SANS NewsBites Vol. 9 Num. 9

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jan 30 2007 - 14:19:47 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As you are probably already sensing, the security field is entering one
of its rapid change periods where previous winners are pushed aside and
new leaders arise. The cause this time is something most security
people have long thought they wanted. Senior management - from bank CEOs
to Congressional Committee chairs - has finally awakened to the threat.
Sadly, what awakened them is hard evidence of massive failures of some
government and commercial security programs.

We'll have management briefings in San Diego covering the most important
changes that are taking place, for the people who attend SANS 2007 in
late March. This will be a big year for security. SANS 2007 offers 56
courses and a huge expo. It makes sense to be sure all your people have
their skills absolutely up to date.
http://www.sans.org/sans2007/event.php

                                  Alan

*************************************************************************
SANS NewsBites January 30, 2007 Vol. 9, Num. 9
*************************************************************************
TOP OF THE NEWS
  TJX Hit with Class Action Lawsuit
  Zero-Day Microsoft Word Flaw
  Common Access Cards Improve DOD Network Security
  Americans Relatively Unconcerned About Movie Piracy
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Man Gets Home Detention, Probation for Damaging Car Dealership Site
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    PGP Desktop Vulnerability
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Laptop Holds Kansas Hospital Patient Data
    Stolen Laptop Holds Eastern Illinois Univ. Student Information
    Stolen Computers Hold Vanguard Univ. Financial Aid Applicant Info.
    Stolen Boeing Laptop Recovered
    Prudential, Amex and Random House Employees Learn Their Data Are in
       Stolen Towers Perrin Computers
  STANDARDS & BEST PRACTICES
    Anti Spyware Coalition Publishes Best Practices Document for Anti
       Spyware Makers
  MISCELLANEOUS
    UK Police Struggle to Combat e-Crime

********************** Sponsored By ArcSight, Inc. *********************

Free Whitepaper: Security Controls Oversight for Compliance
Auditing security operations to comply with Sarbanes-Oxley means you
need both a real-time and an historical perspective. Learn how to turn
floods of data into accurate, auditable information without adding
staff with this free whitepaper. Brought to you by ArcSight, the ESM
leader that turns security data into action.
http://www.sans.org/info/3211
*************************************************************************

TOP OF THE NEWS
 --TJX Hit with Class Action Lawsuit
(29 January 2007)
A class action lawsuit, filed in US District Court in Boston, alleges
TJX was negligent in maintaining computer security resulting in the
misuse of customer information. The lawsuit also claims that TJX failed
to disclose the intrusion in a timely manner. TJX runs 2,500 TJ Maxx
and Marshall's stores. Credit card and driver's license data were stolen
and the company did not disclose the loss for a month. The suit seeks
credit monitoring services for those whose information was exposed as
well as damages incurred as a result of the breach. TJX chairman Ben
Cammarata said the company would not provide credit monitoring because
it would not "be meaningful to customers" and that the delay in
notification about the breach allowed the company "to contain the
problem and further strengthen [its] computer network to prevent further
intrusions."
http://www.boston.com/business/ticker/2007/01/class_action_su_1.html
http://www.securityfocus.com/news/11438
[Editor's Note (Schultz): Mr. Cammarata's statements and the long delay
in notifying customers show a blatant disregard for customers. Perhaps
the lawsuit filed against his company will help in changing this
attitude.
(Honan): A more direct message to TJX would be for customers to not
provide credit card details to TJX because, to paraphrase Mr. Cammarata,
it would not "be meaningful to the company."]

 --Zero-Day Microsoft Word Flaw
(29, 26 & 25 January 2007)
Microsoft is investigating reports of a zero-day attack against a flaw
in Microsoft Word. The code execution vulnerability affects multiple
versions of Microsoft Word running on various versions of the Windows
operating system. The flaw is exploited by tricking users into opening
maliciously crafted Word documents; when a document is opened, it places
back door Trojans on the user's computer. This is the fourth zero-day
vulnerability reported in Microsoft Word within the last two months.
http://www.computing.co.uk/vnunet/news/2173724/attackers-prey-office-2000-flaw
http://www.eweek.com/print_article2/0,1217,a=199588,00.asp
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61984836-39000005c
[Editor's Note (Skoudis): I think all of Microsoft Office needs a
massive security overhaul, kind of like what happened with Windows in
the transition to XP SP 2.]

 --Common Access Cards Improve DOD Network Security
(25 January 2007)
The number of successful computer intrusions into US Department of
Defense (DOD) computer networks has declined 46 percent in the last
year; Air Force Lt. Gen. Charles Croom attributed the decline to the
mandatory use of Common Access Cards (CAC) for DOD network users. DOD
networks are probed an estimated six million times a day. Croom is the
director of the Defense Information Systems Agency and commander of the
Joint Task Force for Global Network Operations. Croom also noted that
the number of successful spear phishing attacks against DOD users fell
30 percent in the last year.
http://www.fcw.com/article97480-01-25-07-Web&printLayout
[Editor's Note (Pescatore): Moving away from reusable passwords will
definitely thwart attacks like phishing that are aimed at capturing
passwords, which is a very good thing. Of course, we've already seen
attacks evolve to trick the user into downloading targeted malware - the
attacker doesn't need to capture the password. That does *not* negate
the gain of moving away from reusable passwords but it does mean that
for those with limited budgets, consuming too much of the budget on a
type of authentication may starve other areas that may actually be more
critical. For example, if your real problem is vulnerable applications,
spending $100 per user on smart cards and card readers may not come
close to a much smaller investment in making sure applications have been
tested for vulnerabilities before being installed on production systems.
(Schultz): These results should be no surprise for information security
professionals. Strong authentication is one of the single most effective
security measures.
(Skoudis): The progress here is certainly laudable, and I strongly
support the CAC authentication deployment, as well as the stance against
OWA. However, whenever I read an article or announcement saying,
"successful intrusions have declined 46 percent in the past year," I
always think, "successful intrusions... that you were able to detect."
We measure what is measurable, and should rightfully be pleased that the
trends are going in the right direction. But, don't forget the need to
strive to improve our detection capabilities to get a better feel for
the size of the iceberg under the water.]

 --Americans Relatively Unconcerned About Movie Piracy
(26 January 2007)
A survey of approximately 2,600 Americans found that 59 percent believe
parking in a fire lane is a more serious offense than downloading
copyrighted movies from the Internet without permission. Just 40
percent of those surveyed said downloading movies was a serious offense,
although 78 percent said shoplifting a DVD was a serious offense.
http://www.australianit.news.com.au/articles/0,7204,21121390%5E15306%5E%5Enbv%5E,00.html
[Editor's Note (Schultz): These are very revealing findings, ones that
the Motion Picture Association of America should take to heart, because
they show a dire need for an awareness campaign designed to change the
public's views about obtaining unauthorized copies of movies.
(Pescatore): Well, blocking a fire lane actually *is* more serious an
offense than stealing a movie, digital or otherwise. But this does point
out how tightly the idea of "property" is tied to atoms, not bits, in
so many cultures and laws.]

************************** Sponsored Links: ***************************
1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered
security solution.
http://www.sans.org/info/3216

2) Control the Security of All Things Mobile: Detect, Encrypt, Audit,
Report, Manage from a Single Console
http://www.sans.org/info/3221

3) Download Free Database Vulnerability Scanner Scuba by Imperva.
MS-SQL, Oracle, DB2, Sybase
http://www.sans.org/info/3226 Visit Imperva at RSA - Booth # 2632.

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --Man Gets Home Detention, Probation for Damaging Car Dealership Site
(29 January 2007)
A Florida man has been sentenced to three months of home detention,
three years of probation and 300 hours of community service for "a
felony violation of intentionally damaging a computer used in interstate
commerce." Matthew Tatem was also ordered to pay US $5,000 in
restitution. Tatem broke into and damaged the web site of a car
dealership where he had experienced difficulty obtaining financing for
a new car. The site was restored within three hours.
http://www.technologynewsdaily.com/node/5836

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --PGP Desktop Vulnerability
(29 & 26 January 2007)
A remote code execution flaw has been detected in the PGP Desktop
encryption tool. Users are encouraged to upgrade to version 9.5.2.
The flaw affects versions prior to 9.5.1, but version 9.5.2 incorporates
an additional fix.
http://www.vnunet.com/vnunet/news/2173564/flaw-found-pgp-encryption
http://www.itnews.com.au/newsstory.aspx?CIaNID=44982&src=site-marq

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Laptop Holds Kansas Hospital Patient Data
(28 January 2007)
Among the items taken in a burglary at Salina (Kansas) Regional Health
Center is a laptop computer that contains personally identifiable
information of as many as 1,100 patients. The data include Social
Security numbers (SSNs) and medical histories. The hospital has
notified the affected patients by mail. The data were stored on the
computer because its authorized user travels to different offices in the
course of this person's work.
http://www.saljournal.com/?module=displaystory&story_id=9386&format=print

 --Stolen Laptop Holds Eastern Illinois Univ. Student Information
(26 January 2007)
A desktop computer stolen from the Student Life office of Eastern
Illinois University (EIU) holds personally identifiable information,
including SSNs, of about 1,400 students. The database on the computer
holds fraternity and sorority membership rosters. The university has
sent letters to the affected students. EIU police are investigating the
theft. The Greek Life secretary was credited with the fact that the
breach affected such a limited number of people; she apparently makes
concerted efforts to remove outdated information each semester. EIU is
in the process of eliminating the use of SSNs as unique identifiers;
that plan is expected to be complete in one year. EIU is in Charleston,
Illinois.
http://www.jg-tc.com/articles/2007/01/28/news/news001.prt

 --Stolen Computers Hold Vanguard Univ. Financial Aid Applicant Info.
(26 January 2007)
Two computers stolen from Vanguard University's financial aid office
contain personally identifiable information of more than 5,000 financial
aid applicants. The computers were stolen in mid-January, but officials
did not know until Friday, January 26 that they contained sensitive
data, including SSNs, driver's license numbers and lists of assets. The
number of people affected is reportedly as high as 10,000, as many of
the students are dependent children. The breach affects students who
applied for financial aid for the 2005-06 and 2006-07 academic years.
The university is notifying those affected by the breach by letter.
Vanguard University is in Costa Mesa, California.
http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.txt
http://identityalert.vanguard.edu/notification.htm
http://identityalert.vanguard.edu/

 --Stolen Boeing Laptop Recovered
(27 & 26 January 2007)
A laptop reported stolen from Boeing has been recovered. The laptop was
reported stolen in December 2006; it holds personally identifiable
information of approximately 382,000 current and former Boeing
employees. Boeing Senior VP Rick Stephens reportedly told employees in
an email that a consultant had determined that the files were not read
after the theft. Boeing fired the employee responsible for the computer
shortly after the theft was reported.
http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.html
http://seattlepi.nwsource.com/business/301406_boeinglaptop27.html
[Editor's Note (Honan): Statements claiming that information was not
accessed on missing computers are very misleading and serve to simply
put marketing spin on an incident to placate non-technical users.
Anyone with forensic tools or disk imaging software can take a copy of
the data and use it at their leisure. Simple rule, once physical access
is gained to any of your systems = Game over.]

 --Prudential, Amex and Random House Employees Learn Their Data Are in Stolen Towers Perrin Computers
(25 & 23 January 2007)
The roster of companies affected by the Towers Perrin computer theft
continues to grow. Employees at Prudential, American Express and Random
House have been notified their personal information could be at risk of
exposure following the computers' disappearance. Towers Perrin provides
actuarial services for pension plans at Prudential and other companies.
A former Towers Perrin employee has been arrested in connection with the
theft but the computers have not been recovered. Random House is owned
by Bertelsmann, a German company that had contracted with Towers Perrin.
http://www.gawker.com/news/random-house/random-house-to-employees-oops-we-lost-your-social-our-bad-231384.php
http://www.nj.com/business/ledger/index.ssf?/base/business-5/1169532666221410.xml&coll=1

STANDARDS & BEST PRACTICES
 --Anti-Spyware Coalition Publishes Best Practices Document for Anti-Spyware Makers
(26 & 25 January 2007)
The Anti-Spyware Coalition (ASC) has released a draft document titled
"Best Practices: Factors for Use in the Evaluation of Potentially
Unwanted Technologies." The document provides specifics about how
software can be analyzed to determine if it is harmful. The ASC has
also released a draft document aimed at helping resolve disputes between
antispyware companies; that document is titled "Conflict Identification
and Resolution Process."
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61984844-39000005c
http://www.antispywarecoalition.org/documents/BestPractices.htm
[Editor's Note (Skoudis): The Anti-Spyware Coalition has done some
wonderful work here, and has carefully balanced a lot of controversial
and political issues. The document does a solid job in establishing a
baseline of activities that encompasses what most malicious software
does today, and what anti-spyware tools can do to help thwart it.]

MISCELLANEOUS
 --UK Police Struggle to Combat e-Crime
(26 & 25 January 2007)
Microsoft says police in the UK are not putting enough focus on cyber
crime, according to a written submission provided to the House of Lords
Science and Technology Committee in advance of an inquiry hearing.
Microsoft observed that "cyber crime and related fraud are not presently
priority indicators for the police as set by the Home Office." The
company notes that attention to cyber crime has waned since the National
Hi-Tech Crime Unit (NHTCU) became part of the Serious Organized Crime
Agency (SOCA) last year. The UK's Office of Fair Trading says it does
not have the expertise to deal with Internet scams. The office is
skilled in working with "real world" scams, but online schemes require
a different skill set. A written report from the Metropolitan Police
says local forces cannot manage e-crime and calls for the establishment
of a "national [e-crime] unit ... to address the problem. [The unit]
would act as a central coordination point for police officers across the
country." Presently, different e-crimes are handled by different
entities, depending on the "level" of the crime.
http://www.theregister.co.uk/2007/01/26/uk_cybercrime_criticism/print.html
http://www.zdnet.co.uk/misc/print/0,1000000169,39285627-39001093c,00.htm
http://www.zdnet.co.uk/misc/print/0,1000000169,39285631-39001093c,00.htm
http://www.vnunet.com/computing/news/2173370/ecrime-efforts-stall-staff
[Editor's Note (Honan): Unfortunately this state of affairs is not
unique to the United Kingdom. Many police computer crime units around
the world are overwhelmed by the number of incidents that they have to
deal with, both actual computer crimes and traditional crimes where
computers are used to assist in the planning or execution of those
crimes. In today's world governments need to realise that classifying
a crime as computer crime is similar to classifying it as a shoe crime
and should resource their law enforcement agencies accordingly.]

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFFv5xu+LUG5KFpTkYRAtxjAJ0dgvtfPibGm2cjaeofizbVRH3ZZgCeOwaG
C0OAsaPlcrGzy7mnQS0Zgn4=
=a4bW
-----END PGP SIGNATURE-----