SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #23
March 21, 2006
The "minimum security skills" standard for level one system administrators is now ready for review and prioritization. More than 40 organizations helped develop the current draft. If you have teams of system administrators and would be willing to help us complete this important project by asking your sysadmins to rate the tasks, please email firstname.lastname@example.org with the subject Level 1.
Also, the proposed new federal law on cybersecurity breach notification deserves your attention. See the first story below.
TOP OF THE NEWSProposed Data Breach Notification Law Draws Fire
French Legislators Address Internet Piracy Penalties
VeriSign Warns of New Type of DDoS Attack
Visa Warns Transaction Software Could "Inadvertently" Store PINs and Other Sensitive Data
THE REST OF THE WEEK'S NEWSARRESTS, CONVICTIONS AND SENTENCES
Chinese Internet Journalist Receives Ten-Year Sentence
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DOD IG Report Says Missile Defense Agency Computer Network has Serious Security Flaws
Red Cross VP/CIO Says Government Should Not Lead Emergency Response Plan
SPYWARE, SPAM & PHISHING
Microsoft Will File More Phishing Lawsuits
Anti-Spyware Groups to Release Company Names This Week
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Third Patch for OS X This Month
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Bananas.com Informs Customers of Data Security Breach
US Banks Offer Notification Services on Potentially Fraudulent Transactions
Judge Orders Google to Turn Over Web Addresses but Not Query Terms
Pennsylvania AG Seizes Newspaper's Hard Drives in Grand Jury Probe of Lancaster Coroner
************************** Sponsored by Permeo **************************
Blue Coat was formerly Permeo Technologies
New security ebook on Information Theft Prevention
In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; how to tackle threats from unmanaged devices; how to secure managed devices; and how to leverage new security technologies. This guide also discusses risk management, incident responses and emerging best practices around information security.
Download Chapter 1 now! http://www.sans.org/info.php?id=1077
SANS Training in San Diego, Munich, London and Washington DC
Turbo charge your security career or the careers of any of your coworkers this spring in San Diego in early May: a dozen of SANS most popular courses and a vendor exposition right on the harbor. http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works Bring your family for the national fireworks show. http://www.sans.org/sansfire06
TOP OF THE NEWS
Proposed Data Breach Notification Law Draws Fire (16 March 2006)The House Financial Service Committee has passed the Financial Data Protection Act of 2005, drawing the ire of groups committed to promoting and protecting consumer privacy. The bill, known as HR 3997, would supersede state data breach notification laws. It requires organizations to notify customers of security breaches only when they believe there is reasonable risk of harm to those customers. In addition, HR 3997 would supersede state laws allowing consumers to place freezes on their credit reports as a preventive measure against identity fraud; the bill would allow a freeze only after someone has already been the victim of identity fraud.
[Editor's Note (Paller) The debate over this bill heralds the elevation of cyber security to a national political issue. Lou Dobbs of CNN understands the issues and has agreed to use his position to increase pressure on Congress not to weaken the consumer protections that state disclosure laws now provide. This is a hot enough issue that it will move voters away from candidates who pander to commercial interests over those of consumers. These consumer interests coincide well with the interests of cybersecurity professionals who care about effective cybersecurity.
(Schultz): To say that this bill represents a definite setback to consumer interests in the US is a gross understatement. I'm especially concerned that the judgment of organizations that experience security breaches would according to this law become the basis for determining whether or not consumers are notified. If an organization is not sufficiently conscious to adequately defend its own systems, how could it be competent enough to know when to inform consumers? Also, a bill that might limit consumers' ability to put freezes on their own credit reports to protect themselves against identity fraud is lamentable.
(Honan): This legislation seems to be forgetting that the data belongs to the consumer and not the organizations holding that data.
(Shpantzer) This bill should emulate the highest standard in the various state laws, not the lowest common denominator. It's interesting to note that politicians who claim to advocate for state's rights trample on state laws when enough lobbyists come to pay them a visit, so to speak. ]
French Legislators Address Internet Piracy Penalties (19/17 March 2006)French legislators have passed a bill defining the penalties for people convicted of Internet piracy. Those convicted of "supplying software enabling users to break copyright protection on DVDs or CDs" could face up to six months in jail and a fine of 30,000 Euros (US$36,500). People convicted of possessing and/or using the software will face lesser fines of between 750 - 3,750 Euros (US$913 - 4555). Amendments to the bill could require companies that use digital rights management (DRM) to publish details to allow the development of interoperable systems. The bill would also make the development and use of peer-to-peer (P2P) software illegal.
[Editor's Note (Boeckman): Outlaw peer to peer software? Clearly, these people do not understand how the software works, if they think they can outlaw it.
(Grefer): Criminalizing the development and use of a whole category of software (P2P) merely because there are people around who abuse it for illegal and illegitimate purposes, sends the wrong message. Rather, the misuse of said software should be criminalized. But, then again, it already is. Once again, a case where special interest groups are using politics to push through nonsensical legislation. ]
VeriSign Warns of New Type of DDoS Attack (17/16 March 2006)VeriSign has warned of a new breed of distributed denial-of-service (DDoS) attacks. Instead of using a botnet to inundate a targeted server or network with queries, these attacks send huge quantities of queries to domain name system (DNS) servers with the spoofed return address of the intended victim, so the DNS server is, in essence, attacking the target.
Visa Warns Transaction Software Could "Inadvertently" Store PINs and Other Sensitive Data (20/17/16 March 2006)Visa has warned card payment processors that two versions of cash register software from Fujitsu Transaction solutions "may inadvertently store sensitive customer information," including personal identification numbers (PINs). Over the past two months, several financial institutions have replaced more than 200,000 debit cards following fraudulent transactions. Customers were told the thieves stole the data necessary for the transactions from a major retailer. Bank officials and law enforcement have said that a common factor among those whose accounts were fraudulently accessed was that they shopped at OfficeMax; the retailer says it has uncovered no evidence that it suffered a security breach. Some systems retain data they are not supposed to keep, unbeknownst to the retailers that use them. Companies that use such software would be well advised to have an assessment done to test the security of the system.
**************************** Sponsored Links: ***************************
1) FREE Case Study/White Paper - SIEM Log Management Capability and Capacity at EDS:
2) Free WhatWorks in Log Management Webcast next week - "Meeting HIPAA Compliance Requirements for Log Monitoring at Northwestern Memorial Hospital"
Tuesday, March 28 at 1:00 PM EST
3) Audit 522: SANS(R) +S(TM) Training for the CISA(R) Certification Exam via SANS@Home starts March 23!
See http://www.sans.org/athome/ for complete SANS@Home listings.
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Chinese Internet Journalist Receives Ten-Year Sentence (20/17 March 2006)Chinese school teacher Ren Zhiyuan was found guilty of "subversion of state power," and sentenced to ten years in prison. Ren posted an article to the Internet that said people have the right to use violence to overthrow a tyrannical government. Ren pleaded innocent at his trial; his lawyer plans to appeal. International organization Reporters Without Borders has condemned the sentence.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DOD IG Report Says Missile Defense Agency Computer Network has Serious Security Flaws (20 March 2006)A report from the Defense Department (DOD) inspector general (IG) noted serious security flaws in the Missile Defense Agency's (MDA) computer network. MDA and Boeing, a DOD contractor, permitted the use of group passwords on the unencrypted portions of the Ground-based Midcourse Defense (GMD) Communications Network (GCN). GCN, which links MDA radar systems, missile sites and command centers, has no backup contingency plan. In addition, GCN does not have "a system to conduct automated log audits" despite the fact that DOD policies require network monitoring.
Red Cross VP/CIO Says Government Should Not Lead Emergency Response Plan (16 March 2006)Red Cross senior VP and CIO Steve Cooper says there needs to be a national information technology emergency response plan, but does not believe the federal government should be in charge of creating it. Instead, Cooper suggests looking to the private sector. Cooper gave the keynote address at the Information Processing Interagency Conference 2006 in Orlando, Florida. One panelist at the conference said the government should not be left out of first response plans; another said government should be kept out of everything but policy decisions.
[Editor's Note (Shpantzer): Cooper may be onto something here. Whereas the various levels of government failed miserably in certain aspects of the Katrina recovery, we saw the private sector, with charities big and small as well as corporations such as Wal Mart, help tremendously in bringing their logistical savvy to bear on the catastrophe.]
SPYWARE, SPAM & PHISHING
Microsoft Will File More Phishing Lawsuits (20 March 2006)Microsoft plans to file more than 100 lawsuits against phishing groups in Europe, the Middle East and Africa. The lawsuits are part of Microsoft's Global Phishing Enforcement Initiative and have grown out of investigations by Microsoft, Interpol and police forces in various countries. A round of similar lawsuits in the US brought about the closure of more than 4,700 fraudulent sites.
[Editor's Note (Honan): Kudos to Microsoft. ]
Anti-Spyware Groups to Release Company Names This Week (20 March 2006)Two anti-spyware groups plan to release lists this week naming adware companies and the advertisers that use the software. The Center for Democracy and technology (CDT) will release a list of the advertisers that use adware; the Stopbadware Coalition will publish a report naming programs on its Badware Watch List.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Third Patch for OS X This Month (17 March 2006)Apple has released another patch for Macintosh OS X, the third this month. The patch is believed to address problems with an earlier patch which itself was issued in part to address problems with a previous security update. Version 1.1 of the 2006-002 patch was released on March 17; the original version was released on March 13. The SANS Internet Storm center urges users to apply the patch immediately.
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Bananas.com Informs Customers of Data Security Breach (16 March 2006)Bananas.com, a musical instrument and equipment web site, has notified 274 people that their credit card data may have been stolen as the result of a security breach. The breach was uncovered when someone offered the data for sale in an Internet chat room. Site administrators added security measures after they became aware of the breach; they have not yet discovered how the intruder got into the system.
[Editor's Note (Pescatore): The article reads as a good lesson on what not to do if you are accepting credit cards online. On a lighter note, bananas.com seems to be largely alone in the "web sites named after tropical fruit" category - they might have been assuming attackers would first target kumquats, lemons or limes. ]
US Banks Offer Notification Services on Potentially Fraudulent Transactions (17 March 2006)In response to increasing concern about electronic data theft, some US financial institutions have taken steps to keep their customers apprised of questionable account transactions. Bank of America is offering customers a service that will notify them of suspicious account activity by email or text message. Washington Mutual Bank is providing a similar service. Both banks were recently obliged to reissue thousands of debit cards following a rash of fraudulent transactions.
[Editor's Note (Honan): This is a welcome initiative and one that, I hope, other banks will take on. Banks are in a better position than consumers at early identification of possible fraudulent transactions. This proactive measure is one that should be seen as an example of how security measures can be used to enhance the marketing of a company's product or service. ]
Judge Orders Google to Turn Over Web Addresses but Not Query Terms (20/19 March 2006)US District Judge James Ware has ordered Google to submit 50,000 web addresses to the US Justice Department, but denied the government's request for a list of query terms. The Justice Department is seeking the data in an effort to defend the Child Online Protection Act (COPA, 1998), which was ruled unconstitutional by the US Supreme Court because of how it was to be enforced. The US government hopes to demonstrate that filtering technologies are not effective in preventing minors from accessing inappropriate content.
Pennsylvania AG Seized Newspaper's Hard Drives in Grand Jury Probe of Lancaster Coroner (16 March 2006)In an attempt to gather evidence in a grand jury probe into whether or not Lancaster (PA) coroner G. Gary Kirchner provided journalists with his "password to a secure law-enforcement web site," the Pennsylvania Attorney General's office has seized four computer hard drives from the Lancaster Intelligencer Journal newsroom. The state supreme court had earlier in the week upheld a lower court ruling that rejected the newspaper's attempts to withhold the information. The attorney general's office says it will limit its examination of the computer hard drives to that particular web site.
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/