SANS NewsBites Vol. 8 Num. 30

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Apr 14 2006 - 16:35:14 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wednesday (April 19) is the last day for early registration discounts
for SANS Security in San Diego (May 11-16). San Diego is a unique
opportunity for immersion training in security and advanced audit
techniques: you get the same great SANS teachers as in the big national
conferences, with smaller classes. Plus it's right on the Bay.

*************************************************************************
SANS NewsBites April 14, 2006 Vol. 8, Num. 30
*************************************************************************

TOP OF THE NEWS
  Congressional Committee Chairman Says He Is Interested in Exploring
     FISMA Revisions
  Stolen US Military Computer Hardware Sold at Afghan Bazaar
  Air Force Base Web Site Contains Sensitive Air Force One Details

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Alleged Online Bank Thief Extradited to Spain
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
    Border Security Computer System Failure May Have Been Due to Failure
       to Patch for Zotob in Timely Fashion
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    University Researchers Prove DoS Attacks Against RFID Tags are Possible
    Microsoft's April Security Bulletins
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Security Breach at NJ Medical and Dental School
  MISCELLANEOUS
    China Mobile Service Provider Cuts SMS Service to Alleged Fraudsters
    County Web Sites Exposing Sensitive Data
    UK Information Commissioner Issues Guidelines for Sale of Customer Databases

********** SPONSORED BY THE NATIONAL DOD 8570 TRAINING PROGRAM **********
Low Cost SANS Training For Meeting The New Certification Requirements

To help boost DoD and US government security, SANS is now arranging
on-site training for DoD and other government organizations that need
to prepare large numbers of people for 8570 compliance and don't want
to spend a lot of money for each student. Programs cover training for
any or all of the effective 8570 technical certifications. Minimum 100
students. Email info@sans.org with subject "8570" if you would like to
schedule a session at your facility.

If you don't have 100, but still need 8570 certification, use the same
email to ask for large-group (more than 25) discounts at any scheduled
SANS conference (www.sans.org), or for on-site programs for smaller
groups.

*************************************************************************

TOP OF THE NEWS

 --Congressional Committee Chairman Says He Is Interested in Exploring
    FISMA Revisions
(10 April 2006)
In response to critics of the Federal Information Security Management
Act's (FISMA) effectiveness in helping to secure government IT systems,
US Representative Tom Davis (R-Va.), who also chairs the House
Government Reform Committee and was the author of FISMA, says he is
interested in further discussion of ideas for making the law more
effective. Criticism of FISMA focuses on the law's requirement that
agencies write certification and accreditation reports rather than
actively assess the security of federal IT systems. The law has been
called "a paper drill." In April, the Office of Management and Budget
(OMB) administrator of e-government Karen Evans said that FISMA is
working and that "substantial revision could delay additional progress."
http://govexec.com/story_page.cfm?articleid=33811&printerfriendlyVers=1&
[Editor's Note (Schultz): Honestly, from what I have seen first-hand,
FISMA is more of a paper drill than anything else. It is a game that
government agencies and sites play, something that produces reams of
documentation, but very few genuine changes as far as security programs
go.
(Paller) Many technically savvy government contractors know that the
FISMA and DITSCAP reports they write are not leading to significant
security improvement. They are frustrated and angry that they are not
allowed to use their technical skills to help protect the nation.
Instead they charge the government and the taxpayers $100 per hour to
fill in Microsoft Word templates for 200 page reports that are never
read. We have received requests from the press to talk with contractors
(current or retired) willing to be interviewed about this problem. If
you are a contractor with FISMA or DITSCAP experience, and want to help
make the situation better, call Alan Paller at 301-951-0102 x108.
(Kreitner): It is a rare piece of legislation that doesn't produce some
unintended consequences. Probably every piece of legislation should be
revisited a few years after passage to incorporate learning based on
experience gained during its implementation.]

 --Stolen US Military Computer Hardware Sold at Afghan Bazaar
(10 and 12 April 2006)
According to the Los Angeles Times, computer hardware stolen from a US
base in Bagram, Afghanistan is being sold at a nearby bazaar. US forces
are looking into the reports, which say that among the hardware are
disks that contain data about US soldiers, military defenses and lists
of enemy targets as well as names of corrupt Afghan officials. An
Associated Press report appears to confirm the allegations that
sensitive information is available for purchase. One shopkeeper said
in an interview that he was interested in the value of the hardware, not
the data it holds.
http://www.latimes.com/news/printedition/la-fg-disks10apr10,0,3557737,print.story
http://news.bbc.co.uk/2/hi/south_asia/4905052.stm
[Editor's Note (Grefer): I doubt that said shopkeeper continued to be
solely interested in the value of the hardware once he was made aware
of the value of the data. He probably just did not know what hidden
treasure(s) he held in his hands.]

 --Air Force Base Web Site Contains Sensitive Air Force One Details
(8 April 2006)
Detailed information about Air Force One has been found posted on an
Air Force base web site. The information includes details about the
planes' anti-missile defenses and maps of their interiors. The Secret
Service has not commented. As soon as the Air Force learned of the
error, it removed the information.
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/08/MNGESI5U6C1.DTL&type=printable
[Editor's Note (Northcutt): There are two sides to this story; please
consider: http://www.defensetech.org/archives/002315.html]
[Guest Editor's Note (Schneier): Some blogs criticized the San Francisco
Chronicle for publishing this story because it gives the terrorists more
information. I think they should be criticized for publishing this
because there's no story here.]

*********************** SPONSORED LINKS *********************************
1) Stop spyware!
Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk
exposure.
http://www.sans.org/info.php?id=1104

2) Free SANS Webcast next week - WhatWorks Webcast: WhatWorks in
Vulnerability Management: "Expediting Patching with Nuclear Fuels"
Tuesday, April 18 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1105

3) The SANS@Home program brings the same courses taught at SANS
conferences right to your home. Many new classes are starting this month.
See http://www.sans.org/athome
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Alleged Online Bank Thief Extradited to Spain
(10 and 11 April 2006)
Argentina has extradited alleged cyber criminal Jose Manuel García
Rodríguez to Spain. García Rodríguez, who is known online as Tasmania,
allegedly stole hundreds of thousands of euros from online bank
accounts. If convicted of the charges pending against him, he could face
up to 40 years in prison. García Rodríguez left Spain two years ago and
was located in Argentina last July.
http://www.theregister.co.uk/2006/04/11/argentina_extradites_spanish_hacker/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --Border Security Computer System Failure May Have Been Due to Failure
    to Patch for Zotob in Timely Fashion
(12 April 2006)
According to documents obtained by Wired News, a US Customs and Border
Protection (CBP) computer failure that caused problems at international
airports in the US last August was caused by the decision to delay
deployment of a patch that would have protected the system from the
Zotob worm. The incident was initially publicly attributed to a virus,
then to a routine system failure. However, documents obtained under the
Freedom of Information Act (FOIA) indicate agency computers were
infected with Zotob the same day the border-screening system was down.
The infection of agency computers prompted the application of the patch
on hundreds of workstations at airports, seaports and land border
crossings around the country. The Zotob worm exploits a vulnerability
in the Windows plug-and-play feature; Microsoft released a patch
for the flaw on August 9, 2005. According to the documents, the
workstations were not updated immediately because of concern that the
patch might not be compatible with their configurations.
http://www.wired.com/news/technology/1,70642-0.html
[Editor's Note (Ranum): Why on earth would a critical production system
be on a shared network such that it'd be exposed to worms, viruses, etc?
Production systems do not need to be patched; they should be isolated
so that they can be left in an operational configuration.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --University Researchers Prove DoS Attacks Against RFID Tags are Possible
(11 and 13 April 2006)
Academic researchers at Edith Cowan University in Western Australia have
demonstrated that radio frequency identification (RFID) tags can be
disrupted by inundating them with an overload of data. The researchers
say that even the more sophisticated, next-generation RFID tags are
vulnerable to this denial-of-service scenario. "The Australian
researchers saturated the frequency range used by the tags, which
prevented them from talking to the readers." The attacks were conducted
at a range of one meter.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39263221-39020375t-10000025c
http://www.computerworld.com/printthis/2006/0,4814,110424,00.html
[Editor Comment (Northcutt): Here is a bit more data:
http://scissec.scis.ecu.edu.au/wordpress/?p=39 I would tend to agree
that if you place a transmitter a meter away from an RFID device and its
reader, and then spray RF across the frequencies the devices use, you
can make a mess of the system. However, that really isn't news,
though it is a great reminder to keep physical security in mind when you
design RFID systems. The more important question is what the true risk
is, and how you apply the attack. Is it possible to do a hardware hack
on a Uniden cordless phone to turn it into a raging RFID DDoS device?
Now that would be news!]

 --Microsoft's April Security Bulletins
(12 April 2006)
On April 11, Microsoft released five patches for flaws in Windows and
Internet Explorer (IE). MS06-013 addresses a number of flaws in IE,
including the createTextRange() flaw that has already been exploited by
attackers. The problem raised enough concern that several third-party
patches for the flaw were developed in the days before Microsoft
addressed it. Microsoft also released fixes for two additional
critical flaws. One lies in the way Windows Explorer handles Component
Object Model (COM) objects; the other is in an ActiveX control named
RDS.Dataspace.
http://www.techworld.com/security/news/index.cfm?NewsID=5776
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Security Breach at NJ Medical and Dental School
(9 April 2006)
A computer security breach at the University of Medicine and Dentistry
of New Jersey exposed sensitive data belonging to nearly 2,000 students
and alumni. The breach was detected on February 24, though it is
unclear when it actually took place. University officials kept quiet
about the breach during an investigation. Students have been sent
letters informing them of the breach and warning that they could be
victims of identity fraud.
http://wcbstv.com/topstories/local_story_099123340.html

MISCELLANEOUS
 --China Mobile Service Provider Cuts SMS Service to Alleged Fraudsters
(12 April 2006)
China Mobile, one of the country's largest mobile service providers, has
cancelled SMS service to 19,000 subscribers who allegedly used the text
messaging service to send messages intended to defraud the recipients.
The company's manager for customer service says the company cancels the
SMS function once it receives seven or more complaints about a particular
number. China Mobile also monitors its contracted Internet service
providers (ISPs) and "terminates the cooperation" if it receives more
than fifty complaints about a single ISP.
http://www.australianit.news.com.au/articles/0,7204,18792340%5E15322%5E%5Enbv%5E,00.html

 --County Web Sites Exposing Sensitive Data
(12 April 2006)
Counties around the US have been posting documents that contain
sensitive personal data that could be used to commit identity fraud.
The data, including Social Security numbers, driver's license numbers
and bank account information, are included in public land records and
other documents. The documents are posted on the Internet but not
redacted for privacy. Most counties will honor citizens' requests to
have their personal information removed.
http://www.computerworld.com/printthis/2006/0,4814,110453,00.html
[Editor's Note (Kreitner): I find the recent press accounts on this
subject troubling. Government personnel are putting forth lame
arguments like: the law doesn't require them to redact sensitive
personal information from the publicly posted documents, and
hackers aren't likely to spend the time required to extract the
information for illicit use. I hear a lot about smaller government--how
about responsible government, common sense government, or trustworthy
government? In this electronic age, unnecessarily exposing any
citizen's personal information to misuse by anyone or any entity, public
or private, is unacceptable--period.]

 --UK Information Commissioner Issues Guidelines for Sale of Customer Databases
(10 and 12 April 2006)
The UK Information Commissioner's office has released guidelines
regarding the sale of customer databases following a business's closure.
According to the guidelines, the data can be used only in the manner
indicated when the information was initially collected; if it is to be
used for other purposes, the new owners must obtain express consent from
those whose information is in the database. The guidelines also address
the length of time the data may be kept.
http://management.silicon.com/government/0,39024677,39158046,00.htm
http://www.theregister.co.uk/2006/04/10/ico_database_guidelines/print.html
http://www.ico.gov.uk/cms/DocumentUploads/Buying_and_selling_databases.pdf
[Editor's Note (Shpantzer): When the dot com era ended, most of the
defunct companies had nothing of value left except expensive office
furniture and customer databases. It would have been nice to have had
those databases tagged with specific privacy policies that endured
beyond the sale of the databases to new parties.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEQBFu+LUG5KFpTkYRAqHOAJwMV/FQqfwDMLj8yPnnfQaHmM5VygCcD5lr
3tIeK1/VWIelHIJZ+vqb+SQ=
=s/75
-----END PGP SIGNATURE-----