SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #64
August 15, 2006
WashingtonPost.Com reporter Brian Krebs just posted the next installment in his controversial Apple wireless hacking story, providing a rock solid answer to the critics: "... in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in." At least one other independent person also saw the demo.
But that's not the only revelation from Brian today. He'll soon publish a blog describing a Russian site that has found cross site scripting in Verisign, eEye, and other security companies' (and government agency) web sites.
Heads up for SANS alumni, GIAC certification holders, and people registered for SANS Network Security 2006 (Las Vegas, Oct. 1-9, http://www.sans.org/ns2006/caag.php ): Next week, we mail out the summary of the seven most effective and damaging new attack tools (including the Blue Pill) and the summary of the ten most important new developments coming in security over the next year. But it will get there only if your surface mail address is correct at the SANS Portal. Please check your mailing address by visiting https://portal.sans.org and clicking on "Update your account" no later than Thursday, August 17.
TOP OF THE NEWS
Report on Britain's Nuclear Industry Security Highlights Wireless Risks
VA to Encrypt All Laptops Within One Month
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IG Report Finds eMail Security Problems at IRS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Code Targets Windows Server Flaw
Symantec Offers Fix for Heap Overflow Flaw in Backup Exec
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Dollar Tree Customers Report Debit and Check Card Fraud
Man Charged with Downloading Patient Data
Microsoft Reports Organized Crime Groups Targeting On Line Gaming
MISCELLANEOUS - SENSITIVE DATA NOT REMOVED FROM RECYCLED HARD DRIVES
Personal Bank Account Data For Sale in Nigeria, Cheap!
Study Finds Data Removal Measures Not Always Effective
********************* Sponsored By Symark Software **********************
How do you guard against sabotage, theft or unauthorized access of data? Sudo doesn't provide the accountability for "privileged" accounts required by COBIT 4.0/ISO17799. Learn how PowerBroker, the most widely used solution for controlling Unix/Linux superuser privileges, helps you meet data privacy and compliance requirements. ALERT: Download the FREE White Paper "PowerBroker vs. sudo."
How Good Are The Courses at SANS Network Security 2006? Ask the alumni.
"I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
"This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
"This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.
"The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense
SANS' best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, much more. Early registration deadline is Friday, August 18. See:
TOP OF THE NEWS
Report on Britain's Nuclear Industry Security Highlights Wireless Risks (13 August 2006)
A report from Britain's Office for Civil Nuclear Security (OCNS) revealed that the nuclear industry in Britain had 39 reported security incidents in the year ending March 31, 2006. Eight information security breaches were reported, including the theft of laptops and "inappropriate transmission of restricted information over the Internet." Although no damage was reported as a result of the breaches, the OCNS has also expressed concern about the growing risk of IT breaches with the increased use of wireless technology. The report detailed physical security incidents as well.
VA to Encrypt All Laptops Within One Month (14 August 2006)
The US Department of Veterans Affairs (VA) has announced that it will begin encrypting all data on VA laptop computers. VA Secretary James Nicholson says the new security program will begin immediately and the plan is to have all laptops encrypted within one month. After the laptops are encrypted, the VA plans to encrypt its desktop computers, followed by servers and data centers.
[Editor's Note (Schultz): Encryption of data stored on laptops (and eventually on desktop and other systems) will not solve all of the VA's security problems, but it will serve as a significant step in the right direction.
(Grefer): Given the sudden pace of the implementation, one has to hope that enough thought was spent on how this will affect the infrastructure and interoperability as well as which criteria were applied to key handling and distribution. ]
************************** Sponsored Links: ***************************
1) Whitepaper: Calculating Security ROI Prove and predict your security ROI. From ArcSight, a security leader.
2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
3) Protecting Your Business from Malicious Email Intrusions - MX Logic Webinar, August 17th. Register today!
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IG Report Finds eMail Security Problems at IRS (10 August 2006)
A recent report from the Treasury Inspector General (IG) for Tax Administration indicated that nearly 75 percent of 96 IRS employee email inboxes reviewed contained messages that violated the department's personal use policy. The IG's report recommends that the IRS monitor email content. The audit also examined 28 of the IRS's 228 email servers and found a total of 687 vulnerabilities. The report recommends reducing the number of email servers. There was also evidence that devices had been configured to act as unauthorized email servers. The report says system administrators should be responsible for ensuring that only authorized email servers are used.
[Editor's Note (Schultz): Given the number and severity of vulnerabilities typically found in mail servers, reducing the number of mail servers is a sound security measure. It is just as important, however, to ensure both that standards for securing email servers are written, well-distributed, and adhered to, and that constant monitoring for the presence of unauthorized mail servers occurs.
(Honan): Administrators should consider using rules on network firewalls and routers to restrict incoming and outgoing email traffic to and from authorised servers. Otherwise, "unauthorized e-mail servers" could appear on their network via computers becoming infected with a piece of malware installing its own email (SMTP) server engine. ]
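The two controls discussed above, an egress rule that only lets sanctioned mail gateways speak SMTP to the Internet and ongoing monitoring for hosts that try anyway, can be checked against firewall logs. The following is an added illustration, not code from SANS or the IG report: it parses a constructed connection-log format (the `src=... dst=... dport=... action=...` fields, the internal address ranges and the relay address 10.1.1.25 are all assumptions) and reports internal hosts other than the authorised relay that initiated SMTP connections outbound, the pattern a malware-borne SMTP engine leaves behind. Dropped connections are counted as well as accepted ones, because once the egress rule is in place the drops are exactly the evidence that an unauthorised mail server has appeared.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed network layout for this example: RFC 1918 ranges are "inside",
# and 10.1.1.25 is the organisation's only sanctioned outbound mail gateway.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
AUTHORIZED_RELAYS = {"10.1.1.25"}
SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission

# Constructed firewall log lines in a simple key=value format (not a real vendor format).
SAMPLE_LOG = """\
2006-08-14T09:00:01 src=10.1.1.25 dst=198.51.100.10 proto=tcp dport=25 action=accept
2006-08-14T09:00:05 src=192.168.2.14 dst=10.1.1.25 proto=tcp dport=25 action=accept
2006-08-14T09:00:09 src=10.1.7.3 dst=198.51.100.80 proto=tcp dport=80 action=accept
2006-08-14T09:01:12 src=10.1.4.22 dst=203.0.113.5 proto=tcp dport=25 action=accept
2006-08-14T09:01:13 src=10.1.4.22 dst=203.0.113.9 proto=tcp dport=25 action=accept
2006-08-14T09:01:14 src=10.1.4.22 dst=203.0.113.17 proto=tcp dport=25 action=drop
2006-08-14T09:02:30 src=10.1.9.40 dst=203.0.113.44 proto=tcp dport=587 action=accept
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+) action=(\w+)")


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line):
    """Extract (src, dst, dport, action) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m.groups()
    return src, dst, int(dport), action


def find_rogue_smtp(lines, min_destinations=1):
    """Map each unauthorised internal host that initiated SMTP to the Internet
    to the sorted list of external destinations it contacted.

    min_destinations lets an analyst raise the bar: a compromised host running
    its own SMTP engine typically fans out to many MX hosts, whereas a single
    misconfigured client usually talks to one.
    """
    dests = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport, _action = rec      # drops count too: see lead-in
        if dport not in SMTP_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue                        # only inside -> outside traffic
        if src in AUTHORIZED_RELAYS:
            continue                        # the sanctioned gateway is expected here
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for host, targets in find_rogue_smtp(SAMPLE_LOG).items():
        print(f"unauthorised SMTP from {host}: {len(targets)} external destination(s) {targets}")
```

Run against the sample, the relay's own traffic and the internal client submitting to the relay are ignored, while 10.1.4.22 (three external MX contacts, one of them already blocked) and 10.1.9.40 (one submission-port connection) are reported; raising `min_destinations` to 2 leaves only the fan-out host.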
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Code Targets Windows Server Flaw (14, 13 & 10 August 2006)
Malware targeting computers that have not been patched against the recently disclosed vulnerability in the Windows Server networking function is now spreading; attack code to exploit the flaw was posted to the Internet late last week. The malware affects only unpatched Windows 2000 systems. The malware alters security settings and hijacks infected computers to be used in bot nets. Infected machines are directed to contact servers in China through IRC. SANS Internet Storm Center (ISC) reported a noticeable increase in scans for computers vulnerable to the flaw. Users who have not applied the patch described in MS06-040 are urged to do so as soon as possible.
Symantec Offers Fix for Heap Overflow Flaw in Backup Exec (14 August 2006)
Symantec has acknowledged a heap overflow flaw in versions 9.1 and 9.2 of its Symantec Backup Exec for NetWare servers with Remote Agent for Windows Servers. Fixes are available, and the company is investigating reports that the flaw also affects other Backup Exec remote agents. The flaw lies in the remote procedure call (RPC) interfaces of Backup Exec and could be exploited to send malicious code to the application. Attackers could create denial-of-service conditions and conceivably gain control of unpatched machines.
Dollar Tree Customers Report Debit and Check Card Fraud (14, 4 & 1 August 2006)
The US Secret Service and Visa are investigating reports that ATM card information and PINs were stolen from people who shopped at Dollar Tree stores in states on the US's west coast. The stolen information was apparently used to create phony cards that were used to steal hundreds of thousands of dollars from victims. The data were apparently stolen in March and April, but were not used until several months later. When debit cards are used, the money is immediately deducted from accounts. Customers have just 60 days to call their banks and straighten out the situation, or lose their money. Credit card fraud presents less financial risk for consumers.
[Editor's Note (Grefer): Debit card users would be well advised to check with their bank whether it extends the same protection to logo-bearing debit cards that it affords users of its corresponding credit cards. ]
Man Charged with Downloading Patient Data (11 August 2006)
Timothy R. Kiel, a former employee of the Madrona Medical Group in Bellingham, Washington, has been charged with downloading patient files onto his own laptop computer. The stolen data include Social Security numbers (SSNs), names and dates of birth. Patients have been urged to monitor their credit reports for suspicious activity. Police were notified of the problem in December when officials became aware of the activity. Prosecutors also allege that Kiel accessed Madrona servers numerous times and deleted files after resigning from the company.
Microsoft Reports Organized Crime Groups Targeting On Line Gaming
Microsoft's Dave Weinstein, a security engineer, says, "Those of you who are working on massively multiplayer online games, organized crime is already looking at you." They make money by hacking into computers, stealing account information, and then selling off virtual gold and weapons.
MISCELLANEOUS - SENSITIVE DATA NOT REMOVED FROM RECYCLED HARD DRIVES
Personal Bank Account Data For Sale in Nigeria, Cheap! (14 August 2006)
Personal financial information belonging to thousands of UK residents is being sold in Nigeria; the information was gleaned from the hard drives of used PCs sent from the UK. People in West Africa are reportedly buying Internet banking account details for under GBP20 (US$37.75). The UK television program Real Story found PCs containing sensitive information from all over the world in Nigeria's capital, Lagos. People are still being encouraged to give away their used PCs, but also to make sure the hard disks are wiped of personal data or removed from the computers altogether. The UK's Information Commissioner's office says companies are legally obligated by the Data Protection Act to remove customer data from their computers when they no longer require the information.
[Editor's Note (Northcutt): A quick google search for "buy computer hard drive Nigeria" turns up an offer to buy a large quantity of drives in March of this year. When will we ever learn? This would be a good story for security awareness programs!
(Honan): Consumers and companies need to make themselves more aware of the dangers posed by not securely disposing of data, be that in paper or electronic format. The information available in many recycling facilities and dumps that can be used to commit fraud is scary. The BBC programme graphically illustrated how valuable this data is to the cyber thieves by filming the Nigerian police coming under gunfire as they raided an Internet café suspected of being used to commit online fraud. ]
Study Finds Data Removal Measures Not Always Effective (11 August 2006)
In a separate story, a report funded by BT that looked at more than 300 used hard drives found proprietary business information and other sensitive data. In many cases, users had removed the data with the Windows delete function or reformatting; both processes are fairly easy to reverse. Twenty-five percent of the drives offered up personally identifiable information. The results do not differ much from those of a similar study conducted last year.
[Editors' Note (Multiple): NTFS file deletion is reputed to overwrite the disk space with random characters multiple times, and that is seen as being good enough to comply with object reuse protection standards in MIL-STD 5200. The study directors say the majority of files that were article *may* be accurate only for Windows machines using the FAT file system.
(Grefer): Simple deletion with standard operating system procedures does not actually erase the file content. A recently updated discussion of secure file deletion can be found at
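Both the Nigerian second-hand PC story and the BT drive study above turn on the same mechanism: an ordinary delete or a quick reformat only rewrites the file system's bookkeeping, so the sectors that held the data are untouched until something else is written there, and a recovery tool simply scans the raw sectors for content. The following is an added toy model to make that concrete; it is not code from the newsletter, from BT, or from any real FAT/NTFS driver. It builds a small FAT-style volume in memory (a directory table of 32-byte entries followed by a data region, with 0xE5 marking a deleted entry), then compares delete, quick format, and overwrite-before-unlink, using a constructed sample record rather than any real account data.

```python
import os
import struct

SECTOR = 512
DIR_SECTORS = 2        # sectors 0-1 hold the directory table (assumed layout)
ENTRY = 32             # bytes per directory entry
DELETED = 0xE5         # FAT convention: first byte of a deleted entry
TOTAL_SECTORS = 64


def _fat_name(name):
    """Pad/truncate a name to the 11-byte field used by the toy directory."""
    return name.encode("ascii")[:11].ljust(11, b" ")


class ToyVolume:
    """A tiny FAT-like volume: directory entries first, file data after them."""

    def __init__(self):
        self.image = bytearray(TOTAL_SECTORS * SECTOR)   # the raw "disk"
        self.next_free = DIR_SECTORS                     # first unused data sector

    def _entries(self):
        for off in range(0, DIR_SECTORS * SECTOR, ENTRY):
            yield off, bytes(self.image[off:off + ENTRY])

    def write_file(self, name, data):
        start = self.next_free
        nsect = -(-len(data) // SECTOR)                  # ceiling division
        if start + nsect > TOTAL_SECTORS:
            raise OSError("volume full")
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.next_free += nsect
        for off, ent in self._entries():
            if ent[0] == 0x00:                           # free directory slot
                rec = _fat_name(name) + struct.pack("<HI", start, len(data))
                self.image[off:off + ENTRY] = rec.ljust(ENTRY, b"\x00")
                return
        raise OSError("directory full")

    def list_files(self):
        """What the operating system shows the user: live entries only."""
        names = []
        for _, ent in self._entries():
            if ent[0] == 0x00:
                break
            if ent[0] != DELETED:
                names.append(ent[:11].decode("ascii").rstrip())
        return names

    def _find(self, name):
        target = _fat_name(name)
        for off, ent in self._entries():
            if ent[:11] == target:
                start, length = struct.unpack("<HI", ent[11:17])
                return off, start, length
        raise FileNotFoundError(name)

    def delete(self, name):
        """Ordinary delete: only the directory entry is flagged; data sectors stay."""
        off, _, _ = self._find(name)
        self.image[off] = DELETED

    def quick_format(self):
        """Quick format: clears the directory table, leaves the data region alone."""
        self.image[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)
        self.next_free = DIR_SECTORS

    def secure_delete(self, name, passes=3):
        """Overwrite the file's sectors with random bytes before unlinking."""
        off, start, length = self._find(name)
        nbytes = -(-length // SECTOR) * SECTOR           # whole sectors
        lo = start * SECTOR
        for _ in range(passes):
            self.image[lo:lo + nbytes] = os.urandom(nbytes)
        self.image[off] = DELETED

    def carve(self, needle):
        """What a recovery tool does: scan raw sectors, ignoring the directory.
        Returns the byte offset of the content, or -1 if it is gone."""
        return self.image.find(needle)


def demo(record=b"CONSTRUCTED SAMPLE: sort code 12-34-56 account 87654321"):
    """For each disposal method, return (what the OS lists, still carvable?)."""
    results = {}
    for method in ("delete", "quick_format", "overwrite"):
        vol = ToyVolume()
        vol.write_file("BANK.TXT", record)
        if method == "delete":
            vol.delete("BANK.TXT")
        elif method == "quick_format":
            vol.quick_format()
        else:
            vol.secure_delete("BANK.TXT")
        results[method] = (vol.list_files(), vol.carve(record) != -1)
    return results


if __name__ == "__main__":
    for method, (listed, recoverable) in demo().items():
        print(f"{method:13s} listed={listed} recoverable={recoverable}")
```

All three methods leave the directory listing empty, which is all the user sees; only the overwrite leaves nothing for the carver to find. The same holds for disposal of real drives: a wiping tool or physical destruction, not delete or reformat, is what the disposal procedure needs to specify.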
***************** The Editorial Board of SANS NewsBites ****************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/