SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #54
July 11, 2006
TOP OF THE NEWS
New Payment Card Industry Rules Will Address Application Level SecurityConsultant Pleads Guilty to Exceeding Authorized Access of FBI Computers
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESUK Interior Minister Approves McKinnon Extradition
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Navy Investigating Aviator Data Exposure
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BPI Asks ISPs to Close Accounts of Copyright Violators
File Sharing Up in Spite of Grokster Ruling
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Issue Seven Bulletins on July's Patch Tuesday
New Excel Flaw Reported
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Univ. of Tennessee Cyber Intruder Used Computer to Store Movies
STATISTICS, STUDIES & SURVEYS
Survey Finds Incidence of Breaches on the Rise
Which Security Tools Work With Windows98
********************* Sponsored By ArcSight, Inc. ***********************
Secrets for Sale! Attacks from malicious insiders are difficult to detect and often more devastating than outside security breaches. Learn how to prevent the loss of your confidential data in our free whitepaper, Addressing Insider Threats. Authored by ArcSight, the leader in security, compliance and insider threat.
http://www.sans.org/info.php?id=1217
*************************************************************************
Summer Security Training Extravaganza
Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
New Payment Card Industry Rules Will Address Application Level Security (7 July 2006)
Visa USA Inc. and MasterCard International plan to release new rules to update the Payment Card Industry (PCI) data security standard within the next two months. The updated rules will address application level security; many emerging threats are targeting application vulnerabilities. The new rules will also require third parties to establish controls for ensuring credit card data security. Companies not in compliance with the PCI standard could be fined or lose the privilege of processing credit cards.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9001637
[Editor's Note (Schultz): Visa USA and MasterCard are most correct in recognizing that application-level security is rapidly becoming the new "playing field" in information security. I am particularly concerned about the almost universally inadequate logging of potentially important security-related events in applications. I also very much like the fact that these companies are putting pressure on third parties to establish controls for credit card security.]
Consultant Pleads Guilty to Exceeding Authorized Access of FBI Computers (6 July 2006)
Network engineer Joseph Thomas Colon has pleaded guilty to four charges of exceeding authorized access for breaking into FBI computers that held data regarding the Witness Protection Program and counterintelligence activities. Colon was working as a consultant on the now-scrapped Trilogy project at the time. He allegedly used an FBI agent's credentials to access a file that held 38,000 encrypted passwords for FBI system users. Colon reportedly obtained the password from an FBI agent to avoid "bureaucratic delays in performing 'such routine and mundane tasks as setting up workstations, printers, user accounts and to move individual computers from one operating system to another.'" Colon allegedly decrypted the passwords and used them to access the sensitive systems. Colon has been fired from his job and his top-secret security clearance has been revoked. He will be sentenced on July 13. "Prosecutors do not believe Colon was trying to damage national security or use the information for financial gain" and are seeking a sentence of approximately one year in prison.-http://www.securityfocus.com/brief/244
-http://www.msnbc.msn.com/id/13738637/
[Editor's Note (Honan): As demonstrated by this story, all the technology controls in place can be undermined by someone simply giving away their password in order to make life easier. When deploying controls and/or security policies it is essential that users are properly educated as to why it is necessary to have the controls in place.
(Weatherford): The prosecutors can trivialize it all they want but this is a bad guy! Exceeding authorized access is the least of his nefarious activities IMHO. He had a Top Secret security clearance, probably with some additional special accesses, and was working on a classified project. Colon knew what he was doing and that circumventing the security controls of an FBI system probably wouldn't look good on a resume. What did he do after decrypting passwords and accessing these systems? Simple curiosity? It will be interesting to see what his final sentence is and how much time he actually serves. ]
************************* SPONSORED LINKS ******************************
1) FREE Webcast - Simplify network security by consolidating security functions into proven, truly integrated UTM solutions.
http://www.sans.org/info.php?id=1215
2) ALERT: How do you protect what you can't see? Stop protecting while blind. Gain network visibility now. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info.php?id=1216
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
UK Interior Minister Approves McKinnon Extradition (7 July 2006)
John Reid, UK Secretary of State for the Home Department, has approved Gary McKinnon's extradition to the US to face charges of illegally accessing nearly 100 US government computers. McKinnon has two weeks to appeal the order. He admits he accessed the computers, but denies causing any damage. If tried, McKinnon could face up to 70 years in prison and fines of as much as US$1.75 million.-http://news.com.com/2102-7348_3-6091493.html?tag=st.util.print
[Editor's Note (Schmidt): This is another instance where we are holding criminals accountable for their actions. This is a clear case where international borders are not an impediment to prosecution.
(Grefer): Although Mr. McKinnon might not have caused any damage to the systems, there was still a substantial effort involved in tracking down what he did and how he did it. As such, there are indirect damages in the form of government contractor and employee hours that could not be dedicated to their regularly scheduled activities and tasks. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Navy Investigating Aviator Data Exposure (8 & 7 July 2006)
The Navy is investigating how the personal information belonging to more than 100,000 Navy and Marine Corps aviators became available on a public web site for more than six months. The file was removed from the Naval Safety Center (NSC) site as soon as officials became aware of the situation. NSC acknowledged the data include SSNs of all Navy and Marine aviators who have served over the last 20 years. The data were also included on disks sent to Navy and Marine Corps commands; NSC is attempting to recall the 1,083 disks and is notifying all those affected by the data security breach.-http://www.washingtonpost.com/wp-dyn/content/article/2006/07/07/AR2006070700945_
pf.html
-http://www.fcw.com/article95202-07-08-06-Web
-http://news.com.com/2102-1009_3-6091936.html?tag=st.util.print
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BPI Asks ISPs to Close Accounts of Copyright Violators (10 July 2006)
The BPI, the trade association for the UK record industry, has asked two Internet service providers (ISPs) to suspend nearly 60 accounts it says are being used to share digital music files in violation of copyright law. The BPI used file-sharing networks to collect "unequivocal evidence of copyright infringement" and is now demanding that the ISPs, Tiscali and Cable & Wireless, "enforce their own terms of use" which prohibit the use of Internet accounts to infringe on others' copyrights.-http://news.zdnet.com/2100-9588_22-6092034.html
File Sharing Up in Spite of Grokster Ruling (30 June 2006)
Despite what some believed to be a landmark decision in favor of music copyright holders, the number of individuals who use file-sharing services has increased in the last year. One year ago, the US Supreme Court ruled that developers of file sharing programs could be held liable for copyright violations committed by the programs' users if it were established that the companies were encouraging digital piracy. Some file sharing companies shuttered their operations, but others are still in business.-http://www.siliconvalley.com/mld/siliconvalley/14941434.htm?template=contentModu
les/printstory.jsp
[Editor's Note(Schmidt): If the only issue about file sharing services involved copyright violations, it would be something only for intellectual property experts to worry about. Unfortunately, the number of corporate, government, and personal documents available in file sharing services mean that this is also a big security risk.
(Weatherford): I'm still convinced that the common P2P user doesn't understand the potential vulnerabilities associated with file sharing; those that do understand still don't take the threat seriously. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Issue Seven Bulletins on July's Patch Tuesday (6 July 2006)
Microsoft will release seven security bulletins on Tuesday July 11. Four bulletins will address flaws in Microsoft Windows and three will address flaws in Microsoft Office. The maximum severity rating for the bulletins is critical; some of the fixes will require restarts.-http://www.microsoft.com/technet/security/bulletin/advance.mspx
New Excel Flaw Reported (6 July 2006)
Microsoft is investigating reports of a flaw in Microsoft Excel that could be exploited to take control of vulnerable systems. This marks the third reported flaw in Excel in just one month. Users would need to be convinced to open a maliciously crafted Excel file. The flaw affects Japanese, Korean and Chinese language users of Excel 2000, 2002 and 2003 and Office 2000, XP and 2003.-http://news.com.com/2102-1002_3-6091480.html?tag=st.util.print
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Univ. of Tennessee Cyber Intruder Used Computer to Store Movies (7 July 2006)
Someone broke into a University of Tennessee computer and used it to store and share movies. While the computer held the names, addresses and Social Security numbers (SSNs) of roughly 36,000 former and current university employees, school officials do not think the intruder used that information.-http://www.wbir.com/news/local/story.aspx?storyid=35838&provider=kns
STATISTICS, STUDIES & SURVEYS
Survey Finds Incidence of Breaches on the Rise (7 July 2006)
A survey from Computer Associates found that the incidence of security breaches has increased 17 percent over the last three years. Eighty-four percent of the 642 businesses and state and local government agencies surveyed said they had experienced a security breach within the last year. Of those reporting security breaches, 54 percent said the incident caused a loss in productivity, 20 percent said they lost revenue and 25 percent said their reputations suffered. Thirty-eight percent of the breaches were of internal origin.-http://www.eweek.com/print_article2/0,1217,a=182791,00.asp
[Editor's Note (Honan): It is interesting to note that this survey highlights the external threat is becoming more prevalent than the internal one.]
Which Security Tools Work With Windows98 (11 July 2006)
Microsoft's decision to stop supporting Windows98 leaves some users wondering how unsupported they are. Washington Post security journalist Brian Krebs tested dozens of tools to answer that question. Very readable.-http://blog.washingtonpost.com/securityfix/2006/07/a_look_at_windows_98mefriendl
y.html
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/