

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume VIII - Issue #67

August 25, 2006

The first story this week tells of a speech by a top US military officer in which he confirmed the hugely damaging series of cyber attacks by the Chinese (previously called the Titan Rain attacks). Those same attacks have cut through defenses at other US government agencies and military contractors. Canadian and European government systems have also been compromised. In all these attacks, substantial amounts of sensitive data are exfiltrated (stolen) and back doors are left on many important computers.



Chinese Units Successfully Attacking US Military Computers
US Army Plans to Encrypt Data on Notebook Computers
Hundreds of Workers Punished for Data Privacy Breaches


Man Gets Two Months of Curfew for eMail Attack
SEC Suing Couple for Alleged Stock "Pump-and-Dump" Scheme
US Dept. of Education Addressing Software Flaw That Exposed Personal Data
Advocacy Group Wants FAA Cybersecurity Information
China Fines Company for Sending Spam
Chinese Authorities Shut Down Sites Violating Digital Copyright Regulations
Microsoft: New IE Update Delayed; Then Delivered
AT&T Suing 25 "John Doe" Data Brokers
More Stolen Laptops
Beaumont Hospital's Home Care Patients Data on Stolen Computer
Stolen Laptop Holds Info on 612 Aflac Policyholders
IBM Will Acquire ISS

********* Sponsored by SANS Network Security 2006 in Las Vegas **********

How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense. SANS best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, much more. Early registration deadline is Friday, August 18.
See: http://www.sans.org/ns2006/caag.php

******* And By SANS Voucher Credit Program To Make It Easier ************

SANS Voucher Credits Maximize your Training Budget! SANS Program that pays you credits and delivers flexibility Do you have remaining fiscal 2006 education funds? Are you looking for a creative way to finance training?
Visit: http://www.sans.org/info.php?id=1319



Chinese Units Successfully Attacking US Military Computers

Air Force Major General William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, told a recent gathering of Air Force IT staff that China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified Network). He called it a nation-state threat and said that the Chinese are trying to steal credentials that will allow them to get into the network masquerading as authorized users. Writings from the People's Liberation Army in recent years have called for the use of information warfare to support or advance their nation's interests.

US Army Plans to Encrypt Data on Notebook Computers (22 August 2006)

The US Army is following the lead of the Veterans Affairs department (VA) by piloting a program to encrypt data held on notebook computers. Army CIO Lt. General Steven Boutelle said a forthcoming policy would require Army personnel to provide an accounting of mobile devices, including notebook computers. Each device will be labeled, identifying it as mobile or non-mobile. Personnel will also be instructed not to remove mobile devices from secure areas unless the data on the devices are encrypted.
[Editor's Note (Schultz): The US Army's (and the VA's) plans make a lot of sense and will serve as a good model for other organizations faced with the threat of data compromise because of stolen or lost laptop computers. ]

Hundreds of Workers Punished for Data Privacy Breaches (23 August 2006)

Nineteen Centrelink staff members were fired; ninety-two resigned and more than 300 face salary reductions, after allegations of privacy breaches, including looking at records of neighbors and friends, surfaced. Centrelink is an agency of Australia's Department of Human Services. A two-year investigation uncovered nearly 800 instances in which Centrelink employees gained "inappropriate access" to welfare records since 2004. Nearly 600 staff members are believed to have performed the inappropriate searches. Employees were warned twice last year that an investigation into inappropriate access to records was underway.

[Editor's Note (Schultz): This is yet another in a rapidly growing number of accounts in which organizations that do not establish and run an adequate information security practice suffer the consequences. ]
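The Centrelink investigation worked by comparing who looked at which welfare record against who had a legitimate reason to. The script below is an added example of that kind of audit, written for this page; it is not Centrelink's tooling and not code from the newsletter. The access-log layout, the case-assignment table, the postcode lookups (used to spot the "neighbours and friends" pattern the story describes) and the two rules are all assumptions for illustration, and the data are constructed.

```python
"""Audit record lookups for signs of browsing rather than casework.

Added example; not from the newsletter and not Centrelink's own tooling.
The log layout, the assignment table, the postcode lookups and the two
rules below are assumptions made for illustration.
"""
import csv
import io
from collections import Counter

# Constructed sample access log (not real data): one row per record view.
# An empty reason_code means the operator recorded no reason for the lookup.
ACCESS_LOG = """\
ts,staff_id,record_id,reason_code
2006-03-01T09:02:00,s101,r5001,CASE
2006-03-01T09:15:00,s101,r5002,CASE
2006-03-01T12:40:00,s101,r7777,
2006-03-02T08:05:00,s102,r5003,CASE
2006-03-02T08:06:00,s102,r5004,
2006-03-02T08:07:00,s102,r5005,
2006-03-02T08:08:00,s102,r5006,
2006-03-03T10:00:00,s103,r5007,CASE
"""

# Constructed case assignments: the records each staff member is meant to work on.
ASSIGNMENTS = {
    "s101": {"r5001", "r5002"},
    "s102": {"r5003"},
    "s103": {"r5007"},
}

# Constructed postcodes for record holders and staff, used to spot lookups
# of people living near the staff member.
RECORD_POSTCODE = {
    "r5001": "2000", "r5002": "2010", "r7777": "2031", "r5003": "3000",
    "r5004": "3050", "r5005": "3051", "r5006": "3052", "r5007": "4000",
}
STAFF_POSTCODE = {"s101": "2031", "s102": "3000", "s103": "4000"}


def audit_access(access_log=ACCESS_LOG, assignments=ASSIGNMENTS,
                 record_postcode=RECORD_POSTCODE, staff_postcode=STAFF_POSTCODE):
    """Return (findings, per-staff count of lookups outside assigned cases).

    A lookup becomes a finding when the record is not assigned to the viewer.
    Each finding lists the reasons that make it suspicious.
    """
    findings = []
    outside_case = Counter()
    for row in csv.DictReader(io.StringIO(access_log)):
        staff, rec = row["staff_id"], row["record_id"]
        if rec in assignments.get(staff, set()):
            continue  # casework on an assigned record: expected
        reasons = ["no_case_assignment"]
        if not row["reason_code"]:
            reasons.append("no_reason_recorded")
        if record_postcode.get(rec) == staff_postcode.get(staff):
            reasons.append("same_postcode_as_staff")
        outside_case[staff] += 1
        findings.append({"ts": row["ts"], "staff_id": staff,
                         "record_id": rec, "reasons": reasons})
    return findings, outside_case


def repeat_offenders(outside_case, threshold=3):
    """Staff with at least `threshold` lookups outside their assigned cases."""
    return sorted(s for s, n in outside_case.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = audit_access()
    for f in found:
        print(f["ts"], f["staff_id"], f["record_id"], ",".join(f["reasons"]))
    print("repeat offenders:", repeat_offenders(counts))
```

On the constructed data, s101's single lookup of a record in their own postcode with no reason recorded is flagged, and s102 is listed as a repeat offender for three unassigned lookups in as many minutes. The check only works if record views are logged with the viewer's identity and the organisation keeps an authoritative assignment table to compare against; without both, an audit like the two-year one in the story has nothing to work from.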



Man Gets Two Months of Curfew for eMail Attack (24 & 23 August 2006)

David Lennon has pleaded guilty to violating Section 3 of the UK's Computer Misuse Act (CMA) for inundating his former employer's email server with five million unsolicited messages. The denial-of-service attack, which took place two-and-a-half years ago, caused the server to crash. Lennon was sentenced to a two-month curfew during which he must be home by 12:30 am and remain there for a set number of hours. Last autumn, a judge dismissed charges against Lennon, saying there was no case under the CMA. The Crown Prosecution Service appealed that ruling. As a result of this case, amendments to the CMA are pending to help it better address current issues in cyber crime.


[Editor's Note (Honan): When will the courts realise computer crime is crime period? Just because computers are involved does not make the crime any less serious. This man has been found guilty of committing a crime resulting in an estimated 30,000 of damage and his punishment is sending him to his room for two months?!]
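A flood of five million messages from one source is easy to spot if the mail server's log is watched for per-sender rate. The detector below is an added example written for this page, not code from the newsletter or from the employer's systems. The log line format, the sender addresses, the 60-second window and the threshold are assumptions for illustration; the log is constructed in `make_sample_log`, with the date chosen only to match the story's "two-and-a-half years ago".

```python
"""Sliding-window detector for a single sender flooding a mail server.

Added example; not from the newsletter. Log format, addresses, window
and threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log: routine traffic plus one sender emitting 300 messages in a minute."""
    start = datetime(2004, 2, 1, 13, 0, 0)
    lines = []
    # Routine traffic: one message every 30 seconds from two legitimate senders.
    for i in range(20):
        who = "alice@example.org" if i % 2 == 0 else "bob@example.org"
        ts = (start + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} from=<{who}> to=<hr@example.com>")
    # The flood: 300 messages in 60 seconds from one address.
    for i in range(300):
        ts = (start + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} from=<bomb@example.net> to=<hr@example.com>")
    # Order by timestamp, as a real log would be.
    lines.sort(key=lambda line: datetime.fromisoformat(line.split(" ", 1)[0]))
    return lines


def flooding_senders(lines, window=timedelta(seconds=60), threshold=100):
    """Return {sender: first timestamp at which it exceeded `threshold`
    messages within any span of length `window`}.  Lines must be in time order.
    """
    recent = defaultdict(deque)  # per-sender timestamps inside the window
    flagged = {}
    for line in lines:
        ts_text, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_text)
        sender = rest.split("from=<", 1)[1].split(">", 1)[0]
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and sender not in flagged:
            flagged[sender] = ts
    return flagged


if __name__ == "__main__":
    for sender, when in flooding_senders(make_sample_log()).items():
        print(f"{when.isoformat()} rate limit exceeded by {sender}")
```

The flooding sender is flagged at its 101st message, twenty seconds in, while the two legitimate senders never accumulate more than a handful of messages in any minute. In practice the action on a hit (tarpitting or blocking the sender, or alerting) matters more than the count; the sliding deque is only the cheap part.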

SEC Suing Couple for Alleged Stock "Pump-and-Dump" Scheme (21 August 2006)

The US Securities and Exchange Commission (SEC) is suing a Connecticut husband and wife for using spam to artificially inflate the price of stock they had purchased; they then allegedly sold the stock when its value temporarily shot up. Jeffrey Stone and Janette Diller Stone allegedly made US$1 million with their scheme, typically called a "pump-and-dump" scheme.


US Dept. of Education Addressing Software Flaw That Exposed Personal Data (23 August 2006)

The US Department of Education has offered free credit monitoring to approximately 21,000 students whose personal data may have been exposed on the agency's web site. The exposure affected people who borrowed college money from the federal government, through the department's loan site; students who applied for loans through private companies are not affected. The Education Department has disabled the parts of the software that caused the problem. Howard Schmidt, former White House security advisor, observed that the situation might have been averted had the update been tested in a closed environment before being taken live.
[Editor's Note (Pescatore): Federal agencies are supposed to have formal certification and accreditation processes that test applications before they go live. Too many of these are pure paperwork exercises - testing for vulnerabilities and unexpected functions needs to be high priority for all C&A programs.]

Advocacy Group Wants FAA Cybersecurity Information (22 August 2006)

Americans for Safer Air Travel (ASAT) has filed a Freedom of Information Act (FOIA) request for information on the measures the US Federal Aviation Administration (FAA) is taking to protect air safety data. Specifically, ASAT seeks information about FAA systems that contain air traffic control reports, radar analyses and other security data. The request also asks the FAA to disclose the number and frequency of system intrusions since September 11, 2001. The request follows in the wake of several widely publicized data security breaches at government agencies, most notably the VA and the Department of Transportation's Office of the Inspector General.


China Fines Company for Sending Spam (22 August 2006)

The Chinese government has fined a company for sending spam, the first case of its kind in that country. Hesheng Zhihui Enterprise Management Consulting was fined 5,000 yuan (US$627) for sending "bulk emails containing advertisements to Internet users." The company was also ordered to stop sending the unsolicited commercial email immediately. The Chinese government adopted an anti-spam regulation earlier this year that requires organizations sending commercial email to offer recipients a means of subscribing to or opting out of further messages.

[Editor's Note (Grefer):To put this fine a bit into perspective: According to
the average annual income per household in China is US$1396.]


Chinese Authorities Shut Down Sites Violating Digital Copyright Regulations (22 August 2006)

Chinese authorities are taking aim at web sites that violate the country's new copyright regulations. More than 100 web sites, including some that offer movies and music at no cost, have been shut down. The regulation came into effect on July 1 and prohibits uploading and downloading digital content without the copyright-holder's permission.

[Editor's Note (Grefer): It appears China is taking gradual steps to become an even more powerful and accepted player in the world economy. ]


Microsoft: New IE Update Delayed; Then Delivered (22 August 2006)

Microsoft has pushed back the projected release date for a revised version of MS06-042. The original version of the update, released on August 8, contains a flaw that could cause Internet Explorer (IE) to crash in certain scenarios. Microsoft originally had said a new version of the update would be made available on August 22, but due to a problem revealed in the final testing, the release date was delayed.
As of 25 August, the patch is available.



AT&T Suing 25 "John Doe" Data Brokers (23 August 2006)

AT&T has filed a lawsuit against 25 data brokers, alleging they used pretexting, or the practice of setting up phony online accounts to obtain access to approximately 2,500 AT&T customers' call records. The suit is seen to be "a step toward identifying the perpetrators by using email addresses and IP addresses and toward seeking damages." AT&T says affected customers have been contacted.

[Editor's Note (Pescatore): Identifying perpetrators is valuable, AT&T closing the holes in their enrollment process that allowed the pretexting to work is priceless. ]

More Stolen Laptops

Beaumont Hospital's Home Care Patients Data on Stolen Computer (23 & 22 August 2006)

A laptop computer stolen on August 5 from the car of a nurse in Detroit holds personally identifiable information, including names, Social Security numbers (SSNs) and medical insurance information of more than 28,000 Home Care patients of Beaumont Hospitals. There is no evidence that the data on the computer have been misused. Although the laptop was encrypted and password-protected, the nurse's access code and password were stolen along with the computer. Authorities have disabled the login connection for the computer.

As of 25 August, the laptop has been found and returned.

[Editor's Note (Honan): A prime example of how technology alone is not the answer to securing data. Security controls can be undermined by someone simply leaving their password with their computer. ]

Stolen Laptop Holds Info on 612 Aflac Policyholders (22 August 2006)

A laptop computer containing personally identifiable information belonging to 612 American Family Life Assurance Co. (Aflac) policyholders was stolen from an agent's car. The company notified those affected by the data security breach in a letter dated August 11, 2006. The stolen laptop is equipped with tracking technology. Aflac has established a call line for affected customers with questions about the theft. Local law enforcement is investigating.


IBM Will Acquire ISS (23 August 2006)

IBM has announced its intention to purchase Internet Security Systems (ISS) for US$1.3 billion. IBM is making the purchase because it sees "security services as an area of huge growth potential," according to Val Rahmani, general manager of infrastructure management services at IBM Global Services. The deal is expected to close in the fourth quarter of this year.


******************* The Editorial Board of SANS NewsBites ***************

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/