SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #96
December 05, 2006
Tomorrow, December 6, is the deadline for saving money on SANS Bootcamp January 13-19 in Orlando. Fifteen full-week immersion security and audit training programs and eight one-day bonus classes all at the Walt Disney Swan hotel. (The average high temp in January is 72 degrees.)
More information: http://www.sans.org/bootcamp07/
TOP OF THE NEWSMan Indicted for Government Computer Intrusions
Court Weakens CAN-SPAM
Government Report Says China is Taking Offensive Cyber Warfare Stance
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
Washington State Settles Spyware Case for $1 Million
New Electronic Records Rules In Force DEC 1, 2006
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaws in Adobe Acrobat and Adobe Reader
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Winny Virus Leaks Military Documents
Stolen Computers Hold PA Driver's License Data
TransUnion Credit Bureau Data Compromised
NIST Draft Report Addresses eVoting Problems
******** Sponsored By Check Point Software Technologies, Inc. **********
Download FREE white paper and learn how Check Point Unified Threat Management solutions simplify security deployment by combining security functions above and beyond traditional UTMs. These solutions eliminate the need for many standalone security solutions, and provide centralized, real-time control and security updates from a single management console.
TOP OF THE NEWS
Man Indicted for Government Computer Intrusions (3 December 2006)A federal grand jury has indicted Victor Faur for breaking into more than 150 government computers including systems at NASA's Jet Propulsion Laboratory and Goddard Space Flight Center, the Energy Department and the US Naval Observatory. The indictment charges that Faur, who is from Romania, heads a group whose focus was breaking into US government computers; it alleges that he and his accomplices hosted chat rooms on the computers they compromised and searched those computers for passwords to other systems. According to the US Attorney's Office, losses due to the intrusions at NASA totaled at least US$1.4 million. Faur could spend up to 54 years in prison if he is convicted of all counts.
[Editor's Note (Skoudis): The USA Today article mentions that the attackers'... "Main goal was to break into U.S. government computers because they are some of the securest in the world." I found that quote to be interesting, and, in a lot of cases, sadly untrue. From a technical perspective, look for chat traffic (such as the very common IRC, most often used on TCP port 6667) originating from systems that have no business need for such traffic, such as most servers in an organization.]
Court Weakens CAN-SPAM (29 November 2006)The 4th Circuit Court of Appeals said that while email from Omega World Travel and its subsidiary Cruise.com did have false Internet addresses and non-working "From" addresses, the senders did not violate the federal CAN-SPAM Act. Omega World Travel and Cruise.com sued Mark Mumma, owner of Oklahoma-based MummaGraphics, for defamation after he posted negative comments about the company on his web site and threatened to sue them for spam violations. Mumma filed counterclaims against Omega and Cruise.com. The court's opinion states that "the CAN-SPAM Act preempts MummaGraphics' claims under Oklahoma state laws."
[Editor's Note (Liston): Anti-spam activists have been saying for a long time that CAN-SPAM *protects* spammers rather than consumers, by creating a minimal standard that unsolicited emails need to meet in order to not be considered "spam". The 4th Circuit certainly has bolstered that opinion.
(Schultz): There is no question but that this rule potentially takes a lot of wind out of the CAN-SPAM Act's sails. The ruling seems irrational--I find it a difficult to believe that the 4th Circuit of Appeals could decide that an entity that was falsifying Internet addresses in bulk email that it sent did not violate this Act. ]
Government Report Says China is Taking Offensive Cyber Warfare Stance (1 December 2006)The US-China Economic and Security Review Commission's annual report, issued in mid-November, says that China "is actively improving its non-traditional military capabilities" and that the country's cyber warfare posture has shifted from defensive to offensive. The Commission's report recommends enhancing security of government computer systems through examination of the procurement process.
[Editor's Note (Northcutt): This isn't news exactly, the Chinese have published their intent from at least 1996, but this certainly supports the data that we are seeing from network attacks. Consider this quote from the OSD's annual report to congress titled: Military Power of the People's Republic of China 2006 "During a military contingency, information warfare units could support active PLA forces by conducting "hacker attacks" and network intrusions, or other forms of "cyber" warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks.
The threat to financial systems from Al Qaeda is probably a 1 on a 1 to 10 scale, but the threat from China if they choose to aggressively target financial systems, is probably in the 3 - 5 range and growing. ]
************************* Sponsored Links: ****************************
1) "Top 10 Questions You Must Ask Before Purchasing a SIM Solution"-a must-read for SIM shoppers.
2) Make your organization an unwanted target for phishers. FREE report shows you how.
THE REST OF THE WEEK'S NEWS
Washington State Settles Spyware Case for $1 Million (04 December 2006)Secure Computer, a company that offered free spyware scans but *always* discovered problems that needed cleaning, agreed to pay $200,000 in civil penalties, $75,000 in restitution for consumers, and $725,000 in state attorneys' fees and costs. There was no admission or finding of wrongdoing under the agreement.
New Electronic Records Rules In Force DEC 1, 2006 (1 December 2006)Make sure your legal department is aware of the new records rules for electronic records for discovery that came into force the first of December. In particular, system administrators could end up in harm's way if they delete evidence even if the deletion follows routine practice such as reusing backup tapes.
[Editor's Note (Northcutt): This is really important, though dry, reading. An enterprise approach to records management is critical. In the case of Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Morgan Stanley's inability to produce the electronic records in the case certainly contributed to losing the suit and having to pay $600 million in compensatory and $850 million in punitive damages. So here are some informative, though not easy reading links to share with your legal department:
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaws in Adobe Acrobat and Adobe Reader (1 December 2006)Security flaws in Adobe Acrobat and Adobe Reader could be exploited to crash the applications and allow attackers to take control of vulnerable machines when PDFs are opened in Internet Explorer. The flaws do not affect other browsers. The holes exist in Acrobat Standard and Professional versions 7.0.0 through 7.0.8 and Adobe Reader 7.0.0 through 7.0.8. Adobe is currently developing a patch.
[Editor's Note (Skoudis): Here are more client-side flaws, clearly one of the most-used vectors for compromise today. Also, Acrobat seems to have a very large number of such issues. It seems that nearly every time I run it, it asks to patch itself.
(Liston): Remember back in the good old days when we only used to worry about executable code coming in to our networks? Remember saying "that's not a problem... it's only data..."?
(Kreitner): It's time the application vendors get more heat about the security weaknesses in their products. They have been gettng a free ride for too long while the pressure has been on operating system level security. The focus should be on the whole O/S, middleware, and application software stack, because that's where security for end users is ultimately adequate or not. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Winny Virus Leaks Military Documents (1 December 2006)A virus affecting the file-sharing program Winny is apparently responsible for the leak of military information onto the Internet. Police seized a Japanese Air Self-Defense Forces second lieutenant's computer, which is believed to be the source of the leak. The exposed documents include descriptions of "supplies airlifted from US army bases in Iraq, Kuwait and other countries." The data are not considered to be classified.
[Editor's Note (Weatherford): They seem to have minimized this one little tidbit of information but...why was this information on a "privately owned computer?" If they've already punished 47 other people for the same offense, perhaps it's time to step back and do a little training on what is and isn't authorized. ]
Stolen Computers Hold PA Driver's License Data (30 November 2006)State officials in Pennsylvania acknowledged that two computers stolen from a driver's license office hold personally identifiable information of 11,384 individuals. The thieves also made away with a camera, a printer and card stock and laminate to manufacture as many as 750 phony licenses. The compromised data include names, addresses, birth dates, driver's license numbers and some Social Security numbers (SSNs). The State plans to notify affected license holders by mail.
TransUnion Credit Bureau Data Compromised (30 November 2006)Someone managed to get login information for the TransUnion Credit Bureau and steal personally identifiable credit information, including SSNs, of more than 1,700 individuals. TransUnion is notifying the people whose information was stolen.
[Editor's Note (Weatherford): This is scary for a couple reasons and TransUnion being one of the big 3 credit reporting bureaus isn't one of them. First, how did one set of login credentials allow someone to get the entire credit histories and social security numbers of hundreds of people. Two, if the login information came from a courthouse in Kingman Arizona, was the account being used for "official" purposes or was it simply an employee account. Something fishy here... ]
NIST Draft Report Addresses eVoting Problems (1 December 2006)A draft report from the National Institute of Standards and Technology (NIST) says paperless electronic voting machines "cannot be made secure." The report recommends the use of optical scan ballots, which offer the benefits of being read by computers while allowing voters to review their selections and providing election officials with a physical document if a recount is needed. The NIST report was "prepared ... at the request of the Technical Guidelines Development Committee, ... an advisory group to the Election Assistance Commission." If the guidelines are adopted by the EAC, they will be voluntary, "but most states require ... voting systems that meet national or federal criteria."
[Editor's Note (Schultz): I wholeheartedly agree with the premise of NIST's draft report. Many states within the US rushed into electronic voting without obtaining any kind of understanding of the risks involved; security-related risks are clearly among the worst of these risks. I'd urge interested readers to read Dr. Avi Rubin's book, _Brave New Ballot_, on this subject. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit