SANS NewsBites Vol. 8 Num. 16

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Feb 24 2006 - 14:40:19 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites February 24, 2006 Vol. 8, Num. 16
*************************************************************************

TOP OF THE NEWS
  Major Mac OS X Flaw Surfaces
  Compliance Does Not Mean Security
  EU Justice Ministers Pass Data Retention Directive

THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
    Acxiom Data Thief Draws Eight-Year Sentence
    CardSystems Solutions Settles FTC Charges
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    eDonkey Server Shut Down
  ATTACKS & INTRUSIONS & DATA THEFT
    University of Northern Iowa Informs Employees of Possible Data Breach
  MISCELLANEOUS
    Deloitte & Touche Loses Disk with McAfee Employee Data
    Metadata Provides Identifying Info About Anonymous Source
    BP Takes Step Toward Deperimeterization of Security
    Canterbury University (NZ) Closes Online Record Access

***** SPONSORED BY SANS SECURITY SAN DIEGO and SANS FIRE WASHINGTON *****
As you can tell from the web site (www.sans.org), more and more classes
are filling early (the red triangles). If you are thinking about turbo
charging your security career or the career of any of your coworkers this
spring, start planning now to go to San Diego in early May. You'll find
more than a dozen of SANS' most popular courses and a vendor exposition
all right on the harbor in San Diego.
http://www.sans.org/security06/
Or plan to come to Washington in July right after July 4 (bring your
family for the national fireworks show) for the biggest SANS Fire ever:
with all 17 SANS immersion tracks and more than a dozen special courses
and a big exposition.
http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS

 --Major Mac OS X Flaw Surfaces
(22/21 February 2006)
A major flaw in Mac OS X allows attackers to run shell scripts on
vulnerable computers simply by tricking users into visiting maliciously
crafted web sites with the Safari browser. Apple says it is working on
a fix for the problem but has not specified when it will be available.
This is the third security issue to hit Mac OS X in a short period of
time; a Trojan horse program and a worm that affect the operating system
were detected recently. The new problem lies in the Mac OS Finder, an
operating system component that is used to view and organize files. The
OS decides which application to use to handle a file based on its
permissions, not its extension. While no attacks have been detected,
proof-of-concept exploit code is available. Meanwhile, users can
disable the "Open safe files after downloading" Safari option.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5429
http://news.com.com/2102-1002_3-6041685.html?tag=st.util.print
Internet Storm Center coverage: http://isc.sans.org/diary.php?storyid=1138
[Editor's Note (Paller, with guest editors Brian Caswell of SourceFire,
Jeff Plum of MedData and Brian Goldberg of Carbonite Labs): Attacks have
been seen; Macs are now being infected. They get infected just by
visiting an infected web site. To find out whether your system is
vulnerable, use the test at Secunia:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/
To remove the vulnerability from your Mac until Apple fixes the
problem, disable the "Open safe files after downloading" option in the
Safari browser.]
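The item above gives one concrete mitigation: turning off Safari's "Open safe files after downloading" option. The shell script below is an added example, not part of the newsletter or of Apple's tooling, that reports whether that option is still on so an administrator can check a fleet of Macs. It assumes the macOS `defaults` tool and the Safari preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain; an absent key is treated as Safari's shipped default, which was "on".

```shell
#!/bin/sh
# Added example (not from the newsletter). Reports whether Safari's
# "Open safe files after downloading" option is enabled, which is the
# setting the item above says to disable. Assumes the macOS `defaults`
# tool and the com.apple.Safari key AutoOpenSafeDownloads.

# Map a raw preference value to a state. A missing key means Safari is
# using its built-in default, which in the 2006 releases was "on".
autoopen_state() {
  case "$1" in
    1|true|TRUE|YES|yes) echo "on" ;;
    0|false|FALSE|NO|no) echo "off" ;;
    missing) echo "on (default)" ;;
    *) echo "unknown" ;;
  esac
}

# Read the live value; prints "missing" when the key or the tool is absent.
read_autoopen() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo missing
}

# Exit 0 when the option is off (mitigated), 1 when it is on, 2 when the
# value could not be interpreted.
check_safari_autoopen() {
  state=$(autoopen_state "$(read_autoopen)")
  echo "Safari AutoOpenSafeDownloads: $state"
  case "$state" in
    off) return 0 ;;
    on*) return 1 ;;
    *) return 2 ;;
  esac
}

# To apply the mitigation on a Mac (same key, written as a boolean):
#   defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
# Then restart Safari so it rereads its preferences.
```

Run `check_safari_autoopen` on each machine; a non-zero exit status flags a system that still has the option on. The value mapping is kept in its own function so the interpretation can be tested without a Mac.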

 --Compliance Does Not Mean Security
(22 February 2006)
Bruce Brody, former chief cyber security officer at the departments of
Energy and Veterans Affairs and current VP of information security at a
private market analysis company, says that compliance with federally
mandated IT security processes does not provide a good picture of
government systems' cyber security. The grades assigned to various
agencies based on Federal Information Security Management Act (FISMA)
compliance do not have much meaning. Brody made the statements to the
press following a closed-door meeting with CSOs from the Federal
Communications Commission (FCC), Departments of State, Commerce,
Treasury, Transportation and Housing and Urban development as well as
the US Senate. An August 2005 survey of CSOs found that FISMA
compliance is taking more time every year.
http://www.govexec.com/story_page.cfm?articleid=33439&printerfriendlyVers=1&
[Editor's Note (Schultz): I couldn't agree with Mr. Brody more.
Considering compliance and good security practices as equivalent is
specious. At the same time, however, a complete lack of compliance is
likely to equate to poor security practices.
(Paller): Bruce's comments are accurate and troubling. The amount of
money being wasted on federal contractors writing reports that are never
read, meeting compliance standards drafted by people who may never have
secured a computer, has reached crisis levels. Many agencies have to
choose between writing reports and securing their systems. Unreasonable
pressure from OMB forces them to spend so much money on the reports that
many do not have sufficient resources to invest in securing systems.
(Boeckman): This observation is absolutely correct. It makes one
wonder why the government spends so much time and money to comply with
these standards. It also begs the question that if FISMA is not a good
measure of security, what is? (Answer from Paller: the best hope for a
useful replacement for FISMA is the new BOSS benchmark being constructed
by 80 companies and government agencies working with the Center for
Internet Security. It has enough detail to be useful, has repeatable
measures, and reflects all the lessons learned in the VISA/PCI security
standards being used in tens of thousands of organizations that process
credit cards.)]

 --EU Justice Ministers Pass Data Retention Directive
(22/21 February 2006)
On Tuesday, EU Justice ministers passed a data retention directive
requiring Internet service providers (ISPs) and both mobile and fixed
line telecommunications providers to retain customers' communications
records for as long as two years. The data kept will include the date,
duration and destination of each instance of communication; content will
not be retained. Service providers will bear the cost of storing the
data. EU member countries must comply with the directive by August
2007. The directive was proposed following the 2004 train bombings in
Madrid. Some member states wanted the data retained for longer than two
years; other groups have expressed concern that the directive threatens
citizens' civil liberties.
http://networks.silicon.com/telecoms/0,39024659,39156685,00.htm
http://www.eubusiness.com/Telecoms/060221132715.m5qi2yet
http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-02-21T123127Z_01_L21613483_RTRIDST_0_OUKIN-UK-SECURITY-EU-DATA.XML
[Editor's Note (Multiple): ISPs hate the idea. They gave the UK
government "Internet villain of the Year" status for pushing this
standard: http://news.zdnet.co.uk/0,39020330,39254218,00.htm]

*************************** SPONSORED LINKS *****************************
1) "Top 10 Database Vulnerabilities" whitepaper - What they are, how
they work & how to stop them. http://www.sans.org/info.php?id=1040

2) New Chapter Alert: "Understanding Information Protection & Privacy
Regulations" from The Definitive Guide to Information Theft Prevention.
Learn more. http://www.sans.org/info.php?id=1041

3) Upcoming Webcasts next week - "Anatomy of an Attack" and "VoIP
Security" http://www.sans.org/info.php?id=1042 and http://
www.sans.org/info.php?id=1043
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Acxiom Data Thief Draws Eight-Year Sentence
(23 February 2006)
A Florida man has been sentenced to eight years in prison for breaking
into Acxiom Corp.'s database of consumer information and stealing more
than one billion records. Scott Levine was convicted in August 2005 of
120 counts of unauthorized access to a computer connected to the
Internet, two counts of device fraud and one count of obstruction of
justice. There is no evidence that Levine used the data to commit
identity fraud. Levine will also pay a fine of US$12,300; the amount
of restitution has not yet been decided. Levine is the former CEO of
Snipermail.com, a bulk emailing company.
http://news.com.com/2102-7348_3-6042290.html?tag=st.util.print
http://www.computerworld.com/printthis/2006/0,4814,108921,00.html

 --CardSystems Solutions Settles FTC Charges
(23 February 2006)
CardSystems Solutions has settled charges of failing to protect
sensitive customer data. The charges were brought by the Federal Trade
Commission (FTC) following a security breach that resulted in more than
260,000 cases of identity fraud. The company had been retaining data
from the magnetic strips of credit and debit cards and holding it
without adequate security measures. The company, which was bought by
Pay By Touch in December, will "implement a comprehensive security
program and obtain independent audits every other year for 20 years."
40 million accounts were determined to have been vulnerable.
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/23/AR2006022301047_pf.html
http://www.eweek.com/print_article2/0,1217,a=172109,00.asp

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --eDonkey Server Shut Down
(23/22 February 2006)
Police raids in Belgium and Switzerland have shut down Razorback2,
believed to be one of the largest index servers on the eDonkey file
sharing network. The servers held an index of an estimated 170 million
pirated files, according to RIAA. The server's owner was arrested in
Switzerland; equipment was seized in Belgium.
http://news.bbc.co.uk/2/hi/technology/4743052.stm
http://www.reghardware.co.uk/2006/02/22/cops_close_razorback2/print.html
http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-02-22T112125Z_01_L22660639_RTRIDST_0_OUKIN-UK-MEDIA-EDONKEY.XML
[Editor's Note (Murray): It is sad the debate over this regulation
degenerated into one over the length of time of the retention to the
exclusion of the wisdom of it. This information will be abused and
misused; it will leak. Its cost will be disproportionate to its value. ]

ATTACKS & INTRUSIONS & DATA THEFT
 --University of Northern Iowa Informs Employees of Possible Data Breach
(17 February 2006)
The University of Northern Iowa has sent letters to 6,000 employees
informing them that their personal data relating to Internal Revenue
Service W-2 forms was contained on a laptop computer that suffered a
security breach. University officials say there is no evidence that
personal information was accessed; a virus was found on the computer.
The employees were encouraged to monitor their financial accounts for
any suspicious transactions.
http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20060217/SPORTS0207/60217017/1001&template=printart

MISCELLANEOUS
 --Deloitte & Touche Loses Disk with McAfee Employee Data
(23 February 2006)
A McAfee spokesperson said that an external auditing firm lost a CD
containing the unencrypted names, Social Security numbers and McAfee
stock holdings of an unspecified number of current and former employees.
Deloitte & Touche acknowledged that an employee left the unlabelled CD
in the seat back pocket on an airplane. The missing disk was reported
to McAfee on January 11, 2006. The affected employees have been
notified.
http://news.com.com/2102-1029_3-6042544.html?tag=st.util.print
[Editor's Note (Pescatore): Since the old Network Associates (now
McAfee) had bought a large number of security companies, this incident
is actually impacting a lot of security folks! Hearing that companies
doing SOX audits allow their employees to carry sensitive customer data
on CDs to use on airplanes (exposing that data as a minimum to their
seat mates) is pretty depressing.
(Schmidt): Why would anyone have sensitive data like this on removable
media and not encrypted? When are policies about encrypting data on
media going to be standard? People will forget things and the need for
encryption of mobile devices/removable media is greater than ever.
Imagine how many flash drives have been lost that are not even talked
about.]

 --Metadata Provides Identifying Info About Anonymous Source
(22 February 2006)
Images accompanying a Washington Post story about a young man who spoke
anonymously about his botnet activities have been removed from the
paper's web site after it was discovered that they included metadata
tags that provided clues to the individual's identity. The article's
author declined to comment, citing confidentiality agreements with his
source.
http://www.eweek.com/print_article2/0,1217,a=172028,00.asp
[Editor's Note (Murray): This man is not Robin Hood. He steals capacity
and then uses it to contaminate the network and diminish trust. He
cannot decide whether he wants to make money or brag; he will find that
he cannot have it both ways. His customers are not much better than he.
If we are going to put reporters in jail for protecting whistle-blowers
and politicians, surely we can find a prosecutor and a judge to put one
in jail for protecting criminal scum. ]

 --BP Takes Step Toward Deperimeterization of Security
(21 February 2006)
BP has removed 18,000 company laptop computers from a local area network
(LAN) and set them up so they connect directly to the Internet even
while in the office. BP is a founding member of the Jericho Forum,
which espouses deperimeterization and encourages organizations to harden
all parts of their networks instead of relying on outward-facing points.
http://software.silicon.com/security/0,39024655,39156608,00.htm
[Editor's Note (Pescatore): This makes very little sense. BP still has
perimeter firewalls, it has to protect the servers and the rest of the
network. Any large corporation has to secure their laptops anyway - they
are often used outside the corporate firewalls. So, there really isn't
anything new here - it is really just a new name for defense in depth.
The Jericho Forum list of "What de-perimeterisation is *not*" pretty
much points that out.]

 --Canterbury University (NZ) Closes Online Record Access
(20 February 2006)
Canterbury University in New Zealand has closed online access to
student records after discovering that some students were able to view
others' records. The University is looking into the source of the
problem, which occurred during the school's enrollment period.
http://www.nbr.co.nz/home/column_article.asp?id=14415&cid=3&cname=Technology

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD/1kr+LUG5KFpTkYRAqQYAJ46P4HSFn1pwXYQOhzquimMmHwTzACeLO/T
y788DdpnkyqC4J5f0Y0qgyQ=
=UKxk
-----END PGP SIGNATURE-----