SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #76
September 26, 2006
TOP OF THE NEWSMore Than 1,000 Commerce Dept. Laptops Missing Since 2001
Germany Considering Update to Cyber Crime Penal Code
Massive Growth In Organized Crime Targeting Home PC Users
THE REST OF THE WEEK'S NEWSSPYWARE, SPAM & PHISHING
Phishers Turn to eCards
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Discourages Use of Third-Party IE VML Flaw Fix
Apple Releases Fixes for Flaws in AirPort Software
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DNS Attack in China Takes 180,000 Web Sites Offline
Stolen Laptop Holds Data on 50,000 GE Employees
Computers, Storage Devices Stolen from Nagasaki Univ. Hospital Contain Patient Data
Computers Stolen from Kenyan Revenue Authority
Missing Jump Drive Holds Hospital Employee Data
U of Colo. Business School Computers Missing
Purdue Univ. Notifying Affected Students of Possible Data Breach
Student Financial Aid Application Data Misplaced
STATISTICS, STUDIES & SURVEYS
U.S. Employees Willing To Submit To Email Monitoring
*********************** Sponsored By Symark Software ********************
How do you guard against sabotage, theft or unauthorized access of data? Sudo doesn't provide the accountability for "privileged" accounts required by COBIT 4.0/ISO17799. Learn how PowerBroker, the most widely used solution for controlling Unix/Linux superuser privileges, helps you meet data privacy and compliance requirements. ALERT: Download the FREE White Paper "PowerBroker vs. sudo."
How Good Are SANS Courses? ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense Programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on demand courses) without leaving your home.
TOP OF THE NEWS
More Than 1,000 Commerce Dept. Laptops Missing Since 2001 (22 September 2006)The US Department of Commerce has acknowledged that 1,137 laptop computers have been lost or stolen since 2001. Of the missing computers, 249 hold personally identifiable information. Some of the computers are protected with passwords; some are fully encrypted. Six hundred seventy two of the missing laptops were from the Census Bureau, 246 of which hold personally identifiable information. The other three computers holding personally identifiable information are from the National Oceanic and Atmospheric Administration. Commerce Secretary Carlos M. Gutierrez estimated approximately 6,200 households could be affected by the data security breach. The agency conducted the review "in response to a Congressional request and public inquiries." House Government Reform Committee Chairman Tom Davis (R-Va.) has requested that all agencies report all security breaches. "Davis has proposed legislation that would require the Office of Management and Budget to establish policies for agencies to follow in the event of a data breach."
[Editor's Note (Pescatore): There are already government regulations about incident reporting and there are already penalties in the Privacy Act that apply to government managers responsible for misuse of privacy-related information. A much better approach would be to put requirements in all government funding bills that mandate procurement of strong authentication and data protection technology with every computer procurement or system development.
(Paller): The Commerce Department laptop losses pale in comparison with those of other agencies. One section of the Treasury Department, for example, has lost five times that many, in less time. Congressional demands for more reporting - knowing how counter-productive their FISMA reporting demands have been - border on negligence. The same Treasury agency that is losing all the laptops has been forced to spend more than 75% of its security budget paying contractors to write reports for FISMA. They could easily have put data protection on every laptop for less than they are spending to write the FISMA reports. John Pescatore is right; it's time for Congress to use Federal procurement specifications to improve security. ]
Germany Considering Update to Cyber Crime Penal Code (22 & 21 September 2006)The German government is considering legislation that would make breaking into computers a crime punishable by up to ten years imprisonment. The draft law defines a punishable offense as any action that penetrates a computer system and gains access to secure data; data theft is not a requirement for punishment under this proposed law. In addition, "groups that intentionally create, spread or purchase hacker tools designed for illegal purposes could be punished by the law." Some have pointed out that the section of the law prohibiting the use and development of "hacking tools" could prevent administrators and security consultants from conducting legitimate tests. Laws already exist in Germany regarding IT system attacks, but allow for indictment only when companies or government entities have been attacked; this legislation aims to "close any remaining loopholes."
Massive Growth In Organized Crime Targeting Home PC Users (25 September 2006)According to Symantec's semi-annual Internet Threat Report, home computer users are becoming the preferred target of cyber criminals. The report noted an 81 percent jump in the number of phishing emails in the first half of 2006 over the previous six months. Among home users surveyed, just 46.3 percent say their anti-virus software is up-to-date. Among other findings in the report: browser flaws are on the rise and the US is the largest source of Internet attacks due to the large number of compromised computers with broadband connections.
*************************** Sponsored Links: **************************
1) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
2) The SANS Secure Storage & Encryption Summit, December 6-7, provides you with concrete, actionable information you can deploy as soon as you return to work.
3) Take Advantage of Special Web Filtering Offers from iPrism. Get a Quick Quote Now!
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
Phishers Turn to eCards (22 September 2006)Thousands of people have reportedly fallen prey to a phishing attack that uses ecards as bait. The cards appear to come from a secret admirer. When the recipient clicks on the provided link, the computer is directed to a malicious site that attempts to download a keystroke logger; the card is then displayed. The attack exploits a flaw in Microsoft Windows that was patched in May (MS06-014).
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Discourages Use of Third-Party IE VML Flaw Fix (25 September 2006)
[Vulnerability update from the editors: The VML flaw is being actively exploited. Help calls support calls skyrocketing at some ISPs especially as people check their email at home using Outlook with the preview pane turned on. The Internet Storm Center's threat level rose to yellow for 24 hours over the weekend as this problem spread. ]
For the third time this year, a group has released a third-party patch for a Microsoft software vulnerability that is being actively exploited. Microsoft recently acknowledged the flaw in the Vector Markup Language (VML) component of Internet Explorer (IE) and plans to address the vulnerability in its next scheduled security update release on October 10. Microsoft does not recommend using the third-party patch. The group that has released the patch acknowledges that it did not undergo the rigorous testing to which Microsoft patches are subjected before their release and recommends that users replace its fix with Microsoft's official patch once it becomes available.
In a separate story the VML vulnerability also affects the Outlook 2003 email client.
Apple Releases Fixes for Flaws in AirPort Software (22 September 2006)Apple has released updates for three flaws in its AirPort wireless driver. The vulnerabilities could be exploited to execute arbitrary code and crash systems, escalate privileges or take control of Mac computers over wi-fi. The flaws affect Mac OS X 10.3.9 through 10.4.7. All three vulnerabilities concern the way AirPort wireless handles "frames."
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DNS Attack in China Takes 180,000 Web Sites Offline (26 September 2006)China's second largest domain name service (DNS) provider, Xinet, was hit with an eight-hour denial of service attack that disabled 180,000 web sites. Many of the web sites are back on line and Xinet hopes to have the rest (primarily smaller sites) back on line by October 7. The Shanghai Daily site on which the attack is reported was one of the ones that had been disabled.
Stolen Laptop Holds Data on 50,000 GE Employees (25 September 2006)A laptop computer stolen from the locked hotel room of a General Electric employee holds the names and Social Security numbers (SSNs) of approximately 50,000 current and former GE employees. A company spokesperson said GE is offering all affected individuals a year of free credit monitoring.
Computers, Storage Devices Stolen from Nagasaki Univ. Hospital Contain Patient Data (24 September 2006)A Nagasaki University official has acknowledged that six notebook computers holding personally identifiable data on roughly 9,000 patients were stolen from the Nagasaki University Hospital of Medicine and Dentistry. The data include names, birth dates and medical diagnoses of patients who have been seen at the hematology division since the early 1990s. The computers were stolen overnight between September 14 and 15. The police were notified immediately. Eight USB memory units and two hard disks were also stolen.
[Editor's Note (Honan): According to the report, "The data, based on patients' medical files, had been stored there for educational and academic purposes, and some of them contained detailed descriptions on the patient's medical histories"; this highlights the reason why live/real data should never be used in non-production environments where the levels of security controls may not be the same as those found in production environments. ]
Computers Stolen from Kenyan Revenue Authority (24 September 2006)Computers stolen from the Kenya Revenue Authority contain income tax return data. A KRA official says the data were probably not backed up. Other Kenyan public offices have recently suffered similar computer thefts. Police say the burglars are targeting the most current computer models.
Missing Jump Drive Holds Hospital Employee Data (23 September 2006)A USB storage device reported missing from a locked office on September 15 contains the names and SSNs of approximately 4,150 current and former Erlanger Hospital (TN) employees who had undergone employment status changes between November 2003 and September 2006. Hospital officials say letters were sent to affected individuals within 24 hours of learning of the breach. An additional 2,050 current employees who were not affected by the breach also received letters describing the incident. An employee who was working with the data and noticed them missing notified his supervisors promptly.
[Editor's Note (Northcutt): Hmmm, what are the risks of using USB drives in hospitals? Most of the doors aren't locked. After all availability is paramount. What kind of data would primarily be on a computer in a hospital? Patient or employee data would be most probable. I wonder how they decided USB drives were an acceptable risk? I wonder what they think now? From their PR statement, they do not seem to be terribly concerned:
FWIW, USB can be disabled with a couple of clicks in the Group Policy Editor as shown below:
U of Colo. Business School Computers Missing (25 & 22 September 2006)The Leeds School of Business at the University of Colorado is in the process of notifying 1,372 current and former students that their names, Social Security numbers (SSNs) and grades are held on two computers that have been missing. One of the computers has since been found. The computers were reportedly placed in storage in May during a move to temporary quarters; when the items were removed from storage in late August, two computers were unaccounted for. University police are investigating. The school has established a hotline for those who receive letters about the breach and have more questions.
Purdue Univ. Notifying Affected Students of Possible Data Breach (22 September 2006)Purdue University is notifying approximately 2,500 individuals who were students at the school in 2000 that their personal data may have been compromised. The data include names and SSNs. A security check of an administrative workstation in the University's Chemistry Department found that a file might have been accessed by a cyber intruder. Purdue has established a toll-free number for people who believe they may be affected by the breach. Analysis indicated that the intruder obtained remote access to the computer's hard drive and installed software that would allow files to be downloaded. Purdue University no longer uses SSNs as universal unique identifiers for students.
Student Financial Aid Application Data Misplaced (20 September 2006)Berry College (GA) officials have been notified that sensitive student data in both paper and digital form have been lost. Apparently a consultant misplaced the data at an airport. The data include names, SSNs and reported family income for 2,093 students and applicants who submitted a free application for Federal Student Aid to the college in 2005 and 2006. More than half of those whose data were compromised are enrolled at the school. The college is notifying those affected by the breach individually. A hotline and a webpage have been established to help those with questions about the breach.
STATISTICS, STUDIES & SURVEYS
U.S. Employees Willing To Submit To Email Monitoring (20 September 2006)In sharp contrast to workers at universities and government agencies, 100 percent of surveyed workers at U.S.-based corporations said it was appropriate for companies to scan their employees' e-mail, instant messaging and other communications systems. In universities only 31% of employees feel monitoring of communications is appropriate. In government only 11% do. The study specifically asked about sensitive data such as customers' personally identifiable information, Social Security numbers, bank account data or credit card numbers.
[Editor's Note (Northcutt): Extrusion detection technology is more advanced than ever before. Smart badges track employee location at all times. All of this is fine, but it must be specifically covered by policy that is known by employees. Though the GAO report on the subject needs to be updated, it still makes it clear that too much is undefined:
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit