SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #16

February 24, 2006

TOP OF THE NEWS

Major Mac OS X Flaw Surfaces
Compliance Does Not Mean Security
EU Justice Ministers Pass Data Retention Directive

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Acxiom Data Thief Draws Eight-Year Sentence
CardSystems Solutions Settles FTC Charges
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
eDonkey Server Shut Down
ATTACKS & INTRUSIONS & DATA THEFT
University of Northern Iowa Informs Employees of Possible Data Breach
MISCELLANEOUS
Deloitte & Touche Loses Disk with McAfee Employee Data
Metadata Provides Identifying Info About Anonymous Source
BP Takes Step Toward Deperimeterization of Security
Canterbury University (NZ) Closes Online Record Access

---

***** SPONSORED BY SANS SECUITY SAN DIEGO and SANSFIRE WASHINGTON ******

As you can tell from the web site (www.sans.org), more and more classes are filling early (the red triangles). If you are thinking about turbo charging you security career or the career of any of your coworkers this spring, start planning now to go to San Diego in early May. You'll find more than a dozen of SANS most popular courses and a vendor exposition all right on the harbor in San Diego.
http://www.sans.org/security06/

Or plan to come to Washington in July right after July 4 (bring your family for the national fireworks show) for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozed special courses and a big exposition.
http://www.sans.org/sansfire06
*************************************************************************

---

TOP OF THE NEWS

Major Mac OS X Flaw Surfaces (22/21 February 2006)

A major flaw in Mac OS X allows attackers to run shell scripts on vulnerable computers simply by tricking users into visiting maliciously crafted web sites with the Safari browser. Apple says it is working on a fix for the problem but has not specified when it will be available. This is the third security issue to hit Mac OS X in a short period of time; a Trojan horse program and a worm that affect the operating system were detected recently. The new problem lies in the Mac OS Finder, an operating system component that is used to view and organize files. The OS decides which application to use to handle a file based on its permissions, not its extension. While no attacks have been detected, proof-of-concept exploit code is available. Meanwhile, users can disable the "Open safe files after downloading" Safari option.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5429
-http://news.com.com/2102-1002_3-6041685.html?tag=st.util.print
Internet Storm center coverage:
-http://isc.sans.org/diary.php?storyid=1138
[Editors Note (Paller, with guest editors Brian Caswell of SourceFire, Jeff Plum of MedData and Brian Goldberg of Carbonite Labs): Attacks have been seen; Macs are now being infected. They get infected just by visiting an infected web site. To find out whether your system is vulnerable, use the test at Secunia:
-http://secunia.com/mac_os_x_command_execution_vulnerability_test/
To remove the vulnerability from your Mac, until Apple fixes the problem, is to disable "Open safe files after downloading" option in the Safari Browser. ]

Compliance Does Not Mean Security (22 February 2006)

Bruce Brody, former chief cyber security officer at the departments of Energy and Veterans Affairs and current VP of information security at a private market analysis company, says that compliance with federally mandated IT security processes does not provide a good picture of government systems' cyber security. The grades assigned to various agencies based on Federal Information Security Management Act (FISMA) compliance do not have much meaning. Brody made the statements to the press following a closed-door meeting with CSOs from the Federal Communications Commission (FCC), Departments of State, Commerce, Treasury, Transportation and Housing and Urban development as well as the US Senate. An August 2005 survey of CSOs found that FISMA compliance is taking more time every year.
-http://www.govexec.com/story_page.cfm?articleid=33439&printerfriendlyVers=1&
amp;
[Editor's Note (Schultz) I couldn't agree with Mr. Brody more. Considering compliance and good security practices as equivalent is specious. At the same time, however, a complete lack of compliance is likely to equate to poor security practices.
(Paller): Bruce's comments are accurate and troubling. The amount of money being wasted on federal contactors writing reports that are never read, meeting compliance standards drafted by people who may never have secured a computer, has reached crisis levels. Many agencies have to choose between writing reports and securing their systems. Unreasonable pressure from OMB forces them to spend so much money on the reports that many do not have sufficient resources to infest in securing systems.
(Boeckman): This observation is absolutely correct. It makes one wonder why the government spends so much time and money to comply with these standards. It also begs the question that if FISMA is not a good measure of security, what is? (Answer from Paller: the best hope for a useful replacement for FISMA is the new BOSS benchmark being constructed by 80 companies and government agencies working with the Center for Internet Security. It has enough detail to be useful, has repeatable measures, and reflects all the lessons learned in the VISA/PCI security standards being used in tens of thousands of organizations that process credit cards.) ]

EU Justice Ministers Pass Data Retention Directive (22/21 February 2006)

On Tuesday, EU Justice ministers passed a data retention directive requiring Internet service providers (ISPs) and both mobile and fixed line telecommunications providers to retain customers' communications records for as long as two years. The data kept will include the date, duration and destination of each instance of communication; content will not be retained. Service providers will bear the cost of storing the data. EU member countries must comply with the directive by August 2007. The directive was proposed following the 2004 train bombings in Madrid. Some member states wanted the data retained for longer than two years; other groups have expressed concern that the directive threatens citizens' civil liberties.
-http://networks.silicon.com/telecoms/0,39024659,39156685,00.htm
-http://www.eubusiness.com/Telecoms/060221132715.m5qi2yet
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2
006-02-21T123127Z_01_L21613483_RTRIDST_0_OUKIN-UK-SECURITY-EU-DATA.XML
[Editor's Note (Multiple): ISPs hate the idea. They gave the UK government "Internet villain of the Year" status for pushing this standard:
-http://news.zdnet.co.uk/0,39020330,39254218,00.htm]

---

*************************** SPONSORED LINKS *****************************

1) "Top 10 Database Vulnerabilities" whitepaper - What they are, how they work & how to stop them.
http://www.sans.org/info.php?id=1040

2) New Chapter Alert: "Understanding Information Protection & Privacy Regulations" from The Definitive Guide to Information Theft Prevention. Learn more.
http://www.sans.org/info.php?id=1041

3) Upcoming Webcasts next week - "Anatomy of an Attack" and "VoIP Security"
http://www.sans.org/info.php?id=1042 and http://www.sans.org/info.php?id=1043

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Acxiom Data Thief Draws Eight-Year Sentence (23 February 2006)

A Florida man has been sentenced to eight years in prison for breaking into Acxiom Corp.'s database of consumer information and stealing more than one billion records. Scott Levine was convicted in August 2005 of 120 counts of unauthorized access to a computer connected to the Internet, two counts of device fraud and one count of obstruction of justice. There is no evidence that Levine used the data to commit identity fraud. Levine will also pay a fine of US$12,300; the amount of restitution has not yet been decided. Levine is the former CEO of Snipermail.com, a bulk emailing company.
-http://news.com.com/2102-7348_3-6042290.html?tag=st.util.print
-http://www.computerworld.com/printthis/2006/0,4814,108921,00.html

CardSystems Solutions Settles FTC Charges (23 February 2006)

CardSystems Solutions has settled charges of failing to protect sensitive customer data. The charges were brought by the Federal Trade Commission (FTC) following a security breach that resulted in more than 260,000 cases of identity fraud. The company had been retaining data from the magnetic strips of credit and debit cards and holding it without adequate security measures. The company, which was bought by Pay By Touch in December, will "implement a comprehensive security program and obtain independent audits every other year for 20 years." 40 million accounts were determined to have been vulnerable.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/02/23/AR2006022301047_
pf.html
-http://www.eweek.com/print_article2/0,1217,a=172109,00.asp

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

eDonkey Server Shut Down (23/22 February 2006)

Police raids in Belgium and Switzerland have shut down Razorback2, believed to be one of the largest index servers on the eDonkey file sharing network. The servers held an index of an estimated 170 million pirated files, according to RIAA. The server's owner was arrested in Switzerland; equipment was seized in Belgium.
-http://news.bbc.co.uk/2/hi/technology/4743052.stm
-http://www.reghardware.co.uk/2006/02/22/cops_close_razorback2/print.html
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2
006-02-22T112125Z_01_L22660639_RTRIDST_0_OUKIN-UK-MEDIA-EDONKEY.XML
[Editor's Note (Murray): It is sad the debate over this regulation degenerated into one over the length of time of the retention to the exclusion of the wisdom of it. This information will be abused and misused; it will leak. Its cost will be disproportionate to its value.]

ATTACKS & INTRUSIONS & DATA THEFT

University of Northern Iowa Informs Employees of Possible Data Breach (17 February 2006)

The University of Northern Iowa has sent letters to 6,000 employees informing them that their personal data relating to Internal Revenue Service W-2 forms were contained on a laptop computer that suffered a security breach. University officials say there is no evidence that personal information was accessed; a virus was found on the computer. The employees were encouraged to monitor their financial accounts for any suspicious transactions.
-http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20060217/SPORTS0207/6021
7017/1001&template=printart

MISCELLANEOUS

Deloitte & Touche Loses Disk with McAfee Employee Data (23 February 2006)

A McAfee spokesperson said that an external auditing firm lost a CD containing the unencrypted names, Social Security numbers and McAfee stock holdings of an unspecified number of current and former employees. Deloitte & Touche acknowledged that an employee left the unlabelled CD in the seat back pocket on an airplane. The missing disk was reported to McAfee on January 11, 2006. The affected employees have been notified.
-http://news.com.com/2102-1029_3-6042544.html?tag=st.util.print
[Editor's Note (Pescatore): Since the old Network Associates (now McAfee) had bought a large number of security companies, this incident is actually impacting a lot of security folks! Hearing that companies doing SOX audits allow their employees to carry sensitive customer data on CDs to use on airplanes (exposing that data as a minimum to their seat mates) is pretty depressing.
(Schmidt): Why would any one have sensitive data like this on removable media and not encrypted? When are policies about encrypting data on media going to be standard? People will forget things and the need for encryption of mobile devices/removable media is great then ever. Imagine how many flash drives have been lost that are not even talked about. ]

Metadata Provides Identifying Info About Anonymous Source (22 February 2006)

Images accompanying a Washington Post story about a young man who spoke anonymously about his botnet activities have been removed from the paper's web site after it was discovered that they included metadata tags that provided clues to the individual's identity. The article's author declined to comment, citing confidentiality agreements with his source.
-http://www.eweek.com/print_article2/0,1217,a=172028,00.asp
[Editor's Note (Murray): This man is not Robin Hood. He steals capacity and then uses it to contaminate the network and diminish trust. He cannot decide whether he wants to make money or brag; he will find that he cannot have it both ways. His customers are not much better than he. If we are going to put reporters in jail for protecting whistle-blowers and politicians, surely we can find a prosecutor and a judge to put one in jail for protecting criminal scum.]

BP Takes Step Toward Deperimeterization of Security (21 February 2006)

BP has removed 18,000 company laptop computers from a local area network (LAN) and set them up so they connect directly to the Internet even while in the office. BP is a founding member of the Jericho Forum, which espouses deperimeterization and encourages organizations to harden all parts of their networks instead of relying on outward-facing points.
-http://software.silicon.com/security/0,39024655,39156608,00.htm
[Editor's Note (Pescatore): This makes very little sense. BP still has perimeter firewalls, it has to protect the servers and the rest of the network. Any large corporation has to secure their laptops anyway - they are often used outside the corporate firewalls. So, there really isn't anything new here - it is really just a new name for defense in depth. The Jericho Forum list of "What de-perimeterisation is *not*" pretty much points that out. ]

Canterbury University (NZ) Closes Online Record Access (20 February 2006)

Canterbury University in New Zealand has closed online access to student records after discovering that some students were able to view others' records. The University is looking into the source of the problem, which occurred during the school's enrollment period.
-http://www.nbr.co.nz/home/column_article.asp?id=14415&cid=3&cname=Techno
logy

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/