Good news and bad news on SCADA security: [SCADA and process control systems are the computers that control nuclear power plants, chemical plants, power stations, pipelines, dams and other major critical infrastructure facilities]
Bad news first: Two SCADA systems have been penetrated for criminal (extortion) activity. You can count on rapid expansion of this type of crime.
Now the good news: The SCADA Security Procurement Project has made extraordinary progress on developing procurement specifications so all buyers can ensure they are acquiring the best security they can for their control systems. Three SCADA/process control users are part of the Vanguard Group, putting the new specifications to work in their current procurements. The team at Idaho National Laboratory says they can work with several other organizations planning procurements and that such cooperation will help make the procurement language better. If your organization will be acquiring a control system within the next eight months, check out the project at: http://www.cscic.state.ny.us/msisac/scada/
And if you are willing to consider confidentially participating in the project with your upcoming procurement, contact Michael Assante at INL (email@example.com) or Will Pelgrin, CISO of New York State (firstname.lastname@example.org).
PS We need your help on the Reading Room. See the Reading Room story at the end of this issue.
************************************************************************* SANS NewsBites May 26, 2006 Volume: VIII, Issue: 42 *************************************************************************
******************** SPONSORED BY THE LOG MANAGEMENT SUMMIT *************
More than twenty pioneering log management users will be sharing the lessons learned and best practices at the Log Management Summit July 12-14, 2006 in Washington DC. Here's what you'll learn:
- How to find and stop phishing sites
- Buy vs. build -- tradeoffs
- Legal foundations for log management
- How log management helped catch four insider thieves at one site
- How log management stopped a spyware outbreak
- How log management helps IT operations -- beyond security
- How log management helped stop a virus before it created havoc
- The SANS consensus findings of the twenty most important log management reports and alerts
- Solving the storage dilemma
- Making Windows logging effective
- The future of log management
Sony BMG Rootkit DRM Settlement Approved (23 May 2006)
A US district court judge has approved a settlement in the Sony BMG rootkit class action lawsuit. Sony must provide all affected consumers with CDs free of the controversial digital rights management (DRM) software; the settlement also calls for Sony to provide free music downloads to those customers. The software, which was automatically installed on users' computers when they played the disc for the first time, was in essence a rootkit: it concealed its own files and processes from the operating system, and malware purveyors could take advantage of that concealment to hide their own code. The software also reportedly sent information about users' listening activity back to Sony. Under the terms of the settlement, Sony has agreed to stop manufacturing CDs with the two offending pieces of software. Sony will also submit any DRM software it plans to use in the future to a third party for review and include a description of the software with all CDs that contain it. -http://www.theregister.co.uk/2006/05/23/sony_rootkit_settlement/print.html -http://software.silicon.com/security/0,39024655,39159045,00.htm [Editor's Note (Pescatore): I've seen reliable numbers that show the Sony BMG rootkit software is on more than 10 million PCs worldwide, at least several million in the US. But, of course, rootkits' major mission in life is to not let "affected consumers" know they have been affected -- I hope the settlement forces Sony to spend a lot of money finding those PCs, not forcing the consumers to realize they have a problem. (Shpantzer): I was at a DC area major bookstore chain this weekend and they're STILL selling the Sony BMG CDs with MediaMax on them. I looked for the logo on the label and there it was. What's the point of giving customer refunds for a defective product if you're still selling it in stores? ]
German Police Charge 3,500 eDonkey Users with Piracy (24/23 May 2006)
Survey Finds Americans Want Strong Data Security Legislation (23 May 2006)
A survey from the Cyber Security Industry Alliance (CSIA) of 1,150 US adults found 71 percent want the federal government to enact legislation to protect personal data similar to California's data security law. Of that 71 percent, 46 percent said they would consider a political candidate's position on data security legislation and "have serious or very serious doubts about political candidates who do not support quick action to improve existing laws." In addition, half of those surveyed avoid making online purchases due to security concerns. -http://www.fcw.com/article94613-05-23-06-Web -http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/23/78609_HNdatapolitics_1.html [Editor's Note (Schultz): These results, as well as the lamentable recent incident at the Veterans Administration, once again show how badly the US is in need of a statute that requires strong protection of such information and prescribes strong punishments for individuals who fail to provide such protection. Additionally, such legislation should mandate prompt notification of individuals who are potentially affected by compromises of personal and/or financial information. (Weatherford): Big surprise here! Just look at today's NewsBites articles: VA loses data on 26M veterans; Red Cross warns donors of possible identity fraud; University of Delaware investigating data security breach. Is it any wonder the public doesn't trust organizations to protect their personal data? Of course the bad news is that our personal information simply isn't personal anymore! (Pescatore): It is interesting to watch software industry lobbying groups try to foster legislation that will drive demand for their software while remaining amazingly silent whenever the topic of liability or warranty is brought up for those same software products. (Ranum): Notice the leading question: Do you "have serious or very serious doubts about political candidates who do not support quick action to improve existing laws"? ]
OMB Directs Agency Privacy Officials to Hone Policies and Processes (22 May 2006)
A memo from Office of Management and Budget (OMB) acting director Clay Johnson directs senior privacy officials at US government agencies to "review ... policies and processes, and take corrective action as appropriate to ensure your agency has adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, personally identifiable information." The results should be included with agency Federal Information Security Management Act (FISMA) compliance reports, which are due this fall. -http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40842 -http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf [Editor's Note (Northcutt): According to the OMB memo: "The review shall address all administrative, technical, and physical means used by your agency to control such information, including but not limited to procedures and restrictions on the use or removal of personally identifiable information beyond agency premises or control." I am sure this is a step in the right direction, but the number of breaches of data from government and commercial organizations indicates too many organizations consider discretionary access controls an acceptable solution. They are not acceptable. If any NewsBites reader is using a commercial encryption system for your production database and is willing to share what tool you are using and how well you think it works, please drop a note to Stephen At sans.edu]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Lawmakers Livid Over Delay in Notification of VA Data Theft (25/24 May 2006)
US lawmakers are questioning the Department of Veterans Affairs' decision to delay disclosing a security breach for two weeks. While local law enforcement and the VA were notified "promptly" following the May 3 theft, VA Secretary Jim Nicholson did not learn of it until May 16. Nicholson has asked the VA's inspector general to find out who knew of the breach and when they knew it; Nicholson has acknowledged that the breach will cost in excess of US$100 million to "fix." Bills have been introduced in both the Senate and the House to provide free credit reports and credit monitoring for veterans. Some legislators have called for Nicholson to resign. -http://www.msnbc.msn.com/id/12953600/ -http://news.com.com/2102-7348_3-6076100.html?tag=st.util.print -http://www.informationweek.com/showArticle.jhtml;jsessionid=5Q5RN2BO5EELQQSNDBOCKH0CJUMEKJVN?articleID=188500310 -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000777 [Editor's Note (Schultz): The delay in notifying those who have been affected by this ugly incident is inexcusable. Additionally, why was there no policy forbidding personal data from being stored on laptop computers? Alternatively, if data could be stored in such a manner, why was there no policy that required encryption? (Weatherford): Having been on the receiving end of these sharp arrows of criticism, I realize how easy it is to arm-chair quarterback during a crisis, but this is simply ridiculous. Even recognizing the VA as a massively bureaucratic organization, two weeks for the Director to learn of something this significant is more than scandalous! ]
American Red Cross Warns Blood Donors of Breach and Identity Fraud (24 May 2006)
The American Red Cross has warned approximately 1 million blood donors in the Missouri-Illinois region that a former employee may have had access to their personal information; the warning is being made through the media and the Red Cross web site. Eight thousand donors whose data were held in a database used by the employee received letters alerting them to the danger of identity fraud posed by the data exposure; at least four of those 8,000 have already experienced identity fraud. The Red Cross decided to inform all donors in the region due to concerns that the employee may have accessed additional records. The employee used the stolen information to open credit card accounts and make purchases with them. The former employee has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000754 -http://www.ksdk.com/news/news_article.aspx?storyid=97155
Univ. of Delaware Investigating Data Security Breach (23 May 2006)
The University of Delaware (UD) has notified more than 1,000 people that their personal information, including names, Social Security numbers and driver's license numbers, may have been compromised in a security breach of a server at the school's Department of Public Safety. The department, along with state law enforcement and the FBI, is investigating the incident. The breach was detected on April 8, and the department put its cyber incident response plan into effect. The university's Office of Information Technologies has initiated a campaign to educate departments about the necessity of protecting what it calls "sensitive personal nonpublic information (PNPI)." -http://www.udel.edu/PR/UDaily/2006/may/breach052306.html
STATISTICS, STUDIES & SURVEYS
BSA Survey Finds Piracy Losses Total US$34 Billion (23 May 2006)
Suit Alleges MPAA Paid Someone to Infiltrate Valence Media IT Systems (25 May 2006)
TorrentSpy operator Valence Media has filed a lawsuit in the US District Court for the Central District of California alleging that the Motion Picture Association of America (MPAA) hired someone to gain unauthorized access to the company's IT systems to find evidence to use in its copyright infringement suit against TorrentSpy, a BitTorrent search site. -http://www.eweek.com/print_article2/0,1217,a=179329,00.asp [Editor's Note (Honan): This is a timely reminder that assessments of external threats should include attacks motivated by commercial and industrial espionage. ]
Improving the SANS READING ROOM (www.sans.org/rr/)
By Stephen Northcutt Hello, we need your help to keep the Reading Room a useful resource for the community. The people listed below are authors of popular Reading Room papers that need to be updated. Sadly, we have lost contact with them. If you are one of the people below and are willing to update your paper, or willing to give us permission to update your paper for you, please write me at Stephen@sans.org. If you know someone on the list, please give them a bump and suggest they reconnect with SANS!
John Mallery Philip Craiger Timothy Layton Benjamin Huey Christina Neal Nancy Navato Aaron Greenlee Jamie Crapanzano Dana Graesser David Jarmon Frederick Garbrecht Patrick Lindley Douglas Ford David Carts Philip Kaleewoun Walter Patrick Neil Cleveland William Martin Chaiw Kee
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC