SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #62
August 08, 2006
Five billion dollars of damage from viruses - says Consumer Reports at their new Cyber Insecurity special section: http://www.consumerreports.org/cro/electronics-computers/cyber-insecurity/cyber-
TOP OF THE NEWS
Google Warns Users Who Click on Potentially Malicious Sites
Agencies Face OMB Data Security Deadline
US Ratifies Convention on Cybercrime
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Two Arrested in Connection with VA Laptop Theft
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IG's Report Points to Security Problems in Transportation Worker Identification Credential
Laptops Missing from UK Government Departments
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Music Groups Sue LimeWire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
One Arrested in Thai Credit Card Fraud Scheme
Australian University Server Hosted Phony Microsoft Patch
Chemical Sector Seeks Partners in Cyber Security
AOL Red-Faced Over Search Data Exposure
Cal Poly-St. Luis Obispo to Move Away from SSNs as Unique Identifiers for Students
Additional Data on Last Week's Story About IT Workers Earning Extra Pay for Skills and Certifications
********************* Sponsored By Shavlik Technologies *****************
Minimize the Impact of MS Patch Tuesday: Shavlik Security Webinar, August 9th, Register here: http://www.sans.org/info.php?id=1252
SECURITY TRAINING UPDATE
Whether you need 8570 training or just want to be sure your technical and management people have the skills needed to protect your systems, take advantage of SANS Network Security in Las Vegas in early October. More than 20 immersion training tracks, from Security Essentials to Hacker Exploits. A big exposition of great security tools; one- and two-day Stay Sharp courses; free evening sessions on the most important new developments in security. Definitely the most cost-effective training opportunity in security: http://www.sans.org/ns2006/
And if you have any responsibility for the reliability or security of process control networks, for power, pipeline, transportation, chemical manufacturing, etc., come early for the Process Control and SCADA Security (and Reliability) Summit.
TOP OF THE NEWS
Google Warns Users Who Click on Potentially Malicious Sites (7 August 2006)
Google now warns its users when they have clicked on a link that is known to host spyware or other malware. The sites identified as potentially malicious are determined by information from the Stop Badware Coalition. The warnings will move from the general to the specific as researchers determine how the malware on the identified sites interacts with users' computers. Google will not prevent users from visiting the flagged sites. A report from May 2006 determined that on average, approximately five percent of sites returned with each search were infected with malware. Certain keywords, such as "free screensavers," returned significantly higher percentages of malware-infested sites.
[Editor's Note (Schultz): Google's actions are another big step forward in improving Internet security. Most users currently have no idea whatsoever whether or not sites they reach by clicking on links are safe or unsafe. ]
Agencies Face OMB Data Security Deadline (4 August 2006)
In late June, the Office of Management and Budget (OMB) mandated that federal agencies take certain steps to safeguard the privacy of personally identifiable information stored on mobile devices. The deadline for implementing the OMB's security guidelines was Monday, August 7, 2006. The checklist to protect remote information is based on National Institute of Standards and Technology (NIST) requirements; inspectors general (IGs) at several agencies have already begun reviewing compliance with the checklist. The memorandum also recommended four actions agencies should take to improve security, including encrypting data on all devices that hold agency data and implementing two-factor authentication where one of the factors is separate from the computer seeking access.
[Editor's Note (Pescatore): The laptop encryption and two factor authentication were actually the lesser impact of the four OMB requirements. Another requires that agencies assure that all database extractions of sensitive information are deleted within 90 days unless proven to still be required. While this sort of data retention policy is a very good thing, implementation is a huge issue - and not a 45 day project. ]
US Ratifies Convention on Cybercrime (4 August 2006)
The US Senate has ratified the Council of Europe's Convention on Cybercrime. The treaty aims to align laws pertaining to Internet crime in the 43 countries that have already signed. It also looks toward "improving investigative techniques and increasing cooperation among nations." US Attorney General Alberto Gonzales says the treaty "is in full accord with all US constitutional protections ... and will require no change to US laws." The US may decline to cooperate when requests violate free speech or other rights.
Convention on Cybercrime text:
[Editor's Note (Grefer): Finally ... after almost five years. ]
************************ Sponsored Links: *****************************
1) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse Live Webinar
2) Get end-to-end network visibility that (1) optimizes your network, (2) secures your network and (3) tracks user identity. Download the FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
3) Webcast: August 9, 11am PT/2pm ET - How Log Intelligence is Transforming IT - Why log analysis is increasingly part of good IT strategy.
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Two Arrested in Connection with VA Laptop Theft (6 August 2006)
Two 19-year-old Maryland men were arrested on Saturday, August 5 in connection with the May theft of a laptop computer from a Veterans Affairs Department (VA) employee's home. Charges are also pending against a juvenile. Jesus Alex Pineda and Christian Brian Montano were both charged with first-degree burglary and theft; Montano was also charged with conspiracy to commit first-degree burglary and conspiracy to commit theft. According to authorities, the men did not specifically target the VA employee's home and were unaware the stolen hard drive held the personal data of 26.5 million US veterans and active-duty service members. Police indicated that the men are suspects in several other burglaries. VA Secretary Jim Nicholson says termination procedures are underway for the VA employee who took the unencrypted data to his home. Nicholson also acknowledged that VA officials share the blame for the data theft due to lax security policies and practices. (Please note this site requires free registration.)
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IG's Report Points to Security Problems in Transportation Worker Identification Credential (4 & 3 August 2006)
A report from Department of Homeland Security (DHS) IG Richard Skinner says the Department's Transportation Worker Identification Credential (TWIC) has a number of "security-related issues" that "may threaten the confidentiality, integrity and availability of sensitive TWIC data." The version of the report made available to the public was redacted to remove information about the specific security problems, but it is known that they involve default security settings and patch management. The report also says the program does not comply with certain requirements of the Federal Information Security Management Act (FISMA). TWIC plans to issue biometric identification cards to US transportation workers.
Laptops Missing from UK Government Departments (3 August 2006)
A recent Freedom of Information enquiry provided Silicon.com with data about the numbers of laptop computers missing from various UK government departments. The Ministry of Defence reported 21 stolen laptops, the Home Office reported 19 and the Department of Trade and Industry reported 16. The Department of Health said it could not account for 18 laptops, but did not clarify whether they had been stolen or lost. A determined data thief could access information on stolen laptops rather quickly; the best method to prevent thieves from accessing data is full disk encryption. The enquiry also turned up information about the numbers of mobile phones missing from government departments.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Music Groups Sue LimeWire (6 & 4 August 2006)
A lawsuit filed in Manhattan federal court last week alleged that the makers of the LimeWire file sharing software allow users to download music without paying for it, in violation of copyright laws. The plaintiffs in the case are Universal Music Group, Sony BMG, EMI Group PLC and Warner Music Group Corp. The suit against LimeWire LLC seeks US$150,000 in damages for each song downloaded without permission and alleges the company and its executives "had a direct financial interest in and derived substantial benefit from, the infringement of the plaintiffs' copyrighted sound recordings." Last year, the US Supreme Court ruled that the holders of the violated copyrights could sue technology companies that encourage illegal downloading. KaZaA recently agreed to pay fines in excess of US$100 million and convert to a legitimate business model to resolve two lawsuits.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
One Arrested in Thai Credit Card Fraud Scheme (4 & 3 August 2006)
Police in Thailand have arrested one person and expect to arrest others in connection with a credit card fraud ring. The thieves allegedly intercepted credit card data being transmitted between merchants and banks, loaded the data onto an MP3 player and sent it to Malaysia, where accomplices manufactured phony cards. The cards were sent back to Thailand, where they were used to steal at least 60 million THB (US$1.6 million) in goods and services. Suspected fraudulent transactions totaling 30 million THB (US$9.5 million) are under investigation.
Australian University Server Hosted Phony Microsoft Patch (1 August 2006)
The University of New South Wales's (UNSW) School of Media, Film and Theatre last week took a server offline after discovering it was hosting a possibly malicious file. Spam email provided a link to the server, claiming the file was a Microsoft security patch. The "from" address of the spam was spoofed to appear to come from a Microsoft support address. The system administrator said the situation was odd because the server in question was a Mac system.
Chemical Sector Seeks Partners in Cyber Security (7 August 2006)
The Chemical Sector Cyber Security Program (CSCSP) is actively seeking partners in its effort to streamline security within the industry. CSCSP has been focusing on bringing in IT vendors as affiliates and encouraging them to address security in their products during the development stage.
AOL Red-Faced Over Search Data Exposure (7 August 2006)
AOL has apologized for releasing data on 19 million searches conducted by approximately 658,000 individuals. While AOL maintains there was no personally identifiable information accompanying the data, some of the queries could potentially be traced back to specific individuals. AOL has launched an internal investigation to determine how the data came to be released and to ensure that it will not happen again. The data was apparently made available for research purposes, but the request for the data was not reviewed by an internal data privacy group as it should have been. AOL has removed the data.
Cal Poly-St. Luis Obispo to Move Away from SSNs as Unique Identifiers for Students (2 August 2006)
Starting this fall, entering students at Cal Poly - St. Luis Obispo will not be identified in school computer systems by their Social Security numbers (SSNs), but will use a new numbering scheme, as will faculty and most staff members. The shift away from SSNs as unique identifiers will be broadened to include older students as well, though school officials did not say when the shift would be complete. The school will continue to use SSNs for other purposes, including financial aid and health information. Other campuses in the University of California system have already begun the move away from SSNs as universal unique identifiers.
Additional Data on Last Week's Story About IT Workers Earning Extra Pay for Skills and Certifications (1 August 2006)
Last week we included a story from Foote Partners saying that more than half of IT workers earn additional pay for specific skills and certifications. Editor Stephen Northcutt ran an independent validation survey and...
[Editor Comment (Northcutt): This report appears to be significantly flawed. The "more than half" finding did not square with my experience, so I wrote a number of my peers. 32 of 33 people who responded said they do not get skills-based pay. Then we ran a survey on isc.sans.org. Results so far for the question "Do you get skills based bonus pay?":
5.2 % =>Yes
39.5 % =>No
55.4 % =>What is "hot skills pay"? Never heard of it.
Total Answers: 697]
***************** The Editorial Board of SANS NewsBites ****************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate-level IT security college, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top 20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/