Some IT Directors Using Live Data for Application Testing and Development

************************** Sponsored By Lancope *************************

"Revolutionize How You View Your Network Security" How do you protect what you can't see? Stop protecting while blind. Gain network visibility now. Learn how StealthWatch, the most widely used Network Behavior Analysis system, provides visibility and cost-effective, scalable security across internal enterprise networks. ALERT: Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."



Summer Security Training Extravaganza Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.



VA Directive Gives CIO Authority to Enforce Policy (30 June 2006)

A directive from Veterans Affairs (VA) secretary James Nicholson gives the VA CIO the authority to enforce security policies and procedures across the agency; the CIO's authority had previously been limited to "seeking compliance." The directive also requires that sensitive VA data be kept only on VA devices; VA plans to issue guidance regarding the practice of employees using their own computers to do VA work. VA CISO Pedro Cadenas resigned on June 29, a day after Nicholson issued the directive. Cadenas, who had been at the VA for over three-and-a-half years, said that until last week's policy changes he had never had the "authority to implement any improvements;" Cadenas said the directive assigned him the onus of fixing VA security.


[Editor's Note (Pescatore): Responsibility, authority and resources always have to be aligned for anything to get done. But I think the movie "The Wizard of Oz" pointed out that the Scarecrow really didn't need that diploma to make smart decisions. I sure hope the Secretary of VA doesn't really believe that the problem was just the lack of a directive saying that security policies and procedures were actually enforceable.
(Kreitner): "Seeking compliance"--what in the world does that mean? It is time for executive managers to get serious about protecting the information entrusted to them by making clear assignments of accountability for the operational disciplines that protect information. And some advice to individuals considering a CIO or CISO job that doesn't provide authority to implement improvements--don't touch it. Go do something else.
(Honan) - Seems to me that the VA have fallen into the trap of thinking that information security is the sole responsibility of IT. Not so, information security is the responsibility of all within an organization and the enforcement of policies should not rest solely with IT management but with management throughout an organization.
(Paller): With great respect for my fellow editors, I think what VA did is absolutely essential and all too rare. It's an important first step toward giving federal employees a reason to take security policies seriously. Of course, if the VA security policies are imprecise and untestable, if the VA doesn't monitor attack-based metrics, and if there are no repercussions for employees who ignore the important policies, then this move will have no impact at all. ]

Study Finds Popular eVoting Machines Susceptible to Fraud (27 June 2006)

A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November. Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail.
[Editor's Note (Schultz): The fact that a verifiable paper trail is being proposed is in and of itself an extremely positive step forward as far as fairness in electronic voting goes.
(Pescatore): I think we are past the point where any rational person believes that most current voting machines are safe enough. The first generation of ATM machines weren't secure enough either - the real issue is making sure the current problems are bounded and managed, and that the next generation of voting machines make big leaps forward.
(Honan): The Irish Commission on Electronic Voting recently published their report highlighting serious concerns with the software used in the electronic voting machines purchased by the Irish Government. ]




Microsoft's WGA Spurs Two Lawsuits (5 July & 30 June 2006)

A lawsuit filed by a Los Angeles man against Microsoft alleges the company's Windows Genuine Advantage (WGA) anti-piracy tool violates consumer protection laws in California and Washington State as well as other laws that prohibit spyware. In addition to seeking damages, the suit asks that Microsoft delete all data gathered by WGA and provide customers with a means of removing the tool from their computers. Microsoft says the suit is without merit. A second lawsuit, filed on June 30 in US District Court in Seattle, alleges that Microsoft misled customers by calling WGA a critical security update; the class action suit also alleges that WGA is spyware.



**************************** Sponsored Links: **************************

1) Find out how Check Point's next-generation Unified Threat Management solutions can simplify your network security.


2) Tune into the FREE SANS Internet Storm Center editor coming up next Wednesday, July 12, 2006 at 1:00PM EDT.





Five Arrested in Connection with LexisNexis Data Theft (1 July 2006)

Five men have been charged with aggravated theft for their alleged roles in stealing data from a LexisNexis database. The men allegedly used stolen or forged accounts to access personal information, including Social Security numbers belonging to a number of celebrities. LexisNexis says information belonging to more than 300,000 individuals was stolen.

Co-Founder of Web Site that Sold Stolen Data Sentenced to 32 Months (30 June 2006)

US District Judge William J. Martini has sentenced Andrew Mantovani to 32 months in prison for his role in running a website that trafficked in stolen data used to commit identity fraud. Mantovani, who will also pay a US$5,000 fine, pleaded guilty to a number of charges in November, 2005; in all, 28 people were arrested as the result of an investigation into the Shadowcrew website. Shadowcrew is estimated to have had 4,000 members and to have been responsible for more than US$4 million in losses.



High Court OKs Lawsuit Against Allofmp3.com (4 July 2006)

A High Court judge has ruled that the British Phonographic Institute (BPI) may pursue litigation against Russian music website Allofmp3.com in the UK. Allofmp3.com, which sells copyrighted digital content at unusually low prices, claims to pay licensing fees to the Russian Multimedia and Internet Society; a BPI spokesperson says that organization "is not an officially licensed body and is not recognized as a trade association."


IFPI to Sue Yahoo China for Links to Pirated Music (4 July 2006)

The International Federation of the Phonographic Industries (IFPI) plans "to sue Yahoo China for allegedly providing links to pirated tracks." IFPI chairman John Kennedy has expressed hope that negotiations could preempt the litigation. The IFPI estimates that 90 percent of all recordings in China are pirated.



OpenOffice Update Addresses Three Flaws (3 July 2006)

A recently released OpenOffice update addresses three security flaws. The first could allow Java applets to escape the "sandbox" where they can execute without fear of harming the computer; the second could allow macros to execute even if the user has disabled that function; and the third could allow malicious code onto systems through a buffer overflow in XML file format parsing. The flaws affect versions 1.1.x and 2.0.x; OpenOffice version 2.0.3 addresses the problems, and a patch for 1.1.x is expected to be released soon. The flaws also affect StarOffice/Star Suite 8.x and 7.x and StarOffice 6.x; patches are available. The flaws were discovered during internal audits and there are no known exploits.


Flaw Found in IE Also Affects Firefox (30 June 2006)

One of the two recently disclosed flaws in Internet Explorer (IE) could also affect users of Mozilla's Firefox web browser. The flaw affecting both IE and Firefox could be exploited with cross-site scripting to steal sensitive data. The exploit would require that the targeted user have multiple browsers open. The flaw that affects just IE lies in HTA application processing and could be exploited to allow files to be read or rootkits to be installed without authorization. Exploit code for both IE flaws has been published, but there have been no reported attacks.

[Editor's Note (Tan): Browser vulnerabilities catch many people's attention, particularly on those popular browsers. Interestingly, HD Moore has announced in his blog that he will publish one new browser vulnerability each day for the entire month of July to mark the Month of Browser Bugs project. Let's hope the vendors will address them before it gets out of control. ]


Cyber Intruders Steal Funds from South African Bank Accounts (5 & 4 July 2006)

Three banks in South Africa are investigating security breaches that resulted in money being stolen from customers' accounts. First National Bank, Standard and Absa say thousands of rands (R1,000 = US$142) were stolen from customer accounts over the course of three months.


Red Cross Says Blood Donor Data on Stolen Laptop Were Encrypted (1 July 2006)

The American Red Cross has acknowledged that a laptop computer holding personal data of thousands of Texas and Oklahoma blood donors was stolen from an office in the Dallas area. Red Cross officials say the data were encrypted. Donors were not notified of the theft, though police and the national office were informed.
[Editor's Note (Multiple): Assuming the data really was encrypted, let's hear it for the Red Cross!
(Schultz): The fact that an American Red Cross laptop was stolen is not anything to celebrate, yet the fact that someone at this organization was wise enough to ensure that laptop data were encrypted warrants recognition of the person or persons who advocated this practice. ]

NIH Credit Union Acknowledges Data Theft (29 June 2006)

The National Institutes of Health (NIH) credit union has notified an undisclosed number of its 41,000 customers that their personal data were compromised and used to commit identity fraud. All customers were alerted to the data theft. Few details about the incident have been released; an investigation is underway. (Please note this site requires free registration)


Nebraska Child Support Payment System Compromised (29 June 2006)

Nebraska state treasurer Ron Ross acknowledged that a cyber intruder has compromised a computer system holding child support payment data. The State Patrol is conducting a forensic investigation; Ross does not believe the intruder downloaded any data. He encouraged parents who pay and receive support and their employers to monitor their financial accounts for anomalous activity.
[Editor's Note (Schultz): I would not at all be surprised to learn that the person who broke into this database was allegedly someone hired by a "deadbeat" father who wanted to avoid paying his fair share of child support. ]


Study: Some IT Directors Using Live Data for Application Testing and Development (4 July 2006)

A study has found that of 100 UK IT directors, 44 percent use real customer data when testing and developing applications in violation of the Data Protection Act (DPA). The DPA's second principle prohibits the use of customer data for any "purposes other than those for which it was collected." Eighty-six percent of those surveyed said their companies sent customer data offshore protected only by a non-disclosure agreement.

[Editor's Note (Schultz): It is incredible that so many individuals, the ones in the news item cited in this issue of the SANS NewsBites, ignore the long time, proven principle that one should never put anything into production that has not first been tested in a non-production environment. ]
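The practical alternative to the practice reported in this item is to pseudonymize a production extract before it reaches a test or development environment, so that developers work with realistic records that carry no real customer identifiers. The example below is added here for illustration and is not from the study, from SANS, or from any product mentioned in this issue. It assumes a flat record layout with constructed field names (`name`, `email`, `ssn`, `account`) and a secret key that stays in production; direct identifiers are replaced with keyed HMAC tokens (consistent across records, so joins and uniqueness constraints still behave, but not reversible without the key), account numbers keep only their last four digits, and non-identifying fields pass through unchanged.

```python
import hmac
import hashlib
from typing import Any, Dict, List

# Constructed sample of what a production customer export might look like
# (hypothetical field names and values; not real customer data).
SAMPLE_CUSTOMERS: List[Dict[str, Any]] = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "account": "4111222233334444",
     "plan": "gold", "balance": 120.50},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "account": "5500111122223333",
     "plan": "basic", "balance": 0.0},
]

# Fields whose raw values must never leave production.
DIRECT_IDENTIFIERS = ("name", "email", "ssn")   # replaced by keyed tokens
PARTIAL_MASK = ("account",)                     # last four digits kept


def token(value: str, key: bytes, field: str, length: int = 12) -> str:
    """Deterministic pseudonym for one field value.

    HMAC-SHA256 keyed with a production-only secret; the field name is mixed
    in so the same string in two different columns yields different tokens.
    Truncated to `length` hex chars: plenty for test data, not a crypto claim.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:length]}"


def mask_account(value: str) -> str:
    """Keep only the trailing four digits, as a statement would show them."""
    return "*" * (len(value) - 4) + value[-4:]


def pseudonymize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of one record safe for a non-production environment."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = token(str(value), key, field)
        elif field in PARTIAL_MASK:
            out[field] = mask_account(str(value))
        else:
            out[field] = value          # id, plan, balance: needed for realistic tests
    return out


def pseudonymize_dataset(records: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    return [pseudonymize_record(r, key) for r in records]


def leaks_identifier(records: List[Dict[str, Any]], pseudonymized: List[Dict[str, Any]]) -> bool:
    """Export-time check: does any raw identifier value survive in the output?"""
    raw_values = {str(r[f]) for r in records for f in DIRECT_IDENTIFIERS + PARTIAL_MASK}
    rendered = repr(pseudonymized)
    return any(v in rendered for v in raw_values)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-production"
    safe = pseudonymize_dataset(SAMPLE_CUSTOMERS, key)
    for row in safe:
        print(row)
    print("identifier leak:", leaks_identifier(SAMPLE_CUSTOMERS, safe))
```

The leak check is the part worth keeping in a real export job: run it on every extract and fail the job if any raw identifier value is found in the output, rather than trusting that the field list has stayed in step with the schema.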

SANS offers a variety of free resources to the security and IT community, including @RISK, the Internet Storm Center, WhatWorks and in-depth webcasts. Read more about these resources and others here: http://www.comsoc.org/livepubs/ci1/public/2006/jul/ciint.html

NewsBites Editorial Board: Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/