SANS NewsBites - Volume: VIII, Issue: 68


We asked the folks at DHS for a list of industries that are at risk because of security weaknesses in SCADA and Distributed Control Systems. The answer was far more than we expected. Here's what the US government (NIST) provided: These highly vulnerable systems are used in the (1) electric, (2) water, (3) oil and gas (pipelines, too), (4) chemical, (5) pharmaceutical, (6) pulp and paper, (7) food and beverage, and (8) discrete manufacturing (automotive, aerospace and durable goods) industries. We were surprised. If you are responsible for security in any of these industries, and want to master the rapidly growing threat to control systems, join us at the Process Control and SCADA Security Summit (September 29-30) just before SANS Network Security 2006 in Las Vegas. See http://www.sans.org/scadasummit_fall06/ for details.

Alan


*************************************************************************
SANS NewsBites                     August 29, 2006                    Volume: VIII, Issue: 68
*************************************************************************
TOP OF THE NEWS

  EU Regulators Discuss US's Right to Seek EU Financial Transaction Data
  Cisco Warns of Flaw in Firewall Products

LONGER SENTENCES FOR CYBER CRIMINALS

  Man Who Created Botnet Gets Three Years in Prison
  Man Sentenced to 30 Months in Prison for Conspiring to Attack Competitors' Web Sites
  Software Pirate Draws Six-Year Sentence

THE REST OF THE WEEK'S NEWS

  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Intel Will Fix Faulty PROSet Update
   Microsoft Tries Again on Internet Explorer Patch
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
   Univ. of South Carolina Servers Breached
   Stolen Laptop Holds Data on Commercial Driver's License Holders
   Theater Patrons Notified of Data Breach
  STATISTICS, STUDIES & SURVEYS
   Study: Stock Spam Can Affect Market
  MISCELLANEOUS
   Australian Taxation Office Employees Penalized for Unauthorized Access of Records


*********************** Sponsored By Attachmate ************************

Comprehensive security management with Attachmate *** Get reduced threat exposure, improved security knowledge and increased protection levels, with better operational performance-all that plus compliance. NetIQ Security Manager also enables you to centrally collect, view, analyze, archive and report on security information from across your organization. Know you're secure. Get the white paper now!
http://www.sans.org/info.php?id=1325

*************************************************************************

How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology." - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense. SANS' best instructors all come together at Network Security 2006 in Las Vegas, October 1-9. 37 immersion courses; big exposition; free evening classes, and much more. Early registration deadline is Friday, August 18.
See: http://www.sans.org/ns2006/caag.php

*************************************************************************

TOP OF THE NEWS

EU Regulators Discuss US's Right to Seek EU Financial Transaction Data (25 August 2006)
European regulators met last week to examine the case of Swift, a Belgian firm that has received a number of subpoenas from the US Treasury Department's terrorism finance investigation seeking information about international financial transactions. This appears to be a test case for both international business and international law. Regulators would like to see the requests denied under EU data protection laws, but the regulators have no jurisdiction over security matters.
-http://www.theregister.com/2006/08/25/eu_vs_us_snooping/print.html
[Editor's Note (Honan): The importance of this issue cannot be overstressed. The outcome will greatly impact the way US companies operating in the European Union will treat private data held on EU citizens. ]


Cisco Warns of Flaw in Firewall Products (25 August 2006)
An alert from Cisco Systems Inc. describes an unintentional password modification vulnerability in multiple firewall products that could be exploited to change passwords without user interaction and allow "unauthorized users ... to gain access to a device that has been reloaded after passwords in its startup configuration have been changed. Authorized users can be locked out and lose the ability to manage the affected device." The flaw affects Cisco PIX 500 Series Security Appliances, Cisco ASA 5500 Series Adaptive Security Appliances and Firewall Service Module (FWSM) for Cisco Catalyst 6500 switches and Cisco 7600 Series Routers running affected versions of the software. Cisco has issued software to address this vulnerability. A second alert from Cisco describes a pair of flaws in Cisco VPN 3000 series concentrators with FTP file management enabled that could be exploited to execute some FTP commands and delete files. Cisco has issued free software to address these two flaws and also made workarounds available.
-http://www.eweek.com/print_article2/0,1217,a=187089,00.asp

-http://www.cisco.com/en/US/products/products_security_advisory09186a00807183b0.shtml

-http://www.cisco.com/en/US/products/products_security_advisory09186a0080718330.shtml

[Editor's Note (Boeckman): Security flaws in software that is supposed to make you more secure are way too common an occurrence. While we have grown accustomed to vendors having no liability for their software, perhaps security software vendors should be held to a different legal standard. ]



************************ Sponsored Link: ******************************

The Hack is Back! A New On-Demand Video/Companion Guide from Fiberlink. Advanced Hacking Techniques - Implications for a Mobile Workforce.
http://www.sans.org/info.php?id=1326

*************************************************************************


LONGER SENTENCES FOR CYBER CRIMINALS

Man Who Created Botnet Gets Three Years in Prison (26 August 2006)
A federal court judge has sentenced Christopher Maxwell to more than three years in prison followed by three years of supervised release for creating a botnet that infected millions of computers worldwide in an attempt to reap profits from installing spyware on compromised machines. In May, Maxwell pleaded guilty to one count of conspiracy to intentionally damage a protected computer and one count of intentional computer damage that interferes with medical treatment. The FBI's cybersquad estimates Maxwell and two accomplices, unnamed because they are minors, made more than US$100,000. The malware disrupted computers at the US Department of Defense, a hospital in Seattle and a California school district, among other organizations. Maxwell has also been ordered to pay more than US$250,000 in restitution to the DOD and Seattle's Northwest Hospital and Medical Center.
-http://www.upi.com/NewsTrack/view.php?StoryID=20060826-074139-3494r
-http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2003226994&zsection_id=2002111777&slug=botnet26m&date=20060826

-http://seattlepi.nwsource.com/local/282674_botnet26.html

-http://www.smh.com.au/news/Technology/Man-gets-3-years-for-botnet-attack-on-hospital-school-districtmilitary-installations/2006/08/26/1156012780632.html

-http://www.wired.com/news/wireservice/0,71669-0.html


Man Sentenced to 30 Months in Prison for Conspiring to Attack Competitors' Web Sites (26 August 2006)
Jason Arabo has been sentenced to 30 months in federal prison for conspiring to launch cyber attacks against his business competitors. He was also ordered to pay more than US$500,000 in restitution to his victims. Arabo, who sold classic sport team jerseys online, admitted to hiring Jasmine Singh to launch denial-of-service attacks against other web sites selling merchandise like his own. Singh was sentenced to five years in prison last August and ordered to pay US$35,000 in restitution.
-http://www.smh.com.au/news/Technology/Man-Sentenced-Over-Computer-Attacks/2006/08/26/1156012772263.html



Software Pirate Draws Six-Year Sentence (26 August 2006)
A US District court judge has sentenced Danny Ferrer to six years in prison and ordered the Florida man to pay restitution in excess of US$4.1 million for trafficking in pirated software. In June, Ferrer pleaded guilty to conspiracy and criminal copyright infringement. Ferrer and several accomplices operated a web site that offered copies of popular software at deep discounts. Losses to the companies whose products were pirated are estimated to be roughly US$20 million. Ferrer has agreed to appear in public service announcements about software piracy. He has also been ordered to forfeit motor vehicles, aircraft and boats purchased with the proceeds from his web site and to perform 50 hours of community service.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/08/25/AR2006082500511_pf.html

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002750



THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Intel Will Fix Faulty PROSet Update (25 August 2006)
Intel has acknowledged that a problem with a recent software update for Intel PROSet software version 10.5 for Intel wireless hardware consumes PC memory and slows down the machine. Intel planned to have a fixed version of the patch available by Friday, August 25.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39393948-39000005c
-http://www.dailytech.com/article.aspx?newsid=3947


Microsoft Tries Again on Internet Explorer Patch (24 August 2006)
Microsoft released a corrected cumulative security patch for Internet Explorer because its first patch created a vulnerability.
-http://www.securityfocus.com/brief/288


ATTACKS, INTRUSIONS, DATA THEFT & LOSS


Univ. of South Carolina Servers Breached (27 & 26 August 2006)
A security breach of the University of South Carolina's internal servers may have exposed personally identifiable information belonging to 6,000 current and former students. The affected individuals have been notified. Although the breach occurred in September 2005, it was not discovered until the summer of 2006. School officials do not know if any of the personal data was taken; there have been no reports that the data have been misused. A school spokesperson says the matter is being investigated internally; law enforcement has not been contacted.
-http://www.wltx.com/news/story.aspx?storyid=41314
-http://www.thestate.com/mld/thestate/news/nation/15366334.htm


Stolen Laptop Holds Data on Commercial Driver's License Holders (26 August 2006)
The Federal Motor Carrier Safety Administration, a division of the US Department of Transportation, has acknowledged that a laptop computer stolen from a government vehicle may contain personally identifiable information of nearly 200 individuals with commercial driver's licenses. The theft occurred in Baltimore, Maryland on August 22. The driver's licenses in question were issued in 13 different states and Washington, DC; the data breach affects 40 motor carrier companies. Police have been notified.
-http://www.baltimoresun.com/news/local/bal-md.laptop26aug26,0,6919261.story?coll=bal-local-headlines

-http://www.etrucker.com/apps/news/article.asp?id=55125


Theater Patrons Notified of Data Breach (26 August 2006)
Police in Portland, Maine are investigating the breach of the PortTix web site in which credit card information of approximately 2,000 Merrill Auditorium patrons was compromised. The affected customers were notified by email; the company plans to mail letters as well. The compromise came to light after a phone call from an unnamed individual who said that ticket purchaser information might have been exposed. An audit has been conducted to make sure the same thing could not happen again.
-http://pressherald.mainetoday.com/news/local/060826tickethack.shtml


STATISTICS, STUDIES & SURVEYS


Study: Stock Spam Can Affect Market (25 August 2006)
A study conducted by a professor from Purdue University and a professor from Oxford University found that spam that offers stock tips could generate changes in the market. The study looked at more than 75,000 spam messages sent in an 18-month period between January 2004 and July 2005. It found that if spammers purchased the stocks they touted the day before the spam was sent and sold them the day after the spam was sent, they would reap an average return on investment of nearly five percent. Recipients of the email would lose an average of seven percent of their investment if they bought the stocks when they received the messages and sold them two days later.
-http://news.bbc.co.uk/2/hi/technology/5284618.stm
[Editor's Note (Schultz): This finding is depressing, yet very believable because too many individuals believe whatever they see or hear without investigating any further. ]


MISCELLANEOUS


Australian Taxation Office Employees Penalized for Unauthorized Access of Records (29 August 2006)
The Australian Taxation Office has taken action against 27 employees for accessing taxpayer records without authorization. Some of the offenders resigned when confronted with evidence of their wrongdoing; others were fired, fined, demoted or took a cut in salary. The revelation of these data privacy breaches follows close on the heels of another set of privacy violations; hundreds of Centrelink employees faced penalties, including loss of employment, pay cuts and demotions, after it was discovered they had accessed welfare files without authorization. Other Australian government bodies are examining their systems to protect the information they hold.
-http://australianit.news.com.au/common/print/0,7208,20284498%5E15306%5E%5Enbv%5E,00.html



******************* The Editorial Board of SANS NewsBites ***************

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

*************************************************************************

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/