SANS NewsBites Vol. 8 Num. 23

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Mar 21 2006 - 15:49:52 CST



The "minimum security skills" standard for level one system
administrators is now ready for review and prioritization. More than 40
organizations helped develop the current draft. If you have teams of
system administrators and would be willing to help us complete this
important project by asking your sysadmins to rate the tasks, please
email info@sans.org with the subject Level 1.

Also, the proposed new federal law on cybersecurity breach notification
deserves your attention. See the first story below.

                                          Alan

*************************************************************************
SANS NewsBites March 21, 2006 Vol. 8, Num. 23
*************************************************************************

TOP OF THE NEWS
  Proposed Data Breach Notification Law Draws Fire
  French Legislators Address Internet Piracy Penalties
  VeriSign Warns of New Type of DDoS Attack
  Visa Warns Transaction Software Could "Inadvertently" Store PINs and
    Other Sensitive Data

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Chinese Internet Journalist Receives Ten-Year Sentence
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
    DOD IG Report Says Missile Defense Agency Computer Network has
       Serious Security Flaws
    Red Cross VP/CIO Says Government Should Not Lead Emergency
       Response Plan
  SPYWARE, SPAM & PHISHING
    Microsoft Will File More Phishing Lawsuits
    Anti-Spyware Groups to Release Company Names This Week
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Apple Releases Third Patch for OS X This Month
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Bananas.com Informs Customers of Data Security Breach
  MISCELLANEOUS
    US Banks Offer Notification Services on Potentially Fraudulent
       Transactions
    Judge Orders Google to Turn Over Web Addresses but Not Query Terms
    Pennsylvania AG Seizes Newspaper's Hard Drives in Grand Jury Probe of
       Lancaster Coroner

************************** Sponsored by Permeo **************************
Blue Coat was formerly Permeo Technologies

New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author
Dan Sullivan provides advice on information protection and privacy
regulations; how to tackle threats from unmanaged devices; how to secure
managed devices; and how to leverage new security technologies. This
guide also discusses risk management, incident responses and emerging
best practices around information security.

Download Chapter 1 now! http://www.sans.org/info.php?id=1077
*************************************************************************
SANS Training in San Diego, Munich, London and Washington DC

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS

 --Proposed Data Breach Notification Law Draws Fire
(16 March 2006)
The House Financial Services Committee has passed the Financial Data
Protection Act of 2005, drawing the ire of groups committed to promoting
and protecting consumer privacy. The bill, known as HR 3997, would
supersede state data breach notification laws. It requires
organizations to notify customers of security breaches only when they
believe there is reasonable risk of harm to those customers. In
addition, HR 3997 would supersede state laws allowing consumers to place
freezes on their credit reports as a preventive measure against identity
fraud; the bill would allow a freeze only after someone has already been
the victim of identity fraud.
http://www.computerworld.com/printthis/2006/0,4814,109619,00.html
[Editor's Note (Paller): The debate over this bill heralds the elevation
of cyber security to a national political issue. Lou Dobbs of CNN
understands the issues and has agreed to use his position to increase
pressure on Congress not to weaken the consumer protections that
state disclosure laws now provide. This is a hot enough issue that
it will move voters away from candidates who pander to commercial
interests over those of consumers. These consumer interests coincide
well with the interests of cybersecurity professionals who care about
effective cybersecurity.
(Schultz): To say that this bill represents a definite setback to
consumer interests in the US is a gross understatement. I'm especially
concerned that the judgment of organizations that experience security
breaches would according to this law become the basis for determining
whether or not consumers are notified. If an organization is not
sufficiently conscious to adequately defend its own systems, how could
it be competent enough to know when to inform consumers? Also, a bill
that might limit consumers' ability to put freezes on their own credit
reports to protect themselves against identity fraud is lamentable.
(Honan): This legislation seems to be forgetting that the data belongs
to the consumer and not the organizations holding that data.
(Shpantzer): This bill should emulate the highest standard in the various
state laws, not the lowest common denominator. It's interesting to note
that politicians who claim to advocate for states' rights trample on
state laws when enough lobbyists come to pay them a visit, so to speak.]

 --French Legislators Address Internet Piracy Penalties
(19/17 March 2006)
French legislators have passed a bill defining the penalties for people
convicted of Internet piracy. Those convicted of "supplying software
enabling users to break copyright protection on DVDs or CDs" could face
up to six months in jail and a fine of 30,000 Euros (US$36,500). People
convicted of possessing and/or using the software will face lesser fines
of between 750 and 3,750 Euros (US$913 - 4,555). Amendments to the bill
could require companies that use digital rights management (DRM) to
publish details to allow the development of interoperable systems. The
bill would also make the development and use of peer-to-peer (P2P)
software illegal.
http://australianit.news.com.au/articles/0,7204,18498096%5E15306%5E%5Enbv%5E,00.html
http://www.computerworld.com/printthis/2006/0,4814,109720,00.html
[Editor's Note (Boeckman): Outlaw peer to peer software? Clearly, these
people do not understand how the software works, if they think they can
outlaw it.
(Grefer): Criminalizing the development and use of a whole category of
software (P2P) merely because there are people around who abuse it for
illegal and illegitimate purposes, sends the wrong message. Rather, the
misuse of said software should be criminalized. But, then again, it
already is. Once again, a case where special interest groups are using
politics to push through nonsensical legislation.]

 --VeriSign Warns of New Type of DDoS Attack
(17/16 March 2006)
VeriSign has warned of a new breed of distributed denial-of-service
(DDoS) attacks. Instead of using a botnet to inundate a targeted server
or network with queries, these attacks send huge quantities of queries
to domain name system (DNS) servers with the spoofed return address of
the intended victim, so the DNS server is, in essence, attacking the
target.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39344151-39000005c
http://www.techworld.com/security/news/index.cfm?NewsID=5586
http://www.cnn.com/2006/TECH/internet/03/16/internet.attack.ap/index.html
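A victim-side detection check for the reflected-DNS pattern described above, added here as an example; it is not part of the newsletter or of VeriSign's material. Because the attacker's queries carry the victim's spoofed source address, the victim sees DNS responses for queries it never sent, so the check flags responses with no matching outbound query. The log format, addresses and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow log (not from the article). Fields:
# timestamp src dst QR(Q=query, R=response) txid qname bytes
# 198.51.100.7 is the monitored host; the .53 addresses are open resolvers.
SAMPLE_LOG = """\
1142967600.001 198.51.100.7 192.0.2.53 Q 1a2b www.example.com 45
1142967600.020 192.0.2.53 198.51.100.7 R 1a2b www.example.com 120
1142967601.500 203.0.113.53 198.51.100.7 R 9001 example.net 3200
1142967601.501 203.0.113.53 198.51.100.7 R 9002 example.net 3200
1142967601.502 192.0.2.53 198.51.100.7 R 9003 example.net 3100
"""


def parse(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, qr, txid, qname, size = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "qr": qr,
            "txid": txid, "qname": qname.lower(), "size": int(size)}


def unsolicited_responses(log_text, host):
    """Return {resolver: (count, total_bytes)} for DNS responses delivered
    to `host` that no earlier query from `host` (same resolver, transaction
    id and name) accounts for. Those are the reflected packets."""
    outstanding = set()                 # queries host sent, not yet answered
    hits = defaultdict(lambda: [0, 0])  # resolver -> [count, bytes]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse(raw)
        if rec["qr"] == "Q" and rec["src"] == host:
            outstanding.add((rec["dst"], rec["txid"], rec["qname"]))
        elif rec["qr"] == "R" and rec["dst"] == host:
            key = (rec["src"], rec["txid"], rec["qname"])
            if key in outstanding:
                outstanding.discard(key)   # legitimate answer
            else:
                hits[rec["src"]][0] += 1
                hits[rec["src"]][1] += rec["size"]
    return {resolver: tuple(v) for resolver, v in hits.items()}


def reflection_sources(log_text, host, min_unsolicited=2):
    """Resolvers that delivered at least `min_unsolicited` unsolicited
    responses to `host`; the threshold is an assumed tuning value."""
    return sorted(r for r, (n, _) in unsolicited_responses(log_text, host).items()
                  if n >= min_unsolicited)


if __name__ == "__main__":
    for resolver, (n, nbytes) in unsolicited_responses(SAMPLE_LOG, "198.51.100.7").items():
        print(f"{resolver}: {n} unsolicited responses, {nbytes} bytes")
    print("flagged:", reflection_sources(SAMPLE_LOG, "198.51.100.7"))
```

In practice the per-resolver byte totals over a short window are the more useful signal, since the attack's leverage comes from large responses rather than packet count alone.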

**************************** Sponsored Links: ***************************

1) FREE Case Study/White Paper - SIEM Log Management Capability and
Capacity at EDS:
http://www.sans.org/info.php?id=1078

2) Free WhatWorks in Log Management Webcast next week - "Meeting HIPAA
Compliance Requirements for Log Monitoring at Northwestern Memorial
Hospital" Tuesday, March 28 at 1:00 PM EST
http://www.sans.org/info.php?id=1079

3) Audit 522: SANS(R) +S(TM) Training for the CISA(R) Certification Exam
via SANSHome starts March 23!
http://www.sans.org/athome/details.php?id=1419
See http://www.sans.org/athome/ for complete SANSHome listings.
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Chinese Internet Journalist Receives Ten-Year Sentence
(20/17 March 2006)
Chinese school teacher Ren Zhiyuan was found guilty of "subversion of
state power," and sentenced to ten years in prison. Ren posted an
article to the Internet that said people have the right to use violence
to overthrow a tyrannical government. Ren pleaded innocent at his
trial; his lawyer plans to appeal. International organization Reporters
Without Borders has condemned the sentence.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,109726,00.html
http://www.rsf.org/article.php3?id_article=16785

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --DOD IG Report Says Missile Defense Agency Computer Network has
    Serious Security Flaws
(20 March 2006)
A report from the Defense Department (DOD) inspector general (IG) noted
serious security flaws in the Missile Defense Agency's (MDA) computer
network. MDA and Boeing, a DOD contractor, permitted the use of group
passwords on the unencrypted portions of the Ground-based Midcourse
Defense (GMD) Communications Network (GCN). GCN, which links MDA radar
systems, missile sites and command centers, has no backup contingency
plan. In addition, GCN does not have "a system to conduct automated log
audits" despite the fact that DOD policies require network monitoring.
http://www.fcw.com/article92665-03-20-06-Print
http://www.fcw.com/article92672-03-20-06-Web

 --Red Cross VP/CIO Says Government Should Not Lead Emergency Response Plan
(16 March 2006)
Red Cross senior VP and CIO Steve Cooper says there needs to be a
national information technology emergency response plan, but does not
believe the federal government should be in charge of creating it.
Instead, Cooper suggests looking to the private sector. Cooper gave the
keynote address at the Information Processing Interagency Conference
2006 in Orlando, Florida. One panelist at the conference said the
government should not be left out of first response plans; another said
government should be kept out of everything but policy decisions.
http://www.fcw.com/article92624-03-16-06-Web
[Editor's Note (Shpantzer): Cooper may be onto something here. Whereas
the various levels of government failed miserably in certain aspects of
the Katrina recovery, we saw the private sector, with charities big and
small as well as corporations such as Wal-Mart, help tremendously in
bringing their logistical savvy to bear on the catastrophe.]

SPYWARE, SPAM & PHISHING
 --Microsoft Will File More Phishing Lawsuits
(20 March 2006)
Microsoft plans to file more than 100 lawsuits against phishing groups
in Europe, the Middle East and Africa. The lawsuits are part of
Microsoft's Global Phishing Enforcement Initiative and have grown out
of investigations by Microsoft, Interpol and police forces in various
countries. A round of similar lawsuits in the US brought about the
closure of more than 4,700 fraudulent sites.
http://news.bbc.co.uk/2/hi/technology/4825072.stm
http://www.theregister.co.uk/2006/03/20/ms_phishing_lawsuits/print.html
[Editor's Note (Honan): Kudos to Microsoft.]

 --Anti-Spyware Groups to Release Company Names This Week
(20 March 2006)
Two anti-spyware groups plan to release lists this week naming adware
companies and the advertisers that use the software. The Center for
Democracy and Technology (CDT) will release a list of the advertisers
that use adware; the Stopbadware Coalition will publish a report naming
programs on its Badware Watch List.
http://www.techworld.com/security/news/index.cfm?NewsID=5593
http://www.stopbadware.org/
http://www.cdt.org/press/20060320adwarerelease.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

 --Apple Releases Third Patch for OS X This Month
(17 March 2006)
Apple has released another patch for Macintosh OS X, the third this
month. The patch is believed to address problems with an earlier patch
which itself was issued in part to address problems with a previous
security update. Version 1.1 of the 2006-002 patch was released on
March 17; the original version was released on March 13. The SANS
Internet Storm Center urges users to apply the patch immediately.
http://www.techworld.com/security/news/index.cfm?NewsID=5590

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Bananas.com Informs Customers of Data Security Breach
(16 March 2006)
Bananas.com, a musical instrument and equipment web site, has notified
274 people that their credit card data may have been stolen as the
result of a security breach. The breach was uncovered when someone
offered the data for sale in an Internet chat room. Site administrators
added security measures after they became aware of the breach; they have
not yet discovered how the intruder got into the system.
http://news.yahoo.com/s/ap/20060317/ap_on_hi_te/web_site_breach
[Editor's Note (Pescatore): The article reads as a good lesson on what
not to do if you are accepting credit cards online. On a lighter note,
bananas.com seems to be largely alone in the "web sites named after
tropical fruit" category - they might have been assuming attackers would
first target kumquats, lemons or limes.]

MISCELLANEOUS

 --US Banks Offer Notification Services on Potentially Fraudulent Transactions
(17 March 2005)
In response to increasing concern about electronic data theft, some US
financial institutions have taken steps to keep their customers apprised
of questionable account transactions. Bank of America is offering
customers a service that will notify them of suspicious account activity
by email or text message. Washington Mutual Bank is providing a similar
service. Both banks were recently obliged to reissue thousands of debit
cards following a rash of fraudulent transactions.
http://software.silicon.com/security/0,39024655,39157302,00.htm
[Editor's Note (Honan): This is a welcome initiative and one that, I
hope, other banks will take on. Banks are in a better position than
consumers at early identification of possible fraudulent transactions.
This proactive measure is one that should be seen as an example of how
security measures can be used to enhance the marketing of a company's
product or service.]

 --Judge Orders Google to Turn Over Web Addresses but Not Query Terms
(20/19 March 2006)
US District Judge James Ware has ordered Google to submit 50,000 web
addresses to the US Justice Department, but denied the government's
request for a list of query terms. The Justice Department is seeking
the data in an effort to defend the Child Online Protection Act (COPA,
1998), which was ruled unconstitutional by the US Supreme Court because
of how it was to be enforced. The US government hopes to demonstrate
that filtering technologies are not effective in preventing minors from
accessing inappropriate content.
http://news.bbc.co.uk/2/hi/technology/4821858.stm
http://www.zdnetasia.com/news/internet/printfriendly.htm?AT=39344741-39001260c
http://www.computerworld.com/printthis/2006/0,4814,109718,00.html
http://i.n.com.com/pdf/ne/2006/google_case.pdf

 --Pennsylvania AG Seized Newspaper's Hard Drives in Grand Jury Probe
    of Lancaster Coroner
(16 March 2006)
In an attempt to gather evidence in a grand jury probe into whether or
not Lancaster (PA) coroner G. Gary Kirchner provided journalists with
his "password to a secure law-enforcement web site," the Pennsylvania
Attorney General's office has seized four computer hard drives from the
Lancaster Intelligencer Journal newsroom. The state supreme court had
earlier in the week upheld a lower court ruling that rejected the
newspaper's attempts to withhold the information. The attorney
general's office says it will limit its examination of the computer hard
drives to that particular web site.
http://www.yorkdispatch.com/pennsylvania/ci_3608667
http://mediachannel.org/blog/node/3696

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
