SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #61
August 04, 2006
Microsoft will release patches for 10 Windows vulnerabilities and 2 Office vulnerabilities on Tuesday. Some of them are rated Critical. http://www.microsoft.com/technet/security/bulletin/advance.mspx
We just received confirmation that the Process Control & SCADA Security Summit (Las Vegas Sept. 28-30) will have special sessions on the new networking technologies being woven into control systems and the new security vulnerabilities those technologies introduce. Add the definitive session on current attack patterns against control systems, ranking of the vulnerabilities, specific strategies for mitigating each of them, best practices from innovative users, the top five research projects, and you have the perfect program to prepare IT security and control system engineers. Please make sure your control systems people are aware of the Summit. It happens just before SANS Network Security in Las Vegas, the largest security training conference.
Control System/SCADA Security Summit: http://www.sans.org/scadasummit_fall06/
Network Security 2006: http://www.sans.org/ns2006/
TOP OF THE NEWS
Barclays to Issue Card Readers to Online Banking Customers
South Korea to Ask Google to Remove ID Numbers
Trojan Hits 10,000 Computers in Australia; Tax File Numbers Stolen
More Than Half of Home Users Secure Wi-Fi Networks
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Nova Scotia Auditor General: IT Security Problems Not Addressed
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Update for Mac OS X
McAfee Patches Remote Code Execution Flaw in SecurityCenter
Diebold eVoting Machine Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Three More Laptop Thefts
Colleges Struggle with Cyber Security
Scammers Use Bots to Boost eBay Ratings
STATISTICS, STUDIES & SURVEYS
Survey: IT Workers Earn Extra Pay for Skills and Certifications
Ohio University Reveals IT Restructuring Plan
************************** Sponsored By SANS ****************************
CYBER DEFENSE INITIATIVE 8570 TRAINING EVENT 16-22 OCTOBER, SILVER SPRING, MD
First Cyber Defense Initiative (CDI) training event in response to the US Department of Defense's Directive 8570.1 and its implementing manual DoD 8570.01-M.
TOP OF THE NEWS
Barclays to Issue Card Readers to Online Banking Customers (3 August 2006)
The UK's Barclays bank will issue card readers to its online banking customers. The bank hopes to reduce "card-not-present" fraud with the devices, which will give users a one-time pass code to enter the online banking portal after they have read the cards' chips. This particular method conforms to the Apacs standard. Apacs is the UK's banking industry body. Other banks have adopted two-factor authentication methods, such as key-ring password generation devices, that do not conform to the Apacs standard.
South Korea to Ask Google to Remove ID Numbers (2 & 1 August 2006)
South Korea's Ministry of Communication and Information says it will ask Google to remove the resident registration numbers of more than 95,000 of its citizens. The number is used for identification at banks and government offices in South Korea as well as on web sites. Stolen numbers have been used to commit identity fraud. The Ministry found the numbers by running a program that scours the Web for the registration numbers.
[Editor's Note (Tan): It is commendable to see the Korean Government playing an active role in protecting its citizens. Korea has the highest percentage of broadband users of any country in Asia, and it is also one of the top countries where cyber attacks have been originating. But the Korean Government has been putting in great effort in stepping up security measures to ensure a safer Internet environment. Improvement can be seen and their effort has been paying off. ]
Trojan Hits 10,000 Computers in Australia; Tax File Numbers Stolen (3 & 2 August 2006)
The Australian Tax Office has warned that nearly 180 citizens have had their tax file numbers stolen while accessing the e-tax system online. The data theft was accomplished because the victims' computers had been infected with the Backdoor.Haxdoor.M Trojan horse program, which captures keystrokes and, in the case of the Australians' tax file numbers, posts them to the Internet. The attack is not specific to the Tax Office web site. More than 10,000 computers in Australia have been infected with the Trojan.
More Than Half of Home Users Secure Wi-Fi Networks (1 August 2006)
Statistics from JupiterResearch indicate that 60 percent of computer users with Wi-Fi home networks enable security on those networks. The Wi-Fi Protected Access (WPA) protocol "is included with virtually all consumer-grade wireless access cards and routers." Other data from JupiterResearch indicates roughly 30 percent of home users have piggy-backed on unsecured wireless networks while they were traveling and about 10 percent have piggy-backed on neighbors' networks at home.
[Editor's Note (Schultz): Concerns about piggy-backing on open wireless networks are only going to grow over time. Many users engage in piggy-backing without thinking that it might be wrong and that there might be negative consequences. I also suspect that the JupiterResearch results that indicate that 30 percent of home users have piggy-backed on other wireless networks may be a gross underestimate--respondents may have been less than forthright in admitting that they have engaged in such activity.
(Northcutt): This is totally unscientific but I just drove around the neighborhoods where I live and found very few secured networks so I have serious doubts that 60% of users secure their networks. In terms of piggy-backing, if a homeowner leaves the SSID as default (i.e. Linksys) then it is a given your neighbors will piggy-back. This is because eventually everyone that travels has to connect to a wireless network named Linksys, then when you are back home, if your wireless drops for a second, your Windows box will then join the Linksys. ]
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Nova Scotia Auditor General: IT Security Problems Not Addressed (26 July 2006)
Nova Scotia's auditor general Jacques Lapointe has expressed concern about the security of the province's computer systems. For instance, many employees are using just one password; some of the employees had changed jobs and should not have access to the information any more. Lapointe, who became auditor general in March 2006, also noted that former auditors general had raised many of the same security issues, but the problems have not yet been resolved.
[Editor's Note (Honan): When will organizations learn that acting on auditor findings before an incident occurs is much better than after? On the flip side, budget approval for security controls is normally a much simpler process after an incident. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Update for Mac OS X (3 & 2 August 2006)
An update for Apple Computer's Mac OS X addresses 26 security flaws, 17 of which could allow remote code execution. The other flaws could be exploited to cause denial-of-service conditions, expose data and escalate privileges. The vulnerabilities exist in the way Mac OS X handles images, as well as file sharing and the Fetchmail and DHCP networking functionality. Most of the flaws affect both the client and server versions of Mac OS X.
Internet Storm Center posting:
[Editor's Note (Ullrich): Apple manages to "reinvent" old and long-fixed flaws from open source packages. A serious example: the fetchmail flaw. An exploit was available the day Apple released a patch. OS X exploit development can borrow heavily from Unix exploits written for these flaws back when the flaw was originally discovered in other BSD variants. ]
McAfee Patches Remote Code Execution Flaw in SecurityCenter (2 & 1 August 2006)
McAfee has confirmed that a remote code execution flaw in several of its security programs could be exploited to access, modify and delete files on vulnerable computers. The flaw could expose potentially sensitive data such as bank account numbers. McAfee sent out a SecurityCenter update to fix the problem on Wednesday, August 2. The flaw affects McAfee SecurityCenter versions 4.3 through 6.0.22.
Diebold eVoting Machine Flaw (1 August 2006)
Researchers at the Open Voting Foundation have discovered another flaw in Diebold's electronic voting systems. Someone with physical access to the machine could get the "machine to boot from an unverified external flash drive" by flipping a switch. Newer machines are not vulnerable to the attack because they can contain just one boot profile at a time, but older machines could be compromised.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Three More Laptop Thefts
(2 August 2006)
The president of Belhaven College has acknowledged that a laptop stolen from a school employee contained names and Social Security numbers (SSNs) of an undetermined number of college employees.
(2 August 2006)
A laptop computer was stolen from the West Virginia Division of Rehabilitation Services; the computer held agency clients' names, addresses and SSNs. The agency notified those affected by mail in late July.
(1 August 2006)
More than 3,000 current and former Cal Poly University-San Luis Obispo students were notified that their names and SSNs were stored on a laptop computer that was stolen from a professor's home in July. Cal Poly University-San Luis Obispo is attempting to eliminate the use of SSNs as unique identifiers for its students.
Colleges Struggle with Cyber Security (2 & 1 August 2006)
Cyber security breaches at colleges and universities accounted for one-third to one-half of all reported cyber security incidents in the last 18 months. This could be attributed in part to the fact that schools are likely to be more forthcoming about breaches than are private sector organizations. In addition, computer systems at institutions of higher education are often decentralized, making security more difficult. This series of articles examines "how and why security breaches have occurred" at the schools and looks at the increased privacy and security measures colleges and universities have taken in response to the cyber security incidents.
[Editor's Note (Kreitner): Establishment and enforcement of security is a widely neglected management responsibility. One of management's duties is assigning accountability for adherence to established policies and articulating consequences for policy violations. Management's failure to do this for protecting information is a root cause of most security incidents. Once Boards of Directors begin to routinely require management to report to the Board on every security incident, including its cause and what has been done to prevent a similar incident in the future, management will begin to get serious about protecting the information entrusted to the organization. ]
Scammers Use Bots to Boost eBay Ratings (1 August & 31 July 2006)
Scammers are using botnets to create eBay accounts and generate positive feedback histories. The phony accounts establish their histories by purchasing 1-cent "Buy it Now" items on the auction site. Once they have created a satisfactory reputation, the scammers then offer expensive items for sale, collect the money and never deliver the promised items.
[Editor's Note (Northcutt): The amazing thing about cyber crime is the intensity of the scammers et al. They never let up, never quit innovating. If these same folks were focused on helping people, the world would be a better place by far. ]
STATISTICS, STUDIES & SURVEYS
Survey: IT Workers Earn Extra Pay for Skills and Certifications (1 August 2006)
A survey from Foote Partners found that more than half of IT workers earn additional pay for specific skills and certifications. This practice helps companies where job titles are out of step with their responsibilities, because the skills and certifications are recognized and workers are appropriately compensated. The research did find, however, that few employers are willing to put a pay-for-skills-and-certifications policy in writing.
Ohio University Reveals IT Restructuring Plan (31 July 2006)
Ohio University has released details about the planned restructuring of the school's IT environment. OU has been in the news recently due to the disclosure of several significant data security breaches. A "unified IT structure" will replace two separate entities: the Communication Network Service and Computer Services. OU also plans to deploy a perimeter firewall, reduce the use of SSNs as unique identifiers, encrypt those SSNs it still uses and classify data according to the level of protection they require.
***************** The Editorial Board of SANS NewsBites ****************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/