SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #14

February 17, 2006

TOP OF THE NEWS

Judge Dismisses Data Negligence Case
University, Manufacturing Company Ban Google Desktop 3
US Lawmakers Lambaste US Tech Firms for Submitting to Censorship Pressure Abroad
AT&T Suing Nonprofit Organization for Fraudulent Long Distance Calls Made Through its System

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Alleged NASA Cyber Attacker Seeks Assurance he Will Not be Tried Under Military Law
Brazilian Police Arrest 41 in Connection with Cyber Theft
Australian Man to Pay Fine and Restitution for Computer Intrusion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan for Mac OS X Released
Microsoft Issues Two Critical Updates
ATTACKS & INTRUSIONS & DATA THEFT
New Hampshire State Computer System Data Breach
Additional Information Emerges Regarding Compromised Debit Cards
MISCELLANEOUS
State Department to Aid Tech Firms' Struggle with Censorship



TOP OF THE NEWS

Judge Dismisses Data Negligence Case (15 February 2006)

A US District Judge has thrown out a lawsuit brought by an individual against a student loan company for not encrypting a customer database that was on a laptop computer stolen from the home of a financial analyst. Stacy Lawton Guin maintained that the company was required to encrypt the data under the Gramm-Leach-Bliley Act, but the judge determined that GLB does not require data encryption and that the company "had a written security policy and other 'proper safeguards' for customers' information."
-http://software.silicon.com/security/0,39024655,39156463,00.htm
[Editor's Note (Schultz and others): This ruling is unfortunate. Encryption of data is not sufficient to protect data from unauthorized disclosure, but it is one of the most fundamental measures in achieving this goal. ]

University, Manufacturing Company Ban Google Desktop 3 (16 February 2006)

Cleveland State University and Johnson Controls, a manufacturing company, have both banned the use of Google Desktop 3 on their computer systems. The software has a new feature, Search Across Computers, that does what its name suggests while also storing copies of users' files on Google servers for up to 30 days. For the University, which is required to comply with laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), the security risk of having data on public servers is too great. Similarly, Johnson Controls handles government contracts that include secure, classified information and its own intellectual property.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39252738-39020375t-10000007c
[Editor's Note (Weatherford): This is more than just a bad idea because, as the article notes, the possibility of violating federal regulations is not trivial and voluntarily losing control of your data and intellectual property doesn't look good on a resume! ]

US Lawmakers Lambaste US Tech Firms for Submitting to Censorship Pressure Abroad (16/15 February 2006)

At a US House of Representatives Committee on International Relations hearing this week, US lawmakers took four US companies to task for their business practices in China. Microsoft, Yahoo, Google and Cisco Systems were criticized for bowing to pressure from the Chinese government as manifested in censoring web sites and providing the Chinese government with customer information that led to arrests. Legislators asserted that the companies appeared to be motivated by profits and that they neglected "social responsibility." The companies welcome the US government's guidance in their efforts to "expand in nations with poor human rights records," but cautioned that pulling out of those countries could encourage the growth of competitors that do not share the US government's concerns.
-http://news.bbc.co.uk/2/hi/technology/4699242.stm
(Please note: this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021500301_pf.html
-http://www.theregister.co.uk/2006/02/16/china_committee/print.html
-http://www.computerworld.com/printthis/2006/0,4814,108725,00.html
-http://www.usatoday.com/tech/news/techpolicy/2006-02-15-hearing_x.htm
[Editor's Note (Grefer): Why is it that what's good for the goose is not good for the gander? Apparently censorship and release of personally identifiable information to the government is a Bad Thing (tm) when done in China, but a "necessity" when done in the U.S.
(Schultz): All the rhetoric of this House of Representatives Committee is, unfortunately, likely to do little or no good. These vendors will inevitably continue to do business in China as they have in the past. Regulations or statutes that rein in these business practices that are created and put into effect would in contrast make a huge difference.
(Weatherford): While they insist that they "comply with legally binding orders", most people see this as a moral issue and not a legal one.]

AT&T Suing Nonprofit Organization for Fraudulent Long Distance Calls Made Through its System (9 February 2006)

AT&T is suing a Salt Lake City-based nonprofit for charges on long distance telephone calls that the organization did not make. AT&T acknowledges that the organization, HealthInsight, did not make the calls in question, but says HealthInsight had been warned that attackers were using its systems and did not take adequate steps to prevent the unauthorized usage. The attackers apparently made more than US$25,500 worth of phone calls through HealthInsight's system. AT&T is seeking the amount owed plus interest and legal costs.
-http://www.sltrib.com/business/ci_3489614



THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Alleged NASA Cyber Attacker Seeks Assurance he Will Not be Tried Under Military Law (16/14 February 2006)

At a hearing on Wednesday, February 15, UK district judge Nicholas Evers ruled that his court would deny extradition to the US for Gary McKinnon, the UK man who allegedly broke into computer systems belonging to the US military and NASA, unless the US could guarantee that he will not be treated as a terrorist. The concerns lie with the US's "military order number one," which allows terrorist suspects to be tried under military law.
-http://news.com.com/2102-7348_3-6040470.html?tag=st.util.print
-http://news.bbc.co.uk/2/hi/uk_news/4712700.stm
-http://news.com.com/2102-7348_3-6039337.html?tag=st.util.print
[Editor's Note (Honan): This gentleman has admitted breaking into these systems looking for evidence of extraterrestrial life. Whatever his motives were, the old adage "if you can't do the time, don't do the crime" springs to mind. ]

Brazilian Police Arrest 41 in Connection with Cyber Theft (15 February 2006)

Brazilian federal police arrested 41 people who allegedly used an emailed Trojan horse program to steal BRL10 million (US$4.74 million) from 200 accounts in six banks. Twenty-four other suspects are still being sought.
-http://www.theage.com.au/news/breaking/brazilian-police-bust-hacker-gang/2006/02/15/1139890794432.html

Australian Man to Pay Fine and Restitution for Computer Intrusion (14 February 2006)

An Australian man, Stephen Sussich, has been fined AU$2,000 (US$1,476) and ordered to pay AU$3,000 (US$2,214) in compensation for placing a rootkit on a server of Webcentral, a Brisbane-based company. Sussich pleaded guilty to two charges of unauthorized modification of data to cause impairment. There is no evidence that Sussich accessed credit card data or that his motivation was financial.
-http://www.theage.com.au/news/national/teen-hacker-fined-for-server-attack/2006/02/13/1139679536471.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan for Mac OS X Released (16 February 2006)

A link to proof-of-concept malicious code for Mac OS X has appeared on the Internet. The Trojan pretends to be screenshots of OS X "Leopard" 10.5. While it tries to send itself out to other machines through the iChat instant messaging system, it does not harm the system it has infected.
-http://www.securityfocus.com/brief/142
[Editors' Note (Multiple): The proof of concept status has been upgraded to "in the wild." It is no longer a theoretical threat - it's real. ]

Microsoft Issues Two Critical Updates (15 February 2006)

Microsoft's monthly security update for February contains seven patches, two of which are for vulnerabilities deemed critical. Both are remote code execution flaws that could allow attackers to gain control of vulnerable machines. One of the critical flaws lies in Internet Explorer's (IE) handling of WMF files and is addressed in MS06-004. The other critical flaw lies in Windows Media Player's handling of bitmap (.bmp) files and is addressed in MS06-005. One of the other patches, MS06-007, addresses a TCP/IP flaw that could allow denial of service and requires that some users take extra steps to ensure that the patch installs properly.
-http://www.techworld.com/news/index.cfm?newsID=5379&printerfriendly=1
-http://today.reuters.co.uk/news/newsArticle.aspx?type=technologyNews&storyID=2006-02-15T070706Z_01_N147895_RTRIDST_0_TECH-MICROSOFT-SECURITY-DC.XML
-http://www.computerworld.com/printthis/2006/0,4814,108704,00.html

ATTACKS & INTRUSIONS & DATA THEFT

New Hampshire State Computer System Data Breach (15 February 2006)

New Hampshire Governor John Lynch said the security of the state's computer system has been breached. The attackers may have been seeking credit card account information belonging to New Hampshire residents. The security breach involved computer and in-person transactions at motor vehicle offices, state liquor stores and other locations. People who have used credit cards for transactions with the state over the last six months are advised to scrutinize their statements for unauthorized transactions. The breach came to light when state technology experts found monitoring software installed on the system.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021502764_pf.html
[Editor's Note (Pescatore): This story points out one of the biggest problems in how many enterprises reacted to worms and phishing attacks: they focused on patch management and the elusive "user education" and did not follow up to see if any malicious payloads had been installed. Checking to see if their computers are patched, and blocking access to known phishing URLs is just part of what has to happen. Looking for dangerous software on internal machines needs to be part of continuous vulnerability management. There are plenty of scanning and network behavior analysis tools that provide this capability. ]

Additional Information Emerges Regarding Compromised Debit Cards (13 February 2006)

Sources are now indicating that the compromised debit cards reported earlier this week are related to two security breaches involving Wal-Mart and OfficeMax. Bank of America, Washington Mutual and a credit union cancelled 200,000 customer debit cards. The FBI and the Secret Service are investigating. Neither store has commented on its connection to the data breach, although Wal-Mart did point to its December 2, 2005 announcement that customer credit card security had been breached at some Sam's Club gas pumps in late September and early October. The FBI also believes that the breach may be connected to an ongoing investigation in Sacramento, CA; that case involves the cancellation of about 1,500 debit cards at the Golden 1 Credit Union.
-http://news.com.com/2102-1029_3-6038405.html?tag=st.util.print
-http://news.com.com/2102-1029_3-6038287.html?tag=st.util.print
[Editor's Note (Weatherford): Sunshine is the best disinfectant and while it might not be the case here, it looks like they aren't being completely forthcoming...which churns the rumor mill. ]

MISCELLANEOUS

State Department to Aid Tech Firms' Struggle with Censorship (15/14/13 February 2006)

A US State Department task force will "help technology companies protect freedom of expression in countries like China that censor online content." The task force will help encourage the countries to allow broader freedom of expression and help the US technology companies figure out what to do when faced with "repressive laws." In a related story, Yahoo issued a statement saying it is committed to an unrestricted Internet.
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-02-15T054457Z_01_N14367998_RTRIDST_0_OUKIN-UK-FREEDOM.XML&archived=False
-http://news.bbc.co.uk/2/hi/technology/4711654.stm
-http://www.theregister.co.uk/2006/02/14/yahoo_censorship_statement/print.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39252127-39020369t-10000023c


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/