SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #94

November 28, 2006

TOP OF THE NEWS

Guidelines for Financial Institution End-User Authentication May Not be Strong Enough
Phishers Hit VoIP
Mac OS X Spyware Detected
Panel Condemns SWIFT Actions

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Pirated Software Purveyors to Pay US$100,000 in Damages
DHS Hit with Complaint After Failing to Comply with FOIA Request
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Report Considers Software Threats for DOD
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Could DMCA Protect Malware?
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computers Hold Women's Health Information
Woman Allegedly Used National Lab Computer to Access Singer's Phone Account
MISCELLANEOUS
Disneyland Launches Biometric Ticketing
Metronet May be Fined for Software Problem that Shut Down Underground
Visa to Introduce Contactless Payment for Small Purchases in UK
HS Students' Parents Fight Expulsion for Cyber Intrusion

---

******** Sponsored By Check Point Software Technologies, Inc. **********

Secure your unsafe guest PCs. By giving you control over remote access by guest PCs, Check Point solves the problem of unmanaged remote endpoints compromising enterprise security. Our solutions stop password theft and enforce NAC policy, without pre-installed agents. To learn more, download the Solutions Brief on Remote Guest PC Access.

http://www.sans.org/info/2021

*************************************************************************

SANS 2007 (SANS' biggest annual conference, San Diego Mar. 29-Apr. 6) just opened for registration. SANS annual conferences stand out from all other programs because of the multitude of learning opportunities in one place (51 courses and lots of exhibits and BOFs) http://www.sans.org/sans2007/

"Fantastic! Ton's of information. My mind is now Jello- I'll be back next year" Kurt Danielson, National Marrow Donor Program

"My 4th SANS conference! Each time the instructors are top-notch and I come away amazed and educated." Bill Wildprett, Washington State CTED

"This conference really taught me the skills I needed to immediately improve the processes where I work." Karissa Truitt, AT&T Government Solutions

Or: Washington DC, Dec. 9 (16 courses) http://www.sans.org/cdieast06/
Orlando Bootcamp, Jan. 13 (25 courses): http://www.sans.org/bootcamp07/
Or San Jose, Phoenix, Prague, or Brisbane (5 or 6 courses)

See complete list of more than 70 upcoming programs in cities around the world at http://www.sans.org/training_events/?ref=1433

*************************************************************************

---

TOP OF THE NEWS

Guidelines for Financial Institution End-User Authentication May Not be Strong Enough (27 November 2006)

IT analysts and managers are concerned that federal guidelines for end-user authentication do not go far enough to secure customer data. While the "strong authentication" measures recommended by the Federal Financial Institutions Examination Council (FFIEC) are a step in the right direction, there are other vectors through which financial data security could be breached. The FFIEC guidelines are designed to bolster single-factor authentication; some attackers have already developed methods for circumventing the one-time password measures some banks have implemented in their two-factor authentication schemes. Financial institutions may also want to consider transaction-level controls and real-time online account activity monitoring.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=274881&taxonomyId=17&intsrc=kc_top
[Editor's Note (Pescatore): The FFIEC guidance focused on "risk based authentication" and does *not* just say "use strong authentication." - From the guidance "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." ]

Phishers Hit VoIP (26 November 2006)

Voice over Internet Protocol (VoIP) has become the latest vector of attack for phishers. Some attacks come in the form of emails asking the recipients to call a certain number to verify sensitive account data; the call is recorded. Other attacks come as phone calls in which the caller already knows the recipient's credit card number and asks for the security code for verification purposes.
-http://www.usatoday.com/money/industries/technology/2006-11-26-phishing-usat_x.h
tm?csp=34
[Editor's Note (Skoudis): We've seen cases in which the bad guys use VoIP services with phone numbers in large US cities (212, anyone?) to forward calls to an open-source PBX overseas, where users are greeted with voice prompts recorded directly from legit banks in the US. User education is paramount. Tell your users that they should call only the number on their credit cards to interact with their card provider. And, if the card is lost, get a phone number from the most recent billing statement. ]

Mac OS X Spyware Detected (27 & 24 November 2006)

The first spyware program for Mac OS X has been detected. The proof-of-concept code could potentially be installed without users' knowledge. The program, known as iAdware, installs itself as a System Library. It does not exploit a flaw, but takes advantage of a feature in Mac OS X to run each time an application is loaded.
-http://www.eweek.com/print_article2/0,1217,a=194912,00.asp
-http://www.theregister.co.uk/2006/11/24/mac_os_x_adware/print.html
[Editor's Note (Skoudis): Mac users must fight the feeling that they are invulnerable simply because they are using a different kind of computer. As a very happy Mac user myself, I feel this temptation, but it must be resisted. Macs are getting increased scrutiny as their numbers go up. I'm especially concerned about client-side vulnerabilities on the Mac, including Safari and Mail:App, which haven't gotten nearly as much scrutiny as IE, Firefox, and Outlook. Keep your Macs patched, and practice safe computing from them. ]

Panel Condemns SWIFT Actions (26 November 2006)

The Article 29 Working Party, a group looking into the issue of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) sharing transaction information with the US says that SWIFT must inform clients that their personal financial information could be given to US authorities. The group found that EU banks using SWIFT to conduct their financial transactions "share culpability" for the data exposure. The group also said that "the ... systematic, ... long-term transfer of personal data by SWIFT to the UST (US Treasury) in a confidential, non-transparent ... manner for years without effective legal grounds and without the possibility of independent control by public data protection supervisory authorities" violates EU data protection laws. The panel recommends that SWIFT stop violating the laws or face sanctions.
-http://www.independent.com.mt/news.asp?newsitemid=42551
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9005387&source=rss_topic17

---

************************ Sponsored Links: *****************************

1) "Top 5 Identity Theft Attacks on Web Applications" whitepaper - What they are, how they work & how to stop them.
http://www.sans.org/info/2026

2) "Top 10 Questions You Must Ask Before Purchasing a SIM Solution"-a must-read for SIM shoppers.
http://www.sans.org/info/2031

3) Protected against Malware? Think again! Download the Anti-Malware whitepaper from Secure Computing today.
http://www.sans.org/info/2036

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Pirated Software Purveyors to Pay US$100,000 in Damages (24 November 2006)

The Software and Information Industry Alliance (SIIA) has settled a case against two individuals who had been selling pirated copies of Norton security software on eBay over the past two years. Kevin Liu and GT Tian will pay US$100,000 in damages and have agreed to stop selling pirated software and to turn over records of their customers and suppliers to SIIA.
-http://www.theregister.co.uk/2006/11/24/ebay_pirates_payup/print.html
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284855-39001084c,00.htm

DHS Hit with Complaint After Failing to Comply with FOIA Request (23 November 2006)

The Electronic Frontier Foundation (EFF) has filed a legal complaint against the US Department of Homeland Security (DHS). DHS failed to reply to an earlier Freedom of Information Act (FOIA) request for documents regarding the way in which European airline passenger data are retained, shared, used and secured.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284843-39001093c,00.htm
-http://www.theregister.co.uk/2006/11/23/eff_suit_us_passenger_data/print.html
-http://www.eff.org/flag/dhs/dhs_complaint.pdf

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Report Considers Software Threats for DOD (27 November 2006)

A report from the Defense Science Board (DSB), due out in early 2007, will caution the US military that software made overseas could pose a serious security threat. The report will not recommend that all DOD software be made in the US, but will "call for a variety of prevention and detection measures," including peer reviews of code, the use of scanning tools to detect malicious code embedded in software and the enforcement of industry standards. Opinions differ on the level of risk posed by software written outside the US versus software developed domestically. The report will say that malware is a more serious issue than ever for DOD due to "the greater complexity of systems, their increased connectivity and the globalization of the software industry."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=274599&taxonomyId=17&intsrc=kc_top
[Editor's Note (Northcutt): SANS Postgraduate college recently posted an article on outsourcing and offshoring:
-http://www.sans.edu/resources/HardRealitiesofITOutsourcing.pdf
(Grefer): To assume domestically developed software is any safer is foolhardy. The same scrutiny and due diligence should be applied in either case. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Could DMCA Protect Malware? (27 November 2006)

The Digital Millennium Copyright Act (DMCA) could conceivably prevent anti-virus products from scanning malware protected by digital rights management (DRM) technology. According to Dave Marcus, security research manager at McAfee's Avert laboratories, whatever the content may be, DMCA rules would make it illegal to scan beyond DRM.
-http://www.itpro.co.uk/security/news/98862/copyright-protected-files-could-mask-
viruses.html
[Editor's Note (Skoudis): Most malware researchers want to isolate and thwart the replicating abilities of malicious code, which increasingly is protected using DRM mechanisms very similar to commercial software. One person's spyware is another person's meal ticket. Thus, by shutting off those malware "protection" mechanisms, the researcher could expose himself to legal challenge. For this reason, in our research practice, we don't "reverse engineer" malware, we "analyze" it. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Computers Hold Women's Health Information (25 November 2006)

Two computers stolen from a Jeffersonville, IN health center on November 6 contain sensitive personal information of more than 7,500 Indiana women. The health center had a contract with the state of Indiana to manage data for the state's Breast and Cervical Cancer Program. The data on the computers include names, addresses, birth dates, Social Security numbers (SSNs) and medical and billing information. The data are password protected at two levels. The women whose data were on the computers were sent letters notifying them of the theft.
-http://www.courierpress.com/news/2006/nov/25/women-alerted-to-id-theft-risk/

Woman Allegedly Used National Lab Computer to Access Singer's Phone Account (25 November 2006)

A former Sandia National Laboratories employee used the lab's computer to break into a cell phone company's web site and access the phone and email records of Linkin Park lead singer Chester Bennington. The woman allegedly viewed Bennington's phone bill, a list of the numbers he had dialed and pictures he had taken with his phone. The woman, Devon Townsend, also allegedly broke into Bennington's wife's email account.
-http://www.mercurynews.com/mld/mercurynews/entertainment/16098934.htm

MISCELLANEOUS

Disneyland Launches Biometric Ticketing (27 November 2006)

Disneyland has begun to implement biometric ticketing. Customers who choose to take advantage of Disneyland's Ticket Tag system provide their fingerprint, which is converted to a numeric value, run through a hash and encrypted. The system is also capable of detecting blood flow and cartilage to guard against the use of phony fingerprints. The system does not require Disney to store the entire fingerprint image, thus avoiding the associated security concerns. Customers are relieved of the need to provide photo IDs to prove their identities. The Ticket Tag system is currently available at Disneyworld in Florida and at two turnstiles at Disneyland Hong Kong. Visitors who do not want to submit fingerprints may still opt to show photo IDs.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284864-39001108c,00.htm
[Editor's Note (Pescatore): This is an anti-fraud effort Disney has been since 2005. The tradeoff is that the biometric system often slows entrance down - from the Disney ticket tag web site: "During times of the day when lines of guests waiting to get into the park are long, some parks will turn off the biometric scanners to allow faster entry for everyone. This is not always done and cannot be counted on to happen." ]

Metronet May Be Fined for Software Problem that Shut Down Underground (24 November 2006)

Metronet may face a fine of GBP 1 million (US$1.94 million) after a software problem caused the London Underground to shut down during rush hour last Monday; the problem caused delays throughout the rest of the week. New software uploaded over the previous weekend contained a revised timetable. Metronet is a "public-private partnership responsible for maintaining two thirds of the London Underground network."
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284859-39001068c,00.htm
-http://www.itweek.co.uk/computing/news/2169497/crash-behind-tube-chaos
[Editor's Note (Schultz): On the surface, Metronet's problem sounds like a failure to properly test software that is moved to production environments. ]

Visa to Introduce Contactless Payment for Small Purchases in UK (24 November 2006)

Visa is slated to introduce contactless payment in the UK by the end of 2007. Customers will be able to make small purchases, typically under GBP 10 (US$19), by waving their debit cards in front of a reader without the need to enter PINs or sign receipts. The system could also be used for toll roads, parking meters and other "unattended payment situations." The payment system will be piloted in London and then brought to locations throughout the UK.
-http://www.silicon.com/financialservices/0,3800010364,39164313,00.htm
[Editor's Note (Pescatore): Let's hope that the Visa UK contactless cards will actually turn on the security features built into the cards, rather than ignore security as seems to have happened in the early US rollouts.]

HS Students' Parents Fight Expulsion for Cyber Intrusion (22 November 2006)

The parents of two Central York High School students in Pennsylvania are fighting the expulsion of their children for allegedly breaking into the school district's computer system. The appeals filed against the Central York School Board claim the school district is violating the boys' civil rights by expelling them and ask the court to invalidate the expulsions. The students were initially suspended over the October intrusion.
-http://www.yorkdispatch.com/portlet/article/html/fragments/print_article.jsp?art
icleId=4704172&siteId=138
[Editor's Note (Schultz): The actions of the parents in this case show who the enablers of illegal behaviors such as the ones mentioned in this news item, namely the parents who are blaming everything and everyone except their own children--those who ostensibly stepped outside the boundaries of the law.
(Kreitner): Whatever happened to the time when, if you got into trouble in school, you were automatically in trouble with your parents, who respected the authority of teachers and school administrators? ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/