SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #74

September 19, 2006

TOP OF THE NEWS

US Judge Orders Spamhaus to Pay US$11.7 Million Damages and Post Apology
EU Considering Data Breach Notification Law

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS to Announce Appointment of Cyber Security Chief
Authorities Recover Stolen Computer Holding VA Data
Dept. of Agriculture to Move Data Processing Hardware Away from Hurricane Risk
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Serious ActiveX Vulnerability in IE 5.01 and 6.0
Mozilla Releases Firefox 1.5.0.7 to Address Seven Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Computer Stolen From Auditor's Car Holds Law Firm Pension Data
Univ. of Texas San Antonio Server Breached
Nikon World Magazine Subscribers' Data Exposed
Employee Files Found in Dumpster
STATISTICS, STUDIES & SURVEYS
Gartner Says Antivirus Sales Helped Boost Security Spending in 2005
MISCELLANEOUS
House Committee to Hold Hearing on HP Pretexting

---

************************** TRAINING UPDATE ******************************

SANS Security Summits on SCADA Security and on Laptop Encryption **

(1) The Process Control & SCADA Security Summit, September 28 - 30, in Las Vegas, focuses on the most critical vulnerabilities in control systems that run power plants, chemical plants, transportation systems, pipelines, and more, and shows what can be done now secure these critical systems.
http://www.sans.org/info.php?id=1349

(2) The Secure Storage and Encryption Summit, December 6 - 7 near Washington, DC, offers the only user-to-user program on what works in securing laptops and PDAs and other places where data is at rest. Lessons learned, surprises, problems; just what you need to reduce the pain in deploying encryption and other storage security technology. Very limited seating for this one, so if you are going to be investing your time in improving mobile data security, server security, or even database security, please register very soon.
http://www.sans.org/mclean06/

*************************************************************************

---

TOP OF THE NEWS

US Judge Orders Spamhaus to Pay US$11.7 Million Damages and Post Apology (15 September 2006)

A federal judge has ordered Spamhaus to pay US$11.7 million in damages to a company that the spam-fighting organization had blacklisted. The judge also ordered Spamhaus to stop blocking email from e360 Insight LLC in any way and to post an apology on its web site indicating e360 Insight is not a spammer. Spamhaus, which is based in the UK, has posted a statement on its website that says "default judgments obtained in US county, state or federal courts have no validity in the UK and cannot be enforced under the British legal system." Spamhaus says e360 Insight violates UK antispam laws and that it has no intention of removing that company from its blacklist.
-http://www.msnbc.msn.com/id/14855085/
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39283356-39020375t-10000025c
[Editor's Note (Northcutt): Before coming to any conclusions you probably want to read the Spamhaus response:
-http://www.spamhaus.org/legal/answer.lasso?ref=3
(Grefer): Please bear in mind that this was a default judgment, since the defendant did not show up in court. As such, no jury was involved in determining the merit of said wrongdoings. In addition, the court accepted a case where the defendant is located outside its jurisdiction.
-http://www.userfriendly.org/cartoons/archives/06sep/uf009518.gif
-http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7008
(Ullrich): As a network administrator, I expect to be able to accept or deny traffic from certain networks. However, subscribing to any blocklist like this blindly will hand over control of your e-mail policy to a third party. Although DShield could produce blacklists, we have avoided the temptation to publish large blacklists, in part because anti spam blocklists have been used as a denial of service mechanism against us in the past.
(Honan): I don't know if this story has any relevance to the above, but "Spamhaus repels DDoS attack" seems too much of a coincidence.
-http://www.theregister.co.uk/2006/09/18/spamhaus_ddos_attack/
(Schultz): Has Spamhaus gone off on a limb, or will it be able to continue to block e360 Insight traffic on the grounds that this company is a bona fide spammer without intervention by the US government? The subsequent events in this fascinating case are bound to be extremely interesting. ]

EU Considering Data Breach Notification Law (13 September 2006)

The European Commission is considering legislation requiring telecommunications companies to inform regulators and affected customers in the event of a data security breach. Current rules dictate that the companies inform customers of security risks, but make no provisions for notification of breaches. The proposed law would require the companies to "notify customers of any breach of security leading to the loss, modification or destruction of, or unauthorized access to, personal customer data." The proposed law would also require telecommunications companies to notify regulators when a breach of security results in interruptions of service.
-http://www.out-law.com/default.aspx?page=7287
[Editor's Note (Grefer): This is a much more customer-friendly proposal than data breach notification bills introduced in the U.S. that are tainted by strong industry lobbying.
(Honan): Current EU Data Protection laws dictate companies should adequately protect their customers and employees' personal data, but there is no legislation or mechanism to inform those same people if those protections fail or have been breached. This is a positive move by the EU, although I am disappointed that it is currently restricted to telecommunications companies.]

---

********************** Sponsored Links: *******************************

1) Use NetFlow to gain valuable network visibility to protect and optimize your network security. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info.php?id=1353

2) SANS WhatWorks webcast 9/21 at 1pm-2pm EDT, "Messaging Application Gateway Security with Baptist Health System"
http://www.sans.org/info.php?id=1354

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS to Announce Appointment of Cyber Security Chief (18 September 2006)

There are reports that Greg Garcia will be appointed assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security (DHS). The position has remained vacant since its creation in July 2005; the DHS has had a difficult time finding qualified candidates who were willing to take a cut in pay and perks to work in the public sector. Garcia is currently vice president for information security policy and programs at the Information Technology Association of America. Donald "Andy" Purdy Jr. is currently serving as acting cybersecurity director.
-http://www.foxnews.com/story/0,2933,214364,00.html
-http://news.com.com/2061-10789_3-6116920.html

Authorities Recover Stolen Computer Holding VA Data (15 September 2006)

A desktop computer stolen from a Unisys Corp. in Reston, Virginia in August has been recovered; the computer held unencrypted insurance claim forms with names, addresses and personal identifiers that belong to approximately 16,000 patients treated by Veterans Affairs Department (VA) medical centers in Philadelphia and Pittsburgh. A man, Khalil Abdullah-Raheem, who worked as a temporary employee at Unisys, has been arrested in connection with the theft of the computer and charged with theft of government property. He was released after posting a US$50,000 personal recognizance bond. The FBI is analyzing the computer to see if the data were compromised; VA Secretary Jim Nicholson says the computer was not targeted because of the information it contained.
-http://www.gcn.com/online/vol1_no1/42012-1.html?topic=security

-http://www.govexec.com/story_page.cfm?articleid=35028&printerfriendlyVers=1&
amp;
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003365&intsrc=news_ts_head
[Editor's Note (Honan): Once a computer has been compromised and outside your direct control then always assume the worst. The FBI agents are trained to forensically examine the computer for signs of access and also to access computers without leaving a trace, others with less altruistic motives also have similar skills.
(Schultz): Mr. Nicholson seems to not be taking this incident very seriously, something that further undermines his and the VA's credibility, especially in light of the highly publicized VA data security breaches that have occurred in the recent past. ]

Dept. of Agriculture to Move Data Processing Hardware Away from Hurricane Risk (15 September 2006)

The US Department of Agriculture plans to move its National Finance Center data processing hardware from New Orleans to Denver to protect it from the threat of hurricanes. The agency moved the hardware to Philadelphia following Hurricane Katrina, but the move was meant to be temporary. Permanent relocation is expected to take place in spring 2007. The agency's primary concern in moving the hardware is to maintain continuity of operations.
-http://www.govexec.com/story_page.cfm?articleid=35020&printerfriendlyVers=1&
amp;

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Serious ActiveX Vulnerability in IE 5.01 and 6.0 (18 & 15 September 2006)

Microsoft is investigating reports of a flaw in the Microsoft DirectAnimation Path ActiveX Control in Internet Explorer (IE) that could be exploited to allow remote code execution. Proof-of-concept code has been published, but there are no reports of active attacks that exploit this flaw. Microsoft recommends that until a fix is released, users disable ActiveX and active scripting controls. The vulnerability affects IE versions 5.01 and 6.0.
-http://isc.sans.org/diary.php?storyid=1705
-http://www.theregister.co.uk/2006/09/18/ie_flaw_warnings_grow/print.html
-http://software.silicon.com/security/0,39024888,39162464,00.htm
-http://www.vnunet.com/vnunet/news/2164423/internet-explorer-vulnerability
-http://www.microsoft.com/technet/security/advisory/925444.mspx

Mozilla Releases Firefox 1.5.0.7 to Address Seven Flaws (18 & 15 September 2006)

Mozilla released Firefox 1.5.0.7, addressing seven vulnerabilities in earlier versions of the browser. Four are rated critical, two are rated moderate and one is rated low. The flaws could allow cross-site scripting, spoofing and man-in-the-middle attacks.
-http://isc.sans.org/diary.php?storyid=1702
-http://isc.sans.org/diary.php?storyid=1708
-http://news.com.com/2102-1002_3-6116267.html?tag=st.util.print
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003346
-http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Computer Stolen From Auditor's Car Holds Law Firm Pension Data (18 September 2006)

A laptop computer stolen from an employee of auditor Morris, Davis & Chan held unencrypted, personally identifiable pension plan data, including names and Social Security numbers (SSNs) of employees from San Francisco law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. The breach affects approximately 500 individuals. All current and former partners, associates and employees of the firm have been informed of the breach, according to the firm's executive director.
-http://www.law.com/jsp/legaltechnology/PubArticleFriendlyLT.jsp?id=1158311123646
[Editor's Note (Honan): Cost of laptop EUR 1,000. Encryption software EUR 100. Not encrypting data on a laptop and losing that laptop while it contained information belonging to the staff of a legal firm, priceless (or whatever the lawsuit determines) ]

Univ. of Texas San Antonio Server Breached (15 September 2006)

A security breach of a server at the University of Texas at San Antonio (UTSA) is under investigation by a university technology team, local police and state and federal officials. The compromised server contains four years' worth of data, including names, addresses and SSNs, that belong to 53,000 current and former students who have received financial aid and 11,000 current and former faculty and staff members. All 64,000 individuals received letters apprising them of the situation. The breach was discovered during a routine risk assessment in mid-August. A university spokesperson said the problem was detected before any information could be taken.
-http://www.mysanantonio.com/news/metro/stories/MYSA091606.02B.UTSAHACKER.2e77063
.html

Nikon World Magazine Subscribers' Data Exposed (14 September 2006)

The names, addresses and credit card numbers of 3,235 subscribers to Nikon World magazine were accessible on the Internet for approximately nine hours last week. The problem was discovered on September 13 when an Alabama camera store employee attempted to subscribe to the magazine on line. The sensitive subscriber data were accessible from a link in an email from Nikon World. Nikon says it has contacted everyone whose data were compromised. The breach affects people who subscribed to the magazine after January 1, 2006.
-http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/15519104.htm

Employee Files Found in Dumpster (11 September 2006)

Following the buyout of a telemarketing company, employees found personnel files and files containing consumer data dumped in the trash. The employee files included photocopies of driver's licenses and Social Security cards. The state attorney general's office plans to examine the discarded files. Federal law requires businesses to take measures to destroy personal data beyond simply tossing it in the trash.
-http://www.theindychannel.com/news/9818472/detail.html
-http://www.theindychannel.com/call6/9824917/detail.html
[Editor's Note (Honan): Just because a company has finished using personal data, such as Social Security numbers, names, date of birth, belonging to the consumer does not mean the consumer has finished using it! Companies need to ensure personal data they no longer require is securely destroyed when being discarded. ]

STATISTICS, STUDIES & SURVEYS

Gartner Says Antivirus Sales Helped Boost Security Spending in 2005 (12 September 2006)

Statistics from Gartner indicate that worldwide security market revenues in 2005 increased 14.8 percent over those in 2004, to US$7.4 billion. Increased sales of antivirus software helped boost the figure; revenue for antivirus software alone in 2005 totaled US$4 billion.
-http://www.vnunet.com/vnunet/news/2164068/security-software-spend-hit-4bn

MISCELLANEOUS

House Committee to Hold Hearing on HP Pretexting (17 & 15 September 2006)

The US House Energy and Commerce Committee plans to hold a two-day investigative hearing regarding the legality of telephone pretexting, or pretending to be someone else to obtain their phone records. The hearing was prompted by the recent scandal at Hewlett Packard in which it was revealed that a company hired by an HP contractor to discover the source of corporate information leaks used pretexting to conduct its investigation. One day of the hearing will focus on HP; company executives, board members and others are likely to be called as witnesses. HP was given until Monday, September 18 to submit numerous documents to the committee; HP has said it will supply all documents requested.
-http://management.silicon.com/government/0,39024852,39162461,00.htm
-http://www.usatoday.com/money/companies/management/2006-09-17-hp-usat_x.htm

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/