SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #72

September 12, 2006

TOP OF THE NEWS

IT Security Industry Changes: Trouble on the Horizon
Credit Card Companies Update PCI

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Software Pirate Gets Record Sentence
SPYWARE, SPAM & PHISHING
Company's Reputation Suffers After Spammers Assume its Identity
US$2 Million Fine for Malware Spreaders
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malicious Files on Samsung Web Site
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Second Life Data Security Breach
Investigation Launched into Cyber Intrusions at Gov. Schwarzenegger's Office
Chase Loses Tapes with 2.6 Million Circuit City Card Holders' Data
MISCELLANEOUS
Investigators in HP Leak Case Used Pretexting to Obtain Journalists Phone Records
Phone Companies Need to Address Account Security

---

********************* Sponsored By ArcSight, Inc. ***********************
Secrets for Sale! Attacks from malicious insiders are difficult to detect and often more devastating than outside security breaches. Learn how to prevent the loss of your confidential data in our free whitepaper, Addressing Insider Threats. Authored by ArcSight, the leader in security, compliance and insider threat.
http://www.sans.org/info.php?id=1341

*************************************************************************

Network Security 2006 (Las Vegas, Oct. 1-8) is the only place to find all 20 of SANS highest rated teachers. How Good Are The Courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
See: http://www.sans.org/ns2006/caag.php

***********************************************************************

---

TOP OF THE NEWS

IT Security Industry Changes: Trouble on the Horizon (September 2006)

As companies complete SOX and GLBA compliance efforts they are often reorganizing and managers and consultants with soft skills are being let go, but maturing regulation isn't the only factor impacting job prospects. The emergence of regulatory requirements within the last several years initially provided numerous jobs and comfortable budgets for IT managers and consultants. However, once "what it takes to comply" with the regulations became clearer, executives began to tire of spending money on overpriced consultants and unnecessary reports. Budget growth slowed, and some security managers were reorganized into positions of diminished power. Additionally, certain IT organizational best practices and standards encourage restructuring that sometimes "relegate(s) security to a second-class activity." Finally, there has been a recent movement toward personal accountability for IT systems' security, often meaning people lose jobs in the event of a security breach. On the other hand, IT security management jobs within the government and government contractors appear to be relatively secure in the near term. This can be attributed largely to the implementation of the Federal Information Security Management Act (FISMA) and its attendant demand for voluminous reports on government IT systems' compliance. Even here, however, "change seems to be in the air" as government officials begin to question FISMA's efficacy. Several strategies that can be used by private and government security managers to increase their chances of holding onto their jobs, are described in the article written by Stephen Northcutt.
-http://www.sans.edu/resources/ITSecurityIndustryChanges.pdf
[Editor's Note (Schultz): FISMA's value is very much open to question. FISMA compliance is, unfortunately, more of a bureaucratic paper creation and shuffling exercise than anything else. I know of a government laboratory with terrible security practices--it has more security breaches than any other site operated by a certain government agency--yet this laboratory got very high marks on a recent FISMA audit.
(Pescatore): I think a real key to making sure you protect customer and business data, which in turn leads to keeping your job, is to make sure you have a "network of friends" in your company. Having a network of trust with compadres in the audit and financial groups, as well as the business units, is the best way to make sure security is part of all those informal processes where the actual work (not just what gets presented to auditors) gets done. Being part of a "hallway design review" to make sure security is baked in somewhere is infinitely more valuable than just being able to point at policies, procedures and processes - not that there's anything wrong with those. ]

Credit Card Companies Update PCI (8 September 2006)

The five major credit card companies, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, have formed the Payment Card Industry Security Standards Council, marking the first time all have agreed on a common framework for payment card security. Their first order of business was to update the current PCI Data Security Standard by providing instructions for implementing the requirements and clarifying the language, for instance, replacing vague terms, such as "regularly," with specifics, such as "annually" or "quarterly." The council's goal is "to enhance payment account security by fostering broad adoption of the PCI Data Security Standard."
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39282935-39020645t-10000019c
-https://www.pcisecuritystandards.org/about/faqs.htm#pcidss
[Editor's Note (Paller): The PCI updates were needed. Great job. ]

---

************************** Sponsored Links: *****************************

1) Register for LogLogic's Live Demo Find out why companies like VeriSign are offering LogLogic's log services
http://www.sans.org/info.php?id=1343

2) Learn why Web filtering should be your first line of defense when protecting HTTP traffic.
http://www.sans.org/info.php?id=1342

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Software Pirate Gets Record Sentence (10 & 8 September 2006)

Nathan Peterson has been sentenced to 87 months in a federal prison for software piracy. Peterson pleaded guilty in December to charges of criminal copyright infringement. He was also ordered to pay more than US$5.4 million in restitution; that is equal to the amount he earned by selling pirated copies of software over the Internet and by mail. The FBI shut down Peterson's operation in February 2005. Peterson's sentence is the longest ever imposed for software piracy in the US.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003131&intsrc=news_ts_head
-http://news.zdnet.com/2102-3513_22-6114012.html

SPYWARE, SPAM & PHISHING

Company's Reputation Suffers After Spammers Assume its Identity (6 September 2006)

A Queensland Australia company is suffering from the fallout of a spam attack that spoofed its good name. Clients of the National Online Talent Management (NOTM) agency as well as people unfamiliar with the company have deluged it with angry email messages about unsolicited commercial email that appeared to come from NOTM. The phony email had copied large portions of text from a legitimate NOTM email. NOTM is unsure how to repair its professional relationships and redeem its reputation. The individuals responsible for the phony email messages reside outside of Australia.
-http://www.zdnet.com.au/news/security/soa/Qld_firm_s_reputation_ruined_by_e_mail
_scam/0,130061744,339270871,00.htm

US$2 Million Fine for Malware Spreaders (8 & 6 September 2006)

Two California companies and three individuals have agreed to pay a US$2 million fine to settle Federal Trade Commission (FTC) charges of false and deceptive practices. Enternet Media, Conspy & Co, Lida Rohbani, Nima Hakimi and Baback Hakimi ran a scheme that purported to offer antivirus and antispam protection, but actually downloaded malware onto people's computers. Computer users would receive a pop-up ad warning them of problems with their browsers and offering free protection. Users who declined the download kept receiving the pop-up ad. People who downloaded the protection found their computers infested with hard-to-remove spyware and tracking software. The defendants used additional tactics to trick people into downloading the malware onto their computers, including offering free music files, cell phone ring tones and wallpaper. The terms of the settlement permanently bar the defendants from interfering with a consumer's computer use. The FTC estimates that as many as 18 million computers worldwide were infected with malware as a result of these schemes.
-http://www.internetnews.com/bus-news/article.php/3630621
-http://www.theage.com.au/news/security/spyware-affected-18m-computer-users/2006/
09/08/1157222295731.html?page=fullpage#contentSwap1

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Malicious Files on Samsung Web Site (8 September 2006)

Last week, Samsung Electronics' US web site was hosting a Trojan horse program capable of logging keystrokes and disabling antivirus software. Users had to be tricked into downloading the code onto their computers; there is no evidence of an exploit that downloaded the malware without user interaction. The malicious files appear to have been removed from the site.
-http://news.zdnet.com/2102-1009_22-6113611.html
-http://www.theregister.co.uk/2006/09/08/samsung_telecom_spyware_alert/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003101&intsrc=news_ts_head
[Editor's Note (Shpantzer): Companies should look into scrubbing browser traffic for malware via web proxies as this attack vector isn't going anywhere but up.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Second Life Data Security Breach (11 September 2006)

Players of Second Life have been asked to change their passwords after someone broke into a database holding personally identifiable information about all 650,000 members of the virtual community. The compromised data include names, addresses, passwords and encrypted credit card numbers. The breach was detected on September 6 and users were notified by email on September 8.
-http://news.bbc.co.uk/2/hi/technology/5333996.stm
-http://www.usatoday.com/tech/gaming/2006-09-11-second-life-breach_x.htm
-http://www.eweek.com/print_article2/0,1217,a=188272,00.asp

Investigation Launched into Cyber Intrusions at Gov. Schwarzenegger's Office (11 September 2006)

High tech investigators from the California Highway Patrol (CHP) have launched an investigation into three incidents of unauthorized access to computers in the office of California Governor Arnold Schwarzenegger. The investigation follows disclosure that a digital recording of a meeting between the governor and staff members was leaked to the media came from a computer in that office. CHP is also investigating the state of computer security in the governor's office.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003171&intsrc=news_ts_head
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/09/11/MNG8KL3A051.DTL&a
mp;type=printable
-http://www.mercurynews.com/mld/mercurynews/news/local/states/california/northern
_california/15493835.htm

Chase Loses Tapes with 2.6 Million Circuit City Card Holders' Data (7 September 2006)

Computer tapes containing personally identifiable account information of more than 2.6 million Circuit City credit card holders were accidentally thrown away, according to Chase Card Services. Chase believes the tapes were compacted, destroyed and buried. Chase is monitoring the accounts of affected customers.
-http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=2
0060907&ID=6002314

MISCELLANEOUS

Investigators in HP Leak Case Used Pretexting to Obtain Journalists Phone Records (12, 11 & 8 September 2006)

Update today: Chairwoman Dunn will step down from her current position but stay on the board. CEO Mark Hurd will take over as Chairman of the Board.
-http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=192701297
Members of Hewlett Packard's board of directors were not the only ones whose private phone records were obtained through deceptive means. California's attorney general says that private investigators hired by HP to find out who leaked confidential company information to the media also obtained phone records of nine journalists, including two CNET journalists who covered the story in January 2006. The records were obtained through a method known as pretexting, in which the person seeking the records pretends to be the account holder. As of mid-day Monday, HP's board of directors had not released any sort of decision regarding the fate of chairwoman Patricia Dunn, who ordered the investigation. The board was expected to meet again Monday afternoon.
-http://www.silicon.com/cxoextra/0,3800005419,39162207,00.htm

-http://www.securityfocus.com/brief/298
-http://www.theage.com.au/news/Technology/California-attorney-general-says-prosec
ution-likely-in-HP-scandal/2006/09/07/1157222208119.html
(please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/09/07/AR2006090701543_
pf.html

Phone Companies Need to Address Account Security (11 September 2006)

HP's recent revelation that it authorized an investigation that employed deceptive means to obtain individuals' phone records serves as a reminder that phone companies need to take more precautions to safeguard their customers' data. Several months ago, news stories described how phone records were being offered for sale on the Internet. In response, US lawmakers introduced legislation that would criminalize pretexting, or pretending to be someone you are not to obtain that person's records. Authentication methods for accessing phone records typically require knowledge of the phone number and the last four digits of that individual's Social Security number (SSN). Customers are encouraged to create individualized passwords, but this is not often a requirement. There are some exceptions; one company requires the person requesting access to the record to provide information printed on the bill or to answer questions pertaining to that specific account. Other ideas for tightening the reins of security include calling back the individuals requesting access and notifying customers by email or text messaging when their accounts are being accessed.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39434572-39000005c

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit

http://portal.sans.org/