
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-24 InfoSec Handlers Diary Blog



A Possible Data Breach at Romanian Finance Ministry? Maybe Not.

Published: 2007-03-24
Last Updated: 2007-03-27 23:52:43 UTC
by Lenny Zeltser (Version: 5)
An ISC reader shared with us a link to a story reported by a Romanian news agency that seems to describe a data breach at the Romanian Finance Ministry (thank you!). According to him, the article discusses a vulnerability on the website of Romania's National Agency for Fiscal Administration (the main unit of the Romanian Finance Ministry, equivalent of the IRS in the USA):
This vulnerability made available the full information about all of Romania's ~22 million citizens, including the Personal Number Code (CNP - "Cod Numeric Personal" - equivalent of the Social Security Number in the USA)
Even more, full identifying data of each taxpayer is/was available. In addition to the CNP this also includes the full name, full address, and full finance information, including information about taxes and duties paid to the state budget.
This sounds like a very severe breach. Unfortunately, we don't have a way of verifying the person's description of the article, and we cannot translate the article's text ourselves.

The article's text is available at:
http://www.ziua.ro/display.php?data=2007-03-13&id=217445
Update March 25: Another ISC reader wrote to let us know that a search in the online archives of two important Romanian news portals (hotnews.ro and ziare.ro) did not return any results related to the alleged breach. The person also commented that the reporter who wrote the original story, referenced above, did not include any details in the article to support the claim of a breach.

Update March 26: ISC reader Ciprian Pantea translated most of the article for us. The article's text states that the reporter was able to compromise the security of the agency's website and expose the sensitive data. The article does not offer any details regarding the vulnerability. According to the translated version of the article, a "problem in the security systems of the servers of MFP permits every user of a computer connected to the Internet to access the database administered by ANAF. In this way one can obtain complete information about certain individuals." However, we still have not seen any confirmation of the described security issue.

Update March 27a: Another ISC reader, KC, shared with us his or her perspective on the article: "This article explains how a local Romanian newspaper was able to gain access to the private site without the use of any special hardware or software and therefore were not breaking any laws in discovering the vulnerability in RFM system. They went public with the information because they notified the RFM regarding the issue and never received a response."

Update March 27b: Another ISC reader pointed out that the article "does not actually claim that all citizens have had their personal data exposed. Plus, it seems that it was not 'full finance information, including information about taxes and duties paid to the state budget,' but just some information on the type of tax these people were supposed to pay."

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com

Tracking Publicly-Announced Data Breaches

Published: 2007-03-24
Last Updated: 2007-03-27 14:52:47 UTC
by Lenny Zeltser (Version: 2)
Prioritizing IT spending is hard. Increasing awareness for IT security risks among executive managers is not any easier. Breach notification laws, which have recently been enacted by many states in the US, help on both accounts.

In a nutshell, the laws require companies that suffered a breach of sensitive customer information to notify the affected individuals. This is one of the reasons we have been hearing so many announcements of such incidents. It's not that data wasn't being compromised earlier; it's just that now there are legal obligations for making the breach public.

Knowing the circumstances of publicly-announced breaches can help you identify and mitigate similar risks in your organization. An ISC reader wrote to us about one such situation, where he was asked to research incidents where a backup tape lost in transit resulted in a breach that led to identity fraud.

Although it's difficult to link breaches to confirmed cases of identity fraud--such details are rarely made public--here are a few ways you can keep track of announced data breaches.
  • Attrition.org maintains a Data Loss Archive and Database, which records many potential instances of data breaches. The information is available as an RSS feed and in a CSV file.
  • Privacy Rights Clearinghouse maintains a list of data breaches, sorted in chronological order for 2005, 2006 and 2007.
  • The Educational Security Incidents site tracks breach announcements at institutions of higher education. (Thanks for letting us know, Greg!)
  • About.com compiled a list that includes a number of data breaches announced in 2006 and 2007.
If you would like to know which US states have enacted breach notification laws, take a look at the detailed list maintained by the University of Georgia; it was last updated on October 1, 2006. Another list, updated on January 9, 2007, is maintained by the National Conference of State Legislatures.

Here are a few more data points related to data breaches, which you may want to add to your arsenal:
  • According to the 2006 Annual Study: Cost of a Data Breach, conducted by The Ponemon Institute and sponsored by PGP Corporation and Vontu, the cost of responding to a data breach "averaged $182 per lost customer record." "The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million."
  • A study of announced data breaches, conducted by Phil Howard and Kris Erickson at the University of Washington, found that almost 1.8 billion records were compromised from year 2000 to 2006. A draft of the paper is available for download and includes lots of other interesting details.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com

Vista's Windows Mail - program execution - CVE-2007-1658

Published: 2007-03-24
Last Updated: 2007-03-24 20:55:36 UTC
by Swa Frantzen (Version: 1)

There is public discussion about a vulnerability in Microsoft Windows Vista's Windows Mail. It centers around crafted URLs that are able to start programs if a similarly named directory exists as well. Claims are made that this works against both local resources and UNC paths (e.g. \\server\share\path\file), which are intrinsically remote.

CVE-2007-1658 was assigned to this issue.

We're still seeking further information and will keep tracking this with the other publicly known unpatched vulnerabilities in Microsoft products.

--
Swa Frantzen -- NET2S


Domain Appraisal Scam Targets Domain Name Owners

Published: 2007-03-24
Last Updated: 2007-03-24 20:41:17 UTC
by Lenny Zeltser (Version: 1)
The Internet abounds with scams of all shapes, colors, and flavors. This note is about a domain appraisal scam that seems to be targeting domain name owners. Justin Hall sent us an email describing the scam that targeted him recently. This note is based on his description of the scam, as well as on the accounts sprinkled throughout the web.

There are many accounts of this scam on the web. Although some details change from incident to incident, the key attributes, meant to confuse and misdirect the victim, remain the same.

At the onset of the scam, the scammer emails the victim with an offer to purchase one of his or her domain names. According to one report, the note looks like this:
I found your name for sale on the web. Can you give me a price for the name in the subject line. Domain names is not my main business. Just another way to make money online on domain reselling.
The goal of the scam seems to be to direct the victim to appraise the domain name with an appraisal service of the scammer's choice. However, rather than directly pointing the victim to a particular appraiser, the scammer directs the victim to a forum discussion about the most reliable appraisal service:
Of course, we must be sure that you are engaging a reputable appraisal company. I heard many appraisal companies often made inaccurate appraisals. I will only accept appraisals from independent sources I trust. I heard some appraisal companies often made inaccurate appraisals. To avoid mistakes I asked domain experts about reputable appraisal companies in a forum http://domaintalk.ourplace.com/Archive/261947.htm
All indications suggest that the forum discussion is bogus. The "forum" seems to be a static HTM page that is meant to look like a forum discussion. Discussions on real web forums about this scam indicate that there have been multiple versions of the bogus discussion, all hosted under http://domaintalk.ourplace.com/Archive, but using different file names.

Some of the bogus discussions are still available (95073.htm, 261947.htm, 98042.htm); others are no longer live. The discussions differ slightly, but all follow the same pattern. The first message asks for a recommendation of a good domain appraisal service:
Hi folks, I am going to invest money in several good names. I don't want to overpay so third party valuation is a must. Investing in good names is a new business for me. Can someone recommend me good appraisers?
A user "NameSeller" responds by mentioning a few appraisal services. After a few other messages, the apparent winner usually becomes securenamesale.com.

Public accounts of the scam state that even if the victim pays for an appraisal certificate from the service approved by the scammer, the scammer does not purchase the domain.

Is securenamesale.com a legitimate service? It's hard to say for sure, but the victims describing the scam on public forums are highly doubtful. The site sells domain appraisal software for $99. We located another site hosted on the same IP address and having the same content as securenamesale.com; it goes under the name allfordomains.com.

The ultimate objective of the scammer remains a bit unclear. The scammer probably benefits financially from the victim using the designated domain appraisal service, although it's possible that some other motives exist. If you have any specific information about this scam, please let us know.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com