SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #40
September 30, 2005
TOP OF THE NEWS
OnGuardOnLine.gov Provides Internet Security Awareness EducationEU Parliament, Member States Try to Hash Out Data Retention Proposals
South Korean Government to Establish Internet Data Privacy Rules
THE REST OF THE WEEK'S NEWS
SPAM & PHISHINGPhishers Target World Cup Football Fans
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Future Versions of Limewire to Retard Sharing Copyrighted Content
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaw in RealNetworks' Media Players Allows Attackers to Take Control of Vulnerable Computers
ATTACKS & INTRUSIONS & DATA THEFT
University of Georgia Investigating Security Breach
Judge Asks for Documents Regarding Credit Card Companies' Relationship with CardSystems Solutions
STATISTICS, STUDIES & SURVEYS
Clear and Timely Communication Key to Retaining Customers After Data Security Breach
MISCELLANEOUS
IAAC Publishes Digital Forensics Guide for Businesses
UK Revenue and Customs Apologizes for Losing Disk of Investment Account Data
************** SPONSORED BY SANS Network Security 2005 ******************
Los Angeles, CA October 24-30. Sixteen immersion training tracks and many special short courses on the hottest technologies and the newest techniques used by attackers. Special programs for auditors and security managers along with a huge offering for security professionals. Plus a big exposition and many evening sessions. A great conference.
Information: http://www.sans.org/ns2005/
Why people who care about security attend SANS training: "This training is like nothing else. No vendor-bias, no marketing spiel, just detailed theory and practice that will make a real, immediate difference to my job." Jon King, VANCO
*************************************************************************
TOP OF THE NEWS
OnGuardOnLine.gov Provides Internet Security Awareness Education (27 September 2005)
The US Federal Trade Commission (FTC), along with government and private sector cyber security specialists, has launched OnGuardOnline.gov, a web site that aims to educate consumers about phishing, spam, spyware and conducting business over the Internet securely. The site also provides links to forms for reporting fraud and attacks. The goal of the web site is to empower consumers to protect their computers and their personal data on the Internet. Partners in the project include MSN, the US Postal Service and eBay.-http://www.technewsworld.com/story/46373.html
-http://blogs.washingtonpost.com/securityfix/2005/09/several_federal.html
-http://onguardonline.gov/index.html
EU Parliament, Member States Try to Hash Out Data Retention Proposals (29/28/26 September 2005)
The European Parliament has voted against a draft Framework Decision from the Council of Ministers that outlines a plan for an EU data retention policy. Members of the European Parliaments felt the proposal was out of line with the threat they were charged with addressing. A proposal from the European Commission would require telecommunications companies to retain data for one year and would compensate the companies for the costs incurred. The four member states supporting the Framework Decision want data retained for a longer period of time - up to three years. Neither proposal asks to store the content of the communications.-http://www.computerworld.com/printthis/2005/0,4814,105036,00.html
-http://www.out-law.com/page-6164
-http://www.theregister.co.uk/2005/09/26/eu_dp_sceptical/
[Editor's Note (Schultz): Data retention requirements compromise a very controversial and difficult issue, especially when one requirement must apply to many different countries. I predict that it will take a very long time to achieve resolution on this issue. ]
South Korean Government to Establish Internet Data Privacy Rules (28 September 2005)
Officials from South Korea's Ministry of Information and Communication say that by the beginning of 2008, web site operators and telecommunications companies will need to ask permission before sharing or selling members' personal information, including telephone numbers, addresses and resident registration numbers. In addition, web sites will be required to specify why they are asking individuals for their personal data when they collect it. If the sites want to sell the data, they must identify the entity purchasing the information. Most portal sites in South Korea require resident registration numbers before allowing people to use the sites' services. The Ministry also plans to put final touches on a plan to establish an alternative method of Internet identification so that the information would not be useful to data thieves.-http://joongangdaily.joins.com/200509/27/200509272221542009900090609061.html
[Editor's Note (As described, South Korea's Data Privacy Rules do not appear to go far enough in protecting individuals' privacy, but then again,
THE REST OF THE WEEK'S NEWS
SPAM & PHISHING
Phishers Target World Cup Football Fans (26 September 2005)
The Federation Internationale de Football Association (FIFA) is warning that phishers are targeting World Cup football fans around the world. The email messages purport to be announcements that the recipient has won a lottery; the people are then asked to supply personal data, including bank account information, to claim the prize money. The unsolicited messages claim the lotteries are operating on behalf of or in association with FIFA; FIFA urges people not to provide any personal data in response to the email.-http://www.fifa.com/en/media/index/0,1369,110056,00.html
[Editor's Note (Schmidt): Phishing will continue to target the item that has high interest and best potential. I still think we are past the point where MANY people are fooled by this but we will always have people fall for scams, in the "real world" or online. At some point these are not even news. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Future Versions of Limewire to Retard Sharing Copyrighted Content (26 September 2005)
Developers of the P2P client Limewire are modifying their code to help prevent users from sharing copyrighted material. The current version of the software "strongly discourages" sharing copyright protected content; before downloading current versions of Limewire, users must promise not to use it to share copyrighted material without authorization. Future versions of the software may check to see if a file is copyright protected before allowing it to be shared; users will be permitted to share their own work and files with Creative Commons licenses.-http://www.theregister.co.uk/2005/09/26/limewire_piracy_prevention/print.html
-http://www.slyck.com/news.php?story=927
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaw in RealNetworks' Media Players Allows Attackers to Take Control of Vulnerable Computers (27 September 2005)
Exploit code for a flaw in RealNetworks' RealPlayer version 10.0.5.756 Gold and Helix Player 10.0.5.575 has been circulating on the Internet. A format string error that results from clicking on a malformed .rp or .rt file and launching either of the media players could allow attackers to gain remote control of vulnerable systems. RealNetworks has been notified about the flaws but has not yet released fixes.-http://news.com.com/2102-7349_3-5884096.html?tag=st.util.print
ATTACKS & INTRUSIONS & DATA THEFT
University of Georgia Investigating Security Breach (29 September 2005)
The University of Georgia is working with state and federal officials to investigate a security breach that may have exposed the personal data of more than 1,600 current and former employees. The breach was detected on September 19, 2005. People whose data were compromised by the breach are being informed by email or by post. (Note: This site requires free registration.)-http://www.washingtonpost.com/wp-dyn/content/article/2005/09/29/AR2005092900392_
pf.html
-http://www.computerworld.com/printthis/2005/0,4814,105049,00.html
Judge Asks for Documents Regarding Credit Card Companies' Relationship with CardSystems Solutions (28 September 2005)
San Francisco Superior Court Judge Richard Kramer has asked Visa and MasterCard to share documents that will clarify their relationships with CardSystems Solutions, the company that suffered a security breach exposing the personal data of millions of credit card holders. This case will test the California law requiring organizations to notify individuals when the security of their data has been breached. The California law places the burden of consumer notification on the entity or entities that "own or license" Californians' personal data; Visa and MasterCard maintain that because their relationships are with the issuing banks and not the card holders, they are not responsible for notifying the card holders. Another hearing in this case is scheduled for October 24, 2005.-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39214744-20000
61744t-10000005c
STATISTICS, STUDIES & SURVEYS
Clear and Timely Communication Key to Retaining Customers After Data Security Breach (28/27 September 2005)
[Note: this blurb one is extra long, but as you'll see, it is important ]
Recent research indicates that the manner in which companies that have experienced security breaches inform their customers has great bearing on whether those customers stay with the company or take their business elsewhere. The National Survey on Data Breach Notifications, an online survey sponsored by law firm White & Case LLP and conducted by the Ponemon Institute, focused on the experience and comments of 1,109 individuals who said they had been notified that their personal information was compromised as the result of a computer security breach. Nearly half of those people said the notification they received was difficult to understand and did not provide details, especially about what was currently being done to protect their data. 20 percent of the people said they ended their relationships with the organizations whose security had been breached, an additional; 40 percent were considering ending their professional relationships with the organizations and 5 percent had hired legal help. The data indicate that companies who did not notify their customers of the breach in a "clear, consistent and timely fashion" were four times more likely to experience customer attrition due to the breach. Organizations using email and or form letters to notify customers could expect an attrition rate three times that of organizations that used personalized letters and follow-up phone calls. Nearly 12 percent said their confidence in the company increased after they were informed of the breach. The best advice for companies faced with notifying customers of a data security breach is to notify them quickly, in language free of legal and technical jargon, provide detailed information about the incident and offer a hotline for further assistance.
-http://www.computerworld.com/printthis/2005/0,4814,105015,00.html
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1129155,0
0.html
[Editor's Note (Schmidt): This should be required reading for all business executives and legal teams so they can see what many in the security and privacy communities already understand. Notify, Notify fast and make it plain what happened and what you did. Oh, one more thing! Fix the ID Management systems before it happens again! ]
MISCELLANEOUS
IAAC Publishes Digital Forensics Guide for Businesses (27 September 2005)
The UK's Information Assurance Advisory Council (IAAC) has published The Directors and Corporate Advisors' Guide to Digital Investigations and Evidence, which is designed to help organizations capture and preserve digital evidence in conditions that make it admissible in legal cases. The guidelines include information on procedures, techniques and other sources on digital forensics.-http://www.theregister.co.uk/2005/09/27/computer_forensics_guide/print.html
-http://www.iaac.org.uk/Default.aspx?tabid=65
UK Revenue and Customs Apologizes for Losing Disk of Investment Account Data (20 September 2005)
UK investment bank UBS Laing and Cruickshank has informed an unspecified number of Personal Equity Plan investors that their personal account information, including addresses, dates of birth, national insurance numbers and account numbers and balances, that were on a disk that was lost by Revenue and Customs. The Revenue had requested the information from the bank and has issued an apology for losing the disk; the Revenue is investigating the incident. A UBS spokesperson said affected customers would be permitted to change their account numbers.-http://news.bbc.co.uk/1/hi/business/4264148.stm
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
