SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #17
February 28, 2006
We were all surprised that more than 420 people from 22 countries are
flying to Orlando for the first Process Control and SCADA Security
Summit this Thursday and Friday. As far as I know SANS has never had a
new security program that grew that large, that fast. Buyers of process
control systems appear to have decided it is time to join together, and
work with the vendors, to eliminate the major security vulnerabilities
in these critical systems. Kudos to them and to Chairman Dan Lungren of
the Cybersecurity Subcommittee of the House Homeland Security Committee,
who provided the initial energy that led to creation of the Summit and
who is helping with the 2006 SCADA Security Leadership Award
presentations at the Summit. If you didn't see the complete program -
it's quite amazing.
http://www.sans.org/scadasummit06/
Alan
TOP OF THE NEWS
Dept. of Justice Says Google's Privacy Concerns are UnfoundedOnline Medical Records Raise Privacy and Security Concerns
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESChinese Engineer in Court for Mobile Phone Card Code Theft
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Auditor's Report Finds Computer Security Problems at IRS
SPYWARE, SPAM & PHISHING
Tool Kits Boost Number of Phishing Sites
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Fixes Flaw in Macromedia Shockwave Player Installer
ATTACKS, INTRUSIONS & DATA THEFT & LOSS
Ernst & Young Loses Five Company Laptops
MISCELLANEOUS
FBI Expands Debit Card Fraud Investigation
Schwab Will Cover Losses from Online Fraud
Shared Digital Files Could Pose Security Risk
Author Describes Steps for Building Security in From the Start
************************** Sponsored by Symantec *************************
2006 Security Compliance Research Report: The Struggle to Manage Security Compliance for Multiple Regulations Sponsored by the Institute of Internal Auditors (IIA), the Computer Security Institute (CSI) and Symantec, this report provides survey results that describe how companies are managing requirements for multiple regulations, the proportion of their IT budgets being devoted to compliance, and how organizations are responding to improve security, demonstrate compliance and reduce costs.
Download now! http://www.sans.org/info.php?id=1046
**************************************************************************
UPCOMING SECURITY TRAINING
As you can see at www.sans.org, more and more SANS classes are sold out (the red triangles) so we have begun a policy of earlier posting of new conferences. If you are thinking about turbo charging your security career or the careers of any of your coworkers this spring, start planning now to go to San Diego in early May. You'll find more than a dozen of SANS most popular courses and a vendor exposition, right on the harbor in San Diego. http://www.sans.org/security06/ Or plan to come to Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozed special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works Bring your family for the national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************
TOP OF THE NEWS
Dept. of Justice Says Google's Privacy Concerns are Unfounded (27 February 2006)
A legal brief from the US Justice department says that Google's arguments for not complying with an order to provide DoJ with certain search data does not threaten individuals' privacy. DoJ requested a week's worth of search terms from Google as part of its efforts to defend the 1998 Child Online Protection Act (COPA), which has been challenged by the American Civil Liberties Union (ACLU). Google has also argued that providing the information requested would disclose trade secrets. The DoJ brief says they have "not asked Google to produce any information that would personally identify its users." Furthermore, "the government has a legitimate need for the disclosure of data that is uniquely in Google's possession" and has requested that Google be given 21 days to comply with the order.-http://news.com.com/2102-1028_3-6043338.html?tag=st.util.print
Online Medical Records Raise Privacy and Security Concerns (26 February 2006)
Individuals' medical records are slated to begin migration to online systems in Florida this year. Some are touting the benefits of a system that will put medical records online so they can be monitored and accessed by pharmacists and patients. Physicians will be able to file prescriptions online and see what other medications an individual is presently prescribed. This could help alert pharmacists to possible drug interactions and aid physicians when patients arrive at hospitals unconscious. Others are concerned about the privacy issues presented by having medical records available online. If the records were to become public, people could potentially lose jobs and be denied insurance coverage.-http://www.news-press.com/apps/pbcs.dll/article?AID=2006602260459
[Editor's Note (Schultz): If the US government does not in general adequately protect its systems and data, and if commercial and academic institutions experience security breaches that result in massive exposure of personal and financial data, is there any reason to expect that the state of Florida (or any other state, for that matter) will adequately protect online medical data? I think not. I fear that it will be only a short matter of time before medical data of Floridians will start to be compromised because of its online availability.
(Murray): By definition, leakage from such systems will have adverse consequences. The question that must be answered is whether or not that damage is worse than medical error and inefficiency.
(Kreitner): We have a history of coming up with new technologies and then trying to figure out how to use them effectively. In the early days of the last century, we built automobiles and then realized they didn't do very well in muddy roads that worked perfectly well for horses. Only then did we begin to build hard surface roads. ]
************************** Sponsored Links *******************************
1) 100% Network Discovery - Realtime, Agentless, Network Discovery. See your complete network for the 1st time. http://www.sans.org/info.php?id=1047
2) SANS offers intensive security training - unavailable anywhere else -- in three dozen other cities and online training, too. See http://www.sans.org/ for a complete listing.
**************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Chinese Engineer in Court for Mobile Phone Card Code Theft (23 February 2006)
A Chinese computer engineer was in court last week for allegedly stealing three million yuan (US$373,100) in electronic codes for prepaid mobile phone cards. The man allegedly broke into the database of Beijing Mobile, stole the codes and sold them on a Chinese Internet auction web site. The man's scheme was discovered when some of the purchasers complained to Beijing Mobile about expired codes.-http://www.shanghaidaily.com/art/2006/02/23/243796/Code_hacker_heard_in_Beijing_
court.htm
[Editor's Note (Honan): This case highlights how one of the basic steps in protecting your infrastructure, the changing of the default and vendor supplied passwords once installation is complete, can protect you from unscrupulous engineers. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Auditor's Report Finds Computer Security Problems at IRS (27 February 2006)
According to a report from the Treasury Department's inspector general for tax administration (TIGTA), the Internal Revenue Service (IRS) has failed to maintain consistent security settings for its computers. Of 102 computers, just 41 percent are in compliance with the Federal Information Security Management Act (FISMA); the other 59 percent of computers are not in compliance or have at least one high-risk vulnerability. TIGTA says system administrators should be held accountable for "maintaining adequate security settings."-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=38341
[Editor's Note (Honan): Having "at least one high-risk vulnerability" in itself is not the problem. It is how the risks relating to that vulnerability are managed, that is critical.
(Grefer): Holding system administrators accountable is all nice and dandy, as long as said sysadmins are empowered to apply the necessary changes and updates in a timely fashion.
(Murray): It is naive for us to believe that government security is worse than other enterprises just because their audit reports are public. It is equally naive to believe FISMA by itself will improve government security. ]
SPYWARE, SPAM & PHISHING
Tool Kits Boost Number of Phishing Sites (27 February 2006)
The Anti-Phishing Working Group (APWG) says the number of phishing web sites increased from 4630 to 7179 between November and December of 2005. The number of phishing emails dropped in that same period. The increase in the number of sites is thought to be due to the availability of easy to use phishing tool kits.-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39240328-20000
61744t-10000005c
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Fixes Flaw in Macromedia Shockwave Player Installer (24/23 February 2006)
Adobe has issued an advisory, warning customers that a boundary error in a Macromedia Shockwave Player Installer ActiveX control could allow attackers to execute arbitrary code on vulnerable systems. The flaw affects Shockwave Player 10.1.0.11 and earlier and occurs only during installation. To exploit the flaw, attackers would need to trick users into visiting maliciously crafted web sites. Adobe has fixed the flaw.-http://www.eweek.com/print_article2/0,1217,a=172169,00.asp
ATTACKS, INTRUSIONS & DATA THEFT & LOSS
Ernst & Young Loses Five Company Laptops (26/25 February 2006)
Ernst & Young has acknowledged that it has lost a laptop computer containing customer data, including Social Security numbers. The company informed affected customers of the loss and potential data security breach, but the loss was not made public until recently. The computer was stolen from an employee's locked car. Scott MacNealy, Sun Microsystems CEO, was reportedly among those affected. Speaking at the RSA security conference, MacNealy indicated that he had been notified that his data were among some lost, and added that the company that lost the data is employed by Sun to determine its Sarbanes-Oxley compliance. In addition, four Ernst & Young laptop computers were stolen from a conference room on February 9, 2006. A surveillance camera caught footage of the laptop thieves, who were able to enter the room due to a built-in delay in the room's door locking mechanism.-http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/print.html
-http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_
county/cities_neighborhoods/weston/13947682.htm?template=contentModules/printsto
ry.jsp
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/02/25/BUG2IHEGCC1.DTL&a
mp;type=printable
-http://www.theregister.co.uk/2006/02/26/ey_laptops/print.html
[Editor's Note (Kreitner): Do you think that the continuing string of episodes like this one might be leading people to the conclusion that having other people's personal and other sensitive data on our laptop computers, unencrypted, is an unwise policy?
(Grefer): Cable locks are available for securing laptop computers. They do not provide perfect protection but tend to act as a reasonable deterrent. ]
MISCELLANEOUS
FBI Expands Debit Card Fraud Investigation (24 February 2006)
The FBI's investigation into a rash of fraudulent debit card activity has moved from the Sacramento office to Charlotte, North Carolina, after the agency learned that there may be a connection between the California case and a case in North Carolina. Beginning in late 2005, banks and credit unions in California started issuing new debit cards following fraudulent transactions conducted at overseas ATMs.-http://news.com.com/2102-7348_3-6042217.html?tag=st.util.print
Schwab Will Cover Losses from Online Fraud (23 February 2006)
Charles Schwab has said it will cover losses incurred by customers due to online fraud. Customers who knowingly share their log in information with others are not covered, but fraud resulting from phishing attacks and other malicious activity will be covered. E-Trade made a similar announcement in January.-http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/23/BUG
NEHCT5V1.DTL&type=printable
[Editor's Note (Pescatore): It is good to see E-Trade and Schwab take this step, but in reality most financial companies have been covering customer losses when it is clear that phishing or malware was the culprit. As those "make good" costs mount, the payoff of moving to stronger mutual authentication for Internet transactions becomes clearer and clearer.
(Schultz): Some momentum is starting to build for financial and brokerage institutions covering customer loss due to electronic fraud. Hopefully, others will follow suit. If not, I'd bet that some kind of federal legislation that includes this kind of provision will be passed sometime in the not so distant future.
(Murray): Like banks, brokerage firms are responsible for ensuring that all transactions are properly authorized. Like banks, they normally meet this obligation late, i.e., by confirming the transaction to the customer. Both are pretty good about making the customer whole. Banks have been a little better about acknowledging the obligation and some have even turned it to a marketing advantage. Brokerage firms have been better at confirming changes of address to the old, as well as the new, address; necessary to make the confirmation effective. ]
Shared Digital Files Could Pose Security Risk (23 February 2006)
Speaking at the recent RSA Security Conference, two consultants described what they believe will be the next vector of attack for cyber criminals: digital audio and video clips. Robert Baldwin and Kevin Kingdon say that audio and video content could be exploited to install spyware, steal data and attack systems because the content is able to bypass security measures and play directly on users' machines. The content could contain anti-piracy measures to prevent it from being copied unlawfully, but the same software prevents the content from being scanned by security programs.-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1168617,0
0.html?track=sy160
Author Describes Steps for Building Security in From the Start (23 February 2006)
Gary McGraw's new book "Software Security: Building Security In" focuses on seven "touchpoints" for creating secure code from the beginning of the development process: code review, risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements and security operations.-http://www.eweek.com/print_article2/0,1217,a=172134,00.asp
[Editor's Note (Murray): Wrong focus. Most of these "touchpoints" are about late flaw detection and removal. Demming tells us that one achieves quality only by a process that prevents the flaws in the first place. Programmers resist such methods. They prefer systems, languages, development environments, and tools that reserve the greatest flexibility to themselves. Management consents to this preference. ]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/