Security Musings

2006 Year in Review for Information Security: January Recap


By Stephen Northcutt

Summary: We are bombarded with so much information that it can be hard to keep track of the important trends in IT security. This article, the first in a series of 12, is based primarily on the “Top of the News” items from SANS NewsBites. The idea is to review some of the most important stories of 2006 so that we are grounded in the knowledge we need as we move into the future.

NOTE: this is not just a rehash of NewsBites; I have taken the time to research additional information to bring the stories to closure.

The dominant trends in information security for January 2006 are:

Crime continues to increase
Deterrence, people who do bad things actually got caught
Security keeps becoming a harder and harder problem
Data Records, many companies lost data
Privacy, Government vs. Citizen's needs
The governments of the world are still passing legislation to help us
The government is struggling with IT and IT security
The patch of the month

Crime continues to increase

An FBI study of 2,066 firms found that 90% had experienced cyber crime events and 64% had experienced financial losses from such events. Worms and viruses caused the most damage despite the defenses most organizations had put in place. Average losses were $24,000.
http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm

http://news.com.com/2100-7349_3-6028946.html

I tried to follow up on this. The survey is based on data from The Internet Crime Complaint Center (IC3) and I have a call in to their press department. If we get further information about a 2006 survey we will update this article.

The Financial Services Authority (FSA) in the United Kingdom has called on banks to increase security measures to protect customer accounts. FSA reports that online bank fraud tripled in the first half of 2005 compared with the same period in 2004. Lloyds issued 30,000 security devices to customers in a pilot project.
http://news.bbc.co.uk/2/hi/business/4637226.stm

Deterrence, people who do bad things actually got caught

Though there is a lot of computer crime and many criminals do not get caught, others do, and that is important. Read and understand these stories. Bring them up in your awareness talks and in business meetings. We need to make sure people do not give up: if we keep prosecuting, this forms a type of deterrence that makes criminals think twice before attempting to exploit cyber resources.

A federal judge has ordered Christopher William Smith to pay America Online (AOL) more than US$5 million in damages and legal fees for sending billions of spam messages advertising fake drugs. AOL filed a lawsuit against Smith in 2004 under the CAN-SPAM Act. Smith is also awaiting trial on criminal charges of violating federal drug laws.
http://www.usatoday.com/tech/news/computersecurity/2006-01-26-aol-spam-case_x.htm

His passport photo is shown here. Later, in March 2006, Chris tried to use his phone privileges to arrange a “hit” to murder one of the witnesses in his trial.
http://spamkings.oreilly.com/archives/2005/06/drug_spam_kings.html
http://www.spamdailynews.com/publish/Jailed_spam_king_caught_conspiring_to_kill_witness.asp

In November 2006, he was convicted of illegally selling drugs over the internet and faces a mandatory sentence of 20 years.
http://thespamdiaries.blogspot.com/2006/11/christopher-william-smith-convicted-in.html

The ChoicePoint consumer record database breach, carried out by Nigerian national Olatunji Oluwatosin, led to a massive data theft that compromised the personal data of 145,000 people. Oluwatosin will be sentenced on February 10, 2006; he is already serving a 16-month prison term for an earlier felony count of identity theft. Where did ChoicePoint get all that data? From public records such as court rulings, driver records and real estate details, as well as from credit bureaus.
http://www.consumeraffairs.com/news04/2005/choicepoint_guilty.html
http://www.washingtonpost.com/wp-dyn/articles/A8587-2005Mar4_3.html

March - ChoicePoint must pay fines of US$15 million, the largest civil penalty in US history. US$10 million is an FTC fine; the additional US$5 million is designated for customer compensation. Under the terms of the settlement, ChoicePoint must also undergo independent security audits every two years until 2026. The US Securities and Exchange Commission (SEC) is looking into share trades made by ChoicePoint CEO Derek V. Smith and COO Doug Curling, both of whom allegedly made considerable profits in the months after they learned of the security breach but before it became public.
http://www.eweek.com/print_article2/0,1217,a=170079,00.asp
http://www.usatoday.com/tech/news/computersecurity/2006-01-26-ftc-choicepoint_x.htm
http://www.forbes.com/2006/01/26/choicepoint-fined-breach-cx_gl_0126autofacescan10.html

An Australian court has ordered Brad Norrish and Chesley Rafferty to pay AU$2.3 million (US$1.72 million) in damages and legal fees for running a domain registration scam that targeted as many as 50,000 UK website owners. They obtained the owners' details using the whois service, then sent notices telling the owners that their domains needed to be renewed. Norrish declared bankruptcy.
http://domainsmagazine.com/domain/Domains_1/Domain_3829.shtml
http://www.theregister.co.uk/2006/01/03/domain_scam/print.html
http://www.theaustralian.news.com.au/common/story_page/0,5744,17549155%255E2702,00.html

Robert Kramer, the owner of an Iowa-based Internet services company, has been awarded a US$11.2 billion judgment against spammer James McCalla, who is also prohibited from accessing the Internet for three years. Kramer is something of an anti-spam superhero figure, having previously won $1bn against Cash Link Systems, AMP Dollar Savings and TEI Marketing Group.
http://www.computerworld.com/printthis/2006/0,4814,107598,00.html
http://www.wired.com/news/politics/1,69966-0.html

Security keeps becoming a harder and harder problem

Gartner has published an advisory on its web site warning administrators that they need to be "more aggressive" in securing Oracle applications because the company is not providing its customers with adequate help. Gartner analyst Rich Mogull wrote that "Oracle can no longer be considered a bastion of security" and that "the range and seriousness of the vulnerabilities patched in this update cause us great concern." Gartner is also critical of Oracle for providing less information about fixes than the industry standard, for releasing faulty or difficult-to-use patches, and for not providing workarounds for vulnerabilities. Gartner recommends that administrators protect their systems with firewalls and intrusion prevention systems and use security monitoring tools. In addition, patching is sometimes not possible because legacy versions are unsupported. This may be related to the vulnerabilities published by security researcher David Litchfield.
http://www.computerworld.com/printthis/2006/0,4814,108038,00.html

Fortunately, the SANS SCORE project has posted a checklist, and the Center for Internet Security has a benchmark for Oracle 8 and 9 as well.
http://www.sans.org/score/oraclechecklist.php
http://www.cisecurity.org/bench_oracle.html

The destructive worm of the month for January 2006 was clearly "Blackworm" or more correctly, CME 24. It infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]'). CME-24 makes infected computers visit an online counter; the ISP is monitoring the counter traffic and sending warnings to users whose computers visit the counter website. CME-24 carries a malicious payload: on February 3, it is programmed to destroy files on infected PCs.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39249660-39020375t-10000025c
http://news.bbc.co.uk/1/hi/technology/4661582.stm
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39308105-39000005c
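As an added triage example (not part of the original article or of any SANS tool), the following script walks a directory tree and reports files of the listed types whose content has been replaced by the quoted error message. It assumes that a destroyed file begins with that exact marker string; the sample tree it builds is constructed data.

```python
"""Triage helper for the CME-24 ("Blackworm"/Nyxem) February 3 payload.

Added example, not from the original article.  Assumptions (labelled):
- a destroyed file *begins* with the marker string quoted in the article;
- only the file types the article lists as targets are checked.
"""
import os
import tempfile
from pathlib import Path

# Error message quoted in the article as the replacement content.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types the article lists as targets of the payload.
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def is_clobbered(path: Path) -> bool:
    """True if the file content starts with the marker (assumption above)."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        return False          # unreadable files are reported elsewhere, not here
    return head == MARKER


def find_clobbered_files(root: Path) -> list:
    """Walk `root`; return target-type files carrying the marker, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and is_clobbered(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample: one destroyed spreadsheet, one intact document,
    and a non-target file type that merely contains the marker text."""
    root = Path(tempfile.mkdtemp(prefix="cme24_demo_"))
    (root / "reports").mkdir()
    (root / "reports" / "budget.XLS").write_bytes(MARKER)                      # destroyed
    (root / "reports" / "memo.doc").write_bytes(b"\xd0\xcf\x11\xe0 intact doc")  # untouched
    (root / "notes.txt").write_bytes(MARKER)                                     # not a target type
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_clobbered_files(sample):
        print("destroyed:", hit.relative_to(sample))
```

Run against a user's profile or a file server share after February 3 to count how many documents must be restored from backup; the count is exactly the number the article says nobody knew.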

[Guest Editor's Notes: Ed Skoudis points us to the new Common Malware Enumeration Site for a list of all the names of this beast:
http://cme.mitre.org/news/index.html#20060124a]

According to CAIDA, between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem virus between January 15, 2006, 23:40:54 UTC and Wednesday, February 1, 05:00:12 UTC.
http://www.caida.org/analysis/security/blackworm/

The most amazing statistic? Thanks to the online counter we know roughly how many computers were infected, and we know many files must have been destroyed on February 3, 2006, but we have no idea how many.

A proof-of-concept exploit for a zero-day vulnerability in the Winamp 5.12 music player is circulating on the Internet. By tricking Winamp users into downloading a malicious playlist with a filename in excess of approximately 1,040 bytes, attackers could take control of vulnerable PCs. No patch is presently available.
http://www.techweb.com/wire/177105266

One of the most important themes of 2006 was the widespread emergence of zero-day attacks.

Data Records, many companies and organizations lost data

Perhaps foreshadowing the HP pretexting disaster, a federal court in Atlanta has granted Cingular Wireless a temporary restraining order (TRO) against operators of several web sites that provide private cellular phone records for a fee. Cingular says the companies' employees pretend to be cellular phone customers and Cingular employees in order to gather confidential information from customer service representatives. The information offered for sale includes private phone numbers and call records. In a separate case, online data brokers have used devious means to obtain cell phone records of Verizon Wireless customers, according to documents filed in a Florida court.
http://www.usatoday.com/tech/wireless/2006-01-16-cingular-records_x.htm
http://www.theregister.co.uk/2006/01/17/cingular_sues_over_customer_records/print.html
http://www.wired.com/news/technology/1,70027-1.html

A Rhode Island government web site, www.RI.gov, was reportedly the target of cyber thieves, who stole credit card information belonging to people who had conducted online business with Rhode Island state agencies. The breach was discovered through routine security procedures; measures have been taken to close the hole the thieves exploited.
http://www.fcw.com/article92132-01-27-06-Web

Privacy, Government vs. Citizen’s needs

Google is resisting government requests for data on its search engine usage. The two requests the government has made are for a random sample of 1 million web site addresses in its search engine index and for the text of all queries made on the search engine during a specific week. The government maintains it needs the records from Google to prepare its defense in a lawsuit brought by the American Civil Liberties Union. The lawsuit challenges the Child Online Protection Act (COPA) on the grounds that it violates the First Amendment. The government wants the information to help support its claim that COPA is stronger than Internet content filtering in efforts to prevent minors from accessing pornographic Internet content. Google believes the government's demand for information is overreaching. Other search engine operators, including Microsoft's MSN and Yahoo, have complied with the government's request for search data. Both say no personal information was revealed.
http://www.infoworld.com/article/06/01/19/74616_HNgoogle_1.html
http://www.computerworld.com.au/index.php/id;514585818;fp;16;fpid;0
http://www.eweek.com/print_article2/0,1217,a=169742,00.asp
http://technology.timesonline.co.uk/article/0,,20411-2002169,00.html

March – Google’s case was upheld in court; it did, however, provide data on 50,000 specific URLs.
http://googleblog.blogspot.com/2006/03/judge-tells-doj-no-on-search-queries.html

Google plans to release Google.cn in China, a version of its search engine that filters content that the country's government would find objectionable. Google officials say the choice to censor content was a difficult one, yet one that best serves the interests of its customers in China. Google says users will be informed when their search results have been censored. Google will not offer email, blogging or chat room services in China to avoid the possibility that the government could demand customers' personal data.
http://www.wired.com/news/technology/1,70081-0.html
http://www.vnunet.com/vnunet/news/2149163/google-bow-great-firewall-china
http://news.bbc.co.uk/2/hi/technology/4647398.stm

The governments of the world are still passing legislation to help us

New state laws in Louisiana, New Jersey and Illinois require that people be notified when data security breaches compromise their personal information.
http://www.kplctv.com/Global/story.asp?S=4307966&nav=0nqx

In January, the recently enacted Violence Against Women and Department of Justice Reauthorization Act was reported to contain a clause that makes it a crime to post "annoying messages or send annoying email" without disclosing one's true identity.
http://www.whitehouse.gov/news/releases/2006/01/20060105-3.html

The UK Home Office has introduced legislation that would increase penalties for those convicted of cyber crimes. The fifth section of the proposed Police and Justice Bill would revise the Computer Misuse Act and provide for a maximum prison sentence of 10 years "for individuals maliciously impairing the operation of a computer or hindering or preventing the access to programs or data." The present maximum penalty for breaking into a system is five years in prison. It appears the bill would include denial-of-service attacks, which are not currently addressed under the CMA.
http://software.silicon.com/security/0,39024888,39155931,00.htm
http://www.theregister.co.uk/2006/01/26/uk_computer_crime_revamp/print.html
http://www.out-law.com/page-6569
http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.27-33.html#j383A

The government is struggling with IT and IT security

Beginning in March, the US Internal Revenue Service (IRS) will have three private contractors helping to collect back taxes from US citizens. There are concerns that the IRS will not sufficiently protect taxpayer information.
http://www.informationweek.com/story/showArticle.jhtml?articleID=177100345

The eOffer/eMod web site, which is used by vendors to bid on government contracts through the General Services Administration (GSA), has been closed to address security concerns.
http://www.fcw.com/article91960-01-13-06-Web

The patch of the month

The SANS Internet Storm Center recommended applying an unofficial patch for the WMF vulnerability, since an official one was not yet available from Microsoft.
http://isc.sans.org/diary.php?storyid=993

Microsoft Releases Out-of-Cycle Patch for WMF Flaw
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx