SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #83

October 20, 2006

Three nice things to help you with security

1. Good awareness videos and a contest to find more, sponsored by
Educause:
Winners from last year: http://www.educause.edu/SecurityVideoContest2006/7103
This year's contest: http://www.educause.edu/SecurityVideoContest2007

2. The best response to the NewsBites item about CISO survival prospects, from a guy with the great title. You'll find it at the end of this issue. Also any SANS alumnus may request the summary of CISO success strategies by emailing ciso@sans.org.

3. We have almost completed user coverage of the main choices for laptop, database and storage system encryption for the Secure Storage and Encryption Summit in Washington December 6-7 (www.sans.org/mclean06). That means youll get to hear from users who actually know what works (and what doesn't) and make decisions about your short list right at the conference. We would love to have more users talking about their experiences - lessons learned, methods used, horror stories, it all helps people who will be buying and deploying this technology. Most importantly, we still would like to hear from more users who have purchased storage or encryption solutions from any of the following vendors: Guardium, Neoscale, HP, Sun, Pointsec, Aladdin, Lumigent, Hitachi, SSH, Vericept, Verisign, Western Digital, Ingrian, Decru, Imperva, nCipher or Application Security. They can be good stories or bad stories. Email paller@sans.org if you can help.

Alan

---

TOP OF THE NEWS

Interior Dept. CIO Seeks FISMA Compliance Metric Alternatives
Spamhaus to Fight Judgment in e360 Insight Case
IFPI Files 8,000 More Filesharing Lawsuits Worldwide

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Man Indicted in Dollar Tree Data Theft Case
POLICY & LEGISLATION
Swiss Banks Broke Laws by Not Informing Customers of Info Sharing
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Visa and MasterCard Stop Accepting Purchases from AllofMP3.com
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Information Disclosure Flaw in IE7
Some Video iPods are Infected with Windows Worm
Oracle Issues 101 Patches
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
SEC Sees Upsurge in Attacks on Online Brokerage Accounts
STANDARDS & BEST PRACTICES
Microsoft Releases Privacy Guidelines
MISCELLANEOUS
FBI Director Calls for ISPs to Retain Records of Users' Activities
Ireland Now Issuing e-Passports
High School Students Suspended for Accessing School PINs

---

**************** Sponsored By Core Security Technologies ****************

WIN a $250 BestBuy gift card from Core Security Technologies! Listen to the joint Gartner and SANS webcast as they discuss the future of information security. Register here http://www.sans.org/info/1459

View the webcast and automatically be entered into a drawing for a $250 gift card from Core Security Technologies!

*************************************************************************

Where To Get the Technical Skills You Need To Lead Security Programs? Major US SANS Training Events in the Next 60 Days New Orleans ( http://www.sans.org/neworleans06/ ) and Washington, DC ( http://www.sans.org/cdieast06/ ) Plus Amsterdam where we added an extra class because of the sell-out.

How Good Are SANS Courses. ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense Programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on-demand courses) without leaving your home, or you may even study online. Schedule: http://sans.org

*************************************************************************

---

TOP OF THE NEWS

Interior Dept. CIO Seeks FISMA Compliance Metric Alternatives (18 October 2006)

The Interior Department CIO's office is working with the department's inspector general (IG) to examine ways to "create metrics that consider broader methods of whether and how agencies are meeting Federal Information Security Management Act (FISMA) requirements." Interior Department CIO Hord Tipton said, "We need to do something different than just checking boxes." Tipton said that despite his agency's poor showing on the most recent FISMA report card, cyber security at the Interior Department is stronger than ever.
-http://www.gcn.com/online/vol1_no1/42328-1.html?topic=security

Spamhaus to Fight Judgment in e360 Insight Case (18 October 2006)

Spamhaus now says it will appeal a US$11.7 million judgment against it from a US court. Spamhaus had previously indicated it would ignore the ruling, saying the US court has no jurisdiction over the UK-based organization, but changed course when faced with the threat of domain seizure. Spamhaus's initial decision to ignore the order led e360 to call for an order to suspend the Spamhaus domain. The judge has not signed that order, and ICANN says it does not have the authority to suspend the domain.
-http://www.theregister.co.uk/2006/10/18/spamhaus_fight_back/print.html

IFPI Files 8,000 More Filesharing Lawsuits Worldwide (18 October 2006)

The International Federation of the Phonographic Industry (IFPI) has brought 8,000 lawsuits against alleged illegal filesharers around the world, including the first such lawsuits ever in Brazil, Mexico and Poland. Many of the people facing lawsuits are parents of minors who have shared files in violation of copyright law. This brings the total number of lawsuits brought by IFPI outside the US to 13,000.
-http://australianit.news.com.au/articles/0,7204,20601881%5E15306%5E%5Enbv%5E,00.
html
-http://news.bbc.co.uk/2/hi/technology/6058912.stm

---

************************* Sponsored Links: ****************************

1) Security professionals will focus on fighting the most common threats to data at the SANS Secure Storage & Encryption Summit, December 6-7.
http://www.sans.org/info/1460

2) "Top 10 Questions You Must Ask Before Purchasing a SIM Solution" -a must-read for SIM shoppers.
http://www.sans.org/info/1461

************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Man Indicted in Dollar Tree Data Theft Case (6 October 2006)

One man has been indicted in connection with theft of money from bank accounts of Dollar Tree customers in California and Oregon. Parkev Krmoian allegedly used gift cards that had been reprogrammed as ATM cards to withdraw funds from bank accounts without authorization. Investigators also hope to learn the identity of a man who appears in a surveillance photo taken at an ATM where the cards were used.
-http://www.kcra.com/news/10012058/detail.html

POLICY & LEGISLATION

Swiss Banks Broke Laws by Not Informing Customers of Info Sharing (17 October 2006)

Switzerland's Federal Data Protection Commissioner Hanspeter Thur says banks in his country broke the law when they failed to inform their customers that they were sharing data with US authorities. The Society for Worldwide Interbank Financial Telecommunication (SWIFT), which manages international payments between banks, has allowed US authorities access to transaction data since September 11. Earlier this year, the Belgian Data Privacy Commission said SWIFT violated privacy laws by sharing the data in the first place.
-http://www.theregister.co.uk/2006/10/17/swiss_swift_transfers_illegal/print.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Visa and MasterCard Stop Accepting Purchases from AllofMP3.com (19 October 2006)

Visa International and MasterCard have stopped accepting credit card purchases from AllofMP3.com, a Russian web site that allegedly sells music in violation of copyright law. AllofMP3.com's web site operator says that because the web site pays royalties to a Russian licensing group, it is in compliance with Russian law. However, the music industry maintains "the Russian licensing group does not have the authority to collect and distribute royalties."
-http://www.smh.com.au/news/Technology/Russian-music-download-site-denies-violati
ng-copyright-laws/2006/10/18/1160850958655.html
-http://news.bbc.co.uk/2/hi/business/6065492.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Information Disclosure Flaw in IE7 (19 October 2006)

There are reports of a security flaw in Microsoft's newly released Internet Explorer (IE) 7. The same information disclosure flaw reported in IE6 last spring reportedly affects IE7 on Windows XP SP2. The flaw could be exploited when a user visits a maliciously crafted web site; it would allow the attacker to read data from another secure site to which the user is logged in. An attack would require manipulating the user into visiting the specially crafted site and knowing when the user might have another site with desirable information open.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9004259&intsrc=news_ts_head
-http://www.theregister.co.uk/2006/10/19/ie7_first_bug/print.html
In a related story, there are reports of spoofed email circulating that appears to come from Microsoft and offer a link to download IE7, but actually places a Trojan horse program on users' computers. The link sends uses to a site that looks like a Microsoft download site.
-http://www.vnunet.com/vnunet/news/2166697/spoof-microsoft-ie-emails
-http://www.theregister.co.uk/2006/10/18/hack_site_spoofs_ie7_download/print.html
[Editor's Note (Tan and Honan): Microsoft is aware of the vulnerability but has responded that this is not due to the newly released Internet Explorer (IE) 7. It is due to another Windows component in Outlook Express. This may exonerate IE 7, but it shows a major flaw has existed for a long time.
-http://blogs.technet.com/msrc/archive/2006/10/19/information-on-reports-of-ie-7-
vulnerability.aspx
-http://isc.sans.org/diary.php?storyid=1797]

Some Video iPods are Infected with Windows Worm (19 & 18 October 2006)

A small percentage of video iPods sold after September 12 were inadvertently infected with a worm that can spread to Windows PCs and connected external drives when the players are connected to the computers. The source of the worm has been identified as a Windows computer that was used to test the media player's software during the manufacturing process. The worm is known alternately as RavMovE.exe and W32/Rjump.worm, and opens a backdoor on infected devices. Apple has not recalled the infected iPods, and says current anti-virus signatures should detect and remove the malware. The worm does not affect iPods or Mac OSes. (Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/18/AR2006101801711_
pf.html
-http://www.usatoday.com/tech/products/2006-10-18-ipod-virus_x.htm
-http://www.securityfocus.com/brief/332
-http://www.apple.com/support/windowsvirus/
[Editor's Note (Honan) This story and several others show why people need to virus check all media and devices they attach to their PCs and networks before using them. ]

Oracle Issues 101 Patches (17 October 2006)

Oracle's quarterly security update includes patches for 101 vulnerabilities. Sixty-three of the patches are for flaws in the company's database products, 14 for flaws in application server products, 13 for flaws in e-business suites and nine for flaws in PeopleSoft and J.D. Edwards software. With the exception of the patches for vulnerabilities in e-business suites, all the fixes released on Wednesday are cumulative. Wednesday's update also marks the start of a new practice for Oracle's quarterly updates: the inclusion of additional information to help users understand what the patches do and which are the most critical to apply.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9004202

[Editor's Note (Schultz): Oracle CEO Larry Ellison once called Oracle "hack proof," something that very much runs contrary to the announced presence of 101 vulnerabilities in Oracle products. The consolation (however small) is that Oracle appears to be trying harder in communicating information about vulnerabilities in its products.
(Tan): Oracle continues to refuse to disclose the details of the vulnerabilities, but this time around, Oracle moved a step forward by adopting CVSS and providing the CVSS rating. This will help organizations to assess the risk and impact caused by the many vulnerabilities.
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct20
06.html
-http://blogs.oracle.com/security/2006/10/11#a33
-http://isc.sans.org/diary.php?storyid=1795]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

SEC Sees Upsurge in Attacks on Online Brokerage Accounts (16, 15 & 14 October 2006)

The US Securities and Exchange Commission (SEC) says there has been a noticeable increase in the number of attacks on online brokerage accounts in recent months. Cyber thieves are using keystroke loggers and spyware to help them access and drain unsuspecting individuals' accounts. The attacks appear to be emanating from Eastern Europe, Russia and the Ukraine. Approximately 25 percent of retail stock trades in the US are conducted online. Online broker Ameritrade said earlier this year that it would reimburse customers whose online accounts are looted by cyber thieves. Canada's Investment Dealers Association has noted similar attacks.
-http://msnbc.msn.com/id/15255062/
-http://software.silicon.com/security/0,39024655,39163261,00.htm
-http://www.itbusiness.ca/it/client/en/ComputerCanada/News.asp?id=40877
[Editor's Note (Pescatore): Phishing attacks are definitely moving towards higher value accounts. The protections put in place, both at the customer authentication side and at the back end fraud detection capabilities, both need to be upgraded. A coordinated approach to both will cost less per customer account than the costs of the successful attacks.]

STANDARDS & BEST PRACTICES

Microsoft Releases Privacy Guidelines (18 & 17 October 2006)

Microsoft has released privacy guidelines based on the company's own internal policies with the hope that organizations will implement "cohesive standards for safeguarding people's personal information." Topics covered include installing software on a customer's system, deploying a web site, storing and processing user data at the company and interacting with children.
-http://www.usatoday.com/tech/news/computersecurity/2006-10-17-microsoft-privacy_
x.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9004220
-http://www.microsoft.com/downloads/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec
-a18d1ad2fc1f&displaylang=en

MISCELLANEOUS

FBI Director Calls for ISPs to Retain Records of Users' Activities (18 October 2006)

Robert Mueller, director of the FBI, said on Tuesday that he wants Internet service providers (ISPs) to keep records of customers' online activities. Mueller cited the need to "find a balance between the legitimate need for privacy and law enforcement's clear need for access" to information regarding the activity of suspected criminals. Law enforcement organizations say that by the time they contact ISPs for information on suspects, the information they need is no longer available. Those in the information industry say law enforcement needs to act more quickly. ISPs generally do not keep records beyond those needed for business reasons. However, the Electronic Communication Transactional Records Act requires ISPs to keep records already in their possession for up to 90 days at the request of law enforcement.
-http://news.com.com/2102-7348_3-6126877.html?tag=st.util.print
[Editor's Note (Honan): The European Data Retention Directive requires all telcos and ISPs operating within the EU to retain call and Internet traffic for a minimum of 6 months and has resulted in major controversy regarding the invasion of citizen's liberties and privacy rights. The European Data Protection Supervisor, Peter Hustinx, has voiced concerns over the law and the group Digital Rights Ireland has started a legal action against the Irish Government. To quote Benjamin Franklin "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
(Ullrich): Its more then a balance of "need for privacy and law enforcement's clear need for access". Technical feasibility and cost are other important factors. ]

Ireland Now Issuing e-Passports (17 October 2006)

Ireland has launched e-passports, which contain microchips with biometric data about the holders. A chip reader is required to read the information on the embedded microchip and digital signatures can alert authorities if the data contained in the chip has been altered. The passport's chip also holds a digital image identical to the image in the passport. The arrival of Ireland's e-passport comes just days in advance of an October 26 deadline set by the US requiring machine readable biometric data on passports for those who wish to "take advantage of the visa waiver programme for short stays."
-http://www.theregister.co.uk/2006/10/17/ireland_epassport_launched/print.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single7203

High School Students Suspended for Accessing School PINs (12 October 2006)

An unspecified number of North Branch (MN) high school students have been suspended for accessing a list of student and staff PIN numbers used in the school lunchroom and media center. There is no evidence the students used the information they accessed, and at no time were data such as health records, grades or financial information ever accessed. A school computer lab manager detected the breach while performing a file clean up. The school is in the process of issuing new PINs. There are no plans to pursue criminal charges against the students.
-http://www.ecmpostreview.com/2006/October/12nbstsufoha.html
[Editor's Note (Ullrich): Germany started issuing "biometric passports" earlier this year. Biometric information is derived from the passport photo submitted by the applicant. The strict requirements for these photos have brought new live to small photographers as it is almost impossible to obtain them without professional help. On the other hand, important identifiers used in the past (e.g. ears) may now be missing from the picture.]

---

BEST RESPONSE TO THE CISO SURVIVAL NOTE

I am currently serving as a contractor for the US Army as the Technical Chief Information Security Officer for several military networks in Stuttgart Germany. Three years ago, I was appointed to my current position, replacing an individual who treated the position as one of 'cop', 'you will do as I say'. I was appointed to the position, with the promise on my part, and orders on my boss's part, to turn information assurance into a service. My job, as I see it, is not to enforce standards, that is really the CIO's job, but to provide technical advice to the CIO, advice which would match his own risk acceptance profile. I'm responsible for security, he is responsible for providing services, and security impacts that in a very significant way. Faced with security problems, my office doesn't direct, we don't have the authority. We provide alternatives and recommendations. The people responsible for operations and maintenance of systems also must satisfy the needs of the CIO, and know full well that operations include security, and the CIO here has made that clear. So rather than working in opposition to the systems administrators, we are really working with them, toward the goal of meeting the CIO's expectations, though sometimes looking at the problem from different angles. Sometimes I must adjust, sometimes they must adjust. We rarely go before the CIO with a disagreement. When I first took this job, I received a lot of help, advice, from more experienced information assurance professionals in the Department of Defense. I was warned that is a big mistake to try to think of security as a service. My experience has been that it is certainly more difficult, but my shop has been more successful. I have just been awarded the Presidents Award (essentially, employee of the year - 114 out of over 15,000 employees) for my efforts. I guess that was positive feedback.

David M. Funk, CISSP, CISA Technical Chief of Information Security Computer Sciences Corp HQ USEUCOM

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/