SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #79
October 06, 2006
TOP OF THE NEWSAre Government Computers Riddled With BOTs?
SCADA Security Standards: Authoritative Commentary from A Utility Security Professional
Five People Face Felony Charges in HP Pretexting Case
Number of Records Breached in US Approaches 100 Million
THE REST OF THE WEEK'S NEWSARRESTS, CONVICTIONS & SENTENCES
Four Russians Sentenced to Eight Years in Prison for Cyber Extortion
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IG Laptops Have Security Problems
GAO Finds Laundry List of Security Problems with CMS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Doubles Maximum Reward in Australia
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Code for Mac OS X Flaw Released
ZERT releases patches for Microsoft SP1
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Disks at Sea-Tac Hold Airport Worker Data
Committee Recommends Reinstatement for Fired U of Ohio IT Workers
SANS: Trends to Watch in 2007
Flash Drive Technology Presents Increasing Security Risk
********** Sponsored By SANS Secure Storage & Encryption Summit *********
The SANS Secure Storage & Encryption Summit, December 6-7, is the only educational program that focuses on how to fight back against the most common threats to data. This in-depth event will feature user-to-user discussions focused on mistakes to avoid and the things that work.
Major US SANS Training Events in the Next 60 Days
New Orleans ( http://sans.org/neworleans06/ ) and
Washington, DC ( http://sans.org/cdieast06/ ) How Good Are SANS Courses. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense Programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on demand courses) without leaving your home.
TOP OF THE NEWS
Are Government Computers Riddled With BOTs?A security vendor is claiming that seven thousand government computers are infected with malicious bots used for spam, denial of service and theft of data. IT managers at some sites cited by the vendor are disputing the vendor's claims.
SCADA Security: Authoritative Commentary from a Utility Security ProfessionalBy Michael Assante, Idaho National Laboratory and previously CISO, American Electric Power Electric sector utilities and organizations have been working hard to understand and address the risks associated with critical systems. It is too easy to criticize or draw conclusions if you are an observer and not participating in the process. The NERC standards drafting team had to deal with complex challenges but their knowledge of technology, security, and utility operations were instrumental in laying a strong foundation and achieving the first step forward. The foundation they built spans the diverse range of existing technology and security by setting a starting point for all organizations interconnected to the electric system. Building upon this foundation has already begun with additional efforts to improve the security of current and future technology. One important example is the control system security procurement language project. It is a partnership among asset owners, control system vendors, researchers and government officials in multiple countries. It is attempting to contribute meaningfully to the work being done across all control system dependent industries. Many of the entities working to implement the electric sector cyber security standards have made important contributions to the procurement project. The cyber security problem is large enough that no single effort can effectively address the risk we face. As a member of the procurement project, I am challenging everyone to participate and build upon existing and important work to further enhance the security of our critical infrastructures.
[Editor's Note (Paller): A few days ago I called into question the value of the work done on the NERC cybersecurity standards. Mr. Assante is much more engaged in the electrical industry than I am; he gets the last word. ]
Five People Face Felony Charges in HP Pretexting Case (4 October 2006)Former Hewlett Packard chairwoman Patricia Dunn and four other people face felony charges for their roles in the company's pretexting debacle. One of the other four individuals is a former senior attorney at HP; the other three were outsiders hired to obtain others' phone records in an effort to discover the source of corporate information leaks. The California attorney general has charged each of the five with fraudulent wire communications, wrongful use of computer data, identity theft and conspiracy to commit the preceding three crimes.
(Please note these sites requires free registration)
[Editor's Note (Schultz): There is a huge lesson to be learned from the HP pretexting fiasco--that governance is everything. When governance at any level (but particularly at the executive management level) breaks down, so do organizations; the information security arena is by no means exempt from this rule. ]
Number of Records Breached in US Approaches 100 Million (1 October & 25 September 2006)The Privacy Rights Clearinghouse's (PRC) running tally of the number of records "involved in security breaches" is approaching 100,000,000. PRC has been keeping tabs on security breaches since shortly after the ChoicePoint incident became public in February 2005. The sheer number of records affected indicates the need to address security from beyond the perspective of passwords and encryption; organizations also need to establish rules for who has access to what information, where it is stored and when, where and why it is being moved.
*********************** Sponsored Link: *****************************
1) Maximize your Training Budget! Save 15-30% on SANS training & certification! SANS Program that pays you credits and delivers flexibility. Are you looking for a creative way to finance training?
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Four Russians Sentenced to Eight Years in Prison for Cyber Extortion (4 October 2006)Four Russian men have each been sentenced to eight years in prison for their roles in an extortion scheme that involved launching distributed denial-of-service (DDoS) attacks against online bookies and casinos in the UK. Each man has also been fined 100,000 rubles (US$3,700). The sentences are the most severe ever handed down in Russia for cyber crime. Sources indicate that a total of nine men were involved in the scheme. The group may have extorted as much as US$4 million in total in the UK alone. The group also launched similar attacks in other countries.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IG Laptops Have Security Problems (4 & 2 October 2006)Laptop computers at the Department of Homeland Security's (DHS) office of the inspector general (IG) are not adequately protecting the data they hold, according to a report from DHS assistant IG for IT, Frank Deffer. Deffer's report is based on a survey of 94 laptops deemed sensitive but unclassified and eight laptops deemed classified. The department has not effectively implemented standard laptop configuration; as a result, almost 40 percent of the computers examined in the survey had unpatched vulnerabilities. In addition, missing or stolen laptops are not routinely reported to the DHS Computer Security Incident Response Center. Most of the details about the vulnerabilities found in the study were redacted from the report, which was published in August, but only recently declassified.
[Editor's Note (Schultz): Once again it sounds as if security problems are pervasive within the DHS, but DHS is by no means the only department or agency within the US government that has these kinds of problems. One data security breach after another is inevitable until something or someone forces departments and agencies to genuinely address problems such as unsecured laptops. ]
GAO Finds Laundry List of Security Problems with CMS Communication Network (4 & 3 October 2006)A report from the US Government Accountability Office (GAO) found 47 security weaknesses in the methods used by the US Centers for Medicare and Medicaid Services (CMS) to transmit data over a wide area network (WAN) "to health care facilities, contractors, financial institutions and state Medicaid offices." The data they manage include names, Social Security numbers (SSNs) and medical information. The GAO report says "a security breach in this communication network could lead to interruptions in the processing of medical claims or to unauthorized access to personally identifiable medical data." The security problems include "user identification and authentication, user authorization, system boundary protection, cryptography and auditing and monitoring of security-related events." The GAO report does note that "CMS
had many key information security controls in place." The report also notes that "CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive computing resources and devices used to support the communication network." CMS is a component of the Department of Health and Human Services (HHS). CMS administrator Dr. Mark McClellan said in a letter that 22 of the 47 identified problems had been remedied. Fourteen others were "scheduled to be fixed within several weeks" of the letter and the last 11 had a target date of January 7, 2007. McClellan added that CMS is "taking further steps to assure that none
[of the vulnerabilities ]
result in actual security breaches."
(please note this site requires free registration)
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Doubles Maximum Reward in Australia (3 October 2006)The Business Software Alliance of Australia (BSAA) has doubled the maximum reward it offers to people turning in users of pirated business software. People who want to claim the reward of up to AUS$10,000 must agree to swear an affidavit regarding the use of the unlicensed software and be available to provide evidence in potentially lengthy legal proceedings. The reward will be paid if and only if the informant agrees to the terms, the BSA initiates court proceedings based on the information provided, and the BSA wins a judgment or out of court settlement it deems satisfactory.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Code for Mac OS X Flaw Released (3 October 2006)Exploit code for a vulnerability in the Mac OS X kernel was released just days after Apple released an update for the operating system to address that very flaw. The exploit, which could be used to gain administrator privileges on unpatched computers, appears to have been written before the update was released. The attacker would need to be a local user or have remote log on privileges for the exploit code to work. The code that was released does not carry a malicious payload.
ZERT releases patches for Microsoft SP1 (29 September 2006)On October 10, 2006 Microsoft is going to stop offering patches for SP1 class XP systems. However, the Zeroday Emergency Response Team (ZERT), a non-profit loose collection of reverse engineering experts and programmers have made patches available from their web site. ZERT:
[Editor's Note (Northcutt): This is quite controversial, and most mainstream businesses are still adamant that they will not use third party patches. However, ZERT can move faster than many vendors and has a lot of talent. At a minimum I would start discussing this issue *before* you find yourself in a situation where there is a nasty bug running around and the only folks with a patch is ZERT. The time to establish policy is before you are in crisis. Richard Bejtlich, one of the most widely followed bloggers in information security, published commentary on the issue.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Disks at Sea-Tac Hold Airport Worker Data (2 October 2006)The Port of Seattle says six computer disks are missing from the ID Badging Office at Seattle-Tacoma International Airport. The disks contain sensitive personal information scanned from paper forms; the data include names, SSNs and driver's license numbers. Those affected by the data breach will be notified by regular mail. The port was able to determine who was affected by the breach because the data were backed up. The breach affects 6,936 current and former employees at the airport.
Committee Recommends Reinstatement for Fired U of Ohio IT Workers (5 October 2006)A grievance committee has decided that two IT administrators were wrongly fired from Ohio University following disclosure of a number of network security breaches at the Athens, Ohio school. A letter from the Administrative Senate's Grievance Committee said Tom Reid and Todd Acheson were not responsible for the lapses in security that led to the breaches. Bill Sams, associate provost for information technology and CIO, fired Reid and Acheson for "nonfeasance;" the committee says that charge is "unfounded." The committee also faulted Sams for failing to address a splintered IT organization at the school, which led to the security problems. The committee has recommended Reid and Acheson be reinstated with full back pay, benefits and a public apology. Reid has remarked that reinstatement would be difficult as the university's IT structure has been reorganized so that his position no longer exists. The final decision now rests with university provost Kathy Krendl.
[Editor's Note (Honan): IT professionals have a difficult enough job trying to deal with genuine issues and vulnerabilities without having to deal with false claims no matter how "humourous" they are! ]
SANS: Trends to Watch in 2007 (3 & 2 October 2006)According to a report from SANS, laptop security, cell phone worms and VoIP fraud top the list of trends to pay heed to in 2007. As desktop computers are being replaced with more portable laptops, more data will be taken out of organizations; this is especially problematic when combined with a lack of encryption on the laptops and the possibility of the computers being lost or stolen. SANS also predicts at least 100,000 cell phones will be hit with worms next year. While in the past, cell phone malware has not been high on the list, the increasing use of cell phones for email makes them an attractive target for attackers who are looking to harvest passwords and user names. The increase in the use of VoIP also presents security concerns. Other trends on the list include federal and state legislation regarding consumer data protection and the increasing sophistication and prevalence of Network Access Control.
Flash Drive Technology Presents Increasing Security Risk (25 September 2006)The increasing popularity of USB memory sticks, also known as flash or thumb drives, has presented its own set of security concerns; people could potentially use the devices to download significant chunks of sensitive data. Now it appears the drives can be used to store and run applications; this feature could be exploited to place malware on machines or steal passwords and software product keys within seconds. These particular drives are self-activating, highlighting the need for organizations to disable Windows AutoRun.
[Editor's Note (Pescatore): People used to think CD ROMs were only ways to load software onto a PC, then common writable drives opened up a data leakage path enterprises hadn't been worrying about. USB drives have gone the other way - people think of them as storage only and have started to worry about data leakage but not malware loading.]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit