SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #3
January 11, 2008
NewsBites' editor Marcus Ranum wrote an editorial note about the Department of Energy story, "If you have a policy, and you don't enforce it, and you don't hold people accountable for violating it, then - do you have a policy?" There is wisdom in that question. The people who are pretending to do security by writing policies, but who are not carrying out the policies, are causing organizations to be vulnerable and are enabling damaging attacks. Let's join together to find the people who write important security policies but do not enforce them, and shine a light on them. Whenever you see an egregious example, email me the details at firstname.lastname@example.org and we'll investigate a bit, keeping you and your contribution entirely secret. We'll shine a light on the problem if it can be verified by including them in a special web page.
PS. If you find yourself traveling to conferences or anywhere else where you use hotel computers to connect to the Internet, you'll really want to read the first story in Top of the News - and if you feel safe because you are using your own laptop, read Stephen Northcutt's note.
TOP OF THE NEWS
Man Pleads Guilty to Data Theft from Hotel Computers
Geeks.com Notifies Customers of Possible Data Compromise
Just Five Percent of Windows PCs are Fully Patched
German Group Seeks Injunction to Bar Use of eVoting Machines
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Sys Admin Draws 30-Month Sentence for Logic Bomb
Twelve Indicted on Internet Gambling Charges
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOE IG Report Details Security Breach at Oak Ridge Lab
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code for Zero Day QuickTime Flaw
MBR Rootkit In the Wild
Critical Windows TCP/IP Handling Flaws Patched
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
List of Credit Card Numbers Discovered on Blog
STATISTICS, STUDIES & SURVEYS
Companies Use Customer Data in Development and Testing
LIST OF UPCOMING FREE SANS WEBCASTS
TOP OF THE NEWS
Man Pleads Guilty to Data Theft from Hotel Computers (January 9, 2008)
Colombian engineer Mario Alberto Simbaqueba Bonilla has pleaded guilty to charges of conspiracy, fraud, and identity theft for placing keystroke logging software on hotel business center computers and stealing personally identifiable information. Simbaqueba Bonilla stole more than US $400,000 in a three-year period by installing the software on computers at hotels in the US and in other countries. Simbaqueba Bonilla is believed to have an accomplice, Nelya Alexandra Valero, who is still at large. He could face between seven and 10 years in prison when he is sentenced in March.
[Editor's Note (Pescatore): Three problems here: (1) the computers put in business centers for public use *should* be completely locked down so no software can be used but (2) business should *not* assume that is being done, because it obviously isn't, so (3) if you are *still* allowing reusable passwords to be used for remote access, your business *is* going to be hit by password stealing, whether from business center computers, employee home PCs or employees checking email from their personal iPhones and the like.
(Skoudis): We really need to educate our employees about the risks of public kiosks and computers. They are completely unsafe. Tell employees to assume that anything they type into a public computer is accessible to everyone. Passwords for access to an enterprise or its applications should _never_ be entered into such systems.
(Northcutt): Keep in mind that another way they collect information on you in hotels is the hotel Internet Service Provider:
Geeks.com Notifies Customers of Possible Data Compromise (January 7 & 8, 2008)
Customers of the Geeks.com website are being notified that their credit card data and other personal information may have been compromised by an attacker. The website displays the "hacker safe" seal from McAfee ScanAlert, which constantly monitors sites for vulnerabilities that could place customer data at risk of exposure or theft. A ScanAlert spokesperson says the seal had been withdrawn from Geeks.com several times over the last year because the site's computer system fell out of compliance with ScanAlert requirements. Each time, the problems were addressed and the site was again permitted to display the seal. The intrusion took place on December 5, 2007; letters were sent to affected customers on Friday, January 4. The US Secret Service, Visa, and local law enforcement have been notified of the incident.
[Editor's Note (Schultz): This incident is one of many that show that using labels such as "hacker safe," "hacker proof," and the like constitutes false advertising. The Federal Trade Commission should take on organizations that engage in such advertising practices.
(Northcutt): Wow, to keep the credit card numbers on file, post TJMax, who can imagine such a thing. They may get hit twice, a class action suit and a Darwin award. The best thing to do if you keep sensitive data is full disk encryption. Here are pointers to two SANS analysis papers, one that is a sample RFP, the other a comparison of the various regulatory requirements as they relate to data protection and cryptography. If you do not already have full disk encryption, maybe it is time to start planning for it:
Just Five Percent of Windows PCs are Fully Patched (January 9, 2008)
According to statistics gathered from scans of 20,000 computers whose users had registered for a free software inspection tool from Secunia, just five percent of Windows-based computers are fully patched. More than 40 percent of the scanned machines had 11 or more unsecure applications installed.
[Editor's Note (Pescatore): It's funny how today we all seem to think that there are no more fat client applications (outside of MSFT Office, Lotus Notes and a few others) yet anytime we audit business PCs we typically see about 10 unique client apps for every 1,000 employees - and of course *waaay* more on consumer PCs. Many enterprises have vulnerability management processes that will find those apps but very few have configuration management processes that extend to keeping those non-MSFT/Oracle/IBM apps patched - mainly because they are assuming there are no fat client apps in use... The current generation of consolidated end point protection platforms have application control capabilities that can provide a good deal of shielding for this problem, but the real issue is that if your business is going to allow employees to install software (and the trend is *more* in that direction, not less) then you need to extend your patch/configuration management capabilities.]
German Group Seeks Injunction to Bar Use of eVoting Machines (January 8, 2008)
The Chaos Computer Club has filed a lawsuit against the German state of Hesse in the hopes of obtaining a temporary injunction against the use of electronic voting machines in January 27 local elections. The lawsuit maintains that the machines are "susceptible to manipulation." A group in the Netherlands lobbied to prevent the use of the same NEDAP voting machines in that country last year. A judge there ruled that the use of the machines in elections was unlawful, but the results of the election obtained with the machines were permitted to stand.
[Editor's Note (Northcutt): There are only a couple times in my treehugging life that I have opted for paper; this is one of them. Just say no to electronic only, no physical record that can be audited later, voting machines! If anyone should know better, we should. Is it theoretically possible to write reliable software? Yes? Does it make sense to bet democracy on it? No! What happens if Yung-Hsun Lin and Roger Duronio go in the voting machine business when they get out of the slammer? These days you can tell your elected official how you feel on a subject without having your fingers leave the keyboard, here are your senators:
Here are your representatives (I apologize to those that do not live in the US, but please contact your legislators):
And here are some fun facts on the subject to share:
THE REST OF THE WEEK'S NEWS
Sys Admin Draws 30-Month Sentence for Logic Bomb (January 9, 2008)
Yung-Hsun Lin has been sentenced to 30 months in prison for placing a logic bomb on the computer network of his former employer. He was also ordered to pay US $81,200 in compensation to Medco Health Systems. Lin pleaded guilty to placing the code on Medco's computer network while he worked there as a systems administrator. Lin feared that he would lose his job and designed the logic bomb to erase data on more than 70 company servers. The logic bomb failed, but if it had been successful, the damage could have been devastating to the company, erasing a drug interaction database for specific patients. The malware initially failed due to coding flaws, so Lin fixed it to deploy one year later; it was detected before the new detonation date.
[Editor's Note (Skoudis): Thank goodness for the fact that the quality of malware is no better than the quality of the enterprise software we use. Unfortunately, as malware writers improve their quality, things will get even worse.
(Northcutt): This kind of thing does happen and should be part of your risk management program as a threat or method of attack and your defense in depth architecture should factor this in as an attack vector. The most famous case I know of is Roger Duronio whose successful logic bomb took out about 1,000 UBS PaineWebber servers. He was apparently angry over the size of his bonus and not only installed the bomb, but set a put option on their stock betting their stock would go down after the event. PaineWebber spent about $3 million on the cleanup. Duronio got about eight years in prison. One thing both bombs have in common, they were designed to erase themselves after they fired.
Twelve Indicted on Internet Gambling Charges (January 8, 2008)
The US government has indicted 12 people in connection with a Costa Rica-based Internet gambling operation used by US bookmakers. The gambling site's operator was not responsible for paying the winners; US bookies would pay Costa Rican wireroom operator Carmen "Buddy" Cicalese through couriers with debit cards and electronic funds transfers. US law prohibits citizens from using the Internet to place wagers except in the cases of state-sanctioned horseracing and lottery websites.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOE IG Report Details Security Breach at Oak Ridge Lab (January 8, 2008)
A report from the US Energy Department's (DOE) inspector general (IG) makes recommendations for bolstering security at Oak Ridge National Laboratory following an investigation into allegations that "unauthorized portable electronic devices were" brought into a Y-12 limited area without following proper protocols. Y-12 areas use physical security to limit access to classified material. The report also found that the breach was not properly reported. The report recommended the Oak Ridge Office Manager hold accountable those responsible for the breach and provide all employees with security protocol training.
[Editor's Note (Ranum): If you have a policy, and you don't enforce it, and you don't hold people accountable for violating it, then - do you have a policy? ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code for Zero Day QuickTime Flaw (January 10, 2008)
A proof-of-concept exploit for an unpatched QuickTime vulnerability has been posted to the Internet. The buffer overflow flaw could be exploited to allow attackers to execute remote code on vulnerable systems. The flaw affects QuickTime on both Mac OS X and on Windows. Apple was not notified of the flaw prior to the exploit's publication.
[Editor's Note (Skoudis): Perhaps we should just write a NewsBites template for QuickTime and RealPlayer flaws. There seems to be one every week. Enterprises must strive to keep those applications patched very regularly. ]
MBR Rootkit In the Wild (January 9 & 10, 2008)
The Master Boot Record (MBR) rootkit modifies the Master Boot Record of computers it infects so that the program runs before Windows boots up. Attackers are now actively using the MBR rootkit; until late last month, it was just a proof-of-concept. The rootkit gets onto computers through one of several known flaws in: Microsoft JVM ByteVerify; Microsoft MDAC; Microsoft Internet Explorer Vector Markup Language; or Microsoft XML CoreServices. Microsoft has released fixes for all the flaws. Vulnerable computers become infected when they visit infected websites. Users who have been diligent about patching their computers should be protected from MBR rootkit infections. Most anti-virus programs are unable to detect the MBR rootkit.
[Editor's Note (Skoudis): Everything that was old is new again. Master Boot Record viruses were a plague over a decade ago, when we relied heavily on floppy disks. But, here we go again. This sounds similar to the work on the Vista bootkit (Vbootkit) by Kumar and Kumar in 2007 and the Bootroot tool by eEye before then. It sounds like the bad guys took good notes in applying the concepts.
(Cole): This is a perfect example of those that do not learn from the past are forced to repeat it. Everyone likes to focus on cutting edge attacks but MBR's originated in the 80's with floppy disks as the primary way to spread viruses and it was only a matter of time until they resurfaced. Rule of thumb is any external media that is put into a computer, needs to be scanned or not allowed with desktop lockdown. ]
Critical Windows TCP/IP Handling Flaws Patched (January 8, 2008)
On Tuesday, January 8, Microsoft issued two security bulletins. The first addresses two remote code execution flaws that affect Windows Vista, XP, 2003 Server and 2000. The flaws lie in the way the operating system processed the Transmission Control Protocol/Internet Protocol (TCP/IP); the bulletin is rated critical. The second bulletin, which is rated important, addresses a flaw in the Windows Local Security Authority Subsystem Service (LSASS) that could be exploited to allow attackers to run arbitrary code with elevated privileges.
[Editor's Note (Skoudis): Microsoft has started the year off with a bang. Both of these are really significant. Remote code execution in the TCP/IP stack (MS08-001) is very scary, but don't discount the usefulness of the local privilege escalation attack against LSASS (MS08-002). Expedite the testing and installation of both of these, not just the first. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
List of Credit Card Numbers Discovered on Blog (January 9, 2008)
An investigative news team from KOAA, a television station serving the Colorado Springs/Pueblo Area, discovered a blog containing credit card information and other personal data for hundreds of individuals, including some in the Colorado Springs Area. Authorities have been contacted, and Google took down the offending site within half-an-hour of learning of the situation. The station also contacted some of the local people whose information was on the list. One cancelled his card after learning of the compromise; another said her credit card company called her to check on suspicious charges and cancelled the card when they learned it had been used fraudulently.
[Editor's Note (Pescatore): Many security managers are seeing increased business pressure to allow employees to access blogs, social networking sites like Facebook/Myspace and the like and loads of other sites and services like Google Apps that are by no means industrial-strength - but are seen to be of business value. If you have to allow access to those sites and services (and you will sooner or later) you have to show how services like content monitoring and filtering/data leak prevention and brand monitoring services have to be funded to minimize the risk - to prevent business data from showing up on those sites or at least quickly finding and removing it.
(Cole): Credit card exposure will continue to be a big problem. Two rules to remember when protecting your credit card. It is better to have several cards with lower limits than one card with a huge limit. Also having different cards that you use for different purposes, makes it easier to identify where the fraud came from. Also, for cards used on the Internet, expire the card every 6-9 months, since many times when cards are stolen they are not used right away. ]
STATISTICS, STUDIES & SURVEYS
Companies Use Customer Data in Development and Testing (January 10, 2008)
A study commissioned by Compuware and conducted by the Ponemon Institute found that more than 75 percent of German companies use customer data in software development or application testing. In the US, 69 percent of companies use customer data in testing, followed by the UK (58 percent) and France (43 percent). Companies presume that because the data are not being used in a live scenario, there is no risk of exposure. Customer data used in the testing process can include names, credit card numbers, Social Security numbers (SSNs) and other sensitive information. Sixty percent of companies that outsource application testing share sensitive data with those contractors. A large number of companies do not have clearly established policies about who is responsible for test data security. The statistics are based on responses from 2.368 IT professionals in Germany, the US, the UK, and France.
[Editor's Note (Pescatore): There are plenty of data obfuscation products out there to create safe test databases out of live customer databases. The data safety side of secure development life cycles definitely needs to be emphasized. This is one area where the federal government and FISMA have pushed requirements out to government contractors to protect such data.
(Skoudis): I'm surprised the number is so low. When we perform assessments, the vast majority of the companies we work with tell us that they use customer data in test environments, even greater than the 75% of this survey.
(Schultz): Using customer data in development and testing shows blatant disregard for the welfare of customers. The fact that security considerations appear to be largely overlooked only compounds the problem.
(Honan): The high percentage of European companies using information in this way is disconcerting as these companies could be in breach of the European Data Protection legislation as personal data belonging to customers can only be used for the purposes the customer agreed to when submitting their details.
(Shpantzer): This problem also extends to researchers who use live medical and social welfare data. Here's one recent example we reported on in Newsbites, there are many, many more.
LIST OF UPCOMING FREE SANS WEBCASTS
Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Tool Talk Webcast: NAC - After the Honeymoon
WHEN: Tuesday, January 15, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alok Agrawal, Jimmy Ray Purser, and Robb Boyd
Sponsored By: Cisco Systems
It's fair to say that NAC, or Network Admission Control, has certainly enjoyed its day in the sun. Despite being a very real technology solving very real problems, NAC has now moved out of the spotlight of center stage and is firmly entrenched as a set of technologies that every enterprise has some kind of an opinion on. Whether you have deployed some type of NAC solution today, have plans for it in the future or perhaps are truly wondering what the heck we are talking about, this conversation is for you. The problems can be pretty easy to understand but the devil is in the details - we promise to sort through the details in this interactive conversation. Please join Robb Boyd from Cisco's TechWiseTV as he welcomes his panel of experts, Jimmy Ray Purser, Chief Geek for Cisco's TechWiseTV and Alok Agrawal, Manager of Technical Marketing from Cisco's NAC Business Unit.
SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
Sponsored By: eIQnetworks
In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
Sponsored By: Core Security
Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.
SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
Sponsored By: Lumigent Technologies
On Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations. We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
Be sure to check out the following FREE SANS archived webcasts:
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
Sponsored By: Cezic
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/