SANS NewsBites Vol. 9 Num. 8

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jan 26 2007 - 14:14:10 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The third and fourth stories under "Top of the News" offer more proof
that laptop losses and theft are not "harmless," and that any US
Congressional efforts to undermine strict state disclosure laws should
be considered anti-consumer and anti-voter at best, and criminal at
worst.

And the Laptop Encryption Summit (that was sold out last fall in DC)
will be run again in San Jose April 23-25. Users share the lessons
learned in enterprise deployment of encryption. This one will be sold
out, too, and the web site isn't up yet. If you want to be notified when
the registration web site goes live, email info@sans.org with subject
"Encryption Summit"
                                 Alan

*************************************************************************
SANS NewsBites January 26, 2007 Vol. 9, Num. 8
*************************************************************************
TOP OF THE NEWS
  Former Michigan County Treasurer Allegedly Embezzled State Funds to Pay
     Nigerian 419 Scammers
  Class Action Suit Filed Against Chicago Board of Elections for Data
     Exposure
  Data Stolen from TJX Has Been Used to Commit Fraud
  Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
     MySpace Sues Spammer
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Norwegian Government Sets Timetable for Apple Compliance with DRM
       Modifications
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Cisco Issues Three Patches for IOS Software Flaws
    Apple Fixes QuickTime Flaw
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Laptops Have Data Encryption Technology
    Stolen Concentra Tapes Also Affect Nationwide Health Ins. Customers
    Exploit Packs and Hacking Software
  STATISTICS, STUDIES & SURVEYS
    Half of Finance Managers Put Unsolicited USB Drive in Computers
  MISCELLANEOUS
    Anti-Theft Software Tracks Thief, Leads to Drug Bust

*********************** Sponsored By Imperva Inc. ***********************
Download Free Database Vulnerability Scanner - Are your databases secure?
Know for sure. Use Scuba by Imperva for a deep dive into MS-SQL, Oracle,
DB2, and Sybase databases. Find flaws that hinder data security and
compliance. It's free, easy, safe, and outputs technical and
management-friendly reports. Free download
http://www.sans.org/info/3141.

Visit Imperva at RSA - Booth # 2632.
*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security
training courses at SANS 2007 (San Diego, March 29 - April 4) are
starting to fill up. If you want a place, register early. You'll also
save hundreds of dollars if you do it in the next few weeks.
Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
*************************************************************************

TOP OF THE NEWS
 --Former Michigan County Treasurer Allegedly Embezzled State Funds to
    Pay Nigerian 419 Scammers
(25, 24 & 17 January 2007)
Former Alcona County (Michigan) Treasurer Thomas Katona has been
arraigned on nine felony counts of embezzlement and one felony count of
forgery for allegedly embezzling state funds to the tune of US $1.2
million; some of the money was allegedly sent to 419 fraudsters in
Nigeria. Authorities became aware of the situation when a local bank
alerted them to unauthorized wire transfers Katona had directed. Bank
officials had cautioned Katona on several occasions that he was falling
for a scam, but he ignored their warnings. Katona also allegedly lost
more than US $72,000 of his own money in the scam.
http://www.theregister.co.uk/2007/01/25/treasurer_accused/print.html
http://www.informationweek.com/showArticle.jhtml;jsessionid=UKVFNGXFCRYXIQSNDLPCKH0CJUNN2JVN?articleID=197000242
http://www.michigan.gov/ag/0,1607,7-164-34739_34811-160250--,00.html
[Editor's Note (Schultz): It is hard to understand how someone who
ostensibly is an otherwise intelligent, responsible person could
allegedly have fallen for such a scam in such a big way. This shows that
despite the fact that 419 scams have lost much of their lustre, they
nevertheless still pose a high level of risk.
(Liston): The common misconception is that 419 scams (and their ilk) are
aimed at unintelligent victims. Mr. Katona, no doubt, saw the prospect
of the 419 "windfall" as a way to cover up his alleged embezzlement, and
let greed and desperation overwhelm common sense. Remember: scams are
aimed at other human weaknesses -- not "stupidity."
(Grefer): FTC and State Department web sites provide additional guidance at:
http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm
http://www.state.gov/www/regions/africa/naffpub.pdf
(Shpantzer): These scams are profitable
http://www.theregister.co.uk/2007/01/02/money_launderer_caught/ and have
resulted in domestic violence
http://www.theregister.co.uk/2006/07/20/419_shooting/ and
kidnappings/ransom/killings of those who travel to Nigeria to close
'deals' with the scammers.]

 --Class Action Suit Filed Against Chicago Board of Elections for Data Exposure
(23 January 2007)
A class-action lawsuit has been filed against the Chicago Board of
Elections for sending out more than 100 CDs with sensitive, personally
identifiable voter information to city aldermen and ward committeemen.
"The suit ... alleges the board violated the Illinois Personal
Information Protection Act" and seeks unspecified compensation for all
Chicago voters whose Social Security numbers (SSNs) were compromised.
Other data on the CDs include dates of birth, addresses and phone
numbers. The board is making efforts to get the disks back, but a board
spokesperson maintains there have been no reports of associated identity
fraud since the disks were sent out more than three years ago. The board
is required by law to notify voters about the incident, but it plans to
make the notification through advertising rather than by contacting each
voter individually. The Personal Information Protection Act allows for
this sort of notification; see Section 10 (c).
http://www.suntimes.com/news/politics/224519,CST-NWS-data23.article
Text of Illinois Personal Information Protection Act:
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036&print=true
[Editor's Note (Liston): It is interesting to see the government's
response to its own error and contrast that with what we can only
assume would've been the reaction if this had been a private firm's
mistake.
(Shpantzer): This mirrors this week's leak investigation of the entire
Israeli population data being given to the political parties in Israel,
per Israeli law, facilitating democracy and election fairness. Where
else is this happening, and what's being done about this unintended
consequence?]

 --Data Stolen from TJX Has Been Used to Commit Fraud
(25 & 24 January 2007)
The Massachusetts Bankers Association says customer data stolen in the
TJX computer intrusion have been used in fraudulent activity. Close to
60 banks in Massachusetts have been contacted by credit and debit card
companies regarding fraudulent activity on compromised debit and credit
cards. Banks in other states, including Vermont, Wisconsin and New
Mexico have reported issuing new cards. Canadian cardholders have been
hit by fraud as well.
http://www.forbes.com/feeds/ap/2007/01/24/ap3359602.html
http://www.forbes.com/feeds/ap/2007/01/24/ap3357843.html
http://www.freenewmexican.com/news/55831.html
http://www.theglobeandmail.com/servlet/story/LAC.20070125.WINNERS25/TPStory/National
http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20070124/APC03/701240643/1888/APCbusiness

 --Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
(22 January 2007)
A laptop computer stolen from a Xerox human resources manager's car in
August 2006 holds information belonging to an unknown number of Xerox
employees; nearly 300 employees received letters notifying them of the
theft four months after the fact. Some of the employees had experienced
credit problems in the interim; for instance, one individual said
several cell phone accounts were opened in his name in the fall of 2006.
A spokesperson defended the company's decision to delay notification,
saying they wanted to determine whether any personal information was on
the computer.
http://www.kgw.com/news-local/stories/kgw_012207_news_xerox_theft.cde8339.html

************************** Sponsored Links: ***************************

1) Don't miss SANS Ask the Expert Webcast: Malware Analysis Shortcuts
on Thursday, February 01 at 1:00 PM EST (1800 UTC/GMT)
Sign up now! http://www.sans.org/info/3146

2) "Where is your privacy data and IP going? Find out! Download your
free Info-Protection kit!" link to:
http://www.sans.org/info/3151

3) Log Management and Security Event Management in Rhythm. One easy to
use, enterprise-class solution.
http://www.sans.org/info/3156
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --MySpace Sues Spammer
(23 & 22 January 2007)
MySpace has filed a lawsuit against Scott Richter for allegedly
accessing MySpace user accounts and using them to send spam. Richter and
his associates obtained the account information either by phishing or
by purchasing a list of accounts from phishers. The lawsuit seeks an
injunction that would prohibit Richter and his associates from accessing
MySpace as well as damages and "repayment of all profits gained as a
result of the activity." Spam charges are not new to Richter. In
August 2005 he agreed to pay Microsoft US $7 million to settle a spam
lawsuit. Richter also settled a similar lawsuit brought by then-NY
State Attorney General Eliot Spitzer.
http://edition.cnn.com/2007/TECH/internet/01/23/myspace.spam.ap/
http://www.theregister.co.uk/2007/01/22/myspace_sues_spammer/print.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Norwegian Government Sets Timetable for Apple Compliance with DRM Modifications
(24 January 2007)
To clarify a point in a story from Tuesday's NewsBites: Norway's
government ombudsman says Apple has until March 1, 2007 to say whether
or not it will modify its DRM policy to allow interoperability between
iTunes and digital media players other than the iPod. The current
arrangement violates Norwegian law. The company then has until October
1, 2007 to say exactly how it plans to implement those changes. Apple
could face legal action from the Norwegian government if it does not
take appropriate action.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009049&source=rss_topic17
http://www.theregister.co.uk/2007/01/24/apple_drm_illegal_in_norway/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Cisco Issues Three Patches for IOS Software Flaws
(25 & 24 January 2007)
Cisco has released a trio of fixes for security flaws in its
Internetwork Operating System (IOS) software. One of the flaws could
allow attackers to create denial-of-service (DoS) conditions; the other
two could allow DoS conditions as well as the execution of arbitrary
code. There is some concern that the vulnerabilities will be exploited
before Internet service providers have applied the patches. Workarounds
are available.
http://news.bbc.co.uk/2/hi/technology/6297865.stm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009060&source=rss_topic17
http://www.theregister.co.uk/2007/01/25/cisco_ios_bug_fix/
http://www.us-cert.gov/cas/techalerts/TA07-024A.html
[Editor's Note (Liston): These are very serious issues, and every Cisco
shop I know of is treating them that way. Unfortunately, Cisco's
workarounds aren't very practical in many instances, so these patches
will need to be fast-tracked into production.]

 --Apple Fixes QuickTime Flaw
(24 January 2007)
Apple has released fixes for a buffer overflow flaw in its QuickTime
media playback software. The flaw affects Windows and Mac OS X. "The
QuickTime flaw involves an error in processing malformed Real Time
Streaming Protocol (RTSP) URLs" and could be exploited to execute
arbitrary code. Exploit code for the flaw is available.
http://www.theregister.co.uk/2007/01/24/apple_patches_quicktime_bug/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008923&source=rss_topic17
http://www.forbes.com/feeds/ap/2007/01/24/ap3359602.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61984239-39000005c
http://docs.info.apple.com/article.html?artnum=304989

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Laptops Have Data Encryption Technology
(24 January 2007)
Thieves stole 18 laptop computers from an Orlando, Fla. law firm earlier
this week. The firm, Foley & Lardner LLP, says "the computers
automatically encrypt data and render information on them unusable to
others."
http://www.orlandosentinel.com/news/local/orange/orl-mcfbriefs24_507jan24,0,6292858.story?coll=orl-news-headlines-orange
[Editor's Note (Pescatore): Laptop thefts aren't going away, but by this
time in 2008 this type of item (laptop stolen, but the data was
protected) shouldn't even be newsworthy. Of course, the big question is
"Was the data on the laptop backed up??" Laptop theft, or loss of/damage
to encryption keys can still lead to a "Denial of Data" attack.
(Multiple): This law firm should be commended for having data encryption
on laptops, but its handling of physical security appears to leave a lot
to be desired.]

 --Stolen Concentra Tapes Also Affect Nationwide Health Ins. Customers
(24 January 2007)
Backup tapes stolen from a lockbox at a Concentra Preferred Systems
office in Weymouth, Mass. hold sensitive, personally identifiable
information of more than 28,000 Nationwide Health Plan customers. The
data include names, Social Security Numbers (SSNs) and health
information. The breach affects only Nationwide Health Plan customers,
mostly from central Ohio; car, life and homeowners policyholders were
not affected. The theft occurred on October 26, 2006; Nationwide was
apprised of the situation two weeks later. Nationwide notified
customers by mail last week, although Concentra's web site had a notice
about the theft on December 1. A Nationwide spokesperson said the delay
between their learning of the breach and their notification of customers
was to allow the company to determine the nature of the data stolen and
whether it was exploitable by identity thieves and fraudsters. The
stolen tapes also hold data belonging to about 130,000 Aetna and 42,000
Group Health Insurance customers; those customers were notified in
mid-December. Concentra is a subcontractor providing auditing services
to Nationwide.
http://www.columbusdispatch.com/business/business.php?story=241942
[Editor's Note (Honan): From the article: "Nationwide was among the first
insurance companies to offer identity theft insurance, rolling out the
product in 2005 after one of the company directors had his identity
stolen." Oh, the irony of it all.]

 --Exploit Packs and Hacking Software
(23 & 24 January 2007)
More than 70 percent of web-based attacks in December 2006 can be traced
to just one "multi-exploit hack pack." The kit comprises as many as a
dozen exploits, some of which have their origins in proof-of-concept
code released by a researcher during July's "Month of Browser Bugs." In
a separate story, a Russian crime group is reportedly selling bank
account hacking software in South Africa.
http://www.informationweek.com/story/showArticle.jhtml?articleID=196902970
http://www.thestar.co.za/index.php?fArticleId=3642294
[Editor's Note (Ranum): Yet we continue to hear people spout the
ideology that these "security researchers" are offering the community a
valuable service and that disclosing bugs is to everyone's benefit. How
much longer can people continue to ignore the obvious?]

STATISTICS, STUDIES & SURVEYS
 --Half of Finance Managers Put Unsolicited USB Drive in Computers
(25 January 2007)
As a research project, a consulting firm sent USB sticks to finance
directors at 500 firms in the UK. The memory devices purported to be
invitations to "the Party of a Lifetime" with an anonymous sender but
were actually part of an experiment. Nearly half of the finance
directors inserted the stick into company computers. Media companies
fared the worst in the experiment, with 65 percent putting the memory
stick into computers. At technology, retail and transportation
companies, the figure was between 38 and 39 percent. The devices could
be used to plant malware on computer systems.
http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick
[Editor's Note (Liston): While this test seems somewhat contrived, you
really can't argue with the results. Human curiosity is an incredibly
strong motivator that will, more often than not, overwhelm common sense.
If you found a USB key lying in the parking lot outside your workplace,
what would YOU do? What would the majority of your co-workers do?
(Schultz): The results of this research study further underscore the
great need to reach management in security training and awareness
efforts, something that is much too often completely overlooked.
(Honan): This story illustrates how depending on your perimeter defences
alone is no longer sufficient. Comprehensive security awareness
programmes coupled with technical controls such as locked down desktops
and USB port management are needed in the battle against increasingly
sophisticated attackers. Using resources such as those
provided by the Center for Internet Security,
http://www.cisecurity.org/, will help. For example, a simple registry
entry on Windows machines will disable autoplay from any disk type,
regardless of application:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.]
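A worked version of that registry setting, added here as an example (it is not code from the newsletter, CIS or Microsoft): it decodes the NoDriveTypeAutoRun bitmask (one bit per Windows drive type; 0xFF disables AutoRun for every type), emits a .reg file for rollout with regedit /s, and can write the value directly on a Windows host. The drive-type-to-bit mapping is the documented layout of this value; the ALLOW_CDROM_ONLY mask (0xDF) is my own illustration of a partial policy, not a recommended default.

```python
"""NoDriveTypeAutoRun helper: decode the bitmask, emit a .reg file, apply it.

Added example; not code from the newsletter, CIS or Microsoft. Bit meanings
are the documented ones for this value (one bit per Windows drive type);
ALLOW_CDROM_ONLY is an illustration of a partial policy, not a default.
"""
import sys

REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# A set bit suppresses AutoRun/AutoPlay for that drive type.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN (type cannot be determined)",
    0x02: "DRIVE_NO_ROOT_DIR (invalid root path)",
    0x04: "DRIVE_REMOVABLE (USB sticks, floppies)",
    0x08: "DRIVE_FIXED (internal hard disks)",
    0x10: "DRIVE_REMOTE (network shares)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved/unknown drive types",
}
DISABLE_ALL = 0xFF                       # every bit set: no AutoRun anywhere
ALLOW_CDROM_ONLY = DISABLE_ALL & ~0x20   # 0xDF: example partial policy


def _check(mask: int) -> int:
    """The value is a one-byte bitmask; reject anything else early."""
    if not 0 <= mask <= 0xFF:
        raise ValueError(f"mask must fit in one byte, got {mask:#x}")
    return mask


def describe_mask(mask: int) -> list:
    """Names of the drive types whose AutoRun `mask` disables."""
    _check(mask)
    return [name for bit, name in DRIVE_BITS.items() if mask & bit]


def autorun_allowed(mask: int, drive_bit: int) -> bool:
    """True if a drive of the given type would still AutoRun under `mask`."""
    if drive_bit not in DRIVE_BITS:
        raise ValueError(f"unknown drive-type bit {drive_bit:#x}")
    return not (_check(mask) & drive_bit)


def reg_file(mask: int = DISABLE_ALL) -> str:
    """Contents of a .reg file setting the policy (import with: regedit /s file.reg)."""
    _check(mask)
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[HKEY_LOCAL_MACHINE\\{REG_PATH}]\r\n"
        f'"{VALUE_NAME}"=dword:{mask:08x}\r\n'
    )


def apply_policy(mask: int = DISABLE_ALL) -> int:
    """Write the value under HKLM (Windows only, elevated shell) and read it back."""
    _check(mask)
    if sys.platform != "win32":
        raise RuntimeError("registry writes are only meaningful on Windows")
    import winreg  # standard library, Windows only
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, REG_PATH, 0, access) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
        value, _ = winreg.QueryValueEx(key, VALUE_NAME)
    return value


if __name__ == "__main__":
    print(reg_file(DISABLE_ALL))
    for m in (DISABLE_ALL, ALLOW_CDROM_ONLY):
        print(f"{m:#04x} disables: {', '.join(describe_mask(m))}")
        print(f"  would a USB stick still AutoRun? {autorun_allowed(m, 0x04)}")
```

Import the generated file with regedit /s, or call apply_policy() from an elevated prompt; Explorer reads the policy at the next logon. Two caveats a practitioner should keep in mind: this only suppresses the automatic launch on insertion, so a user who opens the drive and double-clicks a file still runs it (which is why the awareness programme and port management Honan mentions are still needed), and the same value can also exist under HKEY_CURRENT_USER at the same path, so check both hives when auditing a machine.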

MISCELLANEOUS
 --Anti-Theft Software Tracks Thief, Leads to Drug Bust
(23 January 2007)
A laptop computer taken along with other items in a Des Moines,
Iowa-area burglary was equipped with software that calls home when the
computer is next plugged in. "Police used Internet access records from
a separate company" that led them to a home where they not only
apprehended a man suspected in the theft, but also discovered a drug
operation.
http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20070123/NEWS01/701230411/-1/BUSINESS04
[Editor's Note (Ullrich): Some universities had great luck tracking down
stolen laptops on campus by watching for the laptop's MAC address to show
up on campus networks. In some cases, raids on dorm rooms triggered by
these finds revealed larger crime operations involving more stolen
items, drugs and weapons. See for example:
http://www.umass.edu/chronicle/archives/02/11-15/arrest12.htm]
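The MAC-watching approach Ullrich describes, as an added example (not code from any university or from the newsletter): a watchlist of stolen-laptop MAC addresses is matched against the campus DHCP server's syslog, so every lease handed to a listed address becomes a sighting with a time, IP and network segment. The log lines, hostnames, case labels and MAC addresses are constructed for the example; the line format follows ISC dhcpd's syslog output ("DHCPACK on <ip> to <mac> (<hostname>) via <interface>"), and the dash-separated MAC on one line is there only to show the normalisation step.

```python
"""Match stolen-laptop MAC addresses against DHCP server syslog lines.

Added example, not tooling from the newsletter or any university. LOG_LINES
and WATCHLIST are constructed; the line format follows ISC dhcpd's syslog
output for acknowledged leases.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Only DHCPACK lines matter: that is the moment a lease is actually handed out.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<server>\S+) "
    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed sample log; the ThinkPad's MAC appears twice, once dash-separated.
LOG_LINES = [
    "Jan 22 08:14:03 dhcp1 dhcpd: DHCPDISCOVER from 00:1b:63:aa:bb:cc via eth1",
    "Jan 22 08:14:04 dhcp1 dhcpd: DHCPACK on 10.20.33.7 to 00:1b:63:aa:bb:cc (thinkpad-t43) via eth1",
    "Jan 22 08:15:10 dhcp1 dhcpd: DHCPACK on 10.20.33.8 to 00:0c:29:12:34:56 (lib-kiosk-3) via eth1",
    "Jan 23 19:02:51 dhcp2 dhcpd[2231]: DHCPACK on 10.20.40.21 to 00-1B-63-AA-BB-CC via eth0",
    "Jan 23 19:03:00 dhcp2 dhcpd[2231]: DHCPACK on 10.20.40.22 to 00:17:f2:de:ad:01 (macbook) via eth0",
]

# Constructed watchlist: MAC -> case label from the theft report.
WATCHLIST = {
    "00:1B:63:AA:BB:CC": "Lost Property 2007-0123 (ThinkPad T43)",
    "00:16:cb:00:11:22": "Lost Property 2007-0098 (PowerBook G4)",
}


@dataclass(frozen=True)
class Sighting:
    timestamp: str
    mac: str
    ip: str
    hostname: str
    interface: str


def normalize_mac(mac: str) -> str:
    """Canonical form (lower-case, colon-separated) so 00-1B-63-AA-BB-CC matches 00:1b:63:aa:bb:cc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcpack(line: str) -> Optional[Sighting]:
    """Return a Sighting for a DHCPACK line, None for anything else."""
    m = DHCPACK_RE.match(line)
    if not m:
        return None  # DISCOVER/OFFER/REQUEST and unrelated syslog are ignored
    return Sighting(m["ts"], normalize_mac(m["mac"]), m["ip"], m["name"] or "", m["iface"])


def find_sightings(lines: Iterable[str], watchlist: Dict[str, str]) -> Dict[str, List[Sighting]]:
    """Map each watchlisted MAC that received a lease to its sightings, in log order."""
    wanted = {normalize_mac(mac) for mac in watchlist}
    hits: Dict[str, List[Sighting]] = defaultdict(list)
    for line in lines:
        s = parse_dhcpack(line)
        if s is not None and s.mac in wanted:
            hits[s.mac].append(s)
    return dict(hits)


def report(lines: Iterable[str], watchlist: Dict[str, str]) -> List[str]:
    """One human-readable line per sighting, carrying the case label from the watchlist."""
    labels = {normalize_mac(mac): label for mac, label in watchlist.items()}
    out = []
    for mac, sightings in find_sightings(lines, watchlist).items():
        for s in sightings:
            host = s.hostname or "-"
            out.append(f"{s.timestamp} {mac} [{labels[mac]}] leased {s.ip} ({host}) via {s.interface}")
    return out


if __name__ == "__main__":
    for line in report(LOG_LINES, WATCHLIST):
        print(line)
```

Run it over a copy of the DHCP server's syslog (or feed it the live stream) and hand each hit, with the time and segment, to whoever correlates it with switch-port or wireless-AP records before anyone knocks on a door. Two caveats: a MAC address is trivially changed or spoofed, so no hit is not an alibi and a hit on its own is not proof; and a lease only places the machine on a segment at one moment, so the physical location still has to come from the switch or AP side.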

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFFulIs+LUG5KFpTkYRAm5TAJ9n/8YLEMICeLoVq0XdlTrOXpixlACgl/Bj
n6C1T+vqvNZsrNrUCzIYb2k=
=BByY
-----END PGP SIGNATURE-----