SANS NewsBites Vol. 7 Num. 63
From: The SANS Institute (NewsBites at sans.org)
Date: Tue Dec 20 2005 - 14:21:39 CST
A real Christmas present from the US Department of Homeland Security and
the US Department of Energy for everyone involved in securing SCADA and
control systems. Four very good courses on how to secure control
systems and SCADA systems will be given for free in Orlando on March 1,
as part of the SCADA Security Summit. Registration will open later this
week. All the free seats will be taken in about a week, so if you are
involved in building or operating or securing SCADA or other control
systems, or if you know someone who is, send an email (or have them send
an email) to info at sans.org with subject SCADA courses and your name and
organization and email and we'll get you word the minute the
registration site goes live later this week. The seats are available
first-come, first-served, and there is no restriction to US citizens.
Preliminary information on the Summit http://www.sans.org/scadasummit06
Final information will be posted when the site goes live this week.
Alan
*************************************************************************
SANS NewsBites December 20, 2005 Vol. 7, Num.63
*************************************************************************
TOP OF THE NEWS
Security Software Firm Hacked, Customer Records Stolen
IEEE Working Group Hones Data Storage Encryption Standards
THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
NY State Legislators Propose Anti-Phishing Law
SPYWARE, SPAM & PHISHING
FTC to Deliver Report on Effectiveness of CAN-SPAM Act
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Kazaa Parent Company May Face Contempt Charges for Failing to Deploy Filters
New RIAA Copyright Infringement Lawsuits Push Total past 17,000
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
IE Patch Causes Problems With Side-by-Side IE6, IE7 Beta Install
Dasher Worm Exploits MSDTC Flaw
ATTACKS & INTRUSIONS & DATA THEFT
Cyber Extortionists Hit Game Company
Sam's Club Data Breach May be Larger than First Believed
STANDARDS & BEST PRACTICES
NIST Releases Draft Specifications for Federal ID Card Biometric Data
STATISTICS, STUDIES & SURVEYS
Gartner Predicts IT Spending Will Grow Twice as Fast in 2006
*********************** Sponsored by Permeo *****************************
New eBook provides advice on combating information theft. "The
Definitive Guide to Information Theft Prevention" provides IT/ Security
professionals with advice on combating and preventing information theft
across the network. This eBook discusses information protection, privacy
regulations, threat identification and information security best
practices. You'll also get advice on risk management, incident response
& emerging security technologies.
Click here to download the eBook.
http://www.sans.org/info.php?id=969
*************************************************************************
TOP OF THE NEWS
--Security Software Firm Hacked, Customer Records Stolen
(20 December 2005)
Guidance Software, maker of forensics software used by law enforcement
and corporate investigators, sent letters last week informing customers
of the theft of their credit card data including the 3-digit CCV numbers
that are not authorized to be stored. One victim already reported
$20,000 in unauthorized charges against a credit card that was one of
those affected.
(registration required)
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html
--IEEE Working Group Hones Data Storage Encryption Standards
(15 December 2005)
The IEEE's Security in Storage Working Group is fine-tuning encryption
standards for data stored on disk and tape. The need for standards is
underscored by the loss of unencrypted tapes containing customer data
in several high profile cases. The working group anticipates approval
of the proposed standards, IEEE P1619 and P1619.1, Standard Architecture
for Encrypted Shared Storage Media, next year. The standards define
three encryption algorithms and a key management "method". Other
encryption protocols, such as Secure Sockets Layer (SSL), Secure Shell
(SSH) and IPSec encrypt "data in transit."
http://www.networkworld.com/news/2005/121505-tape-encryption.html?fsrc=netflash-rss
[Editor's Note (Pescatore): Anything that makes it easier to encrypt data
at rest is probably a good thing. Back in September, the big credit card
bureaus announced they were working on common standards for stored data
encryption - let's hope it is harmonized with this IEEE effort.
(Shpantzer): This is great and necessary for backups. However,
encrypting laptops and smartphones with sensitive information is just
as important, since unlike for backups destined for storage, there is
virtually no measure of physical security for these mobile computing
assets. Companies should also conduct audits of sensitive content on
laptops, such as offline copies of databases, which account for many of
the higher profile data losses in the past few years.]
************************ Sponsored Links: *******************************
1) Email threat protection for small and medium-sized businesses - get
our white paper now!
http://www.sans.org/info.php?id=970
2) Earn your Master's degree from a program that challenges you, but
enables you to be proud to be one of the information security elite.
http://www.sans.edu
*************************************************************************
THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
--NY State Legislators Propose Anti-Phishing Law
(18/16 December 2005)
Two New York state lawmakers have proposed the Anti-Phishing Act of
2005, legislation that would allow the state Attorney General and
legitimate companies whose systems and identities were used by phishers
to file civil claims against the perpetrators. They would be allowed
to sue for the greater of US$500 or actual damages for each violation.
California passed anti-phishing legislation in October 2005, and both
houses of Congress have bills in progress. A recent study found that
approximately 25 percent of Internet users receive phishing emails every
month; seven in 10 of those people believed the scam emails were
legitimate.
http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--internetphishing1218dec18,0,2841265,print.story
http://www.tmcnet.com/usubmit/2005/dec/1226779.htm
SPYWARE, SPAM & PHISHING
--FTC to Deliver Report on Effectiveness of CAN-SPAM Act
(18 December 2005)
On Tuesday, December 20, 2005, the Federal Trade Commission (FTC) will
issue a report to Congress on the effectiveness of the CAN-SPAM Act,
two-year-old legislation aimed at curbing unsolicited commercial email.
Executives at companies whose business it is to block spam believe
CAN-SPAM has not been effective in stemming the flow of spam.
http://www.computerworld.com/printthis/2005/0,4814,107187,00.html
[Editor's Note (Schultz): The fact that the CAN-SPAM Act has not been
very effective is pretty obvious, but you have to start somewhere, and
CAN-SPAM represents a bona fide start in the US. The most critical
advance in the war against spam would be to pass legislation in
countries that currently have no anti-spam legislation; many spammers
currently operate out of these countries without having to worry about
legal consequences.
(Grefer): I have yet to see even a single piece of CAN-SPAM compliant spam.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Kazaa Parent Company May Face Contempt Charges for Failing to Deploy Filters
(16 December 2005)
Kazaa parent company Sharman Networks may find itself in contempt of
court if record companies have their way. Sharman missed a
court-ordered December 5 deadline to deploy a keyword filter to its
software to prevent illegal file sharing. Sharman instead chose to
block people visiting its site from Australian ISPs from downloading
its file-sharing software and warned people in Australia not to use the
software. The court will consider the contempt motion on January 30,
2006. The charges carry a prison sentence.
http://www.pcworld.com/news/article/0,aid,123943,00.asp
http://www.smh.com.au/news/breaking/kazaa-facing-new-charges/2005/12/16/1134676443156.html
--New RIAA Copyright Infringement Lawsuits Push Total past 17,000
(16/15 December 2005)
The Recording Industry Association of America (RIAA) has filed copyright
infringement lawsuits against 751 individuals, including students at
several universities across the country, for allegedly sharing music
files on P2P networks. These are called "John Doe" suits because the
RIAA does not know the identities of the defendants; the RIAA will seek
court permission to proceed to discover the identities. RIAA has filed
an additional 105 lawsuits against named defendants in 12 states who
were at one time "John Does" as well. The RIAA has filed copyright
infringement lawsuits against more than 17,000 people since September
2003.
http://www.techweb.com/wire/ebiz/175004658
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/05/12/15/HNriaalawsuits_1.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--IE Patch Causes Problems With Side-by-Side IE6, IE7 Beta Install
(19 December 2005)
One of the patches Microsoft issued for Internet Explorer (IE) last week
is reportedly causing problems for people testing a beta of IE7
alongside IE6. Among the symptoms are blank links, multiple windows
opening when the browser is started and browser hang. A side-by-side
installation of IE6 and IE7 is "unsupported" according to IE security
project manager Jeremy Dallman, who recommended a fix that involves
deleting a Windows registry key and reinstalling IE7 in a way that
overwrites the existing IE6 install.
http://www.computerworld.com/printthis/2005/0,4814,107189,00.html
--Dasher Worm Exploits MSDTC Flaw
(16/15 December 2005)
The Dasher worm exploits a flaw in the Microsoft Windows Distributed
Transaction Coordinator (MSDTC) that was patched in October, 2005. At
least 3,000 systems were infected as of Friday, December 16. Once the
worm has infected a computer, it "contacts a central control server" and
receives a command to download a malicious payload from a remote FTP
server. Users are urged to apply the patch for the flaw that
accompanies Microsoft Security bulletin MS05-051; if they are unable to
do so, they should filter unsolicited inbound traffic on TCP port 1025.
There is concern that problems with the patch prevented some users from
installing it successfully. The MSDTC flaw is rated "critical" for
Windows 2000 systems.
http://www.techweb.com/wire/security/175004429
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/05/12/15/HNmsmalware_1.html
[Editor's Note (Pescatore): Users of Windows 2000 that have been unable
or unwilling to move to SP4 have been getting hit by exploits like this
one or Zotob, since Windows 2003 SP3 has been unsupported since July of
this year. Microsoft doesn't produce patches for W2000 SP3 or even
mention it in the patch releases since then. Back in late 2004
Microsoft gave plenty of warning about this, so folks staying with SP3
are consciously taking a risk. The only real choices are to enter into
a custom support contract with Microsoft, or put host-based intrusion
prevention software on all Windows 2000 SP3 machines.]
ATTACKS & INTRUSIONS & DATA THEFT
--Cyber Extortionists Hit Game Company
(19 December 2005)
Cyber extortionists have targeted White Wolf Publishing, a creator of
role-playing computer games. On December 11, the company received a
message from cyber thieves telling them they had broken through the
company's security measures and gained access to customer data. They
demanded money in exchange for not posting the information on the
Internet. White Wolf did not comply, and the cyber extortionists
emailed individual customers, telling them they could buy their data
back for US$10. White Wolf took down its online store for several days
to address the security flaw the intruders exploited. The FBI is
investigating.
http://news.com.com/2102-7349_3-6001566.html?tag=st.util.print
[Editor's Note (Northcutt): Part of White Wolf's response is a public
letter posted on their web site and others. This action may help other
people that receive extortion letters develop the courage to say no. I
certainly hope to see some folks from White Wolf's IT shop in Orlando
at SANS 2006; it would be great to get the story from their perspective:
http://www.white-wolf.com/
http://www.gamingreport.com/article.php?sid=19618
(Pescatore): This is a good example of how it is almost invariably less
expensive to protect your customers' data than it is to deal with the
problems that occur when you don't.
(Schmidt): A good investigation and successful prosecution of the
suspects in this case should help send a clear message that you can be
prosecuted for doing this and maybe get more victims to report these
incidents. The more people that report this to the authorities the
better chance we have to catch those involved.]
--Sam's Club Data Breach May be Larger than First Believed
(16/14 December 2005)
Evidence is mounting that the credit card data security breach reported
by Sam's Club earlier this month may have occurred over a longer period
of time and affected more people than was first believed. On December
2, 2005, Sam's Club said the credit card data were stolen between
September 21 and October 2, 2005 from people who bought gas at Sam's
Club fuel stations; at that time, Sam's Club said it was aware of
approximately 600 people who were affected by the breach. A California
man who experienced fraudulent activity on his credit card account says
he believes his account details were stolen by a card-skimming device
attached to the pump at Sam's Club on either November 2 or November 17,
considerably later than the dates Sam's Club had indicated. In addition,
the Alabama Credit Union issued new cards to 500 customers after
learning of the breach from the Credit Union National Association. If
just one financial institution had to block and reissue 500 cards, it
is likely that the number of people affected by the breach is greater
than first acknowledged.
http://www.computerworld.com/printthis/2005/0,4814,107067,00.html
http://www.al.com/business/huntsvilletimes/index.ssf?/base/business/1134728260278180.xml&coll=1
[Editor's Note (Northcutt): Another strong vote for the Visa/Mastercard
Payment Card Industry standard to prevent these sorts of incidents:
http://www.sans.org/sans2006/description.php?tid=264
(Kreitner): The required adoption of the Payment Card Industry Standard
should significantly improve credit card security as the many players
in the credit/debit card industry implement the twelve basic security
practices required by the standard. Other sectors would do well to
adopt the PCI Standard as a baseline of good information security
practice.]
STANDARDS & BEST PRACTICES
--NIST Releases Draft Specifications for Federal ID Card Biometric Data
(16 December 2005)
The National Institute of Standards and Technology (NIST) has released
draft specifications for biometric data used in federal identity cards.
The biometric specification for Federal Information Processing Standard
201, Personal Identity Verification, includes an interoperable standard
for storing "data extracted from fingerprint images," known as minutiae.
US federal agencies are required to start distributing the cards to
employees and contractors by October 27, 2006. NIST is accepting
comments on the draft specifications until January 13, 2006. The draft
specification also addresses facial biometrics.
http://www.fcw.com/article91747-12-16-05-Web
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37790
http://csrc.nist.gov/publications/drafts/800-76Draft/sp-800-76_draft.pdf
STATISTICS, STUDIES & SURVEYS
--Gartner Predicts IT Spending Will Grow Twice as Fast in 2006
(16/15 December 2005)
Gartner's Financial Management Compliance survey indicates that between
10 and 15 percent of IT budgets will be spent on financial compliance
and corporate governance in 2006. IT spending is expected to grow at
twice the rate it did in 2005, due largely to Sarbanes-Oxley and other
international corporate governance regulations. Gartner found that
large portions of discretionary resources are being redirected to
compliance with regulatory measures. The survey "polled 326 audit,
finance and IT professionals in North America and Western Europe."
http://news.zdnet.co.uk/business/management/0,39020654,39242336,00.htm
http://www.it-observer.com/articles.php?id=998
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/