SANS NewsBites Vol. 8 Num. 22
From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 17 2006 - 14:03:51 CST
*************************************************************************
SANS NewsBites March 17, 2006 Vol. 8, Num. 22
*************************************************************************
TOP OF THE NEWS
DHS Scores F on Cyber Security Report Card
One-Third of Gas and Electric Utility IT Execs Fear SCADA Attack
UK Bank Issues Free Two-Factor Authentication to All Internet Customers
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Israeli Trojan Couple Plead Guilty
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Releases FIPS 186-3 Draft for Comments and Final Version of FIPS Pub 200
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Winny Exposes Data in Japan
Adobe Issues Fixes for Flash Flaws
Microsoft March Security Updates
Trojan Horse Holds Files for Ransom
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Stolen Ernst & Young Laptop Contains IBM Employee Data
OfficeMax Says "No Evidence of Security Breach"
MISCELLANEOUS
Judge to Rule Soon in Google Case
*************************** Sponsored by Permeo *************************
(Permeo Technologies was recently purchased by Blue Coat)
Get the latest SSL VPN buyer's guide
Considering SSL VPN for remote access? Download the latest Buyers Guide
from security analyst Mark Bouchard (CISSP) to learn how to evaluate SSL
VPN technology including features to look for and implementation best
practices. In addition, Mark discusses the importance of integrated
endpoint security and information controls.
Learn more. http://www.sans.org/info.php?id=1072
*************************************************************************
Upcoming Security Training in San Diego and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or to come to Washington in July right after July 4 for the biggest
SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************
TOP OF THE NEWS
--DHS Scores F on Cyber Security Report Card
(15 March 2006)
The US Department of Homeland Security (DHS) has received a failing
grade for its cyber security from the House Government Reform Committee.
The federal government is expected to receive an overall grade of
D-plus. The grades are based on the federal agencies' compliance with
requirements set out in the Federal Information Security Management Act
(FISMA). Some believe that money spent documenting compliance would be
better spent securing systems.
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589_pf.html
http://www.infoworld.com/article/06/03/15/76516_HNfedsecurityfailures_1.html
[Editor's Note (Ranum): Money spent toward producing documentation and
checking checkboxes ultimately does little more than create a priesthood
of box-checkers. One thing that is clear: using budgetary controls to
enforce standard compliance does not work.
(Schultz): The push for compliance within the US government arena has
been tremendously blown out of proportion. I'd like to conduct a study
in which standards frequently used for compliance such as NIST 800-026
and NIST 800-053 are followed to the "T" in a test environment, then
launch a barrage of attacks against the computing systems in that
environment. I'd wager a lot of money that many if not most of such
attacks would succeed.
(Paller): DHS isn't perfect, but the agencies that got high grades are
no better secured than the agencies that got low grades. Gene Schultz
and Marcus Ranum are exactly right. If the agencies are to be held to a
standard for security (as well they should be), let it be one that
measures the readiness of the systems and people to withstand attacks
and recover from them.]
--One-Third of Gas and Electric Utility IT Execs Fear SCADA Attack
(February 2006)
A Trusted Network Technologies survey of 50 US gas and electric utility
information technology (IT) executives found that 33 percent believe
SCADA (supervisory control and data acquisition) or distribution systems
will suffer an attack within the next two years. Twenty-one percent of
the respondents indicated their own systems had experienced outside
threats.
http://www.trustednetworktech.com/documents/UtilityIT.pdf
[Editor's Note (Paller): At the SCADA Security Summit two weeks ago, 300
utilities and pipeline companies and other organizations saw just how
their control systems can be penetrated. As a direct result, Will
Pelgrin, CISO of New York State has taken on the leadership of a
multi-national effort, now involving more than 100 utilities and others
at risk, to develop consensus minimum security procurement language for
maintenance of legacy control systems and for acquisition of new control
systems. This is the most important and promising security project in
the field; they expect to have a starter set of specifications within a
month or two. If you work for an organization that purchases control
systems and want to participate in the consensus project, email
info@sans.org with the subject SCADA Security Specs.
(Weatherford): This is a good news/bad news story. The good news is
that many of these IT executives recognize that there are threats to
their SCADA systems, and 70% believe both that they are fully compliant
with SOX requirements and that their internal controls are adequate and
effective. The bad news is that one-third of those surveyed say they
can *not* clearly identify "all interactions" of users and assets on
their SCADA networks.]
--UK Bank Issues Free Two-Factor Authentication to All Internet Customers
(16 March 2006)
Alliance & Leicester (A&L) has become the first bank in the UK to roll
out free, two-factor authentication technology to all its Internet
banking customers. Two other UK banks have been testing two-factor
authentication technologies with limited groups of customers. A&L plans
to add card-reading devices for its users to authenticate online
purchases once UK banking industry group APACS has established
applicable standards.
http://www.vnunet.com/computing/news/2152053/bank-strikes-back-id-cheats
[Editor's Note (Pescatore): Ah, those pesky readers. The solution A&L
is using is a product that fingerprints the user's PC, and uses that as
the second factor - there is no token, thus no need for a reader. It
also provides mutual authentication, an often overlooked need. However,
people who make transactions from multiple computers either have to
register multiple PCs or resort to standard shared secret verification.]
************************** Sponsored Links: *****************************
1) Check out a FREE DEMO of our latest development "SANS OnDemand -
Online Training & Assessments" - we're taking online training up a few
notches!
http://www.sans.org/info.php?id=1073
2) Free Sourcefire sponsored SANS Tool Talk webcast next week - "True
Intrusion Prevention - Protecting Against Threats From All Vectors, At
All Times"
Tuesday, March 21 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1074
3) Upcoming Free WhatWorks Webcast - "WhatWorks in Log Management:
Caring for Logs with Northwestern Memorial Hospital" Tuesday, March 28
at 1:00 PM EST
http://www.sans.org/info.php?id=1075
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Israeli Trojan Couple Plead Guilty
(15 March 2006)
Ruth Brier-Haephrati and Michael Haephrati have pleaded guilty to
industrial espionage charges in an Israeli court. The couple confessed
to developing a Trojan horse program that was sold to private
investigators who used it to spy on clients' business competitors. Ruth
faces up to four years in prison; Michael faces up to two years. Both
face a fine of one million New Israeli Shekels (US$214,000).
http://www.theregister.co.uk/2006/03/15/spyware_trojan_guilty_plea/print.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--NIST Releases FIPS 186-3 Draft for Comments and Final Version of FIPS Pub 200
(15/13 March 2006)
The National Institute of Standards and Technology (NIST) is accepting
public comments on its draft Federal Information Processing Standard
(FIPS) 186-3, Digital Signatures Standard, through June 12, 2006. It
is designed to replace FIPS 186-2, first issued in 1994 and revised in
1999. FIPS 186-2 permitted 512-bit and 1,024-bit cryptographic keys;
FIPS 186-3 would permit 1,024-bit, 2,048-bit and 3,072-bit keys. NIST
has also released the final version of FIPS Publication 200, Minimum
Security Requirements for Federal Information and Information Systems.
The publication establishes requirements in 17 areas, including access
control, audit and accountability, contingency planning and incident
response.
http://www.fcw.com/article92589-03-13-06-Web
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40127
http://csrc.nist.gov/publications/drafts.html
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Winny Exposes Data in Japan
(16/9/7 March 2006)
The Winny file-sharing program has exposed data at several Japanese
organizations. All Nippon Airways acknowledged that Winny exposed PINs
(personal identification numbers) required to enter restricted areas of
airports. A Toyama Hospital employee inadvertently allowed personal
data belonging to 2,800 surgical patients to be uploaded to the
Internet. Japan's National Police Agency has ordered that official and
private computers used by officers be subject to spot checks following
the discovery that information from investigations had been uploaded to
the Internet. The NPA also prohibits officers from using Winny on their
private computers. Japan's Chief Cabinet Secretary is encouraging
citizens not to use Winny. A March 15 editorial in the Yomiuri Shimbun
says that people should stop blaming Winny and take responsibility for
protecting sensitive data.
http://www.yomiuri.co.jp/dy/national/20060309TDY02002.htm
http://www.yomiuri.co.jp/dy/national/20060316TDY02008.htm
http://mdn.mainichi-msn.co.jp/national/news/p20060307p2a00m0na024000c.html
http://www.yomiuri.co.jp/dy/editorial/20060315TDY04006.htm
[Editor's Note (Schultz): The "lessons-learned" continue, and they
invariably point to the fact that file-sharing is downright dangerous.
With the possible exception of BitTorrent (which is used to download
Linux patches), security-conscious organizations need to go far out of
their way to ensure that file-sharing programs do not run on any of
their computing systems.]
--Adobe Issues Fixes for Flash Flaws
(15 March 2006)
Adobe has issued fixes for flaws in Flash Player version 8.0.22 and
earlier, Breeze Meeting version 5.1 and earlier and Shockwave player,
version 10.1.0.11 and earlier. Adobe encourages users to upgrade to
Flash version 8.0.24.0. The vulnerabilities are serious enough to
warrant a warning from Microsoft, which distributes Flash software with
Windows.
http://www.computerworld.com/printthis/2006/0,4814,109579,00.html
http://news.zdnet.co.uk/internet/security/0,39020375,39257495,00.htm
Adobe Advisory:
http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
--Microsoft March Security Updates
(14 March 2006)
Microsoft released bulletins describing two security updates on Tuesday,
14 March. MS06-012 addresses six critical remote code execution flaws
in Microsoft Office; five of these could be exploited with maliciously
crafted Excel files. The other update, MS06-011, addresses an
"important" privilege escalation flaw in Windows.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1172938,00.html
http://www.computerworld.com/printthis/2006/0,4814,109553,00.html
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx
[Editor's Note (Boeckman): While these are not extremely critical
vulnerabilities by Microsoft standards, the combination of multiple
vulnerabilities can increase the aggregate risk.]
--Trojan Horse Holds Files for Ransom
(15/14/13 March 2006)
The Cryzip Trojan horse program encrypts files on infected systems and
then demands US$300 ransom in exchange for the password to decrypt the
files. This particular piece of ransomware is flawed in that the
password is stored in plaintext on victims' computers. Cryzip
apparently searches for certain files once it has infected a computer
and uses a commercial zip library to encrypt the purloined files. It
is unclear how Cryzip is distributed.
http://www.eweek.com/print_article2/0,1217,a=173408,00.asp
http://www.securityfocus.com/brief/162
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39343678-39000005c
http://www.theage.com.au/news/breaking/pc-file-kidnappers-demand-ransom/2006/03/15/1142098506049.html
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Stolen Ernst & Young Laptop Contains IBM Employee Data
(15 March 2006)
A laptop computer stolen from an Ernst & Young employee's car contains
sensitive personal data belonging to thousands of current and former IBM
employees. Ernst & Young does tax work for IBM's overseas employees.
Ernst & Young has acknowledged the theft of five other laptops. One is
known to have contained personal information including that of Sun
Microsystems CEO Scott McNealy. Four others were stolen from a
conference room.
http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/print.html
--OfficeMax Says "No Evidence of Security Breach"
(15/14 March 2006)
Fourteen people, all US citizens, have been arrested in connection with
a debit card fraud ring that forced the replacement of hundreds of
thousands of cards. Recent stories have suggested that the fraud is
linked to the theft of a block of debit card PINs from a major retailer;
a county prosecutor says that the stolen data came from OfficeMax and
other companies. OfficeMax says that both an internal investigation and
an independent study found no evidence of a security breach exposing
customer financial data. OfficeMax is continuing to work with the US
federal law enforcement agencies in their investigation.
http://news.com.com/2102-1029_3-6049758.html?tag=st.util.print
http://news.com.com/2102-1029_3-6049290.html?tag=st.util.print
MISCELLANEOUS
--Judge to Rule Soon in Google Case
(15/14/10 March 2006)
US District Judge James Ware says he is likely to order Google to
provide the US Justice Department with at least some of the data it has
requested. Google initially refused to provide the Justice Department
with the data it requested, claiming it would violate customer privacy
and could potentially expose the company's trade secrets. The
government's initial request was for one million random web site
addresses and one week's worth of query terms. The request has been
scaled back to 50,000 web sites and 5,000 terms, with the Justice
Department examining just twenty percent of those. The government has
also agreed to compensate Google for eight days of programmers' time.
AOL, Yahoo and MSN have complied with the government's request, which
is being made in an effort to support its contention that filtering
software is not effective in protecting children from inappropriate
Internet content. The government is trying to defend the Child Online
Protection Act (1998), which was blocked by the Supreme Court.
http://www.silicon.com/0,39024831,39157220,00.htm
http://www.usatoday.com/tech/news/internetprivacy/2006-03-14-google-judge_x.htm
http://news.com.com/2102-1030_3-6048488.html?tag=st.util.print
http://news.bbc.co.uk/1/hi/business/4804182.stm
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/