SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #70
September 05, 2006
This Thursday, discover what cyber incidents have actually impacted electric utilities, pipelines and other industries that use industrial control systems and why attacks are increasing now. The *free* webcast summarizes data reported by 22 organizations plus information from penetration testers who have sensitive penetrated control systems from the open Internet. (Plus a couple of surprises) 9/7 3PM EDT: http://www.sans.org/webcasts/show.php?webcastid=90748
This Friday (Sept. 8) is the deadline for early registration for the largest Process Control & SCADA Security Conference and the largest security training program (Network Security 2006), both in Las Vegas in about 4 weeks.
SCADA Security Summit: http://www.sans.org/scadasummit_fall06/
Network Security 2006: http://www.sans.org/ns2006/caag.php
Finally, all SANS alumni in the US should now have received the paper newsletter summarizing the top new attack tools and the top ten trends that will shape cyber security in 2007, but 13,000 were returned with bad addresses. If you are a SANS US alumnus, and didn't get the newsletter, check your postal mailing address at portal.sans.org. And if you have registered for a SANS conference or are a SANS alumnus who lives outside the US, send us your surface mailing address (after verifying that it is correct at the SANS portal) and we'll mail you a copy right away. The trends will be presented in detail at SANS Network Security 2006 in Las Vegas.
Alan
TOP OF THE NEWS
Bank Fined US$50 Million for Buying Florida Drivers' DataCalifornia Wi-Fi Security Bill Heads for Governor's Desk
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCESIndian Call Center Employee Arrested on Charges of Fraud
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GAO Report Finds Security Problems at FDIC
NIST Issues Three Security-Related Draft Publications
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Says Attacks Not Up Despite New Exploits for MS06-040 Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Chicago City Employees' Data
AT&T Data Thieves Used Info. for Targeted Phishing Attacks
Medical Lab to Notify Patients Affected by Theft of Computer
MISCELLANEOUS
CA Fixes AV Update That Identified Windows File as Malware
Browzar Faces Claims of Ad-Mongering and False Advertising
Google to Comply with Brazilian Court's Demand for User Data
*********************** Sponsored By SANS *****************************
The Process Control & SCADA Security Summit, September 28 - 30, is a must-attend event for the technical and procurement managers of any organization that relies on automated industrial control systems and for the system integrators and system vendors that support them.
http://www.sans.org/info.php?id=1331 And Network Security 2006 is the only place to find all 20 of SANS highest rated teachers. How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
See: http://www.sans.org/ns2006/caag.php
***********************************************************************
TOP OF THE NEWS
Bank Fined US$50 Million for Buying Florida Drivers' Data (29 August 2006)
Fidelity Bank & Trust has been ordered to pay US$50 million for purchasing 656,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The bank bought the data to use in a direct marketing campaign; the purchase violated the Drivers Privacy Protection Act of 1994, which aims to protect drivers' data from being distributed "because stalkers and other criminals had used motor vehicle records to locate victims." In 2004, a US District Court ruled the plaintiff "had to demonstrate actual damages before obtaining monetary compensation under the" law, but the 11th Circuit Court of Appeals overturned the lower court's ruling.-http://www.techweb.com/wire/192500110
-http://www.accessreports.com/statutes/DPPA1.htm
[Editor's Note (Ranum): Wait a minute! And the Florida MVA is blameless!? (Schultz): Fidelity Bank & Trust richly deserves the fine it received, but it seems strange that no individuals within the Florida Department of Highway Safety and Motor Vehicles have been punished so far for actually selling the personal data. ]
California Wi-Fi Security Bill Heads for Governor's Desk (4 & 1 September 2006)
Lawmakers in California have passed legislation requiring manufacturers of wireless Internet equipment to put security warnings on all products capable of receiving wireless signals. The bill, which is awaiting the governor's signature, would go into effect on October 1, 2007. The warnings may take several forms, including box stickers and notification in setup software; they would include information on how to secure files, folders and connections. The manufacturers would be required to place at least one sticker in such a way that users must remove it before using the device. US law regarding piggybacking, or using someone's wireless connection without permission, is sketchy. Recently, a California woman's attorney convinced the court that the RIAA lacked sufficient evidence to bring a case against her for illegal music downloading because her wireless network was not secure and the RIAA had no proof that it was she who downloaded the files in question.-http://www.theregister.co.uk/2006/09/04/wi-fi_warnings_legislated/print.html
-http://www.australianit.news.com.au/articles/0,7204,20323715%5E15322%5E%5Enbv%5E
,00.html
[Editor's Note (Grefer): May we assume that the RIAA has been lobbying since for closing said loophole, thereby helping to improve wireless security in the long-term? ]
************************* Sponsored Links: *****************************
1) Register today for Mu Security's SANS 'Ask The Expert Webcast': 'Eliminating Vulnerabilities Before Attackers Know They Exist'
http://www.sans.org/info.php?id=1332
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Indian Call Center Employee Arrested on Charges of Fraud (4 & 2 September 2006)
Sulagna Ray, a call center employee in eastern India, has been arrested for allegedly using credit card information she obtained though her work to buy goods for herself over the Internet. Ray worked for Jaishree Infotech selling Dish TV to people in the US.-http://australianit.news.com.au/articles/0,7204,20349056%5E15331%5E%5Enbv%5E1530
6%2D15318,00.html
-http://timesofindia.indiatimes.com/articleshow/1950763.cms
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GAO Report Finds Security Problems at FDIC (1 September 2006)
A report from the Government Accountability Office (GAO) says that while the Federal Deposit Insurance Corp. (FDIC) has addressed 18 of 24 security weaknesses found in a previous audit, the agency still "has not consistently implemented information security controls to properly protect the confidentiality, integrity and availability of its financial and sensitive information systems." The report also identifies 20 additional security problems FDIC needs to fix.-http://www.fcw.com/article95904-09-01-06-Web
-http://www.networkworld.com/news/2006/090106-gao-fed-security.html
-http://www.gao.gov/new.items/d06620.pdf
NIST Issues Three Security-Related Draft Publications (1 September 2006)
The National Institute of Standards and Technology (NIST) has released three draft publications for public comment. SP800-45A, Guidelines on Electronic Mail Security, is an update to an earlier publication; comments will be accepted until October 6. Comments on SP800-94, "Guide to Intrusion Detection and Prevention Systems" are due by October 20, and comments on SP800-95, "Guide to Secure Web Services" will be accepted through October 30.-http://www.fcw.com/article95885-09-01-06-Web
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Says Attacks Not Up Despite New Exploits for MS06-040 Flaw (1 September 2006)
Microsoft is denying reports that attacks exploiting a vulnerability addressed in a recent security update, MS06-040, are on the rise. This is in spite of the discovery of two new variants of malware that exploit the vulnerability in Windows Server services, bringing the total detected so far to six. While the number of machines being compromised may not be increasing, the fact that attackers are continuing to target this particular flaw is of some concern.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=viruses__worms_and_security_holes&articleId=9002953&taxonomyId=
85
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39408552-39000005c
[Editor's Note (Ullrich): I am not sure about the number. But there are at least a few dozen SDBot variants using MS06-040. Microsoft isn't going to get its customers trust back by putting out botched patches and hiding the true impact of vulnerabilities.
(Honan): Sticking their head in the sand and not acknowledging the problem will not help Microsoft gain customer trust in the security of their products. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Chicago City Employees' Data (August/September 2006)
A laptop computer stolen from the home of a contractor for the city of Chicago holds personally identifiable information, including names and Social Security numbers (SSNs), belonging to thousands of city employees. Nationwide Retirement Solutions (NRS) is notifying people whose data were on the computer by mail and will offer them one year of free credit monitoring along with US$25,000 of identity theft insurance. The computer was stolen in April 2005; local police and the company were notified promptly. However, the division of NRS that investigates computer thefts did not learn of it until July 2006. Since the theft, NRS has deployed encryption on all laptop computers.-http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758
AT&T Data Thieves Used Info. for Targeted Phishing Attacks (1 September 2006)
Additional information has come to light about the recent data theft from AT&T's online store. After thieves stole personally identifiable information of 19,000 AT&T DSL customers, they immediately began to use some of that data to launch a sophisticated phishing attack. The phishing emails tried to elicit more data from their targets by including authentic-looking AT&T order numbers, the targets' home addresses and last four digits of their credit card numbers. The recipients were provided a link to a spoofed site where they were asked to update their credit card information.-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/09/01/BUGVBKSUIE1.DTL&a
mp;type=printable
Medical Lab to Notify Patients Affected by Theft of Computer (31 August 2006)
A computer stolen from a medical laboratory's sample collection center in Jersey holds personally identifiable information of an unspecified number of patients. LabCorp is sending letters to notify individuals whose data were on the machine, which was stolen in early June; the data include names and SSNs but not test results.-http://www.thnt.com/apps/pbcs.dll/article?AID=/20060831/NEWS/608310428/1001
MISCELLANEOUS
CA Fixes AV Update That Identified Windows File as Malware (4 September 2006)
CA has released a revised version of a recent update for its eTrust anti-virus software because the original version mistakenly labeled an essential Windows 2003 file as malware. If the file, Lsass.exe, is deleted from computers, it can cause them to crash and fail to reboot. CA has also posted an advisory that tells users how to remedy the situation if the file has already been removed from their computers.-http://software.silicon.com/security/0,39024655,39162022,00.htm
CA Advisory:
-http://supportconnect.ca.com/sc/kb/techdetail.jsp?searchID=TEC405236&docid=4
05236&bypass=yes&fromscreen=kbresult
[Editor's Note (Ullrich): Yet another sign of the futility of signature based anti-virus. Signature based AV software is not protecting you from any current threats, and sloppy quality assurance will even further delay updates as users try to fulfill this function. If you need meaningful malware protection: (1) Establish white-lists. (2) Apply the "deny by default" policy to executables.
(Kreitner): I hope this experience has motivated CA to adopt more thorough QA of impending releases of its e-Trust product. Users of anti-virus software have a right to assume these products are held to a higher standard than most software. ]
Browzar Faces Claims of Ad-Mongering and False Advertising (4 & 3 September 2006)
Browzar, an application that has been advertised to help computer users enhance their privacy while surfing, has been the target of recent criticism. Some say the application, which claims to leave no trail of web pages visited by automatically deleting files associated with web sites when the application is shut down, does not work as advertised. Apparently the deleted files are not wiped from the computer and are relatively easy to recover. Others have complained that Browzar's search engine serves up advertisements within search results. Users are permitted to use other search engines, which should address this problem. Browzar is an Internet Explorer (IE) shell available as a free download in beta.-http://www.theregister.co.uk/2006/09/04/browzar_backlash/print.html
-http://news.bbc.co.uk/2/hi/technology/5310114.stm
-http://isc.sans.org/diary.php?storyid=1671&isc=23e7aca4da273589441f9a80205ca
aaf
Google to Comply with Brazilian Court's Demand for User Data (2 September & 31 August 2006)
Google has said it will comply with a Brazilian court order to turn over user search data that will help authorities there identify individuals involved with "online communities that encourage racism, pedophilia and homophobia." Google is taking some heat for its decision, as it refused a US Department of Justice's demands for user search data to aid their efforts in fighting child pornography. Google says there are differences between the requests. While DOJ sought Google's whole search index for "a broad civil case," Brazil has asked for specific information from a social networking site known as Orkut. The Brazilian judge initially thought Google was resisting orders for the information because the orders had been sent to Google's Brazilian subsidiary rather than to US headquarters. (Please note this site requires free registration)-http://www.washingtonpost.com/wp-dyn/content/article/2006/09/01/AR2006090100608_
pf.html
-http://www.chron.com/disp/story.mpl/ap/fn/4155909.html
******************* The Editorial Board of SANS NewsBites ***************
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent language consultant based in Clearwater, Florida.
*************************************************************************
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
