Security Bytes: Investigators slam VA over data breach

By SearchSecurity.com Staff
13 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Investigators slam VA over data breach
U.S. Department of Veterans Affairs (VA) Inspector General George J. Opfer has released a scathing report (.pdf) on the data breach that left 26.5 million veterans and about 2.2 million active duty personnel at risk for identity fraud.

Investigators in his office concluded that a VA analyst showed poor judgment by taking the data home and that his supervisors were lax in their oversight.

Opfer outlined a litany of missteps, insufficient security measures and an overall lack of care in the events leading up to the May 3 burglary of the analyst's Maryland home. The report also slams a chain of the analyst's supervisors, leading up to Deputy Secretary Gordon H. Mansfield, for waiting nearly three weeks to publicize the burglary, which unreasonably put veterans and active duty personnel at risk for fraud, the report said.

In a written response, VA Secretary Jim Nicholson promised improvements in handling information, according to The Associated Press (AP).

Meanwhile, the AP reported, the Federal Bureau of Investigation (FBI) has determined with a "high degree of confidence" that the sensitive files on the employee's recently recovered laptop were neither compromised nor read. The FBI recently completed a full forensic analysis of the stolen laptop and external drive, which were recovered June 29.

Cisco addresses router application flaw; other issues
San Jose, Calif.-based networking giant Cisco Systems Inc. has addressed three separate security issues, including a flaw in its Router Web Setup application.

The default Cisco IOS configuration shipped with the Cisco Router Web Setup (CRWS) application "allows the execution of commands at privilege level 15 through the Cisco IOS HTTP (Hypertext Transfer Protocol) server Web interface without requiring authentication credentials," Cisco said in an advisory. "Privilege level 15 is the highest privilege level on Cisco IOS devices."

Cisco has modified fixed versions of the CRWS application to provide a more secure default IOS configuration and additional functionality with regard to the Cisco IOS HTTP server Web interface, the company said.

The second issue is that Cisco Unified CallManager (CUCM) 5.0 contains command line interface (CLI) and session initiation protocol (SIP) flaws. "There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges," Cisco said. "There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service."

Cisco said it has made free software available to address these vulnerabilities.

The third issue is that Cisco Intrusion Prevention System (IPS) software version 5.1 is prone to a denial-of-service condition caused by a malformed packet, "which may result in an IPS device becoming inaccessible remotely or via the console and fail to process packets," Cisco said. "A power reset is required to recover the IPS device. There are no workarounds for this vulnerability."

Cisco said it has made free software available to address this vulnerability as well.

IBM sued over server attack
IBM is being sued by Washington law firm Butera & Andrews over a 2005 attack on its email server. The firm claims that an unknown IBM employee tried to attack the server last November, shortly after the firm found that its computer had been hijacked by an unknown attacker, the IDG News Service reported. Security investigators traced the attack to a computer inside IBM's Cornwallis Road facility in Durham, N.C., the law firm claims.

The IDG News Service reported the lawsuit was filed April 7 in the U.S. District Court for the District of Washington. An analysis of computer logs revealed "over 42,000" attempts by IBM-controlled machines to attack Butera & Andrews servers during 2005, the lawsuit claims. Butera & Andrews wants the court to make IBM reveal information related to the attacks and to award it damages, including the $61,000 spent investigating the matter.

IBM has asked for the case to be dismissed, saying that Butera & Andrews "alleges no facts to justify its supposition that its systems were attacked by an IBM employee, as opposed to a computer hacker."

Spammers' latest trick: A fake Putin death report
UK-based antivirus firm Sophos said spammers have launched a new campaign disguised as a breaking news report that Russian President Vladimir Putin has died. Hackers are using the trick to try to infect computers with a Trojan horse.

Embedded in the HTML email is a hidden script that allows the attacker to secretly download Troj.Dloadr-ZP from a Russian Web site. The Trojan horse is designed to download further malicious code that could allow remote hackers to gain unauthorized access to the victim's computer.

Although the link pretends to be that of a BBC News report, Sophos said the user is directed to another Russian Web site purporting to be the home of a construction firm focused on providing heating systems for apartments and advertising training seminars.
