SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #38
May 12, 2006
TOP OF THE NEWS
DDoS Attacker Can be Tried Under CMA, Says High CourtThree States Direct Officials to Take Extra Precautions with Diebold Touch Screen Machines
Judge Rules McKinnon May be Extradited
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHINGHong Kong Court Says ISPs Must Divulge Names of Suspected Movie Downloaders
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Warner to Offer Digital Video Content Through BitTorrent
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Tuesday Addresses Two Critical Vulnerabilities
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Pentagon Notifying '01 Conference Registrants of Data Security Breach
Chip and PIN Fraud Hits Lloyds TSB
Nine Arrested In Connection with UK Shell Station Chip and Pin Fraud
MISCELLANEOUS
FBI Investigating Huge Cache of Personal Data Ripe for Identity Fraud
St. Louis Police Investigating Gas Pump Reprogramming Incidents
New Colorado Law Gives Teeth To State CISO
****************** SPONSORED BY SANSFIRE 2006 ***************************
TRAINING UPDATE SANSFIRE 2006 IN WASHINGTON DC
July 5-13 - Bring your family for the fireworks and stay for SANS largest conference in Washington.
The industry's best security courses - extraordinary faculty; authoritative up-to-the-minute material - shows you how to do the job and gives you the confidence to go back and do it immediately.
"Jacked my paranoia level up around my ears, and then gave me the tools to manage the threat." (Don Geiger, DCPS Division of Technology)
Offers every one of SANS' 17 immersion training courses plus 12 short courses and a big exposition: SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion Detection, Auditing, plus training for CISSP exam and all Technical certification required for DoD 8570 and more. Plus special evening sessions by the global security leaders who staff the Internet Storm Center.
http://www.sans.org/sansfire06/
*************************************************************************
TOP OF THE NEWS
DDoS Attacker Can be Tried Under CMA, Says High Court (11 May 2006)
David Lennon, who saw charges against him for deliberately overwhelming his former employer's system with five million email messages dismissed in November 2005, now faces a retrial. Judges at the Royal Courts of Justice have ruled that people deluging others with spam may be prosecuted under the UK's Computer Misuse Act. The judges ruled that the extent of consent to receive email should be decided on a case-by-case basis; they overturned a district judge's ruling that there was no case against Lennon.-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2
006-05-11T143243Z_01_L1190263_RTRIDST_0_OUKIN-UK-CRIME-BRITAIN-SPAM.XML
-http://news.zdnet.co.uk/internet/security/0,39020375,39268334,00.htm
Three States Direct Officials to Take Extra Precautions with Diebold Touch Screen Machines (10 May 2006)
Following the disclosure of a security hole in certain Diebold electronic voting machines, officials in California, Iowa and Pennsylvania have advised local officials to take steps to enhance the security and reliability of electronic voting. A feature on Diebold Election System touch screen voting machines could allow unauthorized software to be loaded onto the machines. A Diebold spokesperson said there is no evidence election results have been affected as the result of the hole, but the company is nonetheless developing a fix to allay fears. In Pennsylvania, local election registrars were instructed to sequester the machines, and to reinstall the software just before testing and certifying the machines. California and Iowa have seen similar directives.-http://www.washingtonpost.com/wp-dyn/content/article/2006/05/10/AR2006051002276_
pf.html
-http://www.chicoer.com/news/bayarea/ci_3805089
[Editor's Note (Pescatore) Read the story below on people reprogramming gas pumps and then read the Blackboxvoting report on the most recent vulnerabilities in these electronic voting machines - eerily similar. Now, I may be picky but I would sort of like my voting machines to be a bit more secure than my gas pumps. What really, really needs to be looked at is what sort of certification process the states use that allowed these machines to be accepted.]
Judge Rules McKinnon May be Extradited (10 May 2006)
A British judge has ruled that Gary McKinnon may be extradited to the United States to face charges of illegally accessing nearly 100 computers and damaging Army, Navy, Air Force and NASA computer systems. McKinnon maintains he was merely searching for hidden evidence of UFOs. British Home Secretary John Reid must decide within two months whether or not to approve McKinnon's extradition. McKinnon fears that if he is tried in the US, he could be prosecuted under anti-terror laws and sent to Guantanamo Bay, though he has received assurances that he will not face a military tribunal.-http://www.timesonline.co.uk/article/0,,11069-2174108,00.html
-http://www.mercurynews.com/mld/mercurynews/business/14546132.htm
*********************** Sponsored Links: ******************************
1) Free WhatWorks Webcast next week - WhatWorks in Log Management:
"Judging Log Management with San Bernardino County Superior Court"
Tuesday, May 16 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1148
2) Free Webcast next week - The Mobile User - Remote Access and Security Gateways (Part 2)
Wednesday, May 17 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1149
***********************************************************************
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
Hong Kong Court Says ISPs Must Divulge Names of Suspected Movie Downloaders (10 May 2006)
A Hong Kong court has ordered four Internet service providers (ISPs) to reveal the identities of 49 people who are suspected of illegally downloading several movies. While last year a man was sentenced to three months in jail for making movies available on the Internet with BitTorrent technology, this is the first legal action taken by film companies in Hong Kong against suspected downloaders.-http://australianit.news.com.au/articles/0,7204,19088317%5E15319%5E%5Enbv%5E,00.
html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Warner to Offer Digital Video Content Through BitTorrent (9 May 2006)
Warner Bros. will begin offering movies and television shows through BitTorrent peer-to-peer technology this summer. Movies will be available for rental and purchase download on the Internet the same day they are released in stores. The movies and television shows will play only on the device used to download the content.-http://www.usatoday.com/tech/products/services/2006-05-09-warner-bros-p2p_x.htm
-http://news.bbc.co.uk/2/hi/business/4753435.stm
[Editor's Note (Schultz): This is an innovative solution, one that is well worth trying. I've said in previous editorial comments that the entertainment industry is not faring well in its war against piracy, in large part due to the fact that it has relied upon prosecuting those who download movies and music. At the same time, however, Warner Bros. should not expect smooth sailing with their new initiative. Many buyers are likely to complain that under the new program they will be able to play what they download on only one device. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Tuesday Addresses Two Critical Vulnerabilities (10/9 May 2006)
Microsoft's monthly security bulletins for May address two critical vulnerabilities, one in Exchange Server and the other in Adobe's Macromedia Flash Player in Windows. A remote code execution flaw in Microsoft Exchange Server could allow attackers to install programs, alter and delete data and create new accounts. The flaw also has the potential to be exploited by a worm. A problem in the way Adobe's Macromedia Flash Player in Windows handles flash animation or .swf files, could be exploited to run code remotely and gain control of vulnerable systems. A third vulnerability, in the Microsoft Distributed Transaction Coordinator (MSDTC), received a severity rating of moderate.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39358489-39000005c
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1187464,0
0.html
-http://www.theregister.co.uk/2006/05/10/ms_patch_tuesday/print.html
[Editor's Note (Pescatore): A heads up to enterprises: the Exchange patch contains a previously documented Exchange default configuration change that does a good thing (reduces default privileges) but can break applications such as RIM Blackberry services. Microsoft and RIM seemed to have worked together on this, but applying the patch to Exchange may require configuration changes.
(Ranum): When is the patch madness going to stop? It's time for the industry to realize that you cannot patch your way to security. That's been an ongoing attempt for, what, 10 years now? It hasn't worked because it isn't going to.
(Honan): This story highlights how important securing physical access is in preventing data security breaches. Staff should be trained to challenge people accessing areas or devices they should not and to verify the identity of people claiming to be engineers or staff members from supplier companies.]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Pentagon Notifying '01 Conference Registrants of Data Security Breach (10 May 2006)
The Pentagon has acknowledged that a computer server in which a security breach occurred in April contained personal data belonging to more than 14,000 people who registered for an August 2001 Defense Department conference on health care fraud. Those affected are being contacted. The data exposed includes names, Social Security numbers and credit card information. Authorities are investigating the incident.-http://www.washingtonpost.com/wp-dyn/content/article/2006/05/09/AR2006050901725.
html
Chip and PIN Fraud Hits Lloyds TSB (11 May 2006)
Lloyds TSB has acknowledged it has been experiencing fraud problems with chip and PIN technology; thieves are cloning credit and debit cards and then using them at ATMs outside the UK. The bank does not monitor foreign ATM transactions as part of its fraud detection system.-http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=40897
6&in_page_id=2&ito=1565
-http://www.theregister.co.uk/2006/05/11/lloyds_tsb_chip_and_pin_fraud/print.html
Nine Arrested In Connection with UK Shell Station Chip and Pin Fraud (8 May 2006)
The UK's Apacs says that the chip and pin fraud scam perpetrated at Shell stations in the UK was "an inside job." Over GBP1 million (US$1.88 million) was stolen from customers' accounts. Shell is cooperating with a police investigation; nine people have already been arrested. An Apacs spokesperson said that those responsible for the scam must have had ready access to the PIN pads to be able to modify them to allow the scam.-http://software.silicon.com/security/0,39024655,39158743,00.htm
[Editor's Note (Honan): Note recent TV reports claim the PIN pads were changed by individuals masquerading as support engineers from the PIN pad supplier company. ]
MISCELLANEOUS
FBI Investigating Huge Cache of Personal Data Ripe for Identity Fraud (10 May 2006)
The FBI is investigating a cache of data containing personal information belonging to thousands of people from countries around the world. The information was discovered by Webroot software on a password-protected FTP (file transfer protocol) server in the US and appears to be connected to a Trojan horse program designed to activate when computer users visit certain sites, in this case, certain banking and ecommerce sites.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9000355&taxonomyId=17
St. Louis Police Investigating Gas Pump Reprogramming Incidents (8 May 2006)
Police in St. Louis, Missouri are investigating gasoline thefts at two area stations. Apparently someone has been opening gas pumps and reprogramming their internal keypads to avoid paying for gas. According to one gas station manager, he and his employees do not have the codes for the gas pumps' internal keypads. A company that services one of the gas stations addressed the problem by removing the internal keypads.-http://www.ksdk.com/news/news_article.aspx?storyid=96404
[Editor's Note (Pescatore): But did they remove DIP switch jumpers, PCMCIA or USB connectors in there? If they did, they are actually more secure than the voting machines. ]
New Colorado Law Gives Teeth To State CISO
(From Mark Weatherford, CISO for the State of Colorado and NewsBites editorial board member)The Colorado State legislature has passed HB06-1157 "Concerning the Security of Communication and Information Resources in Public Agencies" with Senate Amendments; it now goes to Governor Owens for signature. This model legislation provides for the formal appointment by the Governor of a Chief Information Security Officer (CISO) and outlines specific duties and responsibilities of the CISO. It also outlines the responsibilities of Colorado public agencies to develop an information security plan in accordance with CISO guidance. Most importantly, it provides a specific timeline for implementation and also gives the CISO authority to enforce the information security program. This legislation will have a profound effect on our ability to secure the information system resources in Colorado state government. This is not the cleaned-up version the Governor will be signing.
-http://www.leg.state.co.us/clics2006a/csl.nsf/fsbillcont3/1AC9702BE67DC944872570
68005112E5?open&file=1157_ren.pdf
==end==
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
