SANS NewsBites Vol. 8 Num. 31

From: The SANS Institute (NewsBitessans.org)
Date: Tue Apr 18 2006 - 09:24:07 CDT


A big change coming in how system security is monitored: vulnerability
management and configuration auditing tools are being upgraded into
combined testing and remediation programs. This is a major change in
the way security will be done - combining auditing and operations.
What's the point of knowing that there are problems if the problems are
not being fixed? Today (Tuesday April 18) at 1 PM EDT a user who has
implemented such a solution will be interviewed in a SANS WhatWorks web
cast. To listen in or join the discussion pick the top web cast at
http://www.sans.org/webcasts/
                                   Alan

*************************************************************************
SANS NewsBites April 18, 2006 Vol. 8, Num. 31
*************************************************************************

TOP OF THE NEWS
  UK's Computer Misuse Act to be Updated
  China Will Ban Sale of Computers Without Pre-Installed Operating Systems
  Judge Finds Wells Fargo Not Negligent in Data Theft Case
  Interest in Data Retention Laws is Growing

THE REST OF THE WEEK'S NEWS
  POLICY & LEGISLATION
    Texas Governor Issues Executive Order Limiting P2P Use on State Systems
  SPYWARE, SPAM & PHISHING
    Australian Court Says Company and Owner Will Face Penalties for Spam
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Mozilla Releases Firefox Updates
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Univ. of South Carolina Students' SSNs Accidentally Exposed
  STATISTICS, STUDIES & SURVEYS
    Rootkit Attacks, Stealth Technologies Rise Sharply
  MISCELLANEOUS
    Company Reaches Settlement Regarding Deceptive Security Product
    RFID Zapper

*************************************************************************

TOP OF THE NEWS

 --UK's Computer Misuse Act to be Updated
(13 April 2006)
The UK's new Police and Justice Bill will update the outdated Computer
Misuse Act (CMA) of 1990 this summer. Section Three of the CMA will be
revised to make any unauthorized act performed against a computer an
offense. The term "unauthorized act" is deliberately undefined; the law
will no longer require data modification to have taken place to deem an
act an offense. In addition, denial-of-service has been made a specific
offense. People found guilty under the revised law will find themselves
faced with longer jail sentences.
http://www.silicon.com/publicsector/0,3800010403,39158043,00.htm
[Editor's Note (Schultz): To say that the CMA has been badly out of date
for quite a long time now is quite an understatement. On numerous
occasions individuals accused of launching denial of service and other
types of attacks could not be prosecuted in the UK under the provisions
of the CMA. The new bill will do a lot to bring this legislation up to
where it needs to be, particularly by greatly broadening the definition
of computer-related offenses.
(Ranum): If "unauthorized" includes spyware, this could be interesting.]

 --China Will Ban Sale of Computers Without Pre-Installed Operating Systems
(15 April 2006)
In an effort to fight software piracy, China expects to ban the sale of
computers without operating systems by the end of this year. While
computers sold without operating systems installed are less expensive,
some people have been installing pirated copies on their new computers.
An official with the Beijing Copyright Bureau says government
departments will be required to purchase computers with legitimate
software already installed.
http://www.shanghaidaily.com/art/2006/04/15/261660/IPR_protections_plan_in_Beijing.htm
[Editor's Note (Schultz): I have seen firsthand how blatant software
piracy is in some of the cities I have visited in China. By going ahead
with these plans, China will be making a giant contribution to the war
against software piracy.]

 --Judge Finds Wells Fargo Not Negligent in Data Theft Case
(14 April 2006)
A US District Judge in Minnesota ruled that two people who had filed a
class action lawsuit against Wells Fargo had not actually suffered any
damages and were thus unable to demonstrate "reasonably certain future
injury" due to the theft of computer hardware from a Wells Fargo
contractor. The hardware contained unencrypted Wells Fargo customer
data. The judge said the thieves never used the information and that
time and effort the plaintiffs spent monitoring their credit reports
"was not the result of any present injury, but rather the anticipation
of future injury that has not materialized." The judge found Wells
Fargo not negligent because the information was never misused by the
thieves.
http://news.zdnet.com/2102-9595_22-6061400.html?tag=printthis
[Editor's Note (Honan): This is a prime example of where the lack of
Data Protection legislation in the United States impacts negatively on
people affected by a company's lack of adequate controls to protect
customers' personal information.
(Schultz): This ruling constitutes an obvious setback in the struggle
to make organizations more accountable in handling and protecting
personal and financial information. I can nevertheless understand the
judge's logic, which in essence says that if you cannot show tangible
damage or loss due to a data confidentiality breach, the plaintiffs
cannot collect damages. At the same time, however, ruling that Wells
Fargo was not negligent makes little sense given the current impetus for
financial institutions to exercise due care in protecting customer
data.]

 --Interest in Data Retention Laws is Growing
(14 April 2006)
The idea of requiring Internet service providers (ISPs) to retain
records of customers' online activities is gaining interest among US
legislators. One US legislator says a data retention bill would help
law enforcement officials investigate crimes against children. Privacy
advocates are concerned about the passage of such legislation because
it would require the retention of data that would normally be kept for
only brief periods of time or not at all. ISPs also have reservations
and concerns about retaining data. Who will have authority to access
the stored records; who will pay the added costs of storing the retained
data; and do the current systems hinder police investigations, provided
the investigations are conducted in a timely manner? Both Department
of Homeland Security (DHS) Secretary Michael Chertoff and FBI Director
Robert Mueller have made comments that indicate they are in favor of
data retention.
http://news.com.com/2102-1028_3-6061187.html?tag=st.util.print

THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
 --Texas Governor Issues Executive Order Limiting P2P Use on State Systems
(13 April 2006)
Texas Governor Rick Perry has issued an executive order that prohibits
the unauthorized or illegal use of peer-to-peer (P2P) software on state
computer systems. Perry's order says the file-sharing software poses a
potential threat to network resources. In addition, P2P networks are
often used to share pirated copies of digital content. The policy would
not apply to the legislative or judicial branches of Texas government
or to Constitutional state officers.
http://www.fcw.com/article94067-04-13-06-Web
http://www.governor.state.tx.us/divisions/press/exorders/rp58
[Editor's Note (HONAN): An effective computer use policy will stipulate
that only authorized software should be installed on an organization's
computer systems and the necessary controls put in place to enforce and
monitor the policy. In this case, focusing on P2P software is not
necessarily the issue. One has to ask why are state employees allowed
to install software, of any kind, on their PCs in the first place?]

SPYWARE, SPAM & PHISHING
 --Australian Court Says Company and Owner Will Face Penalties for Spam
(13 April 2006)
An Australian Federal Court has rejected claims made by Wayne Mansfield
and his company Clarity1 in defense of their sending commercial email
messages. Mansfield claimed that the recipients of 56 million
commercial email messages had agreed to receive them and that the
company was allowed to use lists of harvested email addresses they
acquired before Australia's Spam Act took effect in April 2004.
Mansfield and Clarity1 will face penalties that have yet to be
determined.
http://www.zdnet.com.au/news/communications/print.htm?TYPE=story&AT=39251708-2000061791t-10000003c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Mozilla Releases Firefox Updates
(14 April 2006)
Mozilla has released an updated version of its Firefox browser, Firefox
1.5.0.2, which includes support for Mac OS X running on Intel
processors. Mozilla says the update is a "stability and security"
release because it includes fixes for critical security flaws as well
as other problems. Mozilla also released fixes for flaws in older
versions of Firefox and in the Sea Monkey browser suite. Some of the
Firefox flaws could be exploited by simply tricking users into viewing
maliciously crafted web pages.
http://www.computerworld.com/printthis/2006/0,4814,110541,00.html
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39251987-2000061744t-10000005c
Internet StormCenter: http://isc.sans.org/diary.php?storyid=1261
http://www.techweb.com/wire/185302849

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Univ. of South Carolina Students' SSNs Accidentally Exposed
(14 April 2006)
A database containing the Social Security numbers of as many as 1,400
University of South Carolina students was inadvertently attached to an
email regarding summer classes. The affected students have been
notified and advised to take steps to protect themselves from identity
fraud. The University of South Carolina is in the middle of switching
from using Social Security numbers as student identifiers to assigning
new student ID numbers; the change is scheduled to be complete in fall
2007.
http://www.msnbc.msn.com/id/12322162/

STATISTICS, STUDIES & SURVEYS
 --Rootkit Attacks, Stealth Technologies Rise Sharply
(17 April 2006)
According to statistics from McAfee's Avert Labs group, the number of
rootkit attacks detected in the first quarter of 2006 is 700 percent
greater than the number detected during the same period a year ago. The
number of rootkits designed to attack Windows-based systems increased
by 2300 percent between 2001 and 2005. In addition, Avert found that
the use of stealth technologies has increased more than 600 percent in
just three years.
http://news.com.com/2102-7349_3-6061878.html?tag=st.util.print
http://www.eweek.com/print_article2/0,1217,a=175797,00.asp
[Editor's Note (Boeckman): In the article, McAfee cites an
"open-source environment" as part of the problem with rootkit
proliferation. This would imply that if it was possible to stifle free
speech on the web, the problem would go away. I suspect it has more to
do with the fact that most Windows users operate with administrative
privileges.]

MISCELLANEOUS
 --Company Reaches Settlement Regarding Deceptive Security Product
(13 April 2006)
SoftwareOnline.com has agreed to a US$190,000 settlement in a case
brought by the Washington state Attorney General's (AG's) office. A
four-month investigation conducted by the AG's office resulted in
allegations that the company was offering computer users ineffective
free scans that inundated their computers with unwanted pop-up ads. The
company was also accused of not having an effective uninstall mechanism
and of adding products and services to customers' checkout forms. The
agreement stipulates that SoftwareOnline make changes to its marketing
practices and offer refunds to people who file complaints or request
refunds.
http://www.computerworld.com/printthis/2006/0,4814,110538,00.html

 --RFID Zapper
(Northcutt): Last week we ran a story on DDoS testing for RFID networks.
Chris Byrnes was kind enough to send me this link from a Gartner
security blog. What fun, what an important concept for people associated
with RFID technology to be aware of, an RFID Zapper:
https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
