SANS NewsBites Vol. 8 Num. 17

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Feb 28 2006 - 14:20:53 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We were all surprised that more than 420 people from 22 countries are
flying to Orlando for the first Process Control and SCADA Security
Summit this Thursday and Friday. As far as I know SANS has never had a
new security program that grew that large, that fast. Buyers of process
control systems appear to have decided it is time to join together, and
work with the vendors, to eliminate the major security vulnerabilities
in these critical systems. Kudos to them and to Chairman Dan Lungren of
the Cybersecurity Subcommittee of the House Homeland Security Committee,
who provided the initial energy that led to creation of the Summit and
who is helping with the 2006 SCADA Security Leadership Award
presentations at the Summit. If you didn't see the complete program -
it's quite amazing.
http://www.sans.org/scadasummit06/

                                 Alan

*************************************************************************
SANS NewsBites February 28, 2006 Vol. 8, Num. 17
*************************************************************************

TOP OF THE NEWS
  Dept. of Justice Says Google's Privacy Concerns are Unfounded
  Online Medical Records Raise Privacy and Security Concerns

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Chinese Engineer in Court for Mobile Phone Card Code Theft
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
    Auditor's Report Finds Computer Security Problems at IRS
  SPYWARE, SPAM & PHISHING
    Tool Kits Boost Number of Phishing Sites
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Adobe Fixes Flaw in Macromedia Shockwave Player Installer
  ATTACKS, INTRUSIONS & DATA THEFT & LOSS
    Ernst & Young Loses Five Company Laptops
  MISCELLANEOUS
    FBI Expands Debit Card Fraud Investigation
    Schwab Will Cover Losses from Online Fraud
    Shared Digital Files Could Pose Security Risk
    Author Describes Steps for Building Security in From the Start

************************** Sponsored by Symantec *************************

2006 Security Compliance Research Report: The Struggle to Manage
Security Compliance for Multiple Regulations Sponsored by the Institute
of Internal Auditors (IIA), the Computer Security Institute (CSI) and
Symantec, this report provides survey results that describe how
companies are managing requirements for multiple regulations, the
proportion of their IT budgets being devoted to compliance, and how
organizations are responding to improve security, demonstrate compliance
and reduce costs.
Download now! http://www.sans.org/info.php?id=1046

**************************************************************************
UPCOMING SECURITY TRAINING
As you can see at www.sans.org, more and more SANS classes are sold out
(the red triangles) so we have begun a policy of earlier posting of new
conferences. If you are thinking about turbocharging your security
career or the careers of any of your coworkers this spring, start
planning now to go to San Diego in early May. You'll find more than a
dozen of SANS' most popular courses and a vendor exposition, right on the
harbor in San Diego. http://www.sans.org/security06/
Or plan to come to Washington in July right after July 4 for the biggest
SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

 --Dept. of Justice Says Google's Privacy Concerns are Unfounded
(27 February 2006)
A legal brief from the US Justice Department rejects Google's arguments
for not complying with an order to provide DoJ with certain search
data, saying that the request does not threaten individuals' privacy. DoJ requested a
week's worth of search terms from Google as part of its efforts to
defend the 1998 Child Online Protection Act (COPA), which has been
challenged by the American Civil Liberties Union (ACLU). Google has
also argued that providing the information requested would disclose
trade secrets. The DoJ brief says they have "not asked Google to
produce any information that would personally identify its users."
Furthermore, "the government has a legitimate need for the disclosure
of data that is uniquely in Google's possession" and has requested that
Google be given 21 days to comply with the order.
http://news.com.com/2102-1028_3-6043338.html?tag=st.util.print

 --Online Medical Records Raise Privacy and Security Concerns
(26 February 2006)
Individuals' medical records are slated to begin migration to online
systems in Florida this year. Some are touting the benefits of a system
that will put medical records online so they can be monitored and
accessed by pharmacists and patients. Physicians will be able to file
prescriptions online and see what other medications an individual is
presently prescribed. This could help alert pharmacists to possible
drug interactions and aid physicians when patients arrive at hospitals
unconscious. Others are concerned about the privacy issues presented
by having medical records available online. If the records were to
become public, people could potentially lose jobs and be denied
insurance coverage.
http://www.news-press.com/apps/pbcs.dll/article?AID=2006602260459
[Editor's Note (Schultz): If the US government does not in general
adequately protect its systems and data, and if commercial and academic
institutions experience security breaches that result in massive
exposure of personal and financial data, is there any reason to expect
that the state of Florida (or any other state, for that matter) will
adequately protect online medical data? I think not. I fear that it will
be only a short matter of time before medical data of Floridians will
start to be compromised because of its online availability.
(Murray): By definition, leakage from such systems will have adverse
consequences. The question that must be answered is whether or not that
damage is worse than medical error and inefficiency.
(Kreitner): We have a history of coming up with new technologies and
then trying to figure out how to use them effectively. In the early
days of the last century, we built automobiles and then realized they
didn't do very well in muddy roads that worked perfectly well for
horses. Only then did we begin to build hard surface roads.]

************************** Sponsored Links *******************************

1) 100% Network Discovery - Realtime, Agentless, Network Discovery.
See your complete network for the 1st time.
http://www.sans.org/info.php?id=1047

2) SANS offers intensive security training - unavailable anywhere else
- in three dozen other cities and online training, too.
See http://www.sans.org/ for a complete listing.
**************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Chinese Engineer in Court for Mobile Phone Card Code Theft
(23 February 2006)
A Chinese computer engineer was in court last week for allegedly
stealing three million yuan (US$373,100) in electronic codes for prepaid
mobile phone cards. The man allegedly broke into the database of
Beijing Mobile, stole the codes and sold them on a Chinese Internet
auction web site. The man's scheme was discovered when some of the
purchasers complained to Beijing Mobile about expired codes.
http://www.shanghaidaily.com/art/2006/02/23/243796/Code_hacker_heard_in_Beijing_court.htm
[Editor's Note (Honan): This case highlights how one of the basic steps
in protecting your infrastructure, the changing of the default and
vendor-supplied passwords once installation is complete, can protect you
from unscrupulous engineers.]

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --Auditor's Report Finds Computer Security Problems at IRS
(27 February 2006)
According to a report from the Treasury Department's inspector general
for tax administration (TIGTA), the Internal Revenue Service (IRS) has
failed to maintain consistent security settings for its computers. Of
102 computers, just 41 percent are in compliance with the Federal
Information Security Management Act (FISMA); the other 59 percent of
computers are not in compliance or have at least one high-risk
vulnerability. TIGTA says system administrators should be held
accountable for "maintaining adequate security settings."
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=38341
[Editor's Note (Honan): Having "at least one high-risk vulnerability"
in itself is not the problem. It is how the risks relating to that
vulnerability are managed that is critical.
(Grefer): Holding system administrators accountable is all nice and
dandy, as long as said sysadmins are empowered to apply the necessary
changes and updates in a timely fashion.
(Murray): It is naive for us to believe that government security is
worse than other enterprises just because their audit reports are
public. It is equally naive to believe FISMA by itself will improve
government security.]

SPYWARE, SPAM & PHISHING
 --Tool Kits Boost Number of Phishing Sites
(27 February 2006)
The Anti-Phishing Working Group (APWG) says the number of phishing web
sites increased from 4630 to 7179 between November and December of 2005.
The number of phishing emails dropped in that same period. The increase
in the number of sites is thought to be due to the availability of easy
to use phishing tool kits.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39240328-2000061744t-10000005c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Adobe Fixes Flaw in Macromedia Shockwave Player Installer
(24/23 February 2006)
Adobe has issued an advisory, warning customers that a boundary error
in a Macromedia Shockwave Player Installer ActiveX control could allow
attackers to execute arbitrary code on vulnerable systems. The flaw
affects Shockwave Player 10.1.0.11 and earlier and occurs only during
installation. To exploit the flaw, attackers would need to trick users
into visiting maliciously crafted web sites. Adobe has fixed the flaw.
http://www.eweek.com/print_article2/0,1217,a=172169,00.asp

ATTACKS, INTRUSIONS & DATA THEFT & LOSS
 --Ernst & Young Loses Five Company Laptops
(26/25 February 2006)
Ernst & Young has acknowledged that it has lost a laptop computer
containing customer data, including Social Security numbers. The
company informed affected customers of the loss and potential data
security breach, but the loss was not made public until recently. The
computer was stolen from an employee's locked car. Scott McNealy, Sun
Microsystems CEO, was reportedly among those affected. Speaking at the
RSA Security Conference, McNealy indicated that he had been notified
that his data were among some lost, and added that the company that lost
the data is employed by Sun to determine its Sarbanes-Oxley compliance.
In addition, four Ernst & Young laptop computers were stolen from a
conference room on February 9, 2006. A surveillance camera caught
footage of the laptop thieves, who were able to enter the room due to a
built-in delay in the room's door locking mechanism.
http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/print.html
http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/cities_neighborhoods/weston/13947682.htm?template=contentModules/printstory.jsp
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/02/25/BUG2IHEGCC1.DTL&type=printable
http://www.theregister.co.uk/2006/02/26/ey_laptops/print.html
[Editor's Note (Kreitner): Do you think that the continuing string of
episodes like this one might be leading people to the conclusion that
having other people's personal and other sensitive data on our laptop
computers, unencrypted, is an unwise policy?
(Grefer): Cable locks are available for securing laptop computers. They
do not provide perfect protection but tend to act as a reasonable
deterrent.]

MISCELLANEOUS

 --FBI Expands Debit Card Fraud Investigation
(24 February 2006)
The FBI's investigation into a rash of fraudulent debit card activity
has moved from the Sacramento office to Charlotte, North Carolina, after
the agency learned that there may be a connection between the California
case and a case in North Carolina. Beginning in late 2005, banks and
credit unions in California started issuing new debit cards following
fraudulent transactions conducted at overseas ATMs.
http://news.com.com/2102-7348_3-6042217.html?tag=st.util.print

 --Schwab Will Cover Losses from Online Fraud
(23 February 2006)
Charles Schwab has said it will cover losses incurred by customers due
to online fraud. Customers who knowingly share their login information
with others are not covered, but fraud resulting from phishing attacks
and other malicious activity will be covered. E-Trade made a similar
announcement in January.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/23/BUGNEHCT5V1.DTL&type=printable
[Editor's Note (Pescatore): It is good to see E-Trade and Schwab take
this step, but in reality most financial companies have been covering
customer losses when it is clear that phishing or malware was the
culprit. As those "make good" costs mount, the payoff of moving to
stronger mutual authentication for Internet transactions becomes clearer
and clearer.
(Schultz): Some momentum is starting to build for financial and
brokerage institutions covering customer loss due to electronic fraud.
Hopefully, others will follow suit. If not, I'd bet that some kind of
federal legislation that includes this kind of provision will be passed
sometime in the not so distant future.
(Murray): Like banks, brokerage firms are responsible for ensuring that
all transactions are properly authorized. Like banks, they normally
meet this obligation late, i.e., by confirming the transaction to the
customer. Both are pretty good about making the customer whole. Banks
have been a little better about acknowledging the obligation and some
have even turned it to a marketing advantage. Brokerage firms have been
better at confirming changes of address to the old, as well as the new,
address, which is necessary to make the confirmation effective.]

 --Shared Digital Files Could Pose Security Risk
(23 February 2006)
Speaking at the recent RSA Security Conference, two consultants
described what they believe will be the next vector of attack for cyber
criminals: digital audio and video clips. Robert Baldwin and Kevin
Kingdon say that audio and video content could be exploited to install
spyware, steal data and attack systems because the content is able to
bypass security measures and play directly on users' machines. The
content could contain anti-piracy measures to prevent it from being
copied unlawfully, but the same software prevents the content from being
scanned by security programs.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1168617,00.html?track=sy160

 --Author Describes Steps for Building Security in From the Start
(23 February 2006)
Gary McGraw's new book "Software Security: Building Security In" focuses
on seven "touchpoints" for creating secure code from the beginning of
the development process: code review, risk analysis, penetration
testing, risk-based security tests, abuse cases, security requirements
and security operations.
http://www.eweek.com/print_article2/0,1217,a=172134,00.asp
[Editor's Note (Murray): Wrong focus. Most of these "touchpoints" are
about late flaw detection and removal. Deming tells us that one
achieves quality only by a process that prevents the flaws in the first
place. Programmers resist such methods. They prefer systems,
languages, development environments, and tools that reserve the greatest
flexibility to themselves. Management consents to this preference.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEBKPV+LUG5KFpTkYRAgyiAJ0WDK9gD3HUhxN1lkLcunH6/oPbrQCfSJeI
otJE7gafN3UU6gKdSAAMbuw=
=9rPz
-----END PGP SIGNATURE-----