
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #50

June 23, 2006


US House Committee Chairman Vows To "Change FISMA"
Gov. Agencies, Police Reportedly Getting Info from Data Brokers
Tech Companies Lobby on Behalf of Federal Data Privacy Rules
AT&T Rewords Privacy Policy, Says it Owns Customer Records


UK Peer Wants to Amend Proposed CMA Changes
More Flaws and Exploits for Excel
Microsoft Patch Creates Problems for Some Dial-Up Users
USDA Acknowledges Data Security Breach
Ohio Univ. Suspends Two Workers In Connection with Breaches
Study Shows Tech Firms Suffer from Security Problems, Too
DOJ Establishes 12 More Computer Hacking and Intellectual Property Units
UK Bank Says Glitch Sent Payments to Wrong Accounts

********* Sponsored By Check Point Software Technologies, Inc. *********

VoIP deployment promises efficiency, flexibility, and savings. However, telecom worms, theft of service, data breaches, service interruptions, and other risk factors can create an IT management nightmare that's expensive to fix. But these potential risks shouldn't be barriers to VoIP adoption and implementation. Learn how to ensure your network is secure once VoIP is deployed. http://www.sans.org/info.php?id=1202


Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.



US House Committee Chairman Vows To Change FISMA

House Veterans Affairs (VA) Committee Chair Steve Buyer said he would "change FISMA" to correct an error in the law that denied CIOs and CISOs the power to enforce security in their agencies. The Chairman had just heard testimony from VA officials saying that FISMA does not give the technology chief authority to enforce (security) policies.
[Editor's Note (Paller): What a breath of fresh air Chairman Buyer has brought to the debate. Now if Congress and OMB could just change the reporting and scoring methods used for FISMA, federal agencies might begin to lead by example in improving security. The fundamental error in FISMA scoring is that agencies that pay consultants to complete dozens or hundreds of C&A reports are given high scores even if those agencies do not harden and monitor the systems and networks to protect them from being compromised. Benjamin Franklin is said to have defined insanity as "doing the same thing over and over again and expecting different results." Isn't six years (and a billion dollars) long enough to have learned that the FISMA paper exercise is insane? ]

Gov. Agencies, Police Reportedly Getting Info from Data Brokers (20 June 2006)

According to a report from the Associated Press, US government agencies and local police have been using private data brokers to gather information for which subpoenas and warrants are normally required. The data are acquired in a matter of hours instead of days, as is the case with subpoenas and warrants. Some agencies stopped the practice of using data brokers following congressional inquiries. While brokers normally charge for their services, observers say the government and law enforcement officials have not had to pay for the service. Data brokers have been known to use devious means to obtain the information they collect; some have acknowledged that their methods violate US laws.

[Editor's Note (Shpantzer): What's worse is all the errors in those databases, and now with the epidemic of identity theft, lots more fake accounts, homes and property as well. Burden of proof is on us, in job interviews as well, when the HR folks do "background checks"... How to opt out (good luck) of some of these databases:

Tech Companies Lobby on Behalf of Federal Data Privacy Rules (21 June 2006)

Members of the Consumer Privacy Legislative Forum, including Google and eBay, testified before the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection in favor of federal legislation that would require companies to notify consumers when they are collecting personal data and to allow consumers to access that data and decide how it will be used. The companies say that variations in data privacy laws from state to state make compliance difficult. They also want the FTC to monitor how consumer data are collected and shared online. (Please note this site requires free registration)

[Editor's Note (Pescatore): As my version of the old saying goes, "Don't look a gift horse in the mouth, as long as you are really sure it is a horse and you really wanted a horse." Federal legislation moving towards an opt-in approach, where consumers have to opt-in to any use of their personal data, would be a very good thing. However, legislation that just results in more postcards being sent to everyone describing the data collection that is going on would be a step backwards if it trumped stronger state laws.
(Paller): There is more happening on the federal privacy and security legislative front. Companies that sell security products, organized as the Computer Security Industry Association (CSIA), see immediate revenue opportunities in consolidated federal legislation that trumps (and destroys) state breach disclosure requirements. Greed is blinding the security company executives who should have personal and national security uppermost in their minds. If pecuniary, commercial interests persuade Congress to destroy the requirement to inform people when their private data is lost or stolen, one of the most potent weapons in the war to improve cyber security will be lost. ]

AT&T Rewords Privacy Policy, Says it Owns Customer Records (22 June 2006)

AT&T has revised its written privacy policy to let customers know that the information it holds about them constitutes "business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process." This revision follows in the wake of allegations that phone companies have been supplying the National Security Agency (NSA) with records of calls made in the US. AT&T says it has not changed its policy regarding customer information, just the policy's wording to make it clearer to customers. Customers now must agree to comply with the policy before using AT&T's services.
[Editor's Note (Pescatore): See what I mean? If new federal legislation means we will all get postcards like that, I'd just as soon save the trees. ]

*************************** Sponsored Links: ***************************

1) Upcoming ToolTalk Webcast: Auditors Present How to Reach Compliance Nirvana - PCI and Government Regulatory Compliance




UK Peer Wants to Amend Proposed CMA Changes (20 June 2006)

UK peer Lord Northesk wants changes made to the government's proposed amendments to the Computer Misuse Act. Lord Northesk is seeking to delete paragraph 1b of Clause 41 of the Police and Justice Bill, which would amend the CMA to criminalize the release of tools that are "likely to be used" to commit cyber offenses. Lord Northesk has concerns that this could criminalize actions of legitimate security professionals as well as police. Also at issue is Clause 40 of the Police and Justice Bill, which Lord Northesk wants to amend to address the concepts of recklessness and intent with regard to denial-of-service (DoS) attacks; Lord Northesk wants to ensure that organized civil disobedience would not be criminalized under the CMA.
[Editor's Note (Shpantzer): There's no way to know if a tool is 'likely to be used' in a criminal manner, so let's please focus on the monumental backlog of ACTUAL uncleared cases of people who have ACTUALLY committed cyber offenses...On this item Lord Northesk is a right honorable gentleman. What's curious is the concept that civil disobedience via DoS is OK... ]


More Flaws and Exploits for Excel (22, 21 & 20 June 2006)

Two more zero-day flaws in Microsoft's Excel spreadsheet program have been detected. A buffer overflow flaw could crash the program when a malicious file is opened and may allow arbitrary code execution. This vulnerability is known to affect Excel 2003 and Excel XP; other versions may be vulnerable as well. In addition, attackers could cause execution of malicious JavaScript code by embedding malicious Flash files in Excel worksheets. Three exploits for another zero-day Excel flaw have already been published. Microsoft is testing a patch for the flaw and has suggested a number of workarounds users can employ to protect themselves from the risk posed by the exploits, including blocking Excel attachments in email gateways, editing registry settings and avoiding unexpected Excel documents.



Microsoft Patch Creates Problems for Some Dial-Up Users (21 June 2006)

Microsoft users who rely on dial-up lines and use a terminal window or dial-up scripting are reporting problems caused by a patch released by Microsoft last week. The patch fixed two critical flaws addressed in security bulletin MS06-025. Microsoft is working on revising the patch; customers who use dial-up scripting or terminal window features are urged to wait for the new version.


USDA Acknowledges Data Security Breach (22 June 2006)

The US Department of Agriculture (USDA) has acknowledged that a computer security breach may have compromised personal data, including names, Social Security numbers (SSNs) and photographs belonging to approximately 26,000 agency employees and contractors. USDA Secretary Mike Johanns has ordered that all individuals affected by the breach be notified by email and in writing and be offered a year of free credit monitoring. USDA cyber security staff became aware of "suspicious activity" on several machines in early June, but initially believed the data were well enough protected that the intruders could not access it. "Subsequent forensic analysis [indicated that it was] uncertain whether personal information was protected." The USDA inspector general and law enforcement agents are investigating the intrusion.


Ohio Univ. Suspends Two Workers In Connection with Breaches (21 June 2006)

Ohio University, in Athens, Ohio, has suspended two unnamed information technology supervisors pending an investigation of five computer security breaches that have taken place since March 2005, exposing personal data of as many as 173,000 students, alumni and employees to cyber thieves. The president of the university also plans to ask trustees for US$2 million to improve the school's computer security. Roughly two dozen people have informed Ohio University that they have been victims of identity fraud in the past year.
[Editor's Note (Schultz): The fact that two employees received disciplinary measures in connection with the security breaches that occurred could be a positive or a negative thing. It is positive if the university's policies and procedures clearly spelled out and communicated security-related responsibilities for employees such as the ones in question, but the employees did not conform to them. On the other hand, it is negative if these responsibilities were not delineated and communicated to the employees. ]


Study Shows Tech Firms Suffer from Security Problems, Too (22 & 21 June 2006)

A report from Deloitte Touche Tohmatsu says more than half of technology, media and telecommunications companies have experienced data security breaches that "potentially" compromised intellectual property and customer data. Deloitte gathered its data from surveys of executives at 150 companies. Of the companies that did experience data security breaches, one-third said they resulted in financial losses. Half of those companies said they "involved internal attacks or policy violations." Only 20 percent believe their organizations' intellectual property is effectively protected. More than half of the companies see security as a problem for IT departments instead of "a central business concern." Companies surveyed were not planning on increasing their security budgets significantly. Although 74 percent said they expected to see an increase in security spending, that increase averaged just nine percent. Fewer than 15 percent of companies that planned to increase security spending planned to do so by 20 percent or more.
[Editor's Note (Schultz): If over half of the companies represented in this survey fail to see security as a critical business concern, it is not difficult to understand why so many data security breaches are occurring. ]


DOJ Establishes 12 More Computer Hacking and Intellectual Property Units (20 June 2006)

The US Department of Justice (DOJ) has established Computer Hacking and Intellectual Property (CHIP) units in 12 additional cities, exceeding recommendations made by an intellectual property task force and bringing the total number of CHIPs nationwide to 25. There is also now an experienced prosecutor serving as an Intellectual Property Law Enforcement Coordinator (IPLEC) in Southeast Asia. Attorney General Alberto Gonzales says DOJ has met or exceeded all 31 recommendations made by the task force in 2004.

[Editor's Note (Northcutt): Their web site,
is not kept up well: lots of broken links. The list of CHIP units is shown below. Careful how you use it, however. This document, stored on the Department of Justice's public web site is labeled "For Official Law Enforcement Use Only":

UK Bank Says Glitch Sent Payments to Wrong Accounts (20 & 19 June 2006)

The UK bank Abbey says it is working to address a flaw in its online business banking system that inadvertently sent customer payments to the wrong accounts. Fewer than 100 accounts have been affected by the flaw.


NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/