SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #8
January 27, 2006
TOP OF THE NEWS
ChoicePoint Settlement Imposes US$15 Million Fine
UK Considering Updating Cyber Crime Laws
Gartner Says Oracle is "No Longer ... a Bastion of Security"
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NSA Offers Guidance for Safely Redacting Word Documents for Public Release
SPYWARE, SPAM & PHISHING
Anti-Spyware Group Aims to Draw Attention to Culprits
Microsoft and Washington AG File Lawsuits Under State's Computer Spyware Act
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Users Urged to Apply Patch
Researcher Releases Critical Oracle Flaw Details
Buffer Overflow Flaw in CA's iTechnology iGateway Service
ATTACKS & INTRUSIONS & DATA THEFT
Ameriprise Notifies Customers Affected by Computer Theft
Providence Home Services Informs Patients Affected by Disk and Tape Theft
University of Delaware Alerts Students to Data Intrusion and Hardware Theft
University of Notre Dame Investigating Data Security Breach
Google to Introduce Censored Search Engine for China
********************** Sponsored by SANS Webcasts ***********************
Free SANS Webcasts next week on Tuesday and Wednesday!
What Works in Intrusion Prevention: "Eliminating Virus Outbreaks with Sara Lee", Tuesday, January 31 at 1:00 PM EST (1800 UTC/GMT): http://www.sans.org/info.php?id=1001
"Spyware", Wednesday, February 01 at 1:00 PM EST (1800 UTC/GMT): http://www.sans.org/info.php?id=1000
Security Training Opportunities in the Next Four Weeks
SANS 2006 in Orlando (Feb 24 - March 4): 36 tracks of extraordinary training, the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program. Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa. Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org
TOP OF THE NEWS
ChoicePoint Settlement Imposes US$15 Million Fine (26 January 2006)
The Federal Trade Commission (FTC) has unanimously approved a settlement under which ChoicePoint, the identity verification service, must pay US$15 million, the largest civil penalty in US history. US$10 million is an FTC fine; the additional US$5 million is designated for consumer compensation. Under the terms of the settlement, ChoicePoint must also undergo independent security audits every two years until 2026. The FTC charged that ChoicePoint's "security processes and data handling violated privacy rights and federal laws." The settlement also requires that ChoicePoint create "a comprehensive security program, and implement new procedures to ensure that only legitimate businesses obtain consumer reports." According to the FTC charges, ChoicePoint sold data to customers who lied about their credentials. The US Securities and Exchange Commission (SEC) is looking into share trades made by ChoicePoint CEO Derek V. Smith and COO Doug Curling, both of whom allegedly made considerable profits in the months after they learned of the security breach but before it became public.
[Editor's Note (Pescatore): ChoicePoint had already publicly admitted (in SEC filings) $11.4M of costs directly related to their failing to protect customer data. Add in the $25M fine, and they have publicly announced direct costs of about $250 per account compromised. That doesn't even include the $350M drop in their market value or the indirect costs of reputation loss and loss of productivity during cleanup, etc. The market and existing legislation punished them nicely, and the bottom line is it would have saved them many millions of dollars if they had protected customer data (by better checking of credentials before allowing access) in the first place.
(Schmidt): Former FTC Commissioner Orson Swindle III said on a number of occasions that IF companies did not do what was right for consumers with security and privacy, there WILL be an FTC in their future. This event may cause many other companies to take notice, as it is clear that the FTC can and will take action.
(Schultz): The fact that this is the largest civil penalty in the US, and also that it is because of a security breach, is extremely significant. This settlement will serve as a potent wake-up call to senior management that neglecting security can and does result in dire outcomes. ]
UK Considering Updating Cyber Crime Laws (26/25 January 2006)
The UK Home Office has introduced legislation that would increase penalties for those convicted of cyber crimes. The fifth section of the proposed Police and Justice Bill would revise the Computer Misuse Act and provide for a maximum prison sentence of 10 years "for individuals maliciously impairing the operation of a computer or hindering or preventing the access to programs or data." The present maximum penalty for breaking into a system is five years in prison. It appears the bill would cover denial-of-service attacks, which are not currently addressed under the CMA.
Gartner Says Oracle is "No Longer ... a Bastion of Security" (24 January 2006)
Gartner has published an advisory on its web site warning administrators that they need to be "more aggressive" in securing Oracle applications because the company is not providing its customers with adequate help. Gartner analyst Rich Mogull wrote that "Oracle can no longer be considered a bastion of security" and that "the range and seriousness of the vulnerabilities patched in this update cause us great concern." Gartner is also critical of Oracle for providing less information about fixes than the industry standard, for releasing faulty or difficult-to-use patches, and for not providing workarounds for vulnerabilities. Gartner recommends that administrators protect their systems with firewalls and intrusion prevention systems and use security monitoring tools. In addition, patching is sometimes not possible because legacy versions are unsupported.
************************ Sponsored Links: *******************************
1) Get a Free Online Demo Now! SANS On Demand - Online Security Training and Assessments http://www.sans.org/info.php?id=1002
2) Looking for a solution? SANS WhatWorks case studies and webcasts showcase real user interviews that illustrate effective internet security technologies. http://www.sans.org/info.php?id=1003
3) Security 503, Intrusion Detection in Depth, taught by Dr. Johannes Ullrich, the Chief Research Officer of SANS and the Director of the Internet Storm Center. This SANS@HOME course starts next Thursday, February 2. Visit http://www.sans.org/info.php?id=1004
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NSA Offers Guidance for Safely Redacting Word Documents for Public Release (25 January 2006)
The National Security Agency (NSA) has released a report offering advice to government agencies on how to safely remove sensitive information from Word documents and Adobe PDF files before releasing them for public consumption. The report says it is important to remove the data from the document, not just to cover it up or make it illegible. The three most common editing errors are covering text with black rectangles, rendering images illegible by making them very small or by covering them, and ignoring metadata (hidden data, including revision histories, embedded in files). The report provides step-by-step instructions for stripping confidential data from Word documents and converting them to Adobe PDF files.
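The metadata error the report singles out can be checked mechanically before a file goes out. The script below is an added example, not the NSA's tooling or anything from the report: it generalises the Word case to the OOXML (.docx) container, which is a zip archive of XML parts, and flags the residue a visual redaction leaves behind: author and revision metadata in docProps/core.xml, tracked insertions and deletions, comments, and runs formatted as hidden text. The sample document and the names in it are constructed in memory so the script runs offline.

```python
"""Audit a .docx package for residue that visual redaction leaves behind.

Constructed example: the sample document is built in memory; nothing here is
the NSA's own tooling.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside an OOXML word-processing package.
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Core properties that identify people or expose revision history.
IDENTIFYING_PROPS = [
    ("dc:creator", "author"),
    ("cp:lastModifiedBy", "last editor"),
    ("cp:revision", "revision count"),
]


def audit_docx(data: bytes) -> dict:
    """Report hidden content in a .docx given as bytes.

    Returns a dict with 'metadata' (label -> value), 'tracked_changes'
    (count of w:ins + w:del), 'comments' (count of w:comment) and
    'hidden_runs' (count of runs formatted with w:vanish, i.e. hidden text).
    """
    report = {"metadata": {}, "tracked_changes": 0, "comments": 0, "hidden_runs": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag, label in IDENTIFYING_PROPS:
                el = core.find(tag, NS)
                if el is not None and el.text:
                    report["metadata"][label] = el.text
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            report["tracked_changes"] = (len(doc.findall(".//w:ins", NS))
                                         + len(doc.findall(".//w:del", NS)))
            report["hidden_runs"] = len(doc.findall(".//w:rPr/w:vanish", NS))
        if "word/comments.xml" in names:
            comments = ET.fromstring(zf.read("word/comments.xml"))
            report["comments"] = len(comments.findall("w:comment", NS))
    return report


def is_release_safe(report: dict) -> bool:
    """Release only when no identifying metadata or hidden content remains."""
    return (not report["metadata"] and report["tracked_changes"] == 0
            and report["comments"] == 0 and report["hidden_runs"] == 0)


def build_sample_docx(with_residue: bool = True) -> bytes:
    """Constructed minimal .docx (not a real document). With with_residue=True it
    carries author metadata, a tracked insertion and deletion, a comment and a
    hidden run; with False it is the same visible text after proper sanitisation."""
    w = NS["w"]
    props = ""
    extra_body = ""
    parts = {}
    if with_residue:
        props = ("<dc:creator>constructed.author</dc:creator>"
                 "<cp:lastModifiedBy>constructed.editor</cp:lastModifiedBy>"
                 "<cp:revision>7</cp:revision>")
        extra_body = (
            '<w:p><w:ins w:id="1" w:author="constructed.editor"><w:r><w:t>Inserted</w:t></w:r></w:ins>'
            '<w:del w:id="2" w:author="constructed.editor"><w:r><w:delText>Removed name</w:delText></w:r></w:del></w:p>'
            '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Hidden text</w:t></w:r></w:p>')
        parts["word/comments.xml"] = (
            f'<w:comments xmlns:w="{w}"><w:comment w:id="0" w:author="constructed.editor">'
            '<w:p><w:r><w:t>Internal only</w:t></w:r></w:p></w:comment></w:comments>')
    parts["docProps/core.xml"] = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f'{props}</cp:coreProperties>')
    parts["word/document.xml"] = (
        f'<w:document xmlns:w="{w}"><w:body>'
        '<w:p><w:r><w:t>Public paragraph.</w:t></w:r></w:p>'
        f'{extra_body}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        rep = audit_docx(build_sample_docx(with_residue=flag))
        print(rep, "-> release safe:", is_release_safe(rep))
```

The check deliberately treats any tracked change or comment as a release blocker rather than trying to decide whether its content is sensitive: the report's point is that such data must be removed, not judged and covered up. Converting to PDF does not remove residue the Word file still carries, so the audit belongs before conversion.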
[Editor's Note (Schultz): NSA's release of this guideline is very timely and helpful. Confidentiality breaches due to hidden information in Word and Adobe documents have occurred frequently in the past; owners and operators of Web sites have often not been aware of methods that can be used to edit these documents to remove such information. ]
SPYWARE, SPAM & PHISHING
Anti-Spyware Group Aims to Draw Attention to Culprits (26/25 January 2006)
A newly formed group of technology companies, academics and consumer groups has come together under the name StopBadware.org; its mission is to "shine a light on shady spyware and adware" and draw attention to the companies that spread them. StopBadware.org will act as a clearinghouse for information about badware, which it defines as "the broad range of malicious software that is sneaking onto people's computers, including spyware and deceptive adware." The group also plans to develop standards and tests to help clarify the definition of badware. Sponsors include Google, Sun Microsystems and Lenovo. The group's organizers are the Berkman Center for Internet & Society at Harvard Law School, Oxford University's Oxford Internet Institute and Consumer Reports WebWatch. The web site will keep a list of programs that contain badware.
[Editor's Note (Pescatore): I doubt that many people will search out sites that list purveyors of "badware" and I doubt that most of the purveyors will care, but it is a good idea to try to shame the legitimate companies out there out of using spyware techniques.]
Microsoft and Washington AG File Lawsuits Under State's Computer Spyware Act (25 January 2006)
Microsoft and Washington state Attorney General Rob McKenna have each filed a lawsuit against Secure Computer, charging that the company violated several laws, including Washington's Computer Spyware Act, which provides for fines of up to US$100,000 per violation. Secure Computer allegedly engaged in deceptive activity by implying its products were endorsed by Microsoft. The company also allegedly used a pop-up feature that untruthfully told people their computers were infected with spyware. The people were then encouraged to purchase the company's Spyware Cleaner for US$49.95 to get the purported malware off their computers. McKenna alleges that the product not only does not remove spyware from computers, but actually changes computers' settings so that they are more vulnerable to certain types of malware.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Users Urged to Apply Patch (25 January 2006)
Oracle customers are urged to apply patch DB18, issued last week in the company's quarterly security update. The vulnerability exists in Oracle versions 8, 9 and 10 and could be exploited to bypass database authentication and gain administrative privileges simply by sending a SQL command to the database while logging in. There is some concern that Oracle users may not be aware how serious the flaw is; Oracle has met with criticism for not providing much information regarding the flaws it patches.
Researcher Releases Critical Oracle Flaw Details (25 January 2006)
Security researcher David Litchfield has released details about a critical vulnerability in Oracle software that could allow attackers to gain control of a backend Oracle database. Litchfield also criticized Oracle for not cooperating with the security community and for "taking too long to fix software issues that threaten its customers." Litchfield maintains Oracle should have fixed the flaw in its most recent security update but did not. Oracle criticized Litchfield for making details of the vulnerability public before a fix was available. Litchfield notified Oracle about the flaw in October.
Buffer Overflow Flaw in CA's iTechnology iGateway Service (23 January 2006)
Computer Associates has released an advisory warning of a buffer overflow flaw in its iTechnology iGateway service. Due to improper handling of negative HTTP Content-Length values, attackers could execute arbitrary code. The flaw can be exploited remotely.
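The root cause named in the advisory, a negative Content-Length, is worth seeing as code. The Python below is an added example, not CA's code and not a reproduction of the iGateway flaw: a lenient parser that trusts int() (the analogue of atoi() in C) lets "-1" through, a 32-bit unsigned view shows what such a value becomes when it reaches a length parameter of an unsigned type, and a strict parser implementing the header grammar (one or more ASCII digits, nothing else) with an upper bound rejects it, along with duplicate Content-Length headers that disagree. MAX_BODY_BYTES and the sample header blocks are assumptions constructed for this example.

```python
"""Strict versus lenient Content-Length parsing (constructed example)."""
import re

# Content-Length = 1*DIGIT: no sign, no whitespace, no underscores, no hex.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")

# Largest body this server is willing to buffer; an assumed limit for the example.
MAX_BODY_BYTES = 16 * 1024 * 1024


def parse_content_length_lenient(value: str) -> int:
    """The weak pattern: trust the language's integer conversion.

    int() accepts '-1', '+5' and even '1_0', just as atoi() in C accepts a
    leading sign, so a negative length reaches the caller unchallenged.
    """
    return int(value)


def as_uint32(n: int) -> int:
    """Model what a signed value becomes once passed to a 32-bit unsigned
    length parameter (the conversion behind a memcpy with a negative length)."""
    return n & 0xFFFFFFFF


def parse_content_length_strict(value: str):
    """Return a non-negative, bounded int, or None if the field value is
    anything other than a plain decimal digit string within the limit."""
    if not _CONTENT_LENGTH_RE.match(value):
        return None
    length = int(value)
    if length > MAX_BODY_BYTES:
        return None
    return length


def content_length_from_headers(raw: bytes):
    """Extract Content-Length from a raw CRLF-delimited header block.

    Returns the validated length, 0 when no Content-Length header is present,
    or None when the header is malformed or repeated with conflicting values
    (a request with conflicting lengths must be rejected, not guessed at).
    """
    found = None
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"content-length":
            continue
        # Optional whitespace around the field value is allowed; strip it before
        # the strict token check so only the token itself is validated.
        parsed = parse_content_length_strict(value.strip().decode("ascii", "replace"))
        if parsed is None or (found is not None and parsed != found):
            return None
        found = parsed
    return 0 if found is None else found


if __name__ == "__main__":
    bad = parse_content_length_lenient("-1")
    print("lenient parse of '-1':", bad, "-> as uint32:", as_uint32(bad))
    print("strict parse of '-1':", parse_content_length_strict("-1"))
    # Constructed request header block; example.test is a reserved name.
    hdrs = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: -1\r\n\r\n"
    print("header block with negative length:", content_length_from_headers(hdrs))
```

The strict path fails closed: anything the grammar does not allow yields None, and the caller is expected to answer with a 400 rather than fall back to a default. The lenient function is kept only to show the value that a sign-accepting conversion hands to the rest of the server.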
ATTACKS & INTRUSIONS & DATA THEFT
Ameriprise Notifies Customers Affected by Computer Theft (26 January 2006)
Ameriprise Financial Inc. has sent letters to 158,000 customers informing them that their personal account data were held on a laptop stolen from an employee's car. The customer data do not include customer Social Security numbers (SSNs), but the computer also held a file that contained the names and SSNs of 68,000 current and former financial advisers.
[Editor's Note (Pescatore): If there was a legitimate business reason for those records to be on a laptop, why wasn't the laptop's disk encrypted?
(Kreitner): Would this kind of thing happen if organizations implemented a policy requiring that any personal data stored on a laptop be encrypted--with termination as consequence for violating the policy? Tighter management would solve lots of security problems. ]
Providence Home Services Informs Patients Affected by Disk and Tape Theft (25 January 2006)
Providence Home Services is informing current and former patients that their medical data were compromised when disks and tapes were stolen from the car of a Providence Home Services employee. The theft was reported on December 31, 2005. The majority of the 265,000 patients affected by the theft live in Oregon and in Washington state. There is no evidence that the stolen information has been used for identity fraud. Some current and former employees are also affected. "The duplicate data sources were taken home nightly by a designated employee as part of a backup process intended to guarantee access to critical information in case of an emergency at primary offices." Providence is providing a hot line to answer questions for those whose data were compromised.
[Editor's Note (Pescatore): Not really a well thought out backup plan, having employees take backup tapes *home* at night and leave them in their cars. Cheaper than an actual plan, I suppose - until you get caught. ]
University of Delaware Alerts Students to Data Intrusion and Hardware Theft (25 January 2006)
The University of Delaware recently experienced two data security breaches. First, someone broke into a machine at the University of Delaware's School of Urban Affairs and Public Policy; 159 graduate students whose SSNs were on that computer have been notified. Second, someone stole a backup hard drive from the University's Department of Entomology and Wildlife Ecology; people whose personal data were on the hard drive have been notified of the theft.
University of Notre Dame Investigating Data Security Breach (24/23 January 2006)
The University of Notre Dame is investigating a computer intrusion of a remote server that contains confidential data belonging to school donors. The attack was discovered on January 13, 2006. The school has notified people whose data were compromised. The server was not connected to university central databases; it has been taken offline and is being examined by forensics experts.
Google to Introduce Censored Search Engine for China (25 January 2006)
Google plans to release Google.cn in China, a version of its search engine that filters content that the country's government would find objectionable. Google officials say the choice to censor content was a difficult one, yet one that best serves the interests of its customers in China. Google says users will be informed when their search results have been censored. Google will not offer email, blogging or chat room services in China, to avoid the possibility that the government could demand customers' personal data.
[Editor's Note (Schultz): Google's decision to censor its search engine in China is likely to help further set a precedent in which search engine providers and even ISPs will be virtually forced to modify the services they offer in each country on the basis of demands and constraints within each particular country. ]
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit