SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #31

April 18, 2006

A big change coming in how system security is monitored: vulnerability
management and configuration auditing tools are being upgraded into
combined testing and remediation programs. This is a major change in
the way security will be done - combining auditing and operations.
What's the point of knowing that there are problems if the problems are
not being fixed. Today (Tuesday April 18) at 1 PM EDT a user who has
implemented such a solution will be interviewed in a SANS WhatWorks web
cast. To listen in or join the discussion pick the top web cost at
http://www.sans.org/webcasts/
Alan

---

TOP OF THE NEWS

UK's Computer Misuse Act to be Updated
China Will Ban Sale of Computers Without Pre-Installed Operating Systems
Judges Finds Wells Fargo Not Negligent in Data Theft Case
Interest in Data Retention Laws is Growing

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
Texas Governor Issues Executive Order Limiting P2P Use on State Systems
SPYWARE, SPAM & PHISHING
Australian Court Says Company and Owner Will Face Penalties for Spam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Releases Firefox Updates
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Univ. of South Carolina Students' SSNs Accidentally Exposed
STATISTICS, STUDIES & SURVEYS
Rootkit Attacks, Stealth Technologies Rise Sharply
MISCELLANEOUS
Company Reaches Settlement Regarding Deceptive Security Product
RFID Zapper

---

****************** SPONSORED SANS SECURITY SAN DIEGO ******************
Wednesday, April 19 Is Early Registration Deadline for SANS Security 2006

The industry's best courses - extraordinary faculty; authoritative
up-to-the-minute material - shows you how to do the job and gives you
the confidence to go back and do it immediately.

SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion
Detection, Auditing, plus training for CISSP exam and all Technical
certification required for DoD 8570.

Join 600 security professionals in San Diego in May for SANS best
instructors, a great security product expo, and evening networking and
new technology sessions. Bonus: Smalle classes than the national
conferences: Register by Wednesday for the discount:
http://www.sans.org/security06/
*************************************************************************

---

TOP OF THE NEWS

UK's Computer Misuse Act to be Updated (13 April 2006)

The UK's new Police and Justice Bill will update the outdated Computer Misuse Act (CMA) of 1990 this summer. Section Three of the CMA will be revised to make any unauthorized act performed against a computer an offense. The term "unauthorized act" is deliberately undefined; the law will no longer require data modification to have taken place to deem an act an offense. In addition, denial-of-service has been made a specific offense. People found guilty under the revised law will find themselves faced with longer jail sentences.
-http://www.silicon.com/publicsector/0,3800010403,39158043,00.htm
[Editor's Note (Schultz): To say that the CMA has been badly out of date for quite a long time now is quite an understatement. On numerous occasions individuals accused to launching denial of service and other types of attacks could not be prosecuted in the UK under the provisions of the CMA. The new bill will do a lot to bring this legislation up to where it needs to be, particularly by greatly broadening the definition of computer-related offenses.
(Ranum): If "unauthorized" includes spyware, this could be interesting. ]

China Will Ban Sale of Computers Without Pre-Installed Operating Systems (15 April 2006)

In an effort to fight software piracy, China expects to ban the sale of computers without operating systems by the end of this year. While computers sold without operating systems installed are less expensive, some people have been installing pirated copies on their new computers. An official with the Beijing Copyright Bureau says government departments will be required to purchase computers with legitimate software already installed.
-http://www.shanghaidaily.com/art/2006/04/15/261660/IPR_protections_plan_in_Beiji
ng.htm
[Editor's ote (Schultz): I have seen firsthand how blatant software piracy is in some of the cities I have visited in China. By going ahead with these plans, China will be making a giant contribution to the war against software piracy. ]

Judges Finds Wells Fargo Not Negligent in Data Theft Case (14 April 2006)

A US District Judge in Minnesota ruled that two people who had filed a class action lawsuit against Wells Fargo had not actually suffered any damages and were thus unable to demonstrate "reasonably certain future injury" due to the theft of computer hardware from a Wells Fargo contractor. The hardware contained unencrypted Wells Fargo customer data. The judge said the thieves never used the information and that time and effort the plaintiffs spent monitoring their credit reports "was not the result of any present injury, but rather the anticipation of future injury that has not materialized." The judge found Wells Fargo not negligent because the information was never misused by the thieves.
-http://news.zdnet.com/2102-9595_22-6061400.html?tag=printthis
[Editor's Note (Honan): This is a prime example of where the lack of Data Protection legislation in the United States impacts negatively on people affected by a company's lack of adequate controls to protect customers' personal information.
(Schultz): This ruling constitutes an obvious setback in the struggle to make organizations more accountable in handling and protecting personal and financial information. I can nevertheless understand the judge's logic, which in essence says that if you cannot show tangible damage or loss due from a data confidentiality breach, the plaintiffs cannot collect damages. At the same time, however, ruling that Wells Fargo was not negligent makes little sense given the current impetus for financial institutions to exercise due care in protecting customer data. ]

Interest in Data Retention Laws is Growing (14 April 2006)

The idea of requiring Internet service providers (ISPs) to retain records of customers' online activities is gaining interest among US legislators. One US legislator says a data retention bill would help law enforcement officials investigate crimes against children. Privacy advocates are concerned about the passage of such legislation because it would require the retention of data that would normally be kept for only brief periods of time or not at all. ISPs also have reservations and concerns about retaining data. Who will have authority to access the stored records; who will pay the added costs of storing the retained data; and do the current systems hinder police investigations, provided the investigations are conducted in a timely manner? Both Department of Homeland Security (DHS) Secretary Michael Chertoff and FBI Director Robert Mueller have made comments that indicate they are in favor of data retention.
-http://news.com.com/2102-1028_3-6061187.html?tag=st.util.print

---

**************************** Sponsored Links: ***************************
1) Free White Paper: The Future of Perimeter Security by Norm
Laudermilch, CSO of Trust Digital
http://www.sans.org/info.php?id=1116

2) A managed service offers the best defense for your email network -
find out why!
http://www.sans.org/info.php?id=1114

3) "Top 5 Identity Theft Attacks on Web Applications" whitepaper -
What they are, how they work & how to stop them.
http://www.sans.org/info.php?id=1115
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION

Texas Governor Issues Executive Order Limiting P2P Use on State Systems (13 April 2006)

Texas Governor Rick Perry has issued an executive order that prohibits the unauthorized or illegal use of peer-to-peer (P2P) software on state computer systems. Perry's order says the file-sharing software poses a potential threat to network resources. In addition, P2P networks are often used to share pirated copies of digital content. The policy would not apply to the legislative nor judicial branches of Texas government or to Constitutional state officers.
-http://www.fcw.com/article94067-04-13-06-Web
-http://www.governor.state.tx.us/divisions/press/exorders/rp58
[Editor's Note (HONAN): An effective computer use policy will stipulate that only authorized software should be installed on an organization's computer systems and the necessary controls put in place to enforce and monitor the policy. In this case, focusing on P2P software is not necessarily the issue. One has to ask why are state employees allowed to install software, of any kind, on their PCs in the first place? ]

SPYWARE, SPAM & PHISHING

Australian Court Says Company and Owner Will Face Penalties for Spam (13 April 2006)

An Australian Federal Court has rejected claims made by Wayne Mansfield and his company Clarity1 in defense of their sending commercial email messages. Mansfield claimed that the recipients of 56 million commercial email messages had agreed to receive them and that the company was allowed to use lists of harvested email addresses they acquired before Australia's Spam Act took effect in April 2004. Mansfield and Clarity1 will face penalties that have yet to be determined.
-http://www.zdnet.com.au/news/communications/print.htm?TYPE=story&AT=39251708
-2000061791t-10000003c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mozilla Releases Firefox Updates (14 April 2006)

Mozilla has released an updated version of its Firefox browser, Firefox 1.5.0.2, which includes support for Mac OS X running on Intel processors. Mozilla says the update is a "stability and security" release because it includes fixes for critical security flaws as well as other problems. Mozilla also released fixes for flaws in older versions of Firefox and in the Sea Monkey browser suite. Some of the Firefox flaws could be exploited by simply tricking users into viewing maliciously crafted web pages.
-http://www.computerworld.com/printthis/2006/0,4814,110541,00.html
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39251987-20000
61744t-10000005c
Intrenet StormCenter:
-http://isc.sans.org/diary.php?storyid=1261
-http://www.techweb.com/wire/185302849

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Univ. of South Carolina Students' SSNs Accidentally Exposed (14 April 2006)

A database containing the Social Security numbers of as many as 1,400 University of South Carolina students was inadvertently attached to an email regarding summer classes. The affected students have been notified and advised to take steps to protect themselves from identity fraud. The University of South Carolina is in the middle of switching from using Social Security numbers as student identifiers to assigning new student ID numbers; the change is scheduled to be complete in fall 2007.
-http://www.msnbc.msn.com/id/12322162/

STATISTICS, STUDIES & SURVEYS

Rootkit Attacks, Stealth Technologies Rise Sharply (17 April 2006)

According to statistics from McAfee's Avert Labs group, the number of rootkit attacks detected in the first quarter of 2006 is 700 percent greater than the number detected during the same period a year ago. The number of rootkits designed to attack Windows-based systems increased by 2300 percent between 2001 and 2005. In addition, Avert found that the use of stealth technologies has increased more than 600 percent in just three years.
-http://news.com.com/2102-7349_3-6061878.html?tag=st.util.print
-http://www.eweek.com/print_article2/0,1217,a=175797,00.asp
[Editor's Note (Boeckman): In the article, McAfee cites an "open-source environment" as part of the problem with rootkit proliferation. This would imply that if it was possible to stifle free speech on the web, the problem would go away. I suspect it has more to do with fact that most Windows users operate with administrative privileges. ]

MISCELLANEOUS

Company Reaches Settlement Regarding Deceptive Security Product (13 April 2006)

SoftwareOnline.com has agreed to a US$190,000 settlement in a case brought by the Washington state Attorney General's (AG's) office. A four-month investigation conducted by the AG's office resulted in allegations that the company was offering computer users ineffective free scans that inundated their computers with unwanted pop-up ads. The company was also accused of not having an effective uninstall mechanism and of adding products and services to customers' checkout forms. The agreement stipulates that SoftwareOnline make changes to its marketing practices and offer refunds to people who file complaints or request refunds.
-http://www.computerworld.com/printthis/2006/0,4814,110538,00.html

RFID Zapper

(Northcutt): Last week we ran a story on DDoS testing for RFID networks. Chris Byrnes was kind enough to send me this link from a Gartner security blog. What fun, what an important concept for people associated with RFID technology to be aware of, an RFID Zapper:
-https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/