SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #35
May 01, 2007
Plan now to attend the biggest security training conference ever held, SANSFIRE 2007, with 57 one-to-six day courses, all in Washington, DC, beginning July 22. This program has a large exposition highlighting the security tools and services that matter and many free evening and lunch-time networking sessions to give you answers to new questions and introduce you to people with common interests. SANSFIRE attendees also get insider briefings from the extraordinary incident handlers at the Internet Storm Center http://www.sans.org/sansfire07/
TOP OF THE NEWS
European Parliament Approves Directive Criminalizing IP Violations
Internet Spying in Germany Halted Pending Legal Decision
Proposed Law in Australia Would Increase ID Theft Penalties
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
NY AG Settles Data Breach Case With Chicago Company
Teen Allegedly Broke Into AOL Networks
Four Plead Guilty to Selling Pirated Software on eBay
Judge Says UW-Madison Must Provide Student Identities to RIAA
Deputy Convicted of Unauthorized Eavesdropping
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GAO Report Calls for Guidelines to Establish Consistent Data Breach Notification Response
Review Will Help UK Government Revise National Strategy Information Assurance
POLICY & LEGISLATION
German Data Protection Commissioner Speaks Out Against Erosion of Privacy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code for Photoshop Flaw is Released
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Caterpillar Employee Data on Stolen Laptop
**************************** Sponsored By SANS **************************
SANS Voucher Credits
Maximize your Training Budget
Save 15-30% on SANS training & certification
Visit http://www.sans.org/info/6571/ or Email Vouchers@sans.org
TOP OF THE NEWS
European Parliament Approves Directive Criminalizing IP Violations (April 26, 2007) The European Parliament has approved a directive criminalizing all forms of intellectual property infringement committed for commercial gain. Even attempts to infringe would be considered criminal violations. The exception lies in how the downloaded content is used by the individual: if it is used solely for the individual's entertainment, study or research, there are no grounds for prosecution. The goal of the directive is to "harmonize" intellectual property laws throughout the European Union. Penalties will be determined by individual countries and will vary.
Internet Spying in Germany Halted Pending Legal Decision (April 27, 2007) German intelligence agencies have been using the Internet to monitor suspects for two years. German Interior Minister Wolfgang Schäuble is in favor of the practice, but has placed a moratorium on it pending a court ruling on its legality, which has been challenged across party lines. Some maintain it violates Article 13 of the German Constitution. Schäuble wants to amend Article 13 to permit the practice because he considers it a valuable tool. Observers note that the practice catches only individuals who do not know how to protect their computers from Trojan horse programs and other spyware.
[Editor's Note (Schultz): I predict that news items such as this one will become increasingly common over the next few years. Privacy protections that in many countries have been squashed in the name of fighting terrorism will become reinstated as governments realize that they have not achieved a reasonable balance between the need for privacy and the need to counter terrorism.
(Liston): "...the practice catches only those individuals who do not know how to protect their computers from Trojan horse programs and other spyware." Or, as we like to call them, the AOL Call Center. ]
Proposed Law in Australia Would Increase ID Theft Penalties (April 24, 2007) A proposed law in Australia would provide for jail sentences of up to five years for people convicted of identity theft. The law also recommends that people whose identities have been used fraudulently would receive court-ordered certificates to help them restore their credit histories. The proposed law was created by the Standing Committee of Attorneys-General (SCAG) and is available for public comment through June 12. The proposed law would allow law enforcement agencies to prosecute identity theft before an associated crime has occurred. There would be three new offenses: identity crime, encompassing both theft and fraud; selling identity data online; and being in possession of equipment used to create phony identity documents. The proposed law defines identity data as biometric data, written identification and financial information.
[Editor's Note (Schmidt): If this law is passed it will put a solid stake in the ground on holding cyber criminals accountable for their acts, as well as doing more to minimize the impact on victims. While I would bet there will be legal challenges, this law could be a model for other countries to follow.
(Honan): Kudos to the Australian government for introducing this law to tackle the rising epidemic that is identity theft. Laws such as this bring the balance back in favour of law enforcement and the victims rather than the criminals. ]
**************************** Sponsored Links: *************************
1) Is your MPLS network secure? Register for a FREE webinar "Securing MPLS Networks" and learn how to utilize NetFlow to harden and securely operate your MPLS. http://www.sans.org/info/6576
THE REST OF THE WEEK'S NEWS
NY AG Settles Data Breach Case With Chicago Company (April 27, 2007) The New York Attorney General's (AG) office has reached an agreement with a Chicago company that neglected to inform the owner of the data of a data breach until almost two months after the fact. The agreement stipulates that CS Stars LLC will "implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs." On May 9, 2006, a CS Stars employee noticed that a computer was missing. The CS Stars computer held data that belonged to the New York Special Funds Conservation Committee, including names, addresses, and Social Security numbers (SSNs) of approximately 540,000 individuals. That organization did not learn of the breach until June 29, 2006. The FBI was notified of the breach on the same date, and the AG's office was alerted to the situation on June 30. The FBI told CS Stars not to send notification letters to people affected by the breach because it could interfere with their investigation; in mid-July, the FBI gave permission for notification letters to be sent. On July 25, 2006, the FBI discovered the computer had been stolen by a cleaning company employee; the computer was recovered and there did not appear to have been any unauthorized access to the data. New York's Information Security Breach and Notification law requires organizations maintaining personal data to inform the owners of those data immediately in the event of a security breach.
[Editor's Note (Liston): While I'm certainly no proponent of increasing government regulation, I'm also realistic enough to recognize that today's corporate culture seems increasingly inept when it comes to responsibly disclosing the loss of sensitive data. Information security policy doesn't end with protecting data from loss or theft, it also needs to include mandated, responsible actions to properly disclose breaches rather than simply sweeping them under the rug.
(Honan): Where third parties are charged with managing and/or protecting your data, that data still belongs to you and you are ultimately responsible for it. This story highlights why you should ensure that any contracts or SLA agreements between you and the outsourcing company contain provisions to ensure that you are alerted to any security incidents relating to your data. ]
Teen Allegedly Broke Into AOL Networks (April 27, 2007) A New York teenager allegedly broke into America Online (AOL) computer networks and databases and used malware to steal confidential customer information. The complaint charges the teen with computer tampering, computer trespass and criminal possession of computer material. The intrusions allegedly took place between December 24, 2006 and April 7, 2007. The alleged offenses include: accessing systems containing customer billing records, which include names, addresses and credit card data; infecting AOL call support center machines with malware that sent data to his computer; logging in to 49 AOL Instant Messenger (AIM) accounts that belong to customer support employees; and launching a phishing attack against AOL employees that netted him access to more than 60 employee and subcontractor accounts. The complaint alleges the teen admitted to his actions, blaming them on the fact that AOL had taken away his accounts. An AOL spokesperson says the company does not believe customer data were compromised.
Four Plead Guilty to Selling Pirated Software on eBay (April 26, 2007) Four men have pleaded guilty to selling pirated software on eBay. Between the four of them, they made a profit of about US $122,300 on counterfeit copies of Rockwell Automation software valued at US $19.1 million. Each of the defendants faces up to five years in prison and a fine of US $250,000. Three other defendants have already received felony convictions in the case.
Judge Says UW-Madison Must Provide Student Identities to RIAA (April 26, 2007) A federal judge has ruled that the University of Wisconsin, Madison (UW-Madison) must disclose the identities of 53 students whom the Recording Industry Association of America (RIAA) says have been sharing music over the Internet. The RIAA filed a John Doe lawsuit to obtain the names, addresses, phone numbers, email addresses and Media Access Control (MAC) addresses associated with specific IP addresses from which files were allegedly traded. The RIAA could use the information to file lawsuits against those individuals, although it will likely start with settlement offers. However, as Ken Frazier, interim CIO at UW-Madison, points out, there is a very "imperfect relationship" between an IP address and an individual.
[Editor's Note (Liston): RIAA Folks... just so you know, MAC addresses can EASILY be changed... and your John Doe lawsuit just warned every P2P downloader to change theirs. To start things off right, I would like to propose the concept of the "vanity" MAC address... Feel like downloading love songs sung by a bunch of tall, skinny blonds? Set your MAC to "ABBA00BA11AD". Stealing Madonna? "00000CABBAlA" Downloading The Stones? "c00101DD00D5". ]
Deputy Convicted of Unauthorized Eavesdropping (April 25, 2007) A Monroe County (NY) sheriff's deputy has been convicted of felony eavesdropping for conducting unauthorized computer surveillance on a neighbor. Investigator R. Michael Hildreth, one of the first deputies to be assigned full time to a computer crimes unit, used maliciously crafted email and a computer disk to plant keystroke logging software on his neighbor's computer. Hildreth suspected the neighbor of illegal activity, but gathered no evidence. Hildreth will be sentenced in June.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GAO Report Calls for Guidelines to Establish Consistent Data Breach Notification Response (April 30, 2007) A report from the US Government Accountability Office (GAO) urges the Office of Management and Budget (OMB) to establish guidelines for agencies to use when responding to data security breaches so that there is a consistent response throughout the government. The report, titled "Privacy: Lessons Learned About Data Breach Notification," was prompted by last May's data security breach at the Department of Veterans Affairs (VA) that exposed the personal information of more than 26.5 million veterans and active duty members.
Review Will Help UK Government Revise National Strategy Information Assurance (April 25, 2007) A review scheduled for release at the end of May will examine how UK government entities manage and protect data. The UK cabinet will use information gathered for the report to develop "a revised national strategy on information assurance." Topics addressed in the review include "leadership and governance, enterprise architecture and compliance issues." The review comes at an opportune time for the UK government, which is in the process of establishing several projects that will deal with significant amounts of sensitive data, including the national ID card program and the National Health Service's IT systems. No details of the findings were released.
POLICY & LEGISLATION
German Data Protection Commissioner Speaks Out Against Erosion of Privacy (April 24, 2007) Germany's Federal Commissioner for Data Protection says the government has neglected to protect citizens' data privacy. Speaking at a data protection presentation in Berlin, Peter Schaar said security officials are violating German law in the name of fighting terror. Schaar said, "Data protection laws have not kept up with the advance of technology." Schaar spoke critically of plans for laws that would broaden German authorities' access to phone and Internet records, and allow them to access individuals' computers without their knowledge. Schaar is also opposed to a plan to store fingerprints of all German adults in a central database. Interior Minister Schäuble says the laws are necessary to fight terrorism.
[Editor's Note (Honan): Under Article 8 of the European Convention on Human Rights, privacy is a right, not a privilege, granted to all European citizens. Governments, and indeed companies based or that have offices in Europe, need to ensure that their actions when monitoring an individual's activity are in compliance with this convention and do not impinge on those rights, even if the reason for monitoring that activity is "for the greater good".
(Liston): There is a growing and frightening trend toward intrusive violations of personal privacy being justified as a necessary evil in the fight against terrorism. Such actions should not proceed unquestioned as though "fighting terrorism" is some sort of blank check. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code for Photoshop Flaw is Released (April 27, 2007) Proof-of-concept exploit code for an unpatched buffer overflow flaw in Adobe Photoshop has been made available on the Internet. The flaw exists in Adobe Photoshop Creative Suite 2 (CS2) and CS3. The flaw lies in Photoshop's handling of malicious bitmap files and could be exploited to gain control of vulnerable computers. Photoshop users should avoid opening bitmap files until Adobe releases a fix. Adobe has been notified of the vulnerability and is investigating.
[Editor's Note (Liston): Anyone besides me remember back to the good old days when you only worried about executable code whacking your network? Anyone else recall thinking "Who cares about that... it's only data"? ]
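The item above, and Liston's point that "only data" can be as dangerous as executable code, concern a memory-corruption bug in an image parser. What follows is an added illustration of that bug class written for this newsletter; it is not Adobe's code and not the actual Photoshop flaw, whose details the item does not give. The toy header layout ("BM" followed by 32-bit little-endian width and height, then one byte per pixel), the 64 MiB size cap and all function names are assumptions made for the example. It shows the classic mistake of sizing a pixel buffer with a 32-bit product of attacker-controlled header fields, which wraps to a tiny allocation while the decode loop still runs width*height times, beside the validation a parser should perform before allocating or reading.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy bitmap: "BM", u32 LE width, u32 LE height, then width*height
 * 8-bit pixels. This layout is an assumption for the example, not a real format. */
#define HDR_LEN 10
#define MAX_PIXEL_BYTES (1u << 26)   /* assumed policy cap: 64 MiB per image */

typedef struct { uint32_t width, height; } bmp_hdr;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the buffer size is a 32-bit product of two header fields.
 * 0x10000 * 0x10000 wraps to 0, so the allocation is tiny while a decode loop that
 * iterates over every pixel writes far past it (a heap overflow). Returns the wrapped
 * value so the test can show the wrap without performing the overflow. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height) {
    return width * height;   /* unsigned wrap, no error reported */
}

/* Hardened: reject zero dimensions, 32-bit overflow and sizes over the policy cap
 * before any allocation. Returns 0 and sets *out on success, -1 if rejected. */
int pixel_bytes_checked(uint32_t width, uint32_t height, size_t *out) {
    if (width == 0 || height == 0) return -1;
    if (width > UINT32_MAX / height) return -1;       /* product would not fit */
    uint64_t n = (uint64_t)width * height;
    if (n > MAX_PIXEL_BYTES) return -1;               /* absurd for this application */
    *out = (size_t)n;
    return 0;
}

/* Parse the header and confirm the file really carries the pixel data it claims,
 * so the decoder never reads past the input buffer. 0 = safe to decode, -1 = reject. */
int validate_bitmap(const uint8_t *buf, size_t len, bmp_hdr *h, size_t *pixel_bytes) {
    if (len < HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->width  = le32(buf + 2);
    h->height = le32(buf + 6);
    if (pixel_bytes_checked(h->width, h->height, pixel_bytes) != 0) return -1;
    if (*pixel_bytes > len - HDR_LEN) return -1;      /* truncated: claims more than present */
    return 0;
}

/* Helper to build constructed headers for the demonstration. */
void put_header(uint8_t *buf, uint32_t width, uint32_t height) {
    buf[0] = 'B'; buf[1] = 'M';
    for (int i = 0; i < 4; i++) {
        buf[2 + i] = (uint8_t)(width  >> (8 * i));
        buf[6 + i] = (uint8_t)(height >> (8 * i));
    }
}

int main(void) {
    bmp_hdr h; size_t n;

    uint8_t good[HDR_LEN + 16] = {0};        /* 4x4 image with all 16 pixel bytes present */
    put_header(good, 4, 4);
    printf("4x4 with 16 pixel bytes: %s\n",
           validate_bitmap(good, sizeof good, &h, &n) == 0 ? "accepted" : "rejected");

    uint8_t evil[HDR_LEN + 16] = {0};        /* header claims 65536x65536 pixels */
    put_header(evil, 0x10000, 0x10000);
    printf("unchecked size for 65536x65536: %u bytes (wrapped)\n",
           pixel_bytes_unchecked(0x10000, 0x10000));
    printf("checked validation: %s\n",
           validate_bitmap(evil, sizeof evil, &h, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks in validate_bitmap are the ones worth auditing for in any file parser: arithmetic on attacker-supplied sizes must be overflow-safe, and every claimed length must be compared against the bytes actually available before it drives an allocation or a copy.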
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Caterpillar Employee Data on Stolen Laptop (April 28 & 30, 2007) A laptop computer stolen April 5 from a Georgia repair shop contains personally identifiable information of Caterpillar Inc. employees. The computer reportedly did not belong to Caterpillar, but to a benefits consultant. Those affected by the theft have been sent notification letters. The laptop contained current and former employees' addresses, SSNs and banking information. Caterpillar did not say how many people were affected by the breach; the heavy equipment maker employs 95,000 people.
[Editor's Note (Schmidt): You can't protect data if you do not know where it is, and this appears to be a classic example of that. It is important to make sure that business partners, joint ventures and contractors are accountable for data that they have been entrusted with and that there are protections in place to secure that data, including ensuring that encryption is used. We can never prevent theft and lost equipment, but we can make sure that if it falls into the wrong hands the data is not usable. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit