
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #63

December 20, 2005

A real Christmas present from the US Department of Homeland Security and
the US Department of Energy for everyone involved in securing SCADA and
control systems. Four very good courses on how to secure control
systems and SCADA systems will be given for free in Orlando on March 1,
as part of the SCADA Security Summit. Registration will open later this
week. All the free seats will be taken in about a week, so if you are
involved in building or operating or securing SCADA or other control
systems, or if you know someone who is, send an email (or have them send
an email) to info@sans.org with subject SCADA courses and your name and
organization and email and we'll get you word the minute the
registration site goes live later this week. The seats are available
first-come, first-served, and there is no restriction to US citizens.

Preliminary information on the Summit http://www.sans.org/scadasummit06
Final information will be posted when the site goes live this week.



Security Software Firm Hacked, Customer Records Stolen
IEEE Working Group Hones Data Storage Encryption Standards


NY State Legislators Propose Anti-Phishing Law
FTC to Deliver Report on Effectiveness of CAN-SPAM Act
Kazaa Parent Company May Face Contempt Charges for Failing to Deploy Filters
New RIAA Copyright Infringement Lawsuits Push Total past 17,000
IE Patch Causes Problems With Side-by-Side IE6, IE7 Beta Install
Dasher Worm Exploits MSDTC Flaw
Cyber Extortionists Hit Game Company
Sam's Club Data Breach May be Larger than First Believed
NIST Releases Draft Specifications for Federal ID Card Biometric Data
Gartner Predicts IT Spending Will Grow Twice as Fast in 2006




Security Software Firm Hacked, Customer Records Stolen (20 December 2005)

Guidance Software, maker of forensics software used by law enforcement and corporate investigators, sent letters last week informing customers of the theft of their credit card data including the 3-digit CCV numbers that are not authorized to be stored. One victim already reported $20,000 in unauthorized charges against a credit card that was one of those affected.

IEEE Working Group Hones Data Storage Encryption Standards (15 December 2005)

The IEEE's Security in Storage Working Group is fine-tuning encryption standards for data stored on disk and tape. The need for standards is underscored by the loss of unencrypted tapes containing customer data in several high-profile cases. The working group anticipates approval of the proposed standards, IEEE P1619 and P1619.1, Standard Architecture for Encrypted Shared Storage Media, next year. The standards define three encryption algorithms and a key management "method". Other encryption protocols, such as Secure Sockets Layer (SSL), Secure Shell (SSH) and IPSec, encrypt "data in transit."

[Editor's Note (Pescatore): Anything that makes it easier to encrypt data at rest is probably a good thing. Back in September, the big credit card bureaus announced they were working on common standards for stored data encryption - let's hope it is harmonized with this IEEE effort.
(Shpantzer): This is great and necessary for backups. However, encrypting laptops and smartphones with sensitive information is just as important, since unlike for backups destined for storage, there is virtually no measure of physical security for these mobile computing assets. Companies should also conduct audits of sensitive content on laptops, such as offline copies of databases, which account for many of the higher profile data losses in the past few years. ]





NY State Legislators Propose Anti-Phishing Law (18/16 December 2005)

Two New York state lawmakers have proposed the Anti-Phishing Act of 2005, legislation that would allow the state Attorney General and legitimate companies whose systems and identities were used by phishers to file civil claims against the perpetrators. They would be allowed to sue for the greater of US$500 or actual damages for each violation. California passed anti-phishing legislation in October 2005, and both houses of Congress have bills in progress. A recent study found that approximately 25 percent of Internet users receive phishing emails every month; seven in 10 of those people believed the scam emails were legitimate.



FTC to Deliver Report on Effectiveness of CAN-SPAM Act (18 December 2005)

On Tuesday, December 20, 2005, the Federal Trade Commission (FTC) will issue a report to Congress on the effectiveness of the CAN-SPAM Act, two-year-old legislation aimed at curbing unsolicited commercial email. Executives at companies whose business it is to block spam believe CAN-SPAM has not been effective in stemming the flow of spam.
[Editor's Note (Schultz): The fact that the CAN-SPAM Act has not been very effective is pretty obvious, but you have to start somewhere, and CAN-SPAM represents a bona fide start in the US. The most critical advance in the war against spam would be to pass legislation in countries that currently have no anti-spam legislation; many spammers currently operate out of these countries without having to worry about legal consequences.
(Grefer): I have yet to see even a single piece of CAN-SPAM compliant spam. ]


Kazaa Parent Company May Face Contempt Charges for Failing to Deploy Filters (16 December 2005)

Kazaa parent company Sharman Networks may find itself in contempt of court if record companies have their way. Sharman missed a court-ordered December 5 deadline to deploy a keyword filter to its software to prevent illegal file sharing. Sharman instead chose to block people visiting its site from Australian ISPs from downloading its file-sharing software and warned people in Australia not to use the software. The court will consider the contempt motion on January 30, 2006. The charges carry a prison sentence.

New RIAA Copyright Infringement Lawsuits Push Total past 17,000 (16/15 December 2005)

The Recording Industry Association of America (RIAA) has filed copyright infringement lawsuits against 751 individuals, including students at several universities across the country, for allegedly sharing music files on P2P networks. These are called "John Doe" suits because the RIAA does not know the identities of the defendants; the RIAA will seek court permission to proceed to discover the identities. RIAA has filed an additional 105 lawsuits against named defendants in 12 states who were at one time "John Does" as well. The RIAA has filed copyright infringement lawsuits against more than 17,000 people since September 2003.


IE Patch Causes Problems With Side-by-Side IE6, IE7 Beta Install (19 December 2005)

One of the patches Microsoft issued for Internet Explorer (IE) last week is reportedly causing problems for people testing a beta of IE7 alongside IE6. Among the symptoms are blank links, multiple windows opening when the browser is started and browser hang. A side-by-side installation of IE6 and IE7 is "unsupported" according to IE security project manager Jeremy Dallman, who recommended a fix that involves deleting a Windows registry key and reinstalling IE7 in a way that overwrites the existing IE6 install.

Dasher Worm Exploits MSDTC Flaw (16/15 December 2005)

The Dasher worm exploits a flaw in the Microsoft Windows Distributed Transaction Coordinator (MSDTC) that was patched in October, 2005. At least 3,000 systems were infected as of Friday, December 16. Once the worm has infected a computer, it "contacts a central control server" and receives a command to download a malicious payload from a remote FTP server. Users are urged to apply the patch for the flaw that accompanies Microsoft Security bulletin MS05-051; if they are unable to do so, they should filter unsolicited inbound traffic on TCP port 1025. There is concern that problems with the patch prevented some users from installing it successfully. The MSDTC flaw is rated "critical" for Windows 2000 systems.

[Editor's Note (Pescatore): Users of Windows 2000 that have been unable or unwilling to move to SP4 have been getting hit by exploits like this one or Zotob, since Windows 2003 SP3 has been unsupported since July of this year. Microsoft doesn't produce patches for W2000 SP3 or even mention it in the patch releases since then. Back in late 2004 Microsoft gave plenty of warning about this, so folks staying with SP3 are consciously taking a risk. The only real choices are to enter into a custom support contract with Microsoft, or put host-based intrusion prevention software on all Windows 2000 SP3 machines. ]


Cyber Extortionists Hit Game Company (19 December 2005)

Cyber extortionists have targeted White Wolf Publishing, a creator of role-playing computer games. On December 11, the company received a message from cyber thieves telling them they had broken through the company's security measures and gained access to customer data. They demanded money in exchange for not posting the information on the Internet. White Wolf did not comply, and the cyber extortionists emailed individual customers, telling them they could buy their data back for US$10. White Wolf took down its online store for several days to address the security flaw the intruders exploited. The FBI is investigating.
[Editor's Note (Northcutt): Part of White Wolf's response is a public letter posted on their web site and others. This action may help other people that receive extortion letters develop the courage to say no. I certainly hope to see some folks from White Wolf's IT shop in Orlando at SANS 2006, it would be great to get the story from their perspective:

(Pescatore): This is a good example of how it is almost invariably less expensive to protect your customers' data than it is to deal with the problems that occur when you don't.
(Schmidt): A good investigation and successful prosecution of the suspects in this case should help send a clear message that you can be prosecuted for doing this and maybe get more victims to report these incidents. The more people that report this to the authorities the better chance we have to catch those involved. ]

Sam's Club Data Breach May be Larger than First Believed (16/14 December 2005)

Evidence is mounting that the credit card data security breach reported by Sam's Club earlier this month may have occurred over a longer period of time and affected more people than was first believed. On December 2, 2005, Sam's Club said the credit card data were stolen between September 21 and October 2, 2005 from people who bought gas at Sam's Club fuel stations; at that time, Sam's Club said it was aware of approximately 600 people who were affected by the breach. A California man who experienced fraudulent activity on his credit card account says he believes his account details were stolen by a card-skimming device attached to the pump at Sam's Club on either November 2 or November 17, considerably later than the dates Sam's Club had indicated. In addition, the Alabama Credit Union issued new cards to 500 customers after learning of the breach from the Credit Union National Association. If just one financial institution had to block and reissue 500 cards, it is likely that the number of people affected by the breach is greater than first acknowledged.

[Editor's Note (Northcutt): Another strong vote for the Visa/Mastercard Payment Card Industry standard to prevent these sorts of incidents:
(Kreitner): The required adoption of the Payment Card Industry Standard should significantly improve credit card security as the many players in the credit/debit card industry implement the twelve basic security practices required by the standard. Other sectors would do well to adopt the PCI Standard as a baseline of good information security practice. ]


NIST Releases Draft Specifications for Federal ID Card Biometric Data (16 December 2005)

The National Institute of Standards and Technology (NIST) has released draft specifications for biometric data used in federal identity cards. The biometric specification for Federal Information Processing Standard 201, Personal Identity Verification, includes an interoperable standard for storing "data extracted from fingerprint images," known as minutiae. US federal agencies are required to start distributing the cards to employees and contractors by October 27, 2006. NIST is accepting comments on the draft specifications until January 13, 2006. The draft specification also addresses facial biometrics.



Gartner Predicts IT Spending Will Grow Twice as Fast in 2006 (16/15 December 2005)

Gartner's Financial Management Compliance survey indicates that between 10 and 15 percent of IT budgets will be spent on financial compliance and corporate governance in 2006. IT spending is expected to grow at twice the rate it did in 2005, due largely to Sarbanes Oxley and other international corporate governance regulations. Gartner found that large portions of discretionary resources are being redirected to compliance with regulatory measures. The survey "polled 326 audit, finance and IT professionals in North America and Western Europe."


NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
