SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #60

August 01, 2006

TOP OF THE NEWS

GAO: DHS Not Prepared for Major Cyber Security Event
Visa Will Require Some Merchants to Adhere to Stricter Security Rules
US Army Computers Required to Incorporate TPM

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
Foreign Companies Face SOX Compliance Deadline
SPYWARE, SPAM & PHISHING
GSA Warns of Phishing Scheme
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Firm Will Pay US$525,000 for Using Unlicensed Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
JavaScript Could be Used to Map Networks, Launch Attacks
Flaw in IKE Protocol in Cisco VPN 3000 Series Concentrators
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Insurance Co. Notifies Claimants of Data Theft
CIS Employee Data Exposed
MISCELLANEOUS
Banks Will be Audited Against FFIEC Guidelines

---

********* Sponsored By Check Point Software Technologies, Inc. *********

Download FREE white paper and learn how Check Point's UTM solutions simplify security deployment by integrating proven security functions, including firewall, intrusion prevention, antivirus, anti- spyware, Web application firewall, endpoint security enforcement, and IPSec and SSL VPN connectivity. These solutions eliminate the need for many standalone security solutions, and provide universal updateability, centralized management and reporting.
http://www.sans.org/info.php?id=1245

*************************************************************************

Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

GAO: DHS Not Prepared for Major Cyber Security Event (28 July 2006)

According to a report from the Government Accountability Office (GAO), the US is not adequately prepared to deal with a major failure of the Internet. The Department of Homeland Security (DHS) has been given the task of "coordinating cyberspace security and recovery," but the GAO's report indicates "the initiatives so far lack authority and the relationship between the initiatives is unclear." Senator Tom Coburn (R-Okla.) chastised the DHS for being late in submitting testimony for a senate subcommittee hearing and for spending "millions of dollars over the past year" with little to show for it. Coburn was also displeased that DHS "released the national infrastructure protection plan three years late and has not hired an assistant secretary in charge of cyber security and Internet recovery." The GAO's report identifies the challenges faced in creating an Internet recovery plan, including "leadership and organizational uncertainties within DHS, the private sector's reluctance to share information and the nature of the Internet itself."
-http://www.govexec.com/story_page.cfm?articleid=34657&printerfriendlyVers=1&
amp;
-http://www.fcw.com/article95466-07-28-06-Web
-http://www.gcn.com/online/vol1_no1/41519-1.html?topic=security
-http://news.com.com/2102-7348_3-6099753.html?tag=st.util.print
-http://www.gao.gov/new.items/d06863t.pdf
[Editor's Note (Ranum): DHS was given a charter with no enforcement powers, over a problem for which they lack the skills. The fact that they are hopelessly helpless shouldn't surprise anyone. ]

Visa Will Require Some Merchants to Adhere to Stricter Security Rules (26 July 2006)

Visa USA has reclassified roughly 1,000 merchants under the Payment Card Industry (PCI) standards program, making them subject to more stringent security requirements. Merchants who processed fewer than 6 million card transactions annually were previously designated Level 4, but have been moved to Level 2, meaning they are "required to submit quarterly network-vulnerability scans" and complete a self-assessment questionnaire. Level 4 merchants were not required to comply, though VISA USA has suggested they do. The affected merchants must be in compliance with the security measures by September 30, 2007. In addition, approximately 1,000 merchants who process fewer than 1 million card transactions annually will be moved from level 3 to level 4, diminishing their security requirements.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002011
[Editor's Note (Schultz): The fact that VISA USA is requiring merchants to conform to more rigorous security standards is a very positive development in the fight against identity theft and other types of fraud. However, the fact that VISA USA has relaxed security requirements for other merchants without offering any explanation is troubling. ]

US Army Computers Required to Incorporate TPM (31 & 28 July 2006)

All new US Army computers will soon be required to have the Trusted Platform Module (TPM) to enhance security. If TPM proves successful in US Army computers, the Joint Task Force for Global Network operations may make it a requirement across the Defense Department. US Army officials believe TPM provides "strong data protection and authentication to access the network."
-http://www.fcw.com/article95467-07-31-06-Print
-http://www.securityfocus.com/brief/265
[Editor's Note (Northcutt): TPM, Trusted Platform Module, is a hardware chip built into newer laptops to store passwords, encryption keys, and digital certificates. Implemented correctly, it increases the security of encrypted data and gives managers tools to enhance identity and authentication. It "plays nicely" with PKI, so Army-wide implementation should be possible. However, serious testing is needed. The Dell laptops we are receiving at SANS come with TPM and a listening service on port 10001. They vulnerability of that services should be checked. In addition, some TPM the implementations run with system privileges and this is allowed by the TCG specifications. It is important to understand if your TPM implementation allows remote access and at what privilege level.
(Boeckman): Years ago the DoD mandated that all computers purchased have a PCMCIA slot on them so the could be secured with "Fortezza" cards that were being distributed by the MISSI program. I suspect this TPM solution will be just as successful. If step 1 in your security plan involves buying some sort of silver bullet and step 2 is to load a whole bunch of really horrible software, you will probably never succeed. ]

---

********************** Sponsored Links: *******************************

1) Free software! Patch & Spyware Management! A complete security solution from Shavlik.
http://www.sans.org/info.php?id=1246

2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info.php?id=1247

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION

Foreign Companies Face SOX Compliance Deadline (26 July 2006)

Non-US companies listed in the US now have one year or less to comply with certain provisions of the Sarbanes-Oxley Act (SOX). Section 404 of SOX requires foreign companies to establish internal security policies and controls by the end of their fiscal years following July 15, 2006. Some companies have been making changes with an eye to SOX compliance for several years. Public US companies were required to be SOX compliant by November 2004.
-http://www.silicon.com/financialservices/0,3800010364,39160788,00.htm

SPYWARE, SPAM & PHISHING

GSA Warns of Phishing Scheme (31 July 2006)

The US General Services Administration (GSA) has issued a warning about a phishing scam that pretends to come from fraud@firstgov.gov. The phony email asks recipients to click on a link to Money Access Online to ensure the account has not been compromised; if people click on the link, they are asked to provide their credit card numbers. GSA says people who receive the email should not respond. The agency is investigating.
-http://www.gcn.com/online/vol1_no1/41521-1.html?topic=security

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Firm Will Pay US$525,000 for Using Unlicensed Software (31 July 2006)

A US-based chemical transport company has agreed to pay US$525,000 for using unlicensed software. The vendor of the software, Achiever Business Solutions, had not been able to reach an agreement with the unnamed company, but the Federation Against Software Theft provided the company with evidence that convinced them they needed to settle the claim.
-http://www.theregister.co.uk/2006/07/31/fast_finds_pirate/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

JavaScript Could be Used to Map Networks, Launch Attacks (31 July 2006)

JavaScript could be used to map networks and launch browser-based attacks on connected devices. If malicious JavaScript is embedded in a web page, it will run with no warnings. The attacks will not be stopped by firewalls because they run through the users' browsers. The JavaScript could be on a specially crafted site, or it could be placed on other websites through cross-site scripting.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39378884-39000005c

Flaw in IKE Protocol in Cisco VPN 3000 Series Concentrators (27 & 26 July 2006)

A vulnerability in the Internet Key Exchange (IKE) Protocol in Cisco Systems' VPN 3000 Series concentrators could be exploited to cause a denial-of-service condition. Attackers do not need to be logged in to exploit the flaw. Cisco says the flaw affects version 1 of the IKE Protocol. Because the problem is with the protocol, a patch may be difficult to develop; the flaw "is not related to a vendor-specific implementation." Cisco will look into workarounds for the various products that use the protocol.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=191501225
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1205052,0
0.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Insurance Co. Notifies Claimants of Data Theft (29 July 2006)

Wisconsin-based Sentry Insurance has acknowledged that the personal information of 72 individuals who had filed worker's compensation claims was stolen and sold on the Internet. Data belonging to more than 112,000 other claimants was also stolen, but Sentry said it has not seen evidence that the other data were sold. The information includes names and Social Security numbers (SSNs); no medical records were compromised. Sentry has notified all individuals affected by the security breach. The Secret Service has arrested a consultant hired by Sentry in connection with the data theft.
-http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm
-http://www.wbay.com/Global/story.asp?S=5213937

CIS Employee Data Exposed (27 July 2006)

A US Citizenship and Immigration Services (CIS) employee inadvertently posted personal information belonging to 8,700 CIS employees to the Department of Homeland Security (DHS) Intranet. The data include SSNs and levels of pay. The link was accessed a dozen times before it was removed. Officials do not know how long the information was available. The incident is under investigation. In addition to this incident, CIS has exposed sensitive information twice in recent months.
-http://washingtontimes.com/functions/print.php?StoryID=20060727-120633-3965r

MISCELLANEOUS

Banks Will be Audited Against FFIEC Guidelines (28 July 2006)

US banks have until December 31, 2006 to comply with the Federal Financial Institutions Examination Council's (FFIEC) guidelines for authenticating online banking customers. Some banks used the October 2005 release of the guidelines as a jumping-off point for incorporating strong authentication into their systems. Other banks may not be ready for the deadline because the guidelines do not tell them what methods of authentication to use and they are not mandatory. The guidelines offer flexibility for the banks to determine which methods will work best in their situations. Although the guidelines are not mandatory, "banks will be audited against them starting" in 2007. Gartner's Avivah Litan estimates that just 20 percent of US banks are presently in compliance with the guidelines.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9002085

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/