
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #57

November 29, 2005


Training Update: SANS 2006 classes, in Orlando in February, are filling
up much faster than in previous years. Early registration makes sense
to get a seat in the classes that fit your needs.
http://www.sans.org/sans2006/

TOP OF THE NEWS

EU Parliamentary Committee Approves Revised Data Retention Directive
Court Orders Kazaa to Install Piracy-Thwarting Filters

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
Media Group Wants to Reap Benefits of EU Data Retention Directive
ATTACKS & INTRUSIONS & DATA THEFT
Scottrade Informs Customers of Third-Party Data Security Breach
STANDARDS & BEST PRACTICES
UK Colleges and Universities Get IT Security Guidelines and Toolkit
BS7799 British Security Standard Adoption on the Rise
STATISTICS, STUDIES & SURVEYS
Study of Take-Down Notices Under DMCA Section 512 Finds Potential for Abuse
FTC: Spam Blocking Technology is Getting Better
MISCELLANEOUS
System Lockdown an Effective Tool Against Malware
Export Regulations Prevent Symantec from Selling Tool Outside US and Canada
Manufacturer Offers Exchange for Trojan-Infected Hard Disks


***************** Sponsored by Watchfire AppScan ************************

Web application security vulnerabilities are a growing threat for anyone doing business online. See if your applications are vulnerable. Download a free trial copy of AppScan today. http://www.sans.org/info.php?id=938

**************************************************************************

TOP OF THE NEWS

EU Parliamentary Committee Approves Revised Data Retention Directive (25/24 November 2005)

The European Parliament's Civil Liberties Committee has approved a revised version of the EU data retention directive. The new draft requires that telecommunications providers retain Internet traffic data for six months and telephone call data for one year. It also requires governments to reimburse the providers for the costs incurred by data retention rules. In addition, only a judge may authorize access to the retained data. The bill now goes to the Council of Ministers for further changes; the Council has advocated longer retention periods. Council and Parliament will need to compromise on the directive before it becomes law.
-http://www.theregister.co.uk/2005/11/24/data_retention_ok/print.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39238419-39020336t-10000014c
-http://www.europarl.eu.int/news/expert/infopress_page/013-2689-328-11-47-902-20051118IPR02597-24-11-2005-2005--false/default_en.htm
-http://www.out-law.com/page-6384
-http://www.computerworld.com/printthis/2005/0,4814,106537,00.html

Court Orders Kazaa to Install Piracy-Thwarting Filters (28/25 November 2005)

To comply with a court order in Australia, Sharman Industries, the parent company of the Kazaa file-sharing network, is putting a filtering system in its Kazaa Media desktop software to keep people from finding and sharing copyrighted music files. The filtering system will include 3,000 terms and will be updated every two weeks; Kazaa will have 48 hours to incorporate each new update list. Kazaa is also required to ensure that users will not be able to circumvent their filtering program and to use dialog boxes to urge users to download the updated software. The Australian Record Industry Association says the filters have to be in place by December 5 or Kazaa will be shut down.
-http://news.bbc.co.uk/2/hi/technology/4478224.stm
-http://www.washingtonpost.com/wp-dyn/content/article/2005/11/28/AR2005112800170_pf.html
-http://www.theregister.co.uk/2005/11/25/judge_sets_kazaa_deadline/print.html
-http://news.com.com/2102-1028_3-5973653.html?tag=st.util.print
[Editor's Note (Schultz): I seriously doubt that the filtering system that Sharman Industries must now put in place will do as much good as the Australian Record Industry Association thinks it will. KaZaA users with older versions of this software will somehow have to be persuaded to upgrade their software to the version that has the required filters. ]


************************ Sponsored Links ********************************

1) ALERT: Get the Industry's Best Web Filter For Thousands Less Than Websense. Check it out! http://www.sans.org/info.php?id=939

2) Earn your Master's degree in Information Security from an NSA - recognized online program. http://www.sans.org/info.php?id=940

**************************************************************************

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION

Media Group Wants to Reap Benefits of EU Data Retention Directive (25 November 2005)

The Creative Media and Business Alliance (CMBA), a group of media companies including EMI, SonyBMG and TimeWarner, has asked European MPs not to restrict the data retention powers to "the prevention, investigation, detection and prosecution of serious criminal offenses" and to allow the members of the group to use the retained data to investigate digital media copyright violations. They would like to see it become "an effective instrument in the fight against piracy." Opponents of the group's position point out that if the data are made available as CMBA has requested, then those groups will be able to pursue criminal prosecution of copyright violators at taxpayer expense.
-http://software.silicon.com/security/0,39024888,39154562,00.htm
-http://news.bbc.co.uk/1/hi/technology/4469886.stm
[Editor's Note (Grefer): The CMBA lobbying appears to attempt to turn "innocent until proven guilty" into "guilty until proven innocent." Is this really the message they want to send? ]

ATTACKS & INTRUSIONS & DATA THEFT

Scottrade Informs Customers of Third-Party Data Security Breach (28 November 2005)

Scottrade, an online trading company, has informed its customers that the company's electronic checking provider, TROY Group, suffered a security breach which compromised personal data including names, driver's licenses, bank account and bank routing numbers and trading account numbers. The TROY Group acknowledged the security breach in an October 25 press release.
-http://www.securityfocus.com/brief/63
-http://blogs.washingtonpost.com/securityfix/2005/11/brokerage_firm_.html

STANDARDS & BEST PRACTICES

UK Colleges and Universities Get IT Security Guidelines and Toolkit (23 November 2005)

The Joint Information Systems Committee (JISC) and the Universities and Colleges Information Systems Association (UCISA) have issued formal IT security guidance for UK institutes of higher education. The two groups have also issued a security toolkit to help the schools assess and mitigate IT security risks. The guidelines recommend that the colleges and universities focus on complying with legislation such as the Data Protection Act and the Freedom of Information Act while developing policies that comply with the BS 7799 standard.
-http://news.zdnet.co.uk/internet/security/0,39020375,39237498,00.htm

BS7799 British Security Standard Adoption on the Rise (3 November 2005)

Statistics from the Information Security Management Systems (ISMS) International User Group and from Ernst & Young indicate that adoption of the UK's BS7799 security standard is increasing across the globe. This can be attributed to the growth in outsourcing and the desire of companies in other countries to demonstrate to the companies that outsource work to them that they will take appropriate safeguards with the data with which they are entrusted. Some organizations feel that obtaining BS7799 certification would prove too complicated, so they are instead following the guidelines without seeking formal certification.
-http://www.itweek.co.uk/itweek/analysis/2145504/offshoring-pushes-bs7799

STATISTICS, STUDIES & SURVEYS

Study of Take-Down Notices Under DMCA Section 512 Finds Potential for Abuse (28 November 2005)

Researchers at the University of California at Berkeley and the University of Southern California looked at 876 takedown requests made to web sites and search engines under section 512 of the Digital Millennium Copyright Act (DMCA). Section 512 requires hosting and search providers to take down content, and links to content, in order to remain exempt from copyright lawsuits. The notices are not subject to judicial review of whether or not a copyright has actually been infringed. The researchers found that more than half of the requests were made by companies against competitors, and that in 30 percent of the requests it was questionable whether or not copyright had been infringed at all. There were only seven cases among those studied in which the questioned content was reinstated on web sites.
-http://www.vnunet.com/vnunet/news/2146807/dmca-hindrance-help
-http://www.securityfocus.com/brief/62
-http://lawweb.usc.edu/news/dmca.html
-http://mylaw.usc.edu/documents/512Rep-ExecSum_out.pdf
[Editor's Note (Pescatore): The DMCA is a pretty good example of how legislation aimed at technology usually has more wacky side effects than any actual positive effect. That said, it is pretty straightforward to file a counter-notification if someone has used DMCA improperly to cause legitimate content to be removed - the Electronic Frontier Foundation and a number of universities sponsor a site that provides information and templates on how to do so:
-http://www.chillingeffects.org/
(Schultz): The DMCA has been a proverbial can of worms ever since the day it went into law. Studies such as the ones at UC Berkeley and USC provide empirical evidence of some of the DMCA-related abuses that occur. The big question, however, is whether legislators will respond appropriately or whether they will continue to blindly support the industries that so strongly lobbied for this legislation.
(Hoepman): A similar study in the Netherlands found that the vast majority of ISPs, when presented with a take-down notice, prefer to err on the safe side and comply without checking the validity of the claim at all. ]

FTC: Spam Blocking Technology is Getting Better (28 November 2005)

A study conducted by the US Federal Trade Commission (FTC) indicates that Internet service providers (ISPs) are improving their spam blocking techniques. In a test, the FTC found that two unnamed web-based email service providers effectively blocked 96 percent of spam messages. However, the onus of filtering the bad messages from the good still falls on the ISPs. Spammers collect email addresses by "scraping," that is, using automated programs that look for the "@" sign present in all email addresses. The FTC recommends that people who need to post their email addresses on the Internet do so in an alternate syntax in order to avoid having their addresses added to spammers' lists.
-http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-11-28T211837Z_01_SPI876594_RTRUKOC_0_US-SPAM.xml

[Editor's Note (Schmidt): From a personal perspective, using ISP tools with a "near free" toolbar, I have not had a single spam or phishing email in any of my 7 different email inboxes in going on 10 months. Progress is being made and the tools are there if people would just use them.
(Honan): Filtering spam at the ISP level makes good business sense for the ISPs. It reduces the network overhead on their links while at the same time making for happier customers. A win-win solution, except for the spammers. ]

MISCELLANEOUS

System Lockdown an Effective Tool Against Malware (28 November 2005)

IT managers should look not only at products to protect their systems from malware, but also at the possibility of locking down end-user computers. With system lockdown, users have limited ability to compromise their systems. Most malware comes in the form of applications, most of which require some user interaction to gain a foothold within systems.
-http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp
[Editor's Note (Schmidt): There once was a time when this would create huge push back, but given the wide use of broadband at home and the use of mobile devices to stay connected, there are many other options than using work machines. This may be more palatable, as many that are successful at enterprise security have used configuration management around security to get there. ]

Export Regulations Prevent Symantec from Selling Tool Outside US and Canada (25 November 2005)

Symantec is no longer selling its LC5 password-auditing tool outside of the United States and Canada. The company maintains that it is restricted from doing so by US export regulations. The tool, which is a commercial version of L0phtCrack, was available on the @stake web site as recently as one month ago.
-http://www.theregister.co.uk/2005/11/25/symantec_l0phtcrack_export_controversy/print.html

Manufacturer Offers Exchange for Trojan-Infected Hard Disks (25 November 2005)

I-O Data, a Japanese peripherals manufacturer, is offering to exchange certain of its hard disks after learning that they may have inadvertently been infected with the Tompai-A Trojan horse program. Portable hard disk drives in the company's HDP-U series are affected.
-http://www.channelregister.co.uk/2005/11/25/hdd_virus_prompts_recall/


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/