SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #1
January 02, 2007
TOP OF THE NEWSFrench Court: Privacy Trumps Piracy
High Definition DVD Encryption Cracked
TSA's Secure Flight Program Violated Privacy Act
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
Chinese Site Fined for Downloads
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
FAA to Deploy Wireless Intrusion Detection
Coast Guard Personnel Required to Complete Anti-Phishing Training
SPYWARE, SPAM & PHISHING
Phishing Likely Behind Theft of Michigan County Funds
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana Hospital Notifies Patients of Data Theft
Stolen Computer Tapes Hold Insurance Records
Texas Woman's University Notifies Students of Data Compromise
Earthquake Disrupts Asian Telecomm Services
TRAINING UPDATE: Great security courses in Orlando and San Diego -
Orlando: 15 immersion courses, January 13-19
San Diego: 30 immersion courses, March 29-April 6
TOP OF THE NEWS
French Court: Privacy Trumps Piracy (21 December 2006)A French court has ruled that copyright holders do not have free reign to monitor the Internet for people violating their copyrights. The case involved a man whose IP address was traced while he was using peer-to-peer software. In France, entities wishing to uncover the identities of individuals they believe are pirating content must obtain authorization from the National Commission for Information Technology and Liberty. In fact, violating French citizens' privacy could result in fines of as much as 300,000 Euros (US$396,500).
[Editor's Note (Grefer): German courts late last year also reprimanded German police for accepting "free" help in forensic and other investigations from groups similar to the BSA, indicating that there was clearly a conflict of interest.
(Northcutt): An IP address is like the information on the outside of an envelope, so this ruling is likely to be overturned or they will have to pass another law telling people they have to get permission before they can write down the license plate of an automobile. This case also involves the most sophisticated peer to peer software out there, shareaza, it can simultaneously connect to four networks Guntella, Guntella2 with 50,000 users, eDonkey network and BitTorrent in also has an advanced incoming user queue. A copy of shareaza inside your corporate network can suck down an unprecedented amount of bandwidth. ]
High Definition DVD Encryption Cracked (1 January 2007 & 29 December 2006)There are reports that that a high-definition DVD encryption system has been cracked. Someone has posted details about how he allegedly broke the Advanced Access Content System, which aims to prevent piracy by restricting the devices on which high-definition DVDs can be played. The Advanced Access Content System is used in the HD-DVD and the Blu-Ray standard, both of which are backed by a variety of companies with vested interests in digital media.
[Editor's Note (Ranum): This was inevitable. There is no way to allow people to have data but still control its access. Content controls are sort of like trying to stop a leak in a dike using your finger; except there's no dike. ]
TSA's Secure Flight Program Violated Privacy Act (22 December 2006)A report from the Department of Homeland Security's (DHS) privacy office says the Transportation Security Administration's (TSA) Secure Flight program violated federal law during the program's testing phase that ran from fall 2004 through spring 2005. The program obtained passenger data from data brokers without properly informing passengers, in violation of "a 1974 Privacy Act requirement that the public be made aware of any changes in a federal program that affects the privacy of US citizens." The implementation of the test differed from TSA's initial description. TSA said it would maintain a firewall between government systems and passenger data obtained from commercial sources. However, it appears that TSA may have accessed and stored such information. The program has been halted until privacy and security concerns are adequately addressed. TSA did revise the "public notice about the program to reflect more closely the program itself;" however, according to the report, the program is likely to run into more problems unless it adheres to a set of recommendations that include transparency regarding passenger data collection and use.
************************* Sponsored Links: ****************************
1) AmbironTrustWave is a leading provider of information security and compliance management solutions, serving businesses worldwide.
2) Do you like to study on your own schedule? Want to save money on travel costs? Check out SANS OnDemand online training and assessments.
THE REST OF THE WEEK'S NEWS
Chinese Site Fined for Downloads (29 December 2006)A Beijing court has ordered Sohu.com to pay 1.085 million Yuan (US$140,000) in damages for making movie files available for download without permission of the copyright holders. The company must also publish admission of its infractions and promise to refrain from violating copyrights in the future. The suit was brought by the Motion Picture Association, the international branch of the Motion Picture Association of America.
[Editor's Note (Grefer): To put this number into perspective, the GDP per Capita 2000 was USD800 for China vs. USD34,540 for the US, while the average household income in the top 10 wealthiest Chinese cities ranged from approx. USD155 to USD330. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
FAA to Deploy Wireless Intrusion Detection (28 December 2006)In an effort to keep its computer systems safe from unauthorized access, the Federal Aviation Administration (FAA) plans to install wireless intrusion detection systems at FAA training centers, air traffic control centers and FAA headquarters. The impetus for the decision came from a Government Accountability Office (GAO) report in May 2005 titled "Information Security: Federal Agencies Need to Improve Controls over Wireless Networks".
[Editor's Note (Liton): Someone should be reviewing the decision to use wireless on these networks in the first place.
(Ranum): Certain networks should not be wireless. Period. Wire is cheap. ]
Coast Guard Personnel Required to Complete Anti-Phishing Training (28 December 2006)All Coast Guard personnel who use its computer network will be required to take training on how to avoid being victims of phishing attacks. The requirement follows the Defense Department's mandate that all personnel take spear phishing awareness training by January 17, 2007.
[Editor's Note (Liston): This type of training is an absolute MUST in today's world. The best security measures in the world are useless if your users invite the attackers inside.
(Northcutt): This story follows on the heels of a program by many federal agencies to use penetration testing techniques to test employee awareness for phishing. Also, we just posted an article on a security manager's responsibility WRT Phishing and would love to hear your thoughts:
SPYWARE, SPAM & PHISHING
Phishing Likely Behind Theft of Michigan County Funds (26 December 2006)The theft of funds from Oceana County (Michigan) bank accounts is believed to be the result of a county employee responding to a phishing email and providing information needed to access the county's accounts. The theft was detected on November 7, 2006; within two days, affected accounts were closed and reopened with new numbers. The FBI is investigating and the Oceana county clerk and treasurer are implementing new security procedures. County Board members have expressed their displeasure with the situation, and listed examples of careless work behavior, including personnel leaving computers on when they leave the office during the day and using work computers for personal matters. The county staff was warned twice about phishing attacks earlier in the fall.
[Editor's Note (Schultz): One must wonder what if Oceana County had implemented a anti-phishing training program such as the one that the Coast Guard has initiated. This whole ugly incident would probably have not occurred. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana Hospital Notifies Patients of Data Theft (27 December 2006)Deaconess Hospital in Indiana has sent letters to 128 patients, notifying them that their personal information was contained in a laptop computer that has been missing since late November. There is no evidence the information has been misused; the data include Social Security numbers (SSNs). The hospital is mulling over security improvements, including encryption software and providing places to lock up computers.
[Editor's Note (Honan): According to Mr. Sam Rogers, a spokesman for the hospital, the computer was password protected. While the hospital mulls over security improvements I suggest Mr. Rogers does a Google search for "password recovery tools". The results may help the hospital decide on how long to spend "mulling" over these improvements. ]
Stolen Computer Tapes Hold Insurance Records (23 December 2006)Computer tapes stolen during a burglary in Massachusetts are believed to hold personally identifiable information of approximately 42,000 New York City employees. The data include names and SSNs. The burglary took place at the offices of Concentra Preferred Systems, a vendor working with Group Health Insurance, Inc. Concentra also provides auditing for Aetna, who acknowledged approximately 130,000 customers across the country were affected by the breach as well.
[Editor's Note (Liston): While the article notes that the tapes apparently were taken as part of a larger burglary (and thus not the target of the theft), there is no mention of the information on the tapes being encrypted. Backup tapes contain valuable information and should be protected accordingly. This includes both physical security and data encryption.
(Honan): Most commercially available backup software include password protection, encryption or both as options. If you are backing up to tape you should seriously consider implementing these protections. ]
Texas Woman's University Notifies Students of Data Compromise (22 December 2006)Texas Woman's University (TWU) has sent letters to approximately 15,000 students notifying them that their personally identifiable information was exposed when an IRS tuition data document was sent to a vendor over a non-secure connection. The breach affected all TWU students who were enrolled at the school in the 2005 calendar year.
[Editor's Note (Schultz): I'm impressed that this university took the initiative to notify its students of the possible data security compromise. Notifications after unauthorized accesses to databases and loss or theft of computers or media have become commonplace, but to the best of my recollection this is the first case in which an organization that has sent personal data over unsecured channels has notified those who were potentially affected. (I also dread to think of the countless times organizations and individuals have sent such data over unsecured channels without giving the risk of doing so any thought whatsoever.) ]
Earthquake Disrupts Asian Telecomm Services (31, 29, 28 & 27 December 2006)An earthquake off the coast of Taiwan that severed undersea fiber optic cables disrupted telecommunications services in countries across Southeast Asia. Some companies are managing to divert traffic to satellites and cables that were not affected by the quake. Five ships have been sent to the site to repair the damage, but it could be weeks before normal operations are resumed.
[Editor's Note (Ullrich): These repairs are likely going to take longer then expected. One of the repair ships had to return to port today after technical problems. This event does point out the risks of relying on global data networks.
(Northcutt): My guess is that this is going to cause the outsourcing folks and the business continuity folks to burn some midnight oil. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit