SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #56
July 18, 2006
Short Deadline Free Training Opportunity: Free SCADA and Process Control Security Courses (Las Vegas, September 28 - 30), sponsored by the Department of Homeland Security and the Department of Energy; taught by the experts at Idaho National Labs - one for management; one hands-on for practitioners -- both engineers and IT people.
Register immediately to get one of the seats. (Please forward this note to your engineering staff if they don't get NewsBites; the courses are great for getting process control engineers smart about security.)
And if you have any substantial role in deploying and/or securing SCADA or process control systems, you'll want to stay for the SCADA Security Summit where 300 asset owners are coming together to get an update on the size and character of the threat and to launch the new security procurement standards that all SCADA and process control system buyers will use to ensure their systems are delivered with state of the art security.
-- Details and registration at http://www.sans.org/scadasummit_fall06/
And if they really want to master security, they can stay for courses at Network Security 2006, the largest computer security training program in the world, held in the same hotel in Las Vegas and starting at the end of the Summit.
Research Opportunity: The SANS Log Management Summit was a success and a lot of valuable information was shared by the presenters. Two great community research projects came out of it. They are listed as the last item in this issue.
TOP OF THE NEWS
White House Data Encryption Directive
OMB Directive Requires Reports of Suspected as Well as Confirmed Security Incidents
State Dept. Acknowledges Attacks on Systems
Attempt to Amend UK's Police and Justice Bill 2006 Appears to be Unsuccessful
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Gets House Arrest for Exceeding Authorized Access to FBI Computer System
China Jails Internet Writer for Subversion
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Appeals Court Reverses Order to Disconnect Interior from Internet
DHS Has Yet to Hire Assistant Secretary for Cybersecurity
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Dutch Court Says ISPs Don't Have to Disclose Identities of Suspected File Sharers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Zero-Day PowerPoint Flaw Already Being Exploited
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Northwestern Notifies Affected Students and Applicants of Data Security Breach
STATISTICS, STUDIES & SURVEYS
CA Study Finds 20 Percent of Irish Internet Users Wary of Online Transactions
MISCELLANEOUS
Microsoft Pulls Private Folder 1.0 in Wake of Data Recovery Concerns
Links to Documents Containing Personal Data Removed from Web Site
Computer Containing Personally Identifiable Info. Removed from Va. Courthouse
Research Opportunities To Help With Log Management and SEIM
********* Sponsored By Check Point Software Technologies, Inc. *********
View FREE webcast and learn how Check Point's UTM solutions simplify security deployment by integrating proven security functions, including firewall, intrusion prevention, antivirus, anti-spyware, Web application firewall, endpoint security enforcement, and IPSec and SSL VPN connectivity. These solutions eliminate the need for many standalone security solutions, and provide universal updateability and centralized management and reporting.
http://www.sans.org/info.php?id=1232
*************************************************************************
Summer Security Training Extravaganza
Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/training_events
*************************************************************************
TOP OF THE NEWS
White House Data Encryption Directive (17 July 2006)
The White House has issued a directive that requires government agencies to encrypt all sensitive data by early August. However, some security professionals have expressed concern that the government may not be paying adequate attention to other issues that have an impact on data security, such as the location of sensitive data, restriction of access to that data and adequate budgets and allocations. Others question the practicality of encrypting all data.
-http://www.eweek.com/print_article2/0,1217,a=183507,00.asp
OMB Directive Requires Reports of Suspected as Well as Confirmed Security Incidents (14 & 13 July 2006)
The Office of Management and Budget (OMB) issued a memorandum on July 12 expanding the types of incidents that need to be reported within one hour. The new rule includes all security incidents that potentially threaten the security of "personally identifiable information." The one-hour rule applies to physical and computer security and to suspected as well as confirmed breaches. The previous time frame for reporting incidents involving improper usage of personally identifiable information was one week.
-http://www.govexec.com/story_page.cfm?articleid=34555&printerfriendlyVers=1&
-http://www.gcn.com/online/vol1_no1/41334-1.html
[Editor's Note (Pescatore): There was already a one hour reporting requirement for unauthorized access incidents (category 1) in NIST SP 800-61, which the OMB memo references. What changed from weekly reporting to one hour are "improper usage" incidents (category 4) that involve personally identifiable information. Improper usage is a very broad category - they need to be more specific here. They did give more specific guidance in a very good area: the memo says "You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches" which basically eliminates the "well, there is no proof anyone actually used the data, let's wait and see" reasons for not reporting.
(Schultz): I like the idea of requiring prompt notification, but one hour seems much too short. For one thing, many events that initially appear to be security-related incidents do not turn out to be such after more evidence is collected and analyzed over time. With a one hour reporting requirement, many false alarms are thus likely to be reported as incidents, something that unfortunately will cause considerable fallout. ]
State Dept. Acknowledges Attacks on Systems (13 July 2006)
The US State Department says it is working with Carnegie Mellon University's Computer Emergency Response Team and the FBI on the investigation into cyber attacks that targeted US embassies in the East Asia-Pacific region and State Department headquarters in Washington DC. The systems attacked were unclassified and an initial investigation indicates "no compromise of sensitive US government information." A department spokesperson said the attacks were not the result of problems with computer security policies.
-http://www.informationweek.com/showArticle.jhtml?articleID=190303153
[Editor's Note (Multiple): The State Department seems to be using its great skill at "spin" to use words that imply State Department systems were not compromised. Their systems were compromised; that's the problem.
(Ranum): Other news sources such as
-http://news.yahoo.com/s/ap/20060711/ap_on_go_ca_st_pe/hackers_state_department
make it sound as if the penetration was somewhat more successful, and also raise interesting questions. Why was SSL shut off? Was it being used as an encrypted control channel to bypass firewalls? The InformationWeek report on the story appears to be carefully downplaying the severity of the incident; there is a difference between "attacked" and "penetrated."
(Paller): US Government officials have been very successful in pretending that sensitive systems are well protected. They accomplish that by using FOUO (for official use only) and security classifications to stop their employees and contractors from talking about the myriad penetrations. The net impact is that the agencies and contractors avoid public embarrassment for not securing their systems. In one case, senior government officials even extended the FOUO secrecy to help their friends in a private think tank hide the fact that visitors to the think tank's web site were being infected. The infected visitors still don't know how their problems began. The public has no clue about the huge number of government and government contractor systems that are penetrated or the number of government and contractor systems that have been under the control of outside, unauthorized and malicious people and nation-states. Because the public and Congress are kept in the dark about the size of the problem, Congress feels no pressure to fix the problem. ]
Attempt to Amend UK's Police and Justice Bill 2006 Appears to be Unsuccessful (July 2006)
An amendment to the Police and Justice Bill 2006, which was created to amend UK's Computer Misuse Act, "did not pass committee stage discussions," leaving the peer who introduced it doubting if it will ever be made into law. Lord Northesk had proposed the amendment because the new law could be interpreted to criminalize legitimate actions of police and security professionals. Lord Northesk hoped to delete a portion of the Act that says people who make available tools that could be used to break into computers are committing a criminal act. Lord Northesk is also concerned that the law could criminalize penetration testing and ethical hacking.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39278707-39020375t-10000025c
************************* Sponsored Links: ****************************
1) FREE WhatWorks Webcast: Deep IMPACT: Justifying the Security Budget You Need Using Automated Penetration Testing Thursday, July 20 at 8:00 AM EDT (1200 UTC/GMT)
http://www.sans.org/info.php?id=1233
2) Track & Recover Stolen Laptops - Guaranteed! Download a free white paper on Laptop Security.
Computrace Complete:
http://www.sans.org/info.php?id=1234
3) Simple Solutions for Email Defense - Webinar featuring Michael Osterman - July 26th. Click here!
http://www.sans.org/info.php?id=1235
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Gets House Arrest for Exceeding Authorized Access to FBI Computer System (14 July 2006)
Joseph Thomas Colon, the computer consultant who pleaded guilty to exceeding authorized access to FBI computers, has been sentenced to six months of home detention and ordered to pay US$20,000 in restitution. Colon could have received an 18-month prison sentence. Colon said an FBI agent provided him with the password to an FBI system to help expedite his work.
-http://www.msnbc.msn.com/id/13861887/
[Editor's Note (Boeckman): So he hacks the FBI and gets grounded? No wonder the criminals are not worried about getting caught. ]
China Jails Internet Writer for Subversion (14 July 2006)
China has sent another Internet journalist to jail. Li Yuanlong received a two-year sentence; his lawyer said he would appeal. In February, Li was charged with publishing essays that "fabricated, distorted and exaggerated facts, incited subversion of the state and (sought) to overthrow the socialist system." In 2003, another man who faced the same charges received a five-year prison sentence; in March, a teacher was sentenced to 10 years in prison for posting writings critical of the Chinese government on the Internet.
-http://www.silicon.com/research/specialreports/china/0,3800011742,39160301,00.htm
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Appeals Court Reverses Order to Disconnect Interior from Internet (17 July 2006)
The US Court of Appeals for the District of Columbia has reversed a lower court order requiring the Interior Department to disconnect computer systems from the Internet. The opinion of the appellate court acknowledges security problems with Interior's systems, but said the potential disruption caused by "the disconnection order outweighs the class members' need for an injunction." The opinion also expressed concern that "if (they) granted injunctive relief here, based only on (the department's) security vulnerabilities and not on a showing of some imminent threat .... (they) would essentially be justifying perpetual judicial oversight of Interior's computer systems." The appellate court also reassigned the case to a different judge.
-http://www.fcw.com/article95289-07-17-06-Print&printLayout
DHS Has Yet to Hire Assistant Secretary for Cybersecurity (14 & 13 July 2006)
The position of Assistant Secretary for Cybersecurity and Telecommunications at the Department of Homeland Security (DHS) is still vacant, one year after it was created. The person in this position will report to one of three top-level officials who report directly to DHS Secretary Michael Chertoff. A spokesperson said DHS would be naming a candidate for the Assistant Secretary position soon.
-http://news.com.com/2102-7348_3-6094055.html?tag=st.util.print
-http://www.gcn.com/online/vol1_no1/41332-1.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Dutch Court Says ISPs Don't Have to Disclose Identities of Suspected File Sharers (14 July 2006)
A Dutch appeals court has upheld a lower court's decision not to order ISPs to provide BREIN, a Dutch anti-piracy group, with the names of suspected filesharers. The court determined that the methods used to obtain IP addresses "had no lawful basis under European privacy laws." BREIN plans to take its case to a higher court.
-http://www.theregister.co.uk/2006/07/14/fileswappers_protected/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Zero-Day PowerPoint Flaw Already Being Exploited (14 July 2006)
Microsoft is investigating reports of a zero-day vulnerability in PowerPoint. Users' machines would become infected only if they are tricked into opening a maliciously crafted PowerPoint document. Attacks exploiting the flaw have already been detected; a PowerPoint attachment to spam has been found to contain the PPDDropper.b Trojan horse program, which places a backdoor called Bifrozse.e on infected computers.
-http://www.techweb.com/wire/190400376
[Editor's Note (Pescatore): There is always a swarming effect in vulnerability discovery. The Microsoft Office package is currently experiencing it - a steady stream of Word, Excel and PowerPoint vulnerabilities is coming out. Vulnerability and patch management processes need to include more than just operating systems. ]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Northwestern Notifies Affected Students and Applicants of Data Security Breach (16 & 15 July 2006)
Cyber intruders accessed nine desktop computers at Northwestern University's Office of Admissions and Financial Aid. School officials are notifying approximately 17,000 students and applicants whose personal data were held on those computers; there is no evidence the intruders accessed the data. The intrusion was detected in May and has been under investigation for two months. The breach occurred after troubleshooting software, which allowed remote computer access, was installed on the machines.
-http://www.suntimes.com/output/news/cst-nws-hack15.html
-http://www.chicagotribune.com/news/local/chicago/chi-0607160386jul16,1,3634321.story?coll=chi-newslocalchicago-hed
STATISTICS, STUDIES & SURVEYS
CA Study Finds 20 Percent of Irish Internet Users Wary of Online Transactions (17 & 14 July 2006)
A Computer Associates-sponsored survey of 1,200 Irish citizens ages 15 and older found that Irish consumers' concern about identity fraud could be costing Irish Internet businesses as much as 250 million Euros (US$312.9 million) annually. Twenty-five percent of respondents do not conduct online transactions; if extrapolated, the statistic indicates 350,000 Irish Internet users are not conducting business online.
-http://www.theregister.co.uk/2006/07/17/irish_security_conscious/print.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single6743
MISCELLANEOUS
Microsoft Pulls Private Folder 1.0 in Wake of Data Recovery Concerns (17 July 2006)
Microsoft has "pulled" Private Folder 1.0, a Windows add-on. The free software allowed users to protect folders with passwords; the purpose of the software is to help people who share PCs protect their data from others who use the same computer. The software was available to users participating in Microsoft's Windows Genuine Advantage software verification program. Corporate users complained the software could create situations in which company data would be inaccessible to those who need it.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001814
-http://www.vnunet.com/vnunet/news/2160481/microsoft-axes-private-folder
-http://news.zdnet.co.uk/software/windows/0,39020396,39278939,00.htm
[Editor's Note (Pescatore): Encryption always seems so simple until you think through the key management issues. ]
Links to Documents Containing Personal Data Removed from Web Site (16 July 2006)
The Mississippi Secretary of State's office has disabled links to thousands of documents that made citizens' personal data, including names and SSNs, publicly accessible. The documents, known as Uniform Commercial Code filings, are created when people put up collateral for a loan and are public.
-http://www.clarionledger.com/apps/pbcs.dll/article?aid=/20060716/news/607160386/1001
Computer Containing Personally Identifiable Info. Removed from Va. Courthouse (14 July 2006)
A computer found to contain the names and SSNs of hundreds of people was removed from the Hampton (Virginia) Circuit Court building last week. The computer had been placed in the building to allow title searchers to check for back taxes on properties. Police are examining the computer's hard drive and trying to figure out who had access to the data.
-http://www.dailypress.com/news/dp-74086sy0jul14,0,2456559.story?track=dmodtemailedlink
Research Opportunities To Help With Log Management and SEIM
One of the conclusions by the Log Management Summit attendees was that a better methodology is needed to assist organizations that have not yet implemented a log management solution or who need to implement a much better one. If you have experience in implementing a SIEM or an industrial-strength syslog parser and are willing to share some of your tips, please write to Stephen@sans.org. We will put your name in the SCORE checklist (if you wish) and give you first access to the completed work, assuming there is enough participation to complete the project.
The second research project, led by Chris Calabrese, will work toward establishing consensus standards for applications and systems to deliver logs to log management systems. Vendors and users are desperate for such standards. If you can help, because you have built links between applications and log consolidation software, or if you have any other relevant experience, email ccalabrese@sans.org.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/