SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #81
October 13, 2006
Two more emails came in this week about CISOs who lost their jobs. The rising pressure on CISOs is just coming into focus, and the second story this week (about Irish IT managers' views of compliance) may add some illumination. People who justified their security budgets using SOX and HIPAA and other regulations are being pushed out in favor of people who can operationally secure the systems. We are picking up a lot of data saying that CEOs and operations-oriented people are losing their fear of these regulations and their patience with security people who write policies but don't secure systems. If you have a story about similar pressures that are emerging at your organization, please share it (paller@sans.org). In return I'll send the key survival strategies we have discovered for CISO survival and success. If you are not a CISO, and aspire to management, a small suggestion. Try to make sure you have the deep technical skills to make security into a hands-on technical service organization helping the operating units become secure. At the same time, keep as far away as you can from the people who have made their security departments into "departments of delegation" where their main role is to tell other people what to do.
Alan
TOP OF THE NEWS
Data Stolen From 2,300 British Computers Found in The United StatesIrish IT Managers Say Compliance Interferes with Efficiency
ICANN Will Not Suspend Spamhaus if Ordered by Court
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS, SENTENCES & LEGAL ACTIONJudge Throws Out Class Action Lawsuit Against Acxiom
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IG: IRS Still Needs to Deal with Security Issues
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Vietnamese Authorities Fine Company for Software Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Issues Ten Bulletins on Patch Tuesday
Oracle to Provide More Info About Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thief Steals Data on Brock University Donors
Stolen Computers Hold UTA Student Information
STATISTICS, STUDIES & SURVEYS
An Inside Look At Cyber Crime
Survey: Teleworkers Have False Sense of Security
More Than Half of Higher Education Institutions Surveyed had Security Breaches Last Year
MISCELLANEOUS
Television Program on Call Center Data Theft Prompts Investigation
************************** SPONSORED LINKS ****************************
1) Maximize your Training Budget! Save 15-30% on SANS training & certification! SANS Program that pays you credits and delivers flexibility. Are you looking for a creative way to finance training?
Visit: http://www.sans.org/info/1410
2) Register today for Forrester Research & RippleTech's 'Monitoring Database Transactions and Safeguarding Confidential Data' webcast
http://www.sans.org/info/1411
*************************************************************************
TOP OF THE NEWS
Data Stolen From 2,300 British Computers Found in The United (11 October 2006)
The Metropolitan Policy (Scotland Yard) are investigating the theft of credit card data and passwords from thousands of personal computers in the United Kingdom and potentially tens of thousands more around the world. The stolen data were discovered on computers in the United States. Police are informing the people whose data were stolen.-http://www.guardian.co.uk/uklatest/story/0,,-6139406,00.html
-http://news.zdnet.co.uk/internet/security/0,39020375,39284001,00.htm
Irish IT Managers Say Compliance Interferes with Efficiency (12 October 2006)
A survey of 300 information managers at Irish companies found that regulatory compliance is at odds with the drive toward efficiency. Eighty-eight percent of respondents said they are affected by regulatory compliance issues; the Data Protection Act, the Freedom of Information Act and the Sarbanes-Oxley Act were the three most frequently cited. Compliance increases the technical burden assumed by the companies. Forty percent of those responding said they felt vendors were more interested in the business opportunity presented by compliance requirements than they were in helping their customers' with compliance.-http://www.siliconrepublic.com/news/news.nv?storyid=single7185
[Editor's Note (Kreitner): If compliance is regarded as the natural byproduct of a well-run enterprise, a recent research study released by the IT Process Institute (www.itpi.org) would disagree with this kind of complaint, which is based on a view of compliance as an effort to satisfy externally imposed requirements. The ITPI study revealed that compared with low performing IT organizations, high performing IT organizations practice tightly disciplined change management and configuration management, have low levels of unplanned work and firefighting, and very high System/System Administrator ratios. This sort of enterprise discipline produces efficiency and compliance becomes a natural consequence.
(Schultz): Compliance is a two-edged sword. It forces organizations that have deficient security practices to improve. At the same time, however, a one-to-one relationship between controls needed for compliance and controls needed to mitigate actual security risk within organizations does not by any means exist. Organizations that have responsible security practices are thus penalized because of other, less responsible organizations. ]
ICANN Will Not Suspend Spamhaus if Ordered by Court (12 & 10 October 2006)
ICANN says it will not comply should a judge sign a proposed order from a US district court in Illinois to suspend Spamhaus.com's web site. An ICANN spokesperson says the organization does not have the authority to suspend the web site. Spamhaus was sued by US company e360 Insight LLC because it claims Spamhaus has wrongly put its name on a spam blacklist. The court ruled that Spamhaus must pay e360 US$11.7 million and remove the company's name from its blacklist. Spamhaus has not complied with the court's ruling and did not appear in court regarding the case, as the organization maintains the court has no jurisdiction over the company, which is located in the UK.-http://www.zdnetasia.com/news/internet/printfriendly.htm?AT=61959117-39001260c
-http://www.theage.com.au/news/Technology/Antispam-group-warns-it-may-lose-domain
-name-potentially-unleashing-more-junk-mail/2006/10/10/1160246101148.html
-http://www.theregister.co.uk/2006/10/12/icaan_spamhuas_dispute_latest/print.html
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS, SENTENCES & LEGAL ACTION
Judge Throws Out Class Action Lawsuit Against Acxiom (12 October 2006)
US District Judge William Wilson has dismissed a class action lawsuit against data aggregator Acxiom, citing "lack of standing;" there is no evidence that data stolen from Acxiom's databases had been used to send spam or junk mail. Scott Levine was sentenced to eight-years in prison for unauthorized access to Acxiom computers. Levine ran a company that had been identified as a spammer, but there is no evidence the company used the information taken from the Acxiom databases. An attorney for the plaintiffs says no decision has been made yet on whether they plan to appeal the judge's ruling.-http://news.com.com/2102-7348_3-6125028.html?tag=st.util.print
-http://www.politechbot.com/docs/acxiom.order.class.action.101106.pdf
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IG: IRS Still Needs to Deal with Security Issues (11 October 2006)
A report from the Treasury Inspector General for Tax Administration (TIGTA) says the Internal Revenue Service (IRS) has failed to install security patches on all of its computers; as a result, sensitive taxpayer data could be at risk of exposure. Earlier reports from TIGTA said the IRS needed to strengthen patch management and address other security issues. The risk of data exposure is rising due to the increased connectivity of computers and employee use of laptops. The IRS plans to have a patch installation system deployed agency-wide by February 2007. An earlier TIGTA report also found that the IRS failed to effectively "collect, review and retain audit trails of activities to detect unauthorized access" to its systems.-http://www.gcn.com/online/vol1_no1/42279-1.html?topic=security
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Vietnamese Authorities Fine Company for Software Piracy (12 October 2006)
A Daewoo Corp. affiliate in Vietnam has been fined for using pirated software. Daewoo Hanel Electronic Corp. was ordered to pay 15 million dong (US$934) for using pirated copies of Microsoft Windows, Microsoft office, Auto CAD and other software. According to the chief inspector of Vietnam's Ministry of Culture and Information, the pirated software was found in a raid on the company last week. A Daewoo Hanel executive said the software was already installed on the computers when they were purchased and the company did not know it was pirated. Vietnam hopes to join the WTO and has committed to cracking down on piracy.-http://www.smh.com.au/news/Technology/Vietnam-fines-South-Korean-Daewoos-affilia
te-for-software-piracy/2006/10/12/1160246221290.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Issues Ten Bulletins on Patch Tuesday (12 & 10 October 2006)
Microsoft released ten bulletins addressing six critical flaws on Tuesday, October 10. All of the flaws could be used to gain access to unpatched computers. Attackers were already exploiting three of the vulnerabilities. Four other patches released on Tuesday address less serious flaws. Microsoft's early notification announcement last week said the company would issue 11 security bulletins, but a company representative said one of the scheduled patches did not meet quality standards and will instead be released in November. Microsoft experienced problems with its automated update system earlier this week, but they have since been fixed.-http://www.msnbc.msn.com/id/15212652/
-http://software.silicon.com/security/0,39024655,39163140,00.htm
Oracle to Provide More Info About Flaws (12 & 11 October 2006)
Oracle plans to provide more information about the vulnerabilities addressed in its quarterly updates. Starting with the update scheduled for October 17, Oracle will provide summaries of the flaws as well as assign a rating to the severity of each flaw with the use of the Common Vulnerability Scoring System (CVSS). The change reportedly comes in response to customer comments. Users had been frustrated because they were unable to determine which of the fixes in the update were the most important to apply. Oracle will also "specifically identify those critical vulnerabilities that may be remotely exploitable without requiring authentication to the targeted system."-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339271603-1300
61744t-110000005c
-http://www.securityfocus.com/brief/326
-http://blogs.oracle.com/security/2006/10/11#a33
[Editor's Note (Boeckman): This is good news. Some of the bulletins they have written in the past were so cryptic, I would have sworn they were written in Aramaic. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thief Steals Data on Brock University Donors (12 October 2006)
A cyber thief broke into the Brock University computer system and accessed the personal data of approximately 70,000 individuals who have made donations to the Ontario, Canada school. The intruder had the passwords necessary to access the information. The intrusion occurred on September 22 and took just four minutes, according to Brock vice-president academic Terry Boak. The data include names, addresses, email addresses and in some cases, bank account and credit card numbers. Individuals whose financial account numbers were taken received phone calls within 24 hours of the school learning of the data theft; the others were sent letters notifying them of the breach. Boak said the school did not see the need to make a public statement about the breach, as those affected had been notified.-http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html
Stolen Computers Hold UTA Student Information (12 October 2006)
Two computers stolen from the home of a University of Texas at Arlington faculty member hold personally identifiable information of approximately 2,500 university students. The data include names, Social Security numbers (SSNs), grades and email addresses of students who were enrolled in computer science and engineering classes between fall 2000 and fall 2006. A school spokesman said they are notifying affected students of the data security breach. The theft occurred on September 29th; the university has created a web page with more information for students.-http://www.chron.com/disp/story.mpl/metropolitan/4253257.html
-http://oit.uta.edu/oit/ss/datatheft/
STATISTICS, STUDIES & SURVEYS
An Inside Look At Cyber Crime
The folks at USA Today have published a revealing look at two of the criminal groups involved heavily in cybercrime. They o into the competition and poaching practiced by these groups and tell about the tools and sharing techniques they use. Highly illuminating.-http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercri
me-hacker-forums_x.htm
Survey: Teleworkers Have False Sense of Security (10 October 2006)
According to a survey commissioned by Cisco Systems, teleworkers are not as security savvy as they think they are. While two-thirds of the more than 1,000 respondents from 10 countries said they are aware of security concerns associated with working from a remote location, many admitted to habits that present security risks. More than 20 percent say they let relatives or other non-employees to use their work computers to access the Internet. Other habits that pose risks include accessing neighbors' wireless networks, and opening email from unknown sources.-http://www.vnunet.com/vnunet/news/2166038/security-pros-should-target
-http://software.silicon.com/security/0,39024888,39163092,00.htm
[Editor's Note (Pescatore): People falling for Three-card Monte scams over the past century or so have *all* felt they were more security savvy then they really are, so not surprising that computer users make the same mistake. People working at home tend to act more like home users than corporate users - the trick is building secure telework approaches that take that as a given.]
More Than Half of Higher Education Institutions Surveyed had Security Breaches Last Year (10 October 2006)
The Higher Education IT Security Report Card, which this year surveyed 182 higher education IT directors and managers across the US, found that 58 percent said they had experienced at least one security incident within the past year. Thirty-three percent said they had experienced data loss or theft; nine percent said student data was lost or stolen. The biggest roadblocks to effective security, according to respondents, are inadequate staff resources and funding.-http://www.fcw.com/article96412-10-10-06-Web&printLayout
[Editor's Note (Boeckman): The other part of this story is that 42% of institutions of higher education can not detect intrusions. ]
MISCELLANEOUS
Television Program on Call Center Data Theft Prompts Investigation (10 October 2006)
A recent television program has prompted the UK's Information Commissioner's Office to launch an investigation into security breaches at Indian call centers that have exposed UK citizens' bank account information. The ICO will look into the practices of the mobile phone companies that have outsourced call centers to India. The ICO has the authority to prevent the companies from sending work outside the country.-http://www.theregister.co.uk/2006/10/10/data_centre_probe_announced/print.html
[Editor's Note (Pescatore): Will they also investigate the call centers that have *not* been outsourced? There is a lot of jingoism going on - an outsourced call center might be less secure, or it might be more secure, than the original corporate one. Enterprises who make security a top criterion in outsourcing decisions can maintain or increase security. Those who rush to outsource without considering security can drastically reduce security - but those enterprises are also the ones most likely to be doing a bad job at running their own call center securely.]
(Schultz): The downsides of "offshoring," especially security-related liabilities, are becoming increasingly evident. I thus predict a reversal in the trend to outsource work to countries where it can be done much more cheaply. ]
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/
