SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #100

December 19, 2006

Save $150 or more if you register by tomorrow (12/20) for SANS Bootcamp 2007 in Orlando in January. Join the 444 people who have already registered for the most intense training SANS provides.

Full program at http://www.sans.org/bootcamp07/event.php

---

TOP OF THE NEWS

Visa Incentive Program Rewards PCI Data Security Standard Compliance
SEC Extends Sarbanes-Oxley Compliance Deadlines for Smaller Public Companies

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Florida Motorists Win US$50 Million Class Action Settlement
Microsoft Wins Summary Judgment Against Man for Selling Spam Lists
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Cato Institute: Data Mining Treads on Civil Liberties and Won't Find Terrorists
POLICY & LEGISLATION
Senators Threaten to Repeal Real ID Act
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
China Signs Online Copyright Memorandum
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Worm Targets Patched Symantec Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Case Held Papers with Sensitive Student Data
MISCELLANEOUS
Some US Counties Purging Sensitive Personal Info from Web Sites
Cyber Intruder Wants Payment for Services
Vodafone Fined in Greek Wiretapping Case
Online Fraudsters Get Jail Time; Law Enforcement Unable to Access Encrypted Records

---

*************** Sponsored By Core Security Technologies *****************

Holiday Cash! WIN a $250 BestBuy gift card from Core Security Technologies! Listen to the joint Gartner and SANS webcast as they discuss the future of information security.
Register here http://www.sans.org/info/2506

View the webcast and automatically be entered into a drawing for a $250 gift card from Core Security Technologies!

*************************************************************************

TRAINING UPDATE: Great security courses in Orlando and San Diego -

Orlando: 15 immersion courses, January 13-19 http://www.sans.org/bootcamp07/
San Diego: 30 immersion courses, March 29-April 6 http://www.sans.org/sans2007/

*************************************************************************

---

TOP OF THE NEWS

Visa Incentive Program Rewards PCI Data Security Standard Compliance (14 December 2006)

Visa USA has announced a US$20 million incentive program aimed at ensuring that merchants are in compliance with the Payment Card Industry (PCI) data security standard. "Acquiring" financial institutions - those that provide approval to merchants to accept credit cards - will receive a monetary reward if all their members are in compliance with the PCI standard by August 31, 2007 and they have not experienced a data security breach. Institutions whose members are not in compliance by September 30, 2007 will face a fine of US$5,000 for each non-compliant merchant; after December 31, 2007, that fine will increase to US$25,000 for each non-compliant merchant. The compliance validation process includes demonstrating that all magnetic stripe, Card Verification Value and PIN data have been removed from point-of-sale and other systems.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9006100&taxonomyId=17&intsrc=kc_top
-http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=11661
32169213202186154&block=

SEC Extends Sarbanes-Oxley Compliance Deadlines for Smaller Public Companies (15 December 2006)

The US Securities and Exchange Commission (SEC) has extended the deadline for complying with Sarbanes-Oxley financial reporting requirements for smaller public companies. Those companies, defined as having less than US$75 million in publicly held stock, will not be required to "provide a management assessment of internal controls over financial reporting in annual reports for fiscal years ending December 15, 2007 or later." They will also have "to have an auditor attest to the management assessment of the effectiveness of internal controls" starting with reports filed for fiscal years ending December 15, 2008 and later. The previous deadline was July 15, 2007. The SEC recently said it would provide guidelines for smaller businesses to help ease the burden of compliance, allowing them to focus on aspects of their businesses that have a greater impact on the accuracy of financial reporting. The deadlines may be extended again if the SEC does not provide the guidelines in a timely manner.
-http://www.networkworld.com/news/2006/121506-sarbanes-deadline-extension.html
[Editor's Note (Northcutt): The SEC press release can be found:
-http://www.sec.gov/news/press/2006/2006-210.htm
This has been in the works for a while and I think even more relief is really needed, SOX audits can be brutal and suck the oxygen out of the atmosphere keeping us from actually improving information security:
-http://useu.usmission.gov/Article.asp?ID=9428FFB8-7E45-49CB-A74E-363B5B211F98]

---

************************** Sponsored Links: ***************************

1) Make your organization an unwanted target for phishers. FREE report shows you how.
http://www.sans.org/info/2511

2) Disk encryption with SafeGuard(R) Easy software provides the ultimate in laptop security.
http://www.sans.org/info/2516

3) Meeting compliance regulations shouldn't mean sacrificing your security budget. Learn how to evaluate SIM solutions.
http://www.sans.org/info/2521

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Florida Motorists Win US$50 Million Class Action Settlement (15 December 2006)

A US District Court judge has approved a class action settlement granting US$50 million to compensate Florida motorists whose personally identifiable data were sold by the state to Fidelity Federal Bank and Trust. The bank used the data to send information about loans to people who had recently purchased cars. Each affected motorist will receive US$160. The sale of the data violated federal anti-stalking laws.
-http://www.insurancejournal.com/news/southeast/2006/12/15/74964.htm?print=1

Microsoft Wins Summary Judgment Against Man for Selling Spam Lists (15 December 2006)

A UK court granted a summary judgment against a man who was selling lists of email addresses for use in spamming schemes. A lawsuit filed by Microsoft alleged that Paul Martin McDonald's sale of the lists violated the Privacy and Electronic Communications Regulations. A summary of the case indicates the judge found that "the evidence plainly established that the business of
[McDonald's company ]
was supplying email lists of persons who had not consented to receive direct marketing mail and that it had encouraged purchasers of the lists to send emails to those people."
-http://www.out-law.com/page-7580

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Cato Institute: Data Mining Treads on Civil Liberties and Won't Find Terrorists (13 December 2006)

A study from the DC-based Cato Institute says data mining will not help find terrorists and infringes individuals' civil liberties. Using a Congressional Research Service definition of data mining, which describes it as "the use of sophisticated data analysis tools to discover previously unknown, valid patterns and relationships in large data sets," the report states that "
[t ]
he one thing predictable about predictive data mining for terrorism is that it would be consistently wrong," as the frequency of terrorist activity too low to establish "valid predictive models."
-http://www.rawstory.com/news/2006/Expert_Data_mining_wont_catch_terrorists_1213.
html
[Editor's Note (Pescatore): This report basically sets up a false strawman just to knock it down. It classifies data analysis into two categories: subject based and pattern based. The report then concentrates on why pattern-based predictive data analysis isn't appropriate - while subject-based is actually much closer to what is actually done. ]

POLICY & LEGISLATION

Senators Threaten to Repeal Real ID Act (14 December 2006)

Two US senators have threatened to call for the repeal of the Real ID Act unless changes are made to enhance citizens' privacy and lower the cost to state governments. The act requires that state identification cards and licenses meet certain technical requirements if they are to be considered valid for access to government buildings and boarding aircraft. The Real ID Act requires new systems to collect sensitive personal information including Social Security numbers (SSNs), biometric identifiers and proof-of-residence documents; the systems would need to be linked to systems in other states. A compromised database could provide identity thieves with a treasure trove of information.
-http://www.techweb.com/showArticle.jhtml?articleID=196700218
[Editor's Note (Northcutt): Real ID was very bad law. It was attached to other bills and never received proper debate. Senator Akaka's press release is shown here:
-http://akaka.senate.gov/public/index.cfm?FuseAction=PressReleases.Home&month
=12&year=2006&release_id=1461
This was covered in NewsBites in October; here is a shorter version. Center for Democracy and Technology executive director Leslie Harris urged government entities to separate databases of information gathered by motor vehicle departments (to verify individuals' identities) separate from other computer systems. She and others expressed is concern that, because of the amount spent on creating the systems for the DMVs required under the Real ID Act of 2005, state officials could be tempted to use the information for other purposes to get the most value out of the money spent. Harris suggested that DHS include privacy protection in their regulations for implementing the Real ID Act. There is currently no mention of privacy or security in the Real ID Act.
-http://www.fcw.com/article96547-10-23-06-Web
DMVs are VERY bad places to store sensitive personal data; check this out:
-http://www.cdt.org/privacy/030131motorvehicle.shtml]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

China Signs Online Copyright Memorandum (15 December 2006)

China has signed a memorandum of understanding with US and UK industry groups to help guard against online copyright infringement. The number of Internet users in China is estimated to be 123 million; only the US has more Internet users. As a result of the memorandum, China will receive lists of products to be protected from copyright infringement and information about instances of detected copyright violation. An estimated 86 percent of all software in China last year was pirated. The groups co-signing the memorandum are the Motion Picture Association of America, the Business Software Alliance, the Association of American Publishers and the Publishers Association of the UK.
-http://www.theage.com.au/news/Technology/China-signs-memorandum-to-crack-down-on
line-copyright-infringement/2006/12/15/1166162312395.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Worm Targets Patched Symantec Flaw (18 & 15 December 2006)

The Big Yellow worm spreads through a vulnerability in Symantec Antivirus and Symantec Client Security. Symantec has named the worm Sagevo. It commandeers infected computers' resources for use as part of a botnet. Symantec issued a patch for the vulnerability in May 2006, but many IT departments have not yet installed it.
-http://www.toptechnews.com/story.xhtml?story_id=102003ILKSHI
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61975919-39000005c
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9006160&taxonomyId=17&intsrc=kc_top
[Editor's Note (Skoudis): Unpatched Anti-Virus tools are really a problem. As an industry, over the past 2 years, we've gotten pretty good at patching Windows flaws (some would argue that we've had to -- if we hadn't, we'd be toast). But, many organizations haven't gotten very good at patching non-Windows systems and applications. If you have some spare cycles left this holiday season, or are looking for a useful project to start off '07, begin planning ways to streamline your testing and patching processes for other systems, like your Anti-Virus tools, Linux, Solaris, Cisco IOS, and so on. If that's too daunting a task, just pick one, and make your organization _a_lot_ better in rolling patches in that environment.
(Boecjman): If your security software does nothing other then take up disk space, at a minimum, it should not make you more vulnerable to attack. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Case Held Papers with Sensitive Student Data (14 December 2006)

Papers in the case of a laptop computer stolen from the car of a school nurse contain personally identifiable information of as many as 600 St. Vrain Valley (CO) School District students. The data include names, birthdates, parents' names, Medicaid numbers, the school each student attends and each student's grade level. The school district indicated the affected students would be notified by Friday, December 15. The computer itself holds no information, as it is used only to access the school computer network. School district IT staff accessed the computer remotely and changed its password.
-http://www.longmontfyi.com/Local-Story.asp?id=12861

MISCELLANEOUS

Some US Counties Purging Sensitive Personal Info from Web Sites (18 December 2006)

The Orange County (FL) comptroller's office spent US$750,000 over 18 months to remove personally identifiable information from public records posted on its web site. Many county web sites across the US contain public records such as title deeds, tax liens and court papers that include individuals' SSNs and banking and credit card account information. Other counties are beginning to follow Orange County's lead. The Kings County (WA) recorder's office must by virtue of an ordinance remove access to title deed documents. Grant County (IN) has removed documents images from the Internet in response to a lawsuit.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=277308&source=rss_topic17

Cyber Intruder Wants Payment for Services (18 December 2006)

Although Gerry Macridis pleaded guilty to breaking into New Zealand's Reserve Bank telephone system without authorization, the judge did not convict him, saying Macridis had acted honorably. Macridis broke into the system and then sent the bank a letter detailing the security problems he found. Macridis now wants the bank to pay him NZ$7,500 (US$5,177) because the bank used the information he provided to address vulnerabilities in the system.
-http://www.stuff.co.nz/stuff/3903065a11275.html
[Editor's Note (Schultz): How could Macridis have acted "honorably," and how could he press New Zealand's reserve bank to pay him when he gained unauthorized access? The events in this news item are a kind of information security "horror story." ]

Vodafone Fined in Greek Wiretapping Case (15 December 2006)

Vodafone has been fined 76 million Euros (US$99.5 million) for failing to prevent attackers "from subverting a legitimate surveillance system" and monitoring journalists' and government officials' phone calls during the 2004 Olympic games in Athens. The Ericsson surveillance software was installed on the Greek Vodafone network to allow government agencies to conduct wiretapping. Vodafone says it plans to challenge the fine. Investigators have not determined who monitored the phone communications.
-http://www.theregister.co.uk/2006/12/15/voda_fined_over_greek_wiretaps/print.htm
l
-http://news.bbc.co.uk/1/hi/business/6182647.stm

Online Fraudsters Get Jail Time; Law Enforcement Unable to Access Encrypted Records (18 December 2006)

Three men found guilty on various charges in connection with an identity fraud scheme have received jail sentences, but law enforcement authorities remain unable to crack the encryption on the gang's computer records. The gang stole credit card numbers, used them to make fraudulent purchases of expensive items and resold the items on eBay. The inability of law enforcement to crack the encryption means the true scope of the scheme may never be known.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285188-39001093c,00.htm
[Editor's Note (Schultz): This news item once again illustrates how encryption is a two-edged sword. It can protect against risks such as data security breaches, but it can also be used by criminals to render potential evidence worthless. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/