Security Musings

2006 Year in Review for Information Security: February Recap


By Stephen Northcutt


Summary:
We are bombarded with so much information that it can be hard to keep track of the important trends in IT security. This article, the second in a series of 12, is based primarily on the "Top of the News" items from SANS NewsBites. The idea is to review some of the most important stories from 2006 to make sure we are grounded in the knowledge we need as we move into the future.

NOTE: This is not just a rehash of NewsBites, we have taken the time to research additional information to bring the stories up-to-date.

The dominant trends in information security in 2006 - February:

Data Breaches
EU Data Retention Directive
DHS "Cyber Storm" Exercise
Mac OS Flaws
Greek Wiretapping Scandal
Update - Sun Addresses Privilege Escalation Vulnerability in JRE

Data Breaches

A not-so-pleasant milestone was reached in late 2006 when the total number of records involved in security breaches passed the 100 million mark on December 13, 2006. As previously reported in NewsBites, a chronology of known data security breaches is published by the Privacy Rights Clearinghouse (PRC). The additions to this listing show no signs of slowing down, with banks, CPA firms, retail merchants, insurance companies, hotels, universities, medical centers, newspapers, city, state and federal entities, and the DoD among those represented on the list.
http://www.privacyrights.org/ar/ChronDataBreaches.htm

The recent announcement on January 17, 2007 by TJX (T.J. Maxx, Marshalls, HomeGoods) of a massive security breach that occurred in December 2006 elicited statements from the PCI Security Standards Council and the Cyber Security Industry Alliance (CSIA) the following day. PCI reminded businesses of the importance of protecting customer data, and CSIA renewed its call on Congress to pass a national security law.
http://www.informationweek.com/security/showArticle.jhtml?articleID=196902075
http://www.eweek.com/article2/0,1895,2085390,00.asp
https://www.pcisecuritystandards.org/pdfs/pci_security_standards_council_statement_on_recent_data_breaches.pdf
https://www.csialliance.org/news/pr/view?item_key=8fb3e3fc4564513f99a27cb45d5eb6b9d67bea66

Legislation has been proposed in the US to protect sensitive personal data, but has not yet been enacted. It seems that each time a data breach is announced, there are new calls for this legislation. When AOL released search history in August 2006, Representative Edward Markey (D-MA) urged action on privacy legislation that he introduced in February 2006 that would require deletion of data. This bill is still in the Subcommittee on Commerce, Trade and Consumer Protection. After the TJX announcement, a spokesman for the House Committee on Financial Services said that protecting sensitive personal data would be a priority in 2007, and Wm. Lacy Clay (D-MO, head of the House Oversight and Government Reform Committee's Information Policy, Census and National Archives Subcommittee) said he "plans to delve into the problems surrounding technology and privacy." The CSIA maintains a Legislative Update page showing the status of bills that have been introduced.
http://www.sci-tech-today.com/story.xhtml?story_id=02300000MCAG
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:H.R.4731:
http://today.reuters.com/news/articleinvesting.aspx?type=comktnews&storyID=2007-01-18T223005Z_01_N18198268_RTRIDST_0_CONGRESS-DATASECURITY.XML
http://www.fcw.com/article97422-01-19-07-Web
https://www.csialliance.org/legislation/us/

Whether through top-down pressure (enactment of legislation) or bottom-up pressure (the high cost to companies facing security breaches, $182 per record, a 31% increase over 2005, and the humiliation this has caused to governmental agencies, e.g. the stolen VA laptop that contained the personal information of 26.5 million veterans), hopefully 2007 will be the year that the tide is turned.
http://www.eweek.com/article2/0,1895,2034667,00.asp
http://www.fcw.com/article97085-12-26-06-Web

EU Data Retention Directive

On the flip side of proposed laws for mandatory deletion of data, in February 2006 Ministers at the Justice and Home Affairs (JHA) Council of the EU gave final approval to a controversial data retention directive. The directive went into force as an EU law in May 2006; however, Member States must still transpose the law (which may conflict with laws already on the books of EU members). This presents a daunting challenge for telcos and ISPs in collecting and maintaining the data.
http://networks.silicon.com/telecoms/0,39024659,39156685,00.htm?r=1
http://www.eurocomms.co.uk/features/features.ehtml?o=2201
http://www.pcpro.co.uk/news/102171/fears-grow-over-eu-data-retention-law.html

The US has been exploring options for data retention, but issues such as data mining by the National Security Agency (NSA) have prompted opposition.
http://news.com.com/2100-1028_3-6072601.html
http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm
http://news.com.com/2100-1028_3-6149118.html

DHS "Cyber Storm" Exercise

The Department of Homeland Security (DHS), National Cyber Security Division (NCSD) conducted a cyber security exercise, dubbed Cyber Storm, February 6-10, 2006. The exercise included the Information Technology Information-Sharing and Analysis Center (IT-ISAC), as well as Cisco Systems, Microsoft, Symantec and others in the cyber security industry. It was designed to simulate events requiring coordination between public and private entities in the face of a major cyber attack or natural disaster.
http://www.eweek.com/article2/0,1895,1925483,00.asp

The report detailing the findings of Cyber Storm was released September 13, 2006. According to the report, the public and private sectors need to improve the coordination of their communication regarding multiple events. The conclusion is not surprising; in a major event of any sort, communication is always the problem. Cyber Storm II is scheduled to take place in March 2008. It will be interesting to see if lessons learned from the first Cyber Storm exercise will result in improvements.
http://www.eweek.com/article2/0%2C1895%2C2015743%2C00.asp
http://www.dhs.gov/xnews/releases/pr_1158340980371.shtm

Mac OS Flaws

SANS NewsBites reported in the February 24, 2006 issue that three security issues hit Mac OS X in a short time. In May 2006 SANS noted a sharp increase in Mac OS X flaws. CNET's News.com "Year in Review 2006 - Bugs/flaws" highlights two articles regarding Mac OS: "Is Mac OS as safe as ever?" and "Tribble on Apple's security troubles".
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=16#sID200
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=35#sID200
http://news.com.com/Year+in+review+Zero-day+mania/2009-1002_3-6136825.html

A pair of researchers picked January 2007 to run a "Month of Apple Bugs" project. Ten bugs have been discovered so far during this project.
http://blog.washingtonpost.com/securityfix/2006/12/january_2007_month_of_apple_bu.html
http://news.com.com/Apple+guru+combats+month+of+bugs/2100-1002_3-6146886.html
http://www.technewsworld.com/story/55141.html

Greek Wiretapping Scandal

The Greek government acknowledged in early February 2006 that approximately 100 mobile phones belonging to Greek politicians were tapped in 2004 and 2005. In December 2006 cell phone operator Vodafone was fined €76 million (US$100 million). Vodafone's Greek unit said it would challenge the decision in court.
http://www.iht.com/articles/ap/2006/12/14/europe/EU_GEN_Greece_Wiretaps_Vodafone.php

Sun Addresses Privilege Escalation Vulnerability in JRE

The February 10, 2006 issue of NewsBites noted that Sun Microsystems had released updated versions of its Java Runtime Environment (JRE) to address seven critical security flaws. The flaws lie in the "reflection" APIs and could be exploited with maliciously crafted applets to read and write files on the hard drives of vulnerable systems and to execute programs. Since then, Sun has announced three further security flaws that may allow an untrusted applet to elevate its privileges. The SANS Internet Storm Center reminds us that as new versions of the Sun Java JRE keep coming out to address security flaws, do NOT forget to remove the old versions. You may be running Java code in your applications that absolutely requires a specific version of the JRE. Update the applications, update the JRE, and then remove the old JRE versions. Why? Because a Java applet can request which version of the JRE it wishes to use, so an old, vulnerable version left on the system can still be selected and run.
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=12#sID306
http://isc.sans.org/diary.html?date=2007-01-22
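The ISC advice above ("remove the old versions") is easy to state and easy to forget, because a newer JRE installs beside the old one rather than replacing it. The following script, an added example that is not from the article, from SANS or from the ISC diary, inventories the `java` binaries on a host, parses the banner each one prints for `java -version`, and reports every install older than a baseline you choose. The sample banners embedded in it are constructed for illustration, and the baseline version passed in the usage line is a hypothetical cut-off, not a value from the page.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# First line of a "java -version" banner, e.g.  java version "1.5.0_06"
# The same pattern also matches newer banners such as  java version "11.0.2"
VERSION_LINE = re.compile(r'version "([0-9]+(?:\.[0-9]+)*(?:_[0-9]+)?)')


def parse_java_version(output: str) -> Optional[str]:
    """Return the version string found in `java -version` output, or None."""
    m = VERSION_LINE.search(output)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.5.0_06' into (1, 5, 0, 6) so versions compare numerically,
    not as strings (where '1.5.0_10' would wrongly sort before '1.5.0_6')."""
    return tuple(int(part) for part in re.split(r"[._]", version))


def stale_installs(inventory: Dict[str, str], minimum: str) -> List[str]:
    """Return the install paths whose JRE is older than `minimum`.

    `inventory` maps an install path to the raw banner captured from that
    path. Installs whose banner cannot be parsed are reported as well: a
    JRE that cannot be identified cannot be vouched for either.
    """
    floor = version_key(minimum)
    stale = []
    for path, banner in inventory.items():
        version = parse_java_version(banner)
        if version is None or version_key(version) < floor:
            stale.append(path)
    return sorted(stale)


def discover_installs(candidates: List[str]) -> Dict[str, str]:
    """Live check: run `java -version` for each candidate path or command
    name that exists on this host and collect the banners."""
    found: Dict[str, str] = {}
    for candidate in candidates:
        exe = shutil.which(candidate)  # resolves bare names and checks paths
        if not exe:
            continue
        try:
            proc = subprocess.run([exe, "-version"], capture_output=True,
                                  text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        # Sun's java prints the version banner on stderr, newer ones on stdout
        found[exe] = proc.stderr + proc.stdout
    return found


# Constructed sample inventory (not captured from any real host): three
# side-by-side JREs of the kind the ISC diary warns about.
SAMPLE_INVENTORY = {
    "/usr/java/j2re1.4.2_10/bin/java":
        'java version "1.4.2_10"\nJava(TM) 2 Runtime Environment (build 1.4.2_10-b03)\n',
    "/usr/java/jre1.5.0_06/bin/java":
        'java version "1.5.0_06"\nJava(TM) 2 Runtime Environment (build 1.5.0_06-b05)\n',
    "/usr/java/jre1.5.0_10/bin/java":
        'java version "1.5.0_10"\nJava(TM) 2 Runtime Environment (build 1.5.0_10-b03)\n',
}

if __name__ == "__main__":
    # Hypothetical baseline: anything below 1.5.0_10 should have been removed.
    for path in stale_installs(SAMPLE_INVENTORY, "1.5.0_10"):
        print("stale JRE still installed:", path)
    # On a real host, feed discover_installs() the locations your platform
    # uses, e.g. the bare command name plus any vendor install directories.
    live = discover_installs(["java"])
    for path in stale_installs(live, "1.5.0_10"):
        print("stale JRE on this host:", path)
```

Run against the constructed inventory the script flags the 1.4.2_10 and 1.5.0_06 installs and leaves 1.5.0_10 alone; the unparsable-banner case is deliberately treated as stale rather than silently skipped, so an odd or wrapper binary shows up for a human to look at instead of disappearing from the report.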