

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #39

May 16, 2006

An important guest editorial by Lynn Goodendorf appears in this issue
after the TOP OF THE NEWS section. Apparently ICANN is contemplating
an action that may cause damage to the security of the Internet. The
guest editorial explains the problem and gives you a name and email
where you can express your opinion.


PS. This Wednesday (May 17) is the early registration deadline for
SANSFIRE, the largest security training conference and exposition in
Washington DC, featuring eighteen immersion tracks. Wednesday is also
the early registration deadline for SANS London.
SANS London:


SCADA and Process Control Systems Vulnerable to Attacks
House Committee Proposes Another Data Security Breach Bill
Australia Eases Certain Copyright Restrictions


Former Dept. of Education Employee Gets Five Months in Prison for Accessing Supervisor's Computer
FBI Cyber Division Gets New Assistant Director
Regulators Hear About SOX Section 404 Compliance Woes
Kodak Online Photo Sharing Service Settles FTC Spam Charges
Apple Issues Security Alerts for OS X and QuickTime Media Player
FBI Investigating Malware Attack on Movie Theater Chain
Search Engines Return Malicious Links
India Seeks to Create Oversight Body for Outsourcing Firms
Real Estate Company Settles with FTC Over Data Security Charges

******************** Sponsored By Blue Coat Systems, Inc. ***************

New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; how to tackle threats from unmanaged devices; how to secure managed devices; and how to leverage new security technologies. This guide also discusses risk management, incident responses and emerging best practices around information security. Download the eBook now.



SCADA and Process Control Systems Vulnerable to Attacks (8 May 2006)

Cyber security experts say the supervisory control and data acquisition (SCADA) and process control systems that run the nation's critical infrastructure are not secure. The systems often run on older hardware, built before security was a design concern, and some of them have since been connected to the Internet. Control systems were one of six areas of critical vulnerability listed in a cyber security checklist from the US Department of Homeland Security (DHS)-funded Cyber Consequences Unit.
[Editor's Note (Schultz): I am currently one of the members of a team that is researching this issue. Some of the case studies we have gathered show that the problem of wide open SCADA and process control systems is far worse than most people assume.
(Paller): Gene Schultz is correct about the scale of the problem. If you want to know how big it really is, the highlights DVD from the SCADA Security Summit provides extraordinary evidence, but there is a promising development. One of the best things happening in information security is the consortium of more than 100 utilities and state governments and SCADA vendors that are developing consensus security specifications that buyers can put in their contracts to ensure every buyer can have state of the art security in their new and existing SCADA systems. Will Pelgrin, CISO of New York State, and Mike Assante and Rita Wells of Idaho National Laboratory, are presenting the current status of the project in a webcast on Thursday, May 18, at 1:00 PM EDT. You may tune in and ask questions at

House Committee Proposes Another Data Security Breach Bill (12/11 May 2006)

US House Judiciary Committee Chairman James Sensenbrenner (R-Wis.) has introduced another data security breach bill, the Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (HR 5318). This bill would require organizations to inform the government within two weeks when they suffer electronic data security breaches affecting 10,000 or more individuals; notification of consumers could be delayed up to 30 days. Failure to comply would result in hefty fines and prison sentences.
[Editor's Note (Ranum): The overlapping bills regarding this topic are going to be a fertile playground for lawyers and are going to do nothing to improve security. As Bruce Schneier points out in his blog, some of the bills have already been carefully spun by lobbyists so that companies can fairly easily dodge the letter of the new laws as fast as they come out. ]

Australia Eases Certain Copyright Restrictions (15 May 2006)

Proposed changes to Australian copyright law will allow people to record television and radio shows to be replayed once, but prohibit them from lending the recordings to others. Current laws prohibit recording anything from television and CDs. The proposed changes will also allow people to move content between formats, for instance, from various media onto iPods and other mp3 players. Australian Attorney-General Philip Ruddock said "everyday consumers shouldn't be treated like copyright pirates." The new laws allow the use of copyrighted material for satire and parody and have exceptions for schools to use copyrighted material for non-commercial purposes. The laws would also make it easier to levy fines and impose other punishments on those who are guilty of copyright piracy.

GUEST EDITORIAL: Get ready to use subpoenas instead of Whois
By Lynn Goodendorf, CISSP, CIPP

How do you contact a website owner whose domain name is the source of a phishing or denial-of-service attack or appears to be generating spam? What steps do you take to deal with sites posting deceptive, infringing or other illegal content such as the fraudulent sites that appeared after Hurricane Katrina? The first step is to use the "Whois" database to obtain identity and contact information for the domain name registrant.

If accuracy and completeness in the Whois database is critical to your organization, you need to communicate your views to ICANN (Internet Corporation for Assigned Names and Numbers) before Whois contact information goes away and your only recourse is to use more expensive and time-consuming legal processes such as subpoenas. Email Paul Twomey, President & CEO of ICANN at or Find details on this issue at:
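The Whois step the guest editorial describes, shown as an added example that is not part of the newsletter, the editorial or any ICANN tooling: a minimal RFC 3912 WHOIS client (TCP port 43, query plus CRLF, read until the server closes) together with a parser that pulls out the registrar referral and the registrant/registrar contact fields an abuse handler actually needs. The server names ending in .example and the sample reply embedded below are constructed for illustration; field names follow the common "Key: Value" layout but WHOIS output is not standardised, so treat the key list as an assumption to adjust per registry.

```python
"""Added example: raw WHOIS lookup and contact extraction for abuse handling.
Not from the newsletter; .example servers and SAMPLE_REPLY are constructed."""
import re
import socket
from typing import Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Fields to try, in the order most likely to reach someone who can act.
# The registrar abuse mailbox comes first because privacy/proxy registrations
# leave "REDACTED FOR PRIVACY" or a web-form URL in the registrant fields.
CONTACT_PREFERENCE = (
    "Registrar Abuse Contact Email",
    "Registrant Email",
    "Admin Email",
    "Tech Email",
)


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange: connect to TCP/43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text: str) -> dict:
    """Turn "Key: Value" lines into a dict; repeated keys (name servers,
    several emails) become lists. Comment and banner lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            if value not in fields[key]:
                fields[key].append(value)
        else:
            fields[key] = value
    return fields


def referral_server(fields: dict) -> Optional[str]:
    """Thin registries and IANA name the next authoritative WHOIS server."""
    for key in ("Registrar WHOIS Server", "whois", "refer", "ReferralServer"):
        value = fields.get(key)
        if isinstance(value, list):
            value = value[0]
        if value:
            return value.replace("whois://", "").split()[0]
    return None


def abuse_contact(fields: dict) -> Optional[str]:
    """First preferred field that holds a real email address, else None."""
    for key in CONTACT_PREFERENCE:
        value = fields.get(key)
        for candidate in (value if isinstance(value, list) else [value]):
            if candidate and EMAIL_RE.fullmatch(candidate):
                return candidate
    return None


def lookup(domain: str, server: str = "whois.iana.org", max_hops: int = 3) -> dict:
    """Live lookup (needs network): start at IANA and follow referrals
    (IANA -> TLD registry -> registrar) until the chain stops or repeats."""
    seen, fields = set(), {}
    while server and server not in seen and len(seen) < max_hops:
        seen.add(server)
        fields = parse_whois(whois_query(server, domain))
        server = referral_server(fields)
    return fields


# Constructed sample of a registrar-level reply for a proxy-registered domain.
SAMPLE_REPLY = """\
   Domain Name: EXAMPLE-PHISH.TEST
   Registrar WHOIS Server: whois.registrar.example
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@registrar.example
   Registrar Abuse Contact Phone: +1.5555550100
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: Privacy Proxy Service
   Registrant Email: https://registrar.example/contact?d=example-phish.test
   Admin Email: REDACTED FOR PRIVACY
   Name Server: NS1.HOSTING.EXAMPLE
   Name Server: NS2.HOSTING.EXAMPLE
>>> Last update of WHOIS database: (constructed sample) <<<
"""

if __name__ == "__main__":
    info = parse_whois(SAMPLE_REPLY)
    print("referral server:", referral_server(info))
    print("abuse contact:  ", abuse_contact(info))
    print("name servers:   ", info.get("Name Server"))
```

Running the script parses only the embedded sample; `lookup("somedomain.tld")` performs the live three-hop chain. The ordering in CONTACT_PREFERENCE is the practical point: the registrant fields are exactly the ones that proxy services and later privacy rules blank out, so the registrar abuse mailbox is usually the only address that still works, and the name servers give you the hosting provider as a second route.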

*********************** Sponsored Link: ******************************

1) FREE Product Demo: Stop protecting while blind. Gain network visibility now.




Former Dept. of Education Employee Gets Five Months in Prison for Accessing Supervisor's Computer (12 May 2006)

Kenneth Kwak has been sentenced to five months in prison for using remote control software to access his former supervisor's computer without authorization. Kwak read his supervisor's email and kept an eye on his surfing habits; Kwak shared what he discovered with other employees. Kwak was at the time a computer security specialist at the Department of Education. Kwak will serve five months of home confinement once he has completed his prison sentence. He has also been ordered to pay US$40,000 in restitution to the US government and will be on parole for three years.
[Editor's Note (Honan): As with all positions of trust it is essential that appropriate controls, audit trails and mechanisms are put in place to ensure those entrusted with our security do not break that trust. In effect we have to be able to "watch the watchers".]


FBI Cyber Division Gets New Assistant Director (10/8 May 2006)

James Finch has been named assistant director of the FBI's Cyber Division; Steve Martinez has been acting assistant director since Louis Riegel retired in February.


Regulators Hear About SOX Section 404 Compliance Woes (11 May 2006)

A roundtable discussion organized by the US Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) allowed companies to voice their concerns and complaints about complying with the Sarbanes-Oxley Act (SOX) Section 404. SEC and PCAOB representatives say they are willing to modify rules and standards to ease compliance with Section 404, the costs of which, company executives say, can outweigh the benefits of compliance. Section 404 hits small companies especially hard, as they do not have the internal resources to devote to compliance testing.
[Editor's Note (Ranum): There appear to be very few benefits to compliance for the taxpayers, shareholders, and customers - SOX has rapidly become a jobs program for the high priesthood. You would think that, by now, we'd have gotten the idea that "check box security" does not work - it just looks good on paper.]


Kodak Online Photo Sharing Service Settles FTC Spam Charges (12/11 May 2006)

Kodak Imaging Network, an online photo sharing service once known as Ofoto, has agreed to pay US$26,331 in penalties for violating the US CAN-SPAM Act. The US Federal Trade Commission (FTC) charged that the company violated the law by sending two million messages that did not provide a means of opting out of receiving future email or a physical postal address. The settlement bars the company from violating CAN-SPAM at any time in the future; the company will also establish record-keeping practices to allow the FTC to monitor its compliance.
[Editor's Note (Grefer): At a price of 1.3 cents per message this sounds more like an invitation to follow their lead, rather than a penalty designed to scare potential offenders away.]


Apple Issues Security Alerts for OS X and QuickTime Media Player (15/12 May 2006)

Apple Computer has issued two security alerts describing more than 30 flaws in Mac OS X and a dozen flaws in QuickTime media player software. The flaws in OS X could allow attackers "to execute arbitrary commands, bypass security restrictions, disclose sensitive information or cause a denial of service." The vulnerabilities in QuickTime present security concerns for both OS X and Windows computers; the flaws could be exploited to hijack vulnerable machines.


FBI Investigating Malware Attack on Movie Theater Chain (11 May 2006)

The FBI is investigating an incident in which a worm shut down showtime listings and ticket purchasing features at Muvico, a southeastern US movie theater chain. Point-of-sale systems were also hit by the worm, which prevented people from buying tickets with credit cards. A fire alarm had gone off less than half an hour before the malware disabled the systems, leaving company headquarters empty. A spokesperson for the company said the attack appeared to be designed to damage the systems rather than to steal data. The affected server was running Windows 2000. Muvico issued a press release about the attack because it wanted to be forthcoming with its customers.

[Editor's Note (Honan): Muvico should be commended for admitting they were victims of an attack. Their admissions may encourage other companies to review their own security mechanisms. Nothing increases the sales of burglar alarms in a neighborhood like a break-in at a neighbor's house.]


Search Engines Return Malicious Links (12 May 2006)

A study from McAfee found that users of the five major search engines, including Google, Yahoo, MSN, and AOL, visit malicious sites approximately 285 million times every month by clicking on results the search engines return. Sponsored links are nearly three times more likely to lead to malicious sites than are regular search results. Measures being taken to protect search engine users include spyware detection and removal tools, pop-up blockers, and anti-phishing filters in browser toolbars. Some search engines are also taking steps to remove the malicious sites from their indices.

[Editor's Note (Schultz): If these findings are indeed true, they are terribly disconcerting. Most users cannot determine whether or not links go to malicious sites, so any help that users get must come from the search engines themselves.]


India Seeks to Create Oversight Body for Outsourcing Firms (12 May 2006)

India's National Association of Software and Service Companies (NASSCOM) is establishing an oversight body to monitor companies that handle outsourcing contracts from abroad. Last year, several data security breaches at Indian outsourcing companies doing work for Western banks raised concerns. The body would establish a code of ethics and ensure that Indian companies adhere to it.
[Editor's Note (Schultz): NASSCOM's taking this initiative is likely to alleviate at least some of the security-related concerns that companies in the US and elsewhere have about outsourcing work to India.]

Real Estate Company Settles with FTC Over Data Security Charges (10 May 2006)

The US Federal Trade Commission (FTC) has announced that Nations Holding Co. (NHC), a real estate company, has settled a case brought by the FTC alleging that NHC "allowed a common web attack to compromise customer data." Under the terms of the settlement, NHC must improve information security and "submit to biennial audits of its security practices for the next 20 years."


The Editorial Board of SANS NewsBites

Guest Editor Lynn Goodendorf, Vice President, Information Privacy
Protection, InterContinental Hotels Group

Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College,

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,

Roland Grefer is an independent language consultant based in Clearwater,

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit