Security Bytes: Investigators slam VA over data breach

Meanwhile: Cisco patches a router application flaw; a Washington, D.C. law firm sues IBM over a server attack; and spammers lure Web surfers with fake Vladimir Putin death reports.

Investigators slam VA over data breach
U.S. Department of Veterans Affairs (VA) Inspector General George J. Opfer has released a scathing report on the data breach that left 26.5 million veterans and about 2.2 million active duty personnel at risk of identity fraud.

Investigators in his office concluded that a VA analyst showed poor judgment by taking the data home and that his supervisors were lax in their oversight.

Opfer outlined a litany of missteps, insufficient security measures and an overall lack of care in the events leading up to the May 3 burglary of the analyst's Maryland home. The report also faults the analyst's chain of supervisors, up to Deputy Secretary Gordon H. Mansfield, for waiting nearly three weeks to publicize the burglary, a delay the report said unreasonably put veterans and active duty personnel at risk of fraud.

In a written response, VA Secretary Jim Nicholson promised improvements in handling information, according to The Associated Press (AP).

Meanwhile, the AP reported, the Federal Bureau of Investigation (FBI) has determined with a "high degree of confidence" that the sensitive files on the analyst's recently recovered laptop were neither compromised nor read. The FBI recently completed a full forensic analysis of the stolen laptop and external drive, which were recovered June 29.

Cisco addresses router application flaw; other issues
San Jose, Calif.-based networking giant Cisco Systems Inc. has addressed three separate security issues, including a flaw in its Router Web Setup application.

The default Cisco IOS configuration shipped with the Cisco Router Web Setup (CRWS) application "allows the execution of commands at privilege level 15 through the Cisco IOS HTTP (Hypertext Transfer Protocol) server Web interface without requiring authentication credentials," Cisco said in an advisory. "Privilege level 15 is the highest privilege level on Cisco IOS devices."

Fixed versions of the CRWS application ship with a more secure default IOS configuration and additional functionality with regard to the Cisco IOS HTTP server Web interface, the company said.
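For readers checking their own routers, the fragment below is an added illustration and is not taken from the Cisco advisory or from the configuration CRWS actually shipped. The "weak" lines are an assumption about what such a default looks like: the IOS HTTP server's default authentication method is the enable password, so a device with `ip http server` enabled and no enable secret configured has nothing to check a request against. The hardened lines use standard IOS commands; the user name, passphrase placeholders and the 192.0.2.0/24 management network are invented for the example.

```cisco
! --- Weak (assumed illustration of the default the advisory describes) ---
! HTTP server on, default 'enable' authentication method, and no enable
! secret or privilege-15 user anywhere in the configuration: requests to
! the web interface run at privilege level 15 without credentials.
ip http server
! (no 'enable secret' line, no 'username ... privilege 15' line)

! --- Hardened: keep the web interface, but make it authenticate ---
! 1. Give the device a privileged credential. 'secret' stores a hash,
!    unlike 'enable password'.
enable secret <strong-passphrase>
! 2. Create a local privilege-15 account for the web interface (example name).
username webadmin privilege 15 secret <strong-passphrase>
! 3. Authenticate HTTP requests against the local user database instead of
!    the enable method ('aaa' is the alternative if a AAA server is in use).
ip http authentication local
! 4. Restrict the web interface to the management network (example range).
access-list 10 permit 192.0.2.0 0.0.0.255
ip http access-class 10

! --- Alternative: remove the attack surface once setup is finished ---
! If CRWS is only needed for initial provisioning, turn the server off
! instead of hardening it.
no ip http server
no ip http secure-server
```

To verify a running device, `show running-config | include ip http` should show either no `ip http server` line or an explicit `ip http authentication local` (or `aaa`) line plus an `ip http access-class`, and `show running-config | include enable secret` should return a line; a router that answers the first query with only `ip http server` is in the weak state.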

The second issue is that Cisco Unified CallManager (CUCM) 5.0 contains command line interface (CLI) and Session Initiation Protocol (SIP) flaws. "There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges," Cisco said. "There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service."

Cisco said it has made free software available to address these vulnerabilities.

The third issue is that Cisco Intrusion Prevention System (IPS) software version 5.1 is prone to a denial-of-service condition caused by a malformed packet, "which may result in an IPS device becoming inaccessible remotely or via the console and fail to process packets," Cisco said. "A power reset is required to recover the IPS device. There are no workarounds for this vulnerability."

Cisco said it has made free software available to address this vulnerability as well.

IBM sued over server attack
IBM is being sued by Washington, D.C. law firm Butera & Andrews over a 2005 attack on the firm's email server. The firm claims that an unknown IBM employee tried to attack the server last November, shortly after the firm found that its computer had been hijacked by an unknown attacker, the IDG News Service reported. Security investigators traced the attack to a computer inside IBM's Cornwallis Road facility in Durham, N.C., the law firm claims.

The IDG News Service reported the lawsuit was filed April 7 in the U.S. District Court for the District of Columbia. An analysis of computer logs revealed "over 42,000" attempts by IBM-controlled machines to attack Butera & Andrews servers during 2005, the lawsuit claims. Butera & Andrews wants the court to make IBM reveal information related to the attacks and to award it damages, including the $61,000 it spent investigating the matter.

IBM has asked for the case to be dismissed, saying that Butera & Andrews "alleges no facts to justify its supposition that its systems were attacked by an IBM employee, as opposed to a computer hacker."

Spammers' latest trick: A fake Putin death report
UK-based antivirus firm Sophos said spammers have launched a new campaign disguised as a breaking news report that Russian President Vladimir Putin has died. The attackers are using the lure to try to infect computers with a Trojan horse.

Embedded in the HTML email is a hidden script that lets the attacker silently download Troj.Dloadr-ZP from a Russian Web site. The Trojan horse is designed to download further malicious code that could give remote attackers unauthorized access to the victim's computer.

Although the link is dressed up as a BBC News report, Sophos said the user is actually directed to another Russian Web site purporting to belong to a construction firm that supplies heating systems for apartments and advertises training seminars.
