SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #13

February 14, 2006

TOP OF THE NEWS

Proposed Legislation Would Require Web Sites to Purge Obsolete Personal Data
RIAA Says Selling Loaded iPods Violates Copyright Laws
Google Desktop 3 Poses Data Privacy Risk

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Botnet Suspect Indicted
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report Finds Fault with TSA's Secure Flight Development Process
NIST Releases Revised Guide for Systems Security
SPYWARE, SPAM & PHISHING
PCs With IE 20x More Likely to Suffer Spyware Infections than Those With Firefox
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
IBM Issues Patch for Lotus Vulnerabilities
Microsoft Will Not Patch IE Drag and Drop Hole Immediately
Microsoft Fixes Flaw that Misidentified Symantec Programs as Spyware
Bluetooth Vulnerability Leaves Some Sony Ericsson Phones Susceptible to DoS Attack
ATTACKS & INTRUSIONS & DATA THEFT
FBI Investigating Intrusions at Indiana Clinic
Security Breach Prompts Cancellation of Bank of America Debit Cards
STATISTICS, STUDIES & SURVEYS
National Cyber Security Survey

---

****************** SPONSORED BY SANS TRAINING **************************
World-Class Security Training Opportunities in the Next Few Weeks

SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.
Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa

Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: http://www.sans.org/index.php

And the SCADA Security Summit is 88% full. If you want to attend, register this week. An amazing agenda. If you know anyone responsible for control systems in industry or utilities, make sure they get to this program.
http://www.sans.org/scadasummit06/
*************************************************************************

---

TOP OF THE NEWS

Proposed Legislation Would Require Web Sites to Purge Obsolete Personal Data (8 February 2006)

US Congressman Ed Markey (D-MA) has introduced legislation that would "require owners of Internet websites to destroy obsolete data containing personal information." The Eliminate Warehousing of Consumer Internet Data Act of 2006 would apply to all web site operators, including non-profits, bloggers, charities and individuals. Sites would be allowed to retain data for "a legitimate business purpose," but some have expressed concern that the bill gives the federal government the power to determine what constitutes a legitimate purpose. The bill is designed to address data theft issues as well as privacy issues akin to those raised by Google's refusal to comply with a subpoena from the Department of Justice requesting data about customer searches.
-http://news.zdnet.com/2102-9595_22-6036951.html?tag=printthis
-http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
[Editor's Note (Schultz): Despite any apparent limitations, if passed this legislation would yield many benefits to the American public. The threat of identity theft has never been greater; this proposed legislation aims to lower the probability of the occurrence of this kind of crime.
(Murray): Legislate in haste, repent at leisure ]

RIAA Says Selling Loaded iPods Violates Copyright Laws (13/9 February 2006)

The Recording Industry Association of America (RIAA) says that selling iPods without first removing the music stored on them violates copyright law. The RIAA says it will seek out people who do not take time to remove their music. Andrew Bridges, a copyright and trademark attorney, says the law is a bit fuzzy. If someone deliberately loaded up iPods with music and sold them at a premium, there would be a legal problem. However, if an individual merely wishes to dispose of an old iPod and does not erase its contents, that probably would not be considered copyright violation. While only a copyright holder has the right to distribute copies, there is a provision that allows a lawfully obtained copy to be distributed by an individual without violating the copyright.
-http://www.reghardware.co.uk/2006/02/13/riaa_ipod_warning/print.html
-http://www.mtv.com/news/articles/1524099/20060209/story.jhtml

Google Desktop 3 Poses Data Privacy Risk (10/9 February 2006)

The Electronic Frontier Foundation (EFF) has warned that Google's newest version of Google Desktop, Google Desktop 3, poses a threat to users' privacy. Google Desktop is software that allows users to organize information on their computers. The most recent version of the software includes a feature, Search Across Computers, that allows users to search content on several computers; it also allows Google to store personal data on its servers for up to 30 days. Google maintains that the data transferred from users' hard drives will be encrypted and access to the data will be restricted. Because the data would be on Google servers, the government could demand the files with a subpoena.
-http://news.bbc.co.uk/1/hi/technology/4700002.stm
-http://www.theregister.co.uk/2006/02/10/google_desktop_privacy_kerfuffle/print.h
tml
-http://www.eff.org/news/archives/2006_02.php#004400
[Guest Editor's Note (Frantzen): Users of .mac solutions and users of mailboxes at ISPs, hotmail, (gmail as well), customers of ASP services all store their data at a central location. None of them are complaining. So why this noise for a company that does take care by refusing to comply with the government out of privacy fears and that does give ample warning of the effects?
(Murray): I cannot imagine that the risk of this new Google system ranks with that of gmail, or, for that matter, Hotmail, Yahoo! mail, or e-mail in general. "Privacy is dead; get over it." ]

---

**************************** Sponsored Links: ***************************

1) SAINT Exploit - The markets first integrated vulnerability assessment scanner and penetration testing tool available this week on Feb 15th.
http://www.sans.org/info.php?id=1026

2) FREE WEBINAR: Deploying Network Access Control without Disruptions. Hosted by Security Incite and ForeScout Technologies on Feb 23rd.
http://www.sans.org/info.php?id=1027

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Botnet Suspect Indicted (13 February 2006)

A federal grand jury in Seattle has indicted Christopher Maxwell on charges related to a botnet that that earned him and two unnamed co-conspirators US$100,000 for installing adware; Maxwell and the unnamed pair were also indicted on charges of launching a botnet attack on a Seattle-area hospital that disabled doctors' pagers and shut down the intensive care unit. If is convicted of all changes against him, Maxwell could face a ten-year prison sentence and a fine of US$250,000.
-http://www.computerworld.com/printthis/2006/0,4814,108643,00.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

GAO Report Finds Fault with TSA's Secure Flight Development Process (10 February 2006)

A report from the Government Accountability Office (GAO) says that the Department of Homeland Security's (DHS) Secure Flight program, which is designed to screen airline passengers against terrorist watch lists, did not include "a rigorous and disciplined lifecycle process" and therefore "is at serious risk" of not meeting program goals. The Transportation Security Administration (TSA) used a "rapid development method;" the design phase of the project was complete before system requirements were established. GAO is also concerned that Secure Flight may fail to provide adequate privacy and security controls for the data it holds.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=38230

NIST Releases Revised Guide for Systems Security (10 February 2006)

The National Institute of Standards and Technology (NIST) has released SP800-18, Guide for Developing Security Plans for Federal Information Systems, Revision 1.
-http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf
[Editor's Note (Murray): I have not had a chance to look at this version but one of my colleagues told me today that it is a big improvement over the earlier version. (The earlier version resulted in plans that described an end state but never said who was going to do what or when. This may be a general failing of government plans which seem designed to avoid accountability for results.)
(Paller): This document provides substantially none of the specific guidance agencies need to write effective security plans. The prescriptions it provides are weak, verging on irrelevance.
(Kreitner): With FIPS-199, FIPS-200, 800-53, and now 800-18, NIST provides a solid framework for: (1) ranking systems as to potential impact on confidentiality/integrity/availability, (2) determining and applying appropriate security control baselines (low, medium, high) to systems, (3) choosing individual controls from a comprehensive controls set, and (4) putting it all together in a System Security Plan. However, the devil is always in the details, so implementing and sustaining the appropriate controls via management, operational, and technical discipline ultimately determines the outcome of success and failure. ]

SPYWARE, SPAM & PHISHING

PCs With IE 20x More Likely to Suffer Spyware Infections than Those With Firefox (9 February 2006)

Academic researchers from the University of Washington say that people who use Internet Explorer are more than 20 times more likely to have spyware on their PCs than people who use the Firefox browser. The researchers exposed unpatched versions of both browsers to drive-by downloads at 45,000 web sites.
-http://www.informationweek.com/security/showArticle.jhtml%3B?articleID=179102695
[Editor's Note (Boeckman): This should come as no surprise, as we have consistently seen Microsoft show a lack of responsibility in releasing timely patches. You need to look no further then this issue of NewsBites to see evidence of this. (Microsoft Will Not Patch IE Drag and Drop Hole Immediately) ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

IBM Issues Patch for Lotus Vulnerabilities (13/10 February 2006)

IBM has released a patch for six highly critical remote code execution flaws in Lotus Notes. The vulnerabilities affect Lotus Notes versions 6.5.4 and 7.0 and earlier. IBM released Lotus notes 7.0.1 this week; Lotus notes 6.5.5 was released in December 2005.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39237968-20000
61744t-10000005c
-http://www.informationweek.com/story/showArticle.jhtml?articleID=179103442

Microsoft Will Not Patch IE Drag and Drop Hole Immediately (13 February 2006)

A security flaw in Internet Explorer's (IE) drag and drop function could be exploited to run malicious code and take control of vulnerable computers. Microsoft was alerted to the flaw in August 2005. Microsoft reportedly does not plan to issue a patch soon; instead, the company plans to address the flaw in Windows Server 2003 SP2 and Windows XP SP3.
-http://www.computerworld.com/printthis/2006/0,4814,108654,00.html

Microsoft Fixes Flaw that Misidentified Symantec Programs as Spyware (13 February 2006)

Microsoft has fixed a problem with a signature update to its Windows AntiSpyware program that erroneously identified two Symantec antivirus programs as spyware and recommended their removal. The flaw lies in a signature update for Windows AntiSpyware Beta 1. The program prompts users to remove registry keys and subkeys essential to the Symantec products. The update that contains the problem is signature set 5805; the problem is fixed in a newly issued signature set, 5807.
-http://www.computerworld.com/printthis/2006/0,4814,108642,00.html
-http://www.techweb.com/wire/180200671

Bluetooth Vulnerability Leaves Some Sony Ericsson Phones Susceptible to DoS Attack (10 February 2006)

A vulnerability in several models of Sony Ericsson mobile phones could be remotely exploited to cause denial-of-service on the devices. The flaw lies in an error in Bluetooth that does not properly handle malformed L2CAP (Logical Link Control and Adaptation Layer Protocols). Malformed code could crash the phones; when they are restarted, they would have normal functionality. Users are advised to turn off the "discoverable mode" in their Bluetooth settings. The flaw affects Sony Ericsson models K600i, V600i, W800i and T68i.
-http://www.computerworld.com/printthis/2006/0,4814,108575,00.html
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39237688-20000
61744t-10000005c

ATTACKS & INTRUSIONS & DATA THEFT

FBI Investigating Intrusions at Indiana Clinic (10 February 2006)

The FBI is investigating unauthorized changes made to a MySQL database that underlies an electronic medical record system at an Indiana-based orthopedics clinic. Orthopedics Northeast (ONE) noticed significant performance slowdowns in January. The changes were apparently made by an intruder who gained initial access to the system through a back door in WebChart software from Medical Informatics Engineering (MIE). On one occasion, the intruder appended characters to a database query, causing it to crash. On another occasion, the intruder deleted a print-server directory. Analysis demonstrated the intruder accessed the WebChart system through a proxy server at a hospital; ONE is connected to the hospital via a virtual private network (VPN).
-http://www.computerworld.com/printthis/2006/0,4814,108585,00.html

Security Breach Prompts Cancellation of Bank of America Debit Cards (11/10 February 2006)

In response to a data security breach at an unnamed California office supply store, Bank of America (BofA) and Washington Mutual have canceled an undisclosed number of debit cards. A BofA spokesperson said there is no evidence of customer account compromise. An investigation is underway. Affected BofA customers received letters informing them their debit cards were canceled and encouraging them to be vigilant about scrutinizing their statements for unauthorized transactions.
-http://www.securityfocus.com/brief/136
-http://news.com.com/2102-1029_3-6037619.html?tag=st.util.print
-http://www.eweek.com/article2/0,1895,1925426,00.asp?kc=ewnws021306dtx1k0000599
[Editor's Note (Murray): I encourage people to use check cards in credit card mode at the point of sale so as not to expose both the mag-stripe data and the PIN to an untrusted device. ]

STATISTICS, STUDIES & SURVEYS

National Cyber Security Survey (10 February 2006)

The Justice Department's Bureau of Justice Statistics and the DHS National Cyber Security Division will together "conduct a comprehensive survey ... to create the first national baseline to measure the extent of cybercrime and its effects on businesses." The National Computer Security Survey will gather data from thousands of organizations across 37 industries. The data will be gathered through the end of the year. The data gathered will include types of incidents and associated costs, as well as security measures used by participating organizations.
-http://www.fcw.com/article92291-02-10-06-Web&RSS=yes
-http://www.ojp.usdoj.gov/bjs/survey/ncss/ncss.htm

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/