SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #22

March 17, 2006

TOP OF THE NEWS

DHS Scores F on Cyber Security Report Card
One-Third of Gas and Electric Utility IT Execs Fear SCADA Attack
UK Bank Issues Free Two-Factor Authentication to All Internet Customers

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Israeli Trojan Couple Plead Guilty
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Releases FIPS 186-3 Draft for Comments and Final Version of FIPS Pub 200
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Winny Exposes Data in Japan
Adobe Issues Fixes for Flash Flaws
Microsoft March Security Updates
Trojan Horse Holds Files for Ransom
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Stolen Ernst & Young Laptop Contains IBM Employee Data
OfficeMax Says "No Evidence of Security Breach"
MISCELLANEOUS
Judge to Rule Soon in Google Case

---

*************************** Sponsored by Permeo *************************
(Permeo Technologies was recently purchased by Blue Coat)

Get the latest SSL VPN buyer's guide

Considering SSL VPN for remote access? Download the latest Buyers Guide from security analyst Mark Bouchard (CISSP) to learn how to evaluate SSL VPN technology including features to look for and implementation best practices. In addition, Mark discusses the importance of integrated endpoint security and information controls.
Learn more. http://www.sans.org/info.php?id=1072

*************************************************************************
Upcoming Security Training in San Diego and Washington DC

Turbo charge your security career or the careers of any of your coworkers this spring in San Diego in early May: a dozen of SANS most popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/

Or to come to Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works Bring your family for the national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

---

TOP OF THE NEWS

DHS Scores F on Cyber Security Report Card (15 March 2006)

The US Department of Homeland Security (DHS) has received a failing grade for its cyber security from the House Government Reform Committee. The federal government is expected to receive an overall grade of D-plus. The grades are based on the federal agencies' compliance with requirements set out in the Federal Information Security Management Act (FISMA). Some believe that money spent documenting compliance would be better spent securing systems.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589_
pf.html
-http://www.infoworld.com/article/06/03/15/76516_HNfedsecurityfailures_1.html
[Editor's Note (Ranum): Money spent toward producing documentation and checking checkboxes ultimately does little more than create a priesthood of box-checkers. One thing that is clear: using budgetary controls to enforce standard compliance does not work.
(Schultz): The push for compliance within the US government arena has been tremendously blown out of proportion. I'd like to conduct a study in which standards frequently used for compliance such as NIST 800-026 and NIST 800-053 are followed to the "T" in a test environment, then launch a barrage of attacks against the computing systems in that environment. I'd wager a lot of money that many if not most of such attacks would succeed.
(Paller) DHS isn't perfect, but the agencies that got high grades are no better secured than the agencies that got low grades. Gene Schultz and Marcus Ranum are exactly right. If the agencies are to be held to a standard for security (as well they should be), let it be one that measures the readiness of the systems and people to withstand attacks and recover from them. ]

One-Third of Gas and Electric Utility IT Execs Fear SCADA Attack (February 2006)

A Trusted Network Technologies survey of 50 US gas and electric utility information technology (IT) executives found that 33 percent believe SCADA (supervisory control and data acquisition) or distribution systems will suffer an attack within the next two years. Twenty-one percent of the respondents indicated their own systems had experienced outside threats.
-http://www.trustednetworktech.com/documents/UtilityIT.pdf
[Editor's Note (Paller): At the SCADA Security Summit two weeks ago, 300 utilities and pipeline companies and other organizations saw just how their control systems can be penetrated. As a direct result, Will Pelgrin, CISO of New York State has taken on the leadership of a multi-national effort, now involving more than 100 utilities and others at risk, to develop consensus minimum security procurement language for maintenance of legacy control systems and for acquisition of new control systems. This is the most important and promising security project in the field; they expect to have a starter set of specifications within a month or two. If you work for an organization that purchases control systems and want to participate in the consensus project, email info@sans.org with the subject SCADA Security Specs.
(Weatherford): This is a good news/bad news story. The good news is that many of these IT executives recognize that there are threats to their SCADA systems and 70% believe they are both fully compliant with SOX requirements and that their internal controls are adequate and effective. The bad news is that one-third of those surveyed say they can *not* clearly identify "all interactions" of users and assets on their SCADA networks. ]

UK Bank Issues Free Two-Factor Authentication to All Internet Customers (16 March 2006)

Alliance & Leicester (A&L) has become the first bank in the UK to roll out free, two-factor authentication technology to all its Internet banking customers. Two other UK banks have been testing two-factor authentication technologies with limited groups of customers. A&L plans to add card-reading devices for its users to authenticate online purchases once UK banking industry group APACS has established applicable standards.
-http://www.vnunet.com/computing/news/2152053/bank-strikes-back-id-cheats
[Editor's Note (Pescatore): Ah, those pesky readers. The solution A&L is using is a product that fingerprints the user's PC, and uses that as the second factor - there is no token, thus no need for a reader. It also provides mutual authentication, an often overlooked need. However, people who make transactions from multiple computers either have to register multiple PCs or resort to standard shared secret verification. ]

---

************************** Sponsored Links: *****************************

1) Check out a FREE DEMO of our latest development "SANS OnDemand - Online Training & Assessments" - we're taking online training up a few notches!
http://www.sans.org/info.php?id=1073

2) Free Sourcefire sponsored SANS Tool Talk webcast next week - "True Intrusion Prevention - Protecting Against Threats From All Vectors, At All Times"
Tuesday, March 21 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1074

3) Upcoming Free WhatWorks Webcast - "WhatWorks in Log Management: Caring for Logs with Northwestern Memorial Hospital" Tuesday, March 28 at 1:00 PM EST
http://www.sans.org/info.php?id=1075
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Israeli Trojan Couple Plead Guilty (15 March 2006)

Ruth Brier-Haephrati and Michael Haephrati have pleaded guilty to industrial espionage charges in an Israeli court. The couple confessed to developing a Trojan horse program that was sold to private investigators who used it to spy on clients' business competitors. Ruth faces up to four years in prison; Michael faces up to two years. Both face a fine of one million New Israeli Shekels (US$214,000).
-http://www.theregister.co.uk/2006/03/15/spyware_trojan_guilty_plea/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

NIST Releases FIPS 186-3 Draft for Comments and Final Version of FIPS Pub 200 (15/13 March 2006)

The National Institute of Standards and Technology (NIST) is accepting public comments on its draft Federal Information Processing Standard (FIPS) 186-3, Digital Signatures Standard, through June 12, 2006. It is designed to replace FIPS 186-2, first issued in 1994 and revised in 1999. FIPS 186-2 permitted 512-bit and 1,024-bit cryptographic keys; FIPS 186-3 would permit 1,024-bit, 2,048-bit and 3,072-bit keys. NIST has also released the final version of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The publication established requirements in 17 areas, including access control, audit and accountability, contingency planning and incident response.
-http://www.fcw.com/article92589-03-13-06-Web
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&
story.id=40127
-http://csrc.nist.gov/publications/drafts.html
-http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Winny Exposes Data in Japan (16/9/7 March 2006)

The Winny file-sharing program has exposed data at several Japanese organizations. All Nippon Airways acknowledged that Winny exposed PINs (personal identification numbers) required to enter restricted areas of airports. A Toyama Hospital employee inadvertently allowed personal data belonging to 2,800 surgical patients to be uploaded to the Internet. Japan's National Police Agency has ordered that official and private computers used by officers be subject to spot checks following the discovery that information from investigations had been uploaded to the Internet. The NPA also prohibits officers from using Winny on their private computers. Japan's Chief Cabinet Secretary is encouraging citizens not to use Winny. A March 15 editorial in the Yomiuri Shimbun says that people should stop blaming Winny and take responsibility for protecting sensitive data.
-http://www.yomiuri.co.jp/dy/national/20060309TDY02002.htm
-http://www.yomiuri.co.jp/dy/national/20060316TDY02008.htm
-http://mdn.mainichi-msn.co.jp/national/news/p20060307p2a00m0na024000c.html
-http://www.yomiuri.co.jp/dy/editorial/20060315TDY04006.htm
[Editor's Note (Schultz): The "lessons-learned" continue, and they invariably point to the fact that file-sharing is downright dangerous. With the possible exception of Bit Torrent (which is used to download Linux patches), security-conscious organizations need to go far out of their way to ensure that file-sharing programs do not run on any of their computing systems. ]

Adobe Issues Fixes for Flash Flaws (15 March 2006)

Adobe has issued fixes for flaws in Flash Player version 8.0.22 and earlier, Breeze Meeting version 5.1 and earlier and Shockwave player, version 10.1.0.11 and earlier. Adobe encourages users to upgrade to Flash version 8.0.24.0. The vulnerabilities are serious enough to warrant a warning from Microsoft, which distributes Flash software with Windows.
-http://www.computerworld.com/printthis/2006/0,4814,109579,00.html
-http://news.zdnet.co.uk/internet/security/0,39020375,39257495,00.htm
Adobe Advisory:
-http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html

Microsoft March Security Updates (14 March 2006)

Microsoft released bulletins describing to security updates on Tuesday, 14 March. MS06-012, addresses six critical remote code execution flaws in Microsoft Office; five of these could be exploited with maliciously crafted Excel files. The other update, MS06-011, addresses an "important" privilege escalation flaw in Windows.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1172938,0
0.html
-http://www.computerworld.com/printthis/2006/0,4814,109553,00.html
-http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
-http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx
[Editor's Note (Boeckman): While these are not extremely critical vulnerabilities by Microsoft standards, the combination of multiple vulnerabilities can increase the aggregate risk ]
. ]

Trojan Horse Holds Files for Ransom (15/14/13 March 2006)

The Cryzip Trojan horse program encrypts files on infected systems and then demands US$300 ransom in exchange for the password to decrypt the files. This particular piece of ransomware is flawed in that the password is stored in plaintext on victims' computers. Cryzip apparently searches for certain files once it has infected a computer and uses a commercial zip library to encrypt the purloined files. It is unclear how Cryzip is distributed.
-http://www.eweek.com/print_article2/0,1217,a=173408,00.asp
-http://www.securityfocus.com/brief/162
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39343678-39000005c
-http://www.theage.com.au/news/breaking/pc-file-kidnappers-demand-ransom/2006/03/
15/1142098506049.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Stolen Ernst & Young Laptop Contains IBM Employee Data (15 March 2006)

A laptop computer stolen from an Ernst & Young employee's car contains sensitive personal data belonging to thousands of current and former IBM employees. Ernst & Young does tax work for IBM's overseas employees. Ernst & Young has acknowledged the theft of five other laptops. One is known to have contained personal information including that of Sun Microsystems CEO Scott McNealy. Four others were stolen from a conference room.
-http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/print.html

OfficeMax Says "No Evidence of Security Breach" (15/14 March 2006)

Fourteen people, all US citizens, have been arrested in connection with a debit card fraud ring that forced the replacement of hundreds of thousands of cards. Recent stories have suggested that the fraud is linked to the theft of a block of debit card PINs from a major retailer; a county prosecutor says that the stolen data came from OfficeMax and other companies. OfficeMax says that both an internal investigation and an independent study found no evidence of a security breach exposing customer financial data. OfficeMax is continuing to work with the US federal law enforcement agencies in their investigation.
-http://news.com.com/2102-1029_3-6049758.html?tag=st.util.print
-http://news.com.com/2102-1029_3-6049290.html?tag=st.util.print

MISCELLANEOUS

Judge to Rule Soon in Google Case (15/14/10 March 2006)

US District Judge James Ware says he is likely to order Google to provide the US Justice Department with at least some of the data it has requested. Google initially refused to provide the Justice Department with the data it requested, claiming it would violate customer privacy and could potentially expose the company's trade secrets. The government's initial request was for one million random web site addresses and one week's work of query terms. The request has been scaled back to 50,000 web sites and 5,000 terms, with the Justice Department examining just twenty percent of those. The government has also agreed to compensate Google for eight days of programmers' time. AOL, Yahoo and MSN have complied with the government's request, which is being made in an effort to support its contention that filtering software is not effective in protecting children from inappropriate Internet content. The government is trying to defend the Child Online Protection Act (1998), which was blocked by the Supreme Court.
-http://www.silicon.com/0,39024831,39157220,00.htm
-http://www.usatoday.com/tech/news/internetprivacy/2006-03-14-google-judge_x.htm
-http://news.com.com/2102-1030_3-6048488.html?tag=st.util.print
-http://news.bbc.co.uk/1/hi/business/4804182.stm

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/