SANS NewsBites Vol. 8 Num. 38
From: The SANS Institute (NewsBites at sans.org)
Date: Fri May 12 2006 - 12:42:16 CDT
*************************************************************************
SANS NewsBites May 12, 2006 Vol. 8, Num. 38
*************************************************************************
TOP OF THE NEWS
DDoS Attacker Can be Tried Under CMA, Says High Court
Three States Direct Officials to Take Extra Precautions with Diebold Touch Screen Machines
Judge Rules McKinnon May be Extradited
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
Hong Kong Court Says ISPs Must Divulge Names of Suspected Movie Downloaders
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Warner to Offer Digital Video Content Through BitTorrent
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Tuesday Addresses Two Critical Vulnerabilities
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Pentagon Notifying '01 Conference Registrants of Data Security Breach
Chip and PIN Fraud Hits Lloyds TSB
Nine Arrested In Connection with UK Shell Station Chip and PIN Fraud
MISCELLANEOUS
FBI Investigating Huge Cache of Personal Data Ripe for Identity Fraud
St. Louis Police Investigating Gas Pump Reprogramming Incidents
New Colorado Law Gives Teeth To State CISO
****************** SPONSORED BY SANSFIRE 2006 ***************************
TRAINING UPDATE SANSFIRE 2006 IN WASHINGTON DC
July 5-13 - Bring your family for the fireworks and stay for SANS
largest conference in Washington.
The industry's best security courses - extraordinary faculty;
authoritative up-to-the-minute material - shows you how to do the job
and gives you the confidence to go back and do it immediately.
"Jacked my paranoia level up around my ears, and then gave me the tools
to manage the threat." (Don Geiger, DCPS Division of Technology)
Offers every one of SANS' 17 immersion training courses plus 12 short
courses and a big exposition: SANS Security Essentials, Hacker
Exploits, System Forensics, Intrusion Detection, Auditing, plus training
for CISSP exam and all Technical certification required for DoD 8570 and
more. Plus special evening sessions by the global security leaders who
staff the Internet Storm Center.
http://www.sans.org/sansfire06/
*************************************************************************
TOP OF THE NEWS
--DDoS Attacker Can be Tried Under CMA, Says High Court
(11 May 2006)
David Lennon, who saw charges against him for deliberately overwhelming
his former employer's system with five million email messages dismissed
in November 2005, now faces a retrial. Judges at the Royal Courts of
Justice have ruled that people deluging others with spam may be
prosecuted under the UK's Computer Misuse Act. The judges ruled that
the extent of consent to receive email should be decided on a
case-by-case basis; they overturned a district judge's ruling that there
was no case against Lennon.
http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-05-11T143243Z_01_L1190263_RTRIDST_0_OUKIN-UK-CRIME-BRITAIN-SPAM.XML
http://news.zdnet.co.uk/internet/security/0,39020375,39268334,00.htm
--Three States Direct Officials to Take Extra Precautions with Diebold Touch Screen Machines
(10 May 2006)
Following the disclosure of a security hole in certain Diebold
electronic voting machines, officials in California, Iowa and
Pennsylvania have advised local officials to take steps to enhance the
security and reliability of electronic voting. A feature on Diebold
Election System touch screen voting machines could allow unauthorized
software to be loaded onto the machines. A Diebold spokesperson said
there is no evidence election results have been affected as the result
of the hole, but the company is nonetheless developing a fix to allay
fears. In Pennsylvania, local election registrars were instructed to
sequester the machines, and to reinstall the software just before
testing and certifying the machines. California and Iowa have seen
similar directives.
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/10/AR2006051002276_pf.html
http://www.chicoer.com/news/bayarea/ci_3805089
[Editor's Note (Pescatore): Read the story below on people reprogramming
gas pumps and then read the Blackboxvoting report on the most recent
vulnerabilities in these electronic voting machines - eerily similar.
Now, I may be picky but I would sort of like my voting machines to be a
bit more secure than my gas pumps. What really, really needs to be
looked at is what sort of certification process the states use that
allowed these machines to be accepted.]
--Judge Rules McKinnon May be Extradited
(10 May 2006)
A British judge has ruled that Gary McKinnon may be extradited to the
United States to face charges of illegally accessing nearly 100
computers and damaging Army, Navy, Air Force and NASA computer systems.
McKinnon maintains he was merely searching for hidden evidence of UFOs.
British Home Secretary John Reid must decide within two months whether
or not to approve McKinnon's extradition. McKinnon fears that if he is
tried in the US, he could be prosecuted under anti-terror laws and sent
to Guantanamo Bay, though he has received assurances that he will not
face a military tribunal.
http://www.timesonline.co.uk/article/0,,11069-2174108,00.html
http://www.mercurynews.com/mld/mercurynews/business/14546132.htm
*********************** Sponsored Links: ******************************
1) Free WhatWorks Webcast next week - WhatWorks in Log Management:
"Judging Log Management with San Bernardino County Superior Court"
Tuesday, May 16 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1148
2) Free Webcast next week - The Mobile User - Remote Access and Security
Gateways (Part 2)
Wednesday, May 17 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1149
***********************************************************************
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
--Hong Kong Court Says ISPs Must Divulge Names of Suspected Movie Downloaders
(10 May 2006)
A Hong Kong court has ordered four Internet service providers (ISPs) to
reveal the identities of 49 people who are suspected of illegally
downloading several movies. While last year a man was sentenced to
three months in jail for making movies available on the Internet with
BitTorrent technology, this is the first legal action taken by film
companies in Hong Kong against suspected downloaders.
http://australianit.news.com.au/articles/0,7204,19088317%5E15319%5E%5Enbv%5E,00.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Warner to Offer Digital Video Content Through BitTorrent
(9 May 2006)
Warner Bros. will begin offering movies and television shows through
BitTorrent peer-to-peer technology this summer. Movies will be
available for rental and purchase download on the Internet the same day
they are released in stores. The movies and television shows will play
only on the device used to download the content.
http://www.usatoday.com/tech/products/services/2006-05-09-warner-bros-p2p_x.htm
http://news.bbc.co.uk/2/hi/business/4753435.stm
[Editor's Note (Schultz): This is an innovative solution, one that is
well worth trying. I've said in previous editorial comments that the
entertainment industry is not faring well in its war against piracy, in
large part due to the fact that it has relied upon prosecuting those who
download movies and music. At the same time, however, Warner Bros.
should not expect smooth sailing with their new initiative. Many buyers
are likely to complain that under the new program they will be able to
play what they download on only one device.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Microsoft Patch Tuesday Addresses Two Critical Vulnerabilities
(10/9 May 2006)
Microsoft's monthly security bulletins for May address two critical
vulnerabilities, one in Exchange Server and the other in Adobe's
Macromedia Flash Player in Windows. A remote code execution flaw in
Microsoft Exchange Server could allow attackers to install programs,
alter and delete data and create new accounts. The flaw also has the
potential to be exploited by a worm. A problem in the way Adobe's
Macromedia Flash Player in Windows handles Flash animation (.swf)
files could be exploited to run code remotely and gain control of
vulnerable systems. A third vulnerability, in the Microsoft Distributed
Transaction Coordinator (MSDTC), received a severity rating of moderate.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39358489-39000005c
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1187464,00.html
http://www.theregister.co.uk/2006/05/10/ms_patch_tuesday/print.html
[Editor's Note (Pescatore): A heads up to enterprises: the Exchange
patch contains a previously documented Exchange default configuration
change that does a good thing (reduces default privileges) but can break
applications such as RIM Blackberry services. Microsoft and RIM seemed
to have worked together on this, but applying the patch to Exchange may
require configuration changes.
(Ranum): When is the patch madness going to stop? It's time for the
industry to realize that you cannot patch your way to security. That's
been an ongoing attempt for, what, 10 years now? It hasn't worked
because it isn't going to.
(Honan): This story highlights how important securing physical access
is in preventing data security breaches. Staff should be trained to
challenge people accessing areas or devices they should not and to verify
the identity of people claiming to be engineers or staff members from
supplier companies.]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Pentagon Notifying '01 Conference Registrants of Data Security Breach
(10 May 2006)
The Pentagon has acknowledged that a computer server in which a security
breach occurred in April contained personal data belonging to more than
14,000 people who registered for an August 2001 Defense Department
conference on health care fraud. Those affected are being contacted.
The data exposed includes names, Social Security numbers and credit card
information. Authorities are investigating the incident.
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/09/AR2006050901725.html
--Chip and PIN Fraud Hits Lloyds TSB
(11 May 2006)
Lloyds TSB has acknowledged it has been experiencing fraud problems with
chip and PIN technology; thieves are cloning credit and debit cards and
then using them at ATMs outside the UK. The bank does not monitor
foreign ATM transactions as part of its fraud detection system.
http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=408976&in_page_id=2&ito=1565
http://www.theregister.co.uk/2006/05/11/lloyds_tsb_chip_and_pin_fraud/print.html
--Nine Arrested In Connection with UK Shell Station Chip and PIN Fraud
(8 May 2006)
The UK's Apacs says that the chip and PIN fraud scam perpetrated at
Shell stations in the UK was "an inside job." Over GBP1 million
(US$1.88 million) was stolen from customers' accounts. Shell is
cooperating with a police investigation; nine people have already been
arrested. An Apacs spokesperson said that those responsible for the
scam must have had ready access to the PIN pads to be able to modify
them to allow the scam.
http://software.silicon.com/security/0,39024655,39158743,00.htm
[Editor's Note (Honan): Note recent TV reports claim the PIN pads were
changed by individuals masquerading as support engineers from the PIN
pad supplier company.]
MISCELLANEOUS
--FBI Investigating Huge Cache of Personal Data Ripe for Identity Fraud
(10 May 2006)
The FBI is investigating a cache of data containing personal information
belonging to thousands of people from countries around the world. The
information was discovered by Webroot software on a password-protected
FTP (file transfer protocol) server in the US and appears to be
connected to a Trojan horse program designed to activate when computer
users visit certain sites, in this case, certain banking and ecommerce
sites.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9000355&taxonomyId=17
--St. Louis Police Investigating Gas Pump Reprogramming Incidents
(8 May 2006)
Police in St. Louis, Missouri are investigating gasoline thefts at two
area stations. Apparently someone has been opening gas pumps and
reprogramming their internal keypads to avoid paying for gas. According
to one gas station manager, he and his employees do not have the codes
for the gas pumps' internal keypads. A company that services one of the
gas stations addressed the problem by removing the internal keypads.
http://www.ksdk.com/news/news_article.aspx?storyid=96404
[Editor's Note (Pescatore): But did they remove DIP switch jumpers,
PCMCIA or USB connectors in there? If they did, they are actually more
secure than the voting machines.]
--New Colorado Law Gives Teeth To State CISO
[From Mark Weatherford, CISO for the State of Colorado and NewsBites
editorial board member]
The Colorado State legislature has passed HB06-1157 "Concerning the
Security of Communication and Information Resources in Public Agencies"
with Senate Amendments; it now goes to Governor Owens for signature.
This model legislation provides for the formal appointment by the
Governor of a Chief Information Security Officer (CISO) and outlines
specific duties and responsibilities of the CISO. It also outlines the
responsibilities of Colorado public agencies to develop an information
security plan in accordance with CISO guidance. Most importantly, it
provides a specific timeline for implementation and also gives the CISO
authority to enforce the information security program. This legislation
will have a profound effect on our ability to secure the information
system resources in Colorado state government. This is not the
cleaned-up version the Governor will be signing.
http://www.leg.state.co.us/clics2006a/csl.nsf/fsbillcont3/1AC9702BE67DC94487257068005112E5?open&file=1157_ren.pdf
==end==
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent language consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/