SANS NewsBites Vol. 8 Num. 39
From: The SANS Institute (NewsBites@sans.org)
Date: Tue May 16 2006 - 14:12:14 CDT
An important guest editorial by Lynn Goodendorf appears in this issue
after the TOP OF THE NEWS section. Apparently ICANN is contemplating
an action that may cause damage to the security of the Internet. The
guest editorial explains the problem and gives you a name and email
where you can express your opinion.
Alan
PS. This Wednesday (May 17) is the early registration deadline for
SANSFIRE, the largest security training conference and exposition in
Washington DC, featuring eighteen immersion tracks. Wednesday is also
the early registration deadline for SANS London.
SANSFIRE: http://www.sans.org/sansfire06/
SANS London: http://www.sans.org/london06/index.php
*************************************************************************
SANS NewsBites May 16, 2006 Vol. 8, Num. 39
*************************************************************************
TOP OF THE NEWS
SCADA and Process Control Systems Vulnerable to Attacks
House Committee Proposes Another Data Security Breach Bill
Australia Eases Certain Copyright Restrictions
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Former Dept. of Education Employee Gets Five Months in Prison for
Accessing Supervisor's Computer
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
FBI Cyber Division Gets New Assistant Director
POLICY & LEGISLATION
Regulators Hear About SOX Section 404 Compliance Woes
SPYWARE, SPAM & PHISHING
Kodak Online Photo Sharing Service Settles FTC Spam Charges
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Issues Security Alerts for OS X and QuickTime Media Player
FBI Investigating Malware Attack on Movie Theater Chain
STATISTICS, STUDIES & SURVEYS
Search Engines Return Malicious Links
MISCELLANEOUS
India Seeks to Create Oversight Body for Outsourcing Firms
Real Estate Company Settles with FTC Over Data Security Charges
******************** Sponsored By Blue Coat Systems, Inc. ***************
New security ebook on Information Theft Prevention
In The Definitive Guide to Information Theft Prevention, security author
Dan Sullivan provides advice on information protection and privacy
regulations; how to tackle threats from unmanaged devices; how to secure
managed devices; and how to leverage new security technologies. This
guide also discusses risk management, incident responses and emerging
best practices around information security.
Download the eBook now.
http://www.sans.org/info.php?id=1166
*************************************************************************
TOP OF THE NEWS
--SCADA and Process Control Systems Vulnerable to Attacks
(8 May 2006)
Cyber security experts say the supervisory control and data acquisition
(SCADA) and process control systems that control the nation's critical
infrastructure are not secure. The systems often run on older hardware,
built before security was a concern. An added problem is that some of
the systems have been connected to the Internet. These control systems
were one of six foci of critical vulnerabilities listed in a cyber
security checklist from the US Department of Homeland Security (DHS)-funded Cyber Consequences Unit.
http://www.fcw.com/article94273-05-08-06-Print
[Editor's Note (Schultz): I am currently one of the members of a team
that is researching this issue. Some of the case studies we have
gathered show that the problem of wide open SCADA and process control
systems is far worse than most people assume.
(Paller): Gene Schultz is correct about the scale of the problem. If you
want to know how big it really is, the highlights DVD from the SCADA
Security Summit provides extraordinary evidence, but there is a
promising development. One of the best things happening in information
security is the consortium of more than 100 utilities and state
governments and SCADA vendors that are developing consensus security
specifications that buyers can put in their contracts to ensure every
buyer can have state of the art security in their new and existing SCADA
systems. Will Pelgrin, CISO of New York State, and Mike Assante and
Rita Wells of Idaho National Laboratory, are presenting the current
status of the project in a webcast on Thursday, May 18, at 1:00 PM EDT.
You may tune in and ask questions at
http://www.sans.org/webcasts/show.php?webcastid=90722]
--House Committee Proposes Another Data Security Breach Bill
(12/11 May 2006)
US House Judiciary Committee Chairman James Sensenbrenner (R-Wis.) has
introduced another data security breach bill, the Cybersecurity
Enhancement and Consumer Data Protection Act of 2006 (HR 5318). This
bill would require organizations to inform the government within two
weeks when they suffer electronic data security breaches affecting
10,000 or more individuals; notification of consumers could be delayed
up to 30 days. Failure to comply would result in hefty fines and prison
sentences.
http://www.internetnews.com/bus-news/print.php/3605666
http://news.com.com/2102-7348_3-6071216.html?tag=st.util.print
[Editor's Note (Ranum): The overlapping bills regarding this topic are
going to be a fertile playground for lawyers and are going to do nothing
to improve security. As Bruce Schneier points out in his blog, some of
the bills have already been carefully spun by lobbyists so that
companies can fairly easily dodge the letter of the new laws as fast as
they come out.]
--Australia Eases Certain Copyright Restrictions
(15 May 2006)
Proposed changes to Australian copyright law will allow people to record
television and radio shows to be replayed once, but prohibit them from
lending the recordings to others. Current laws prohibit recording
anything from television and CDs. The proposed changes will also allow
people to move content between formats, for instance, from various media
onto iPods and other mp3 players. Australian Attorney-General Philip
Ruddock said "everyday consumers shouldn't be treated like copyright
pirates." The new laws allow the use of copyrighted material for satire
and parody and have exceptions for schools to use copyrighted material
for non-commercial purposes. The laws would also make it easier to levy
fines and impose other punishments on those who are guilty of copyright
piracy.
http://www.smh.com.au/news/breaking/new-laws-to-limit-use-of-tv-recording/2006/05/14/1147545211338.html
GUEST EDITORIAL: Get ready to use subpoenas instead of Whois
By Lynn Goodendorf, CISSP, CIPP
How do you contact a website owner whose domain name is the source of a
phishing or denial-of-service attack or appears to be generating spam?
What steps do you take to deal with sites posting deceptive, infringing
or other illegal content such as the fraudulent sites that appeared
after Hurricane Katrina? The first step is to use the "Whois" database
to obtain identity and contact information for the domain name
registrant. If accuracy and completeness in the Whois database is
critical to your organization, you need to communicate your views to
ICANN (Internet Corporation for Assigned Names and Numbers) before Whois
contact information goes away and your only recourse is to use more
expensive and time-consuming legal processes such as subpoenas.
Email Paul Twomey, President & CEO of ICANN, at twomey@icann.org or
icann@icann.org. Find details on this issue at:
http://gnso.icann.org/issues/whois-privacy/tf-report-15mar06.htm
*********************** Sponsored Link: ******************************
1) FREE Product Demo: Stop protecting while blind. Gain network
visibility now.
http://www.sans.org/info.php?id=1167
************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Former Dept. of Education Employee Gets Five Months in Prison for
Accessing Supervisor's Computer
(12 May 2006)
Kenneth Kwak has been sentenced to five months in prison for using
remote control software to access his former supervisor's computer
without authorization. Kwak read his supervisor's email and kept an eye
on his surfing habits; Kwak shared what he discovered with other
employees. Kwak was at the time a computer security specialist at the
Department of Education. Kwak will serve five months of home
confinement once he has completed his prison sentence. He has also been
ordered to pay US$40,000 in restitution to the US government and will
be on parole for three years.
http://news.com.com/2102-7350_3-6071928.html?tag=st.util.print
[Editor's Note (Honan): As with all positions of trust it is essential
that appropriate controls, audit trails and mechanisms are put in place
to ensure those entrusted with our security do not break that trust. In
effect we have to be able to "watch the watchers".]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--FBI Cyber Division Gets New Assistant Director
(10/8 May 2006)
James Finch has been named assistant director of the FBI's Cyber
Division; Steve Martinez has been acting assistant director since Louis
Riegel retired in February.
http://www.fcw.com/article94313-05-08-06-Web
POLICY & LEGISLATION
--Regulators Hear About SOX Section 404 Compliance Woes
(11 May 2006)
A roundtable discussion organized by the US Securities and Exchange
Commission (SEC) and the Public Company Accounting Oversight Board
(PCAOB) allowed companies to voice their concerns and complaints about
complying with the Sarbanes-Oxley Act (SOX) Section 404. SEC and PCAOB
representatives say they are willing to modify rules and standards to
ease compliance with Section 404, the costs of which, company executives
say, can outweigh the benefits of compliance. Section 404 hits small
companies especially hard, as they do not have the internal resources
to devote to compliance testing.
http://www.networkworld.com/news/2006/051106-sox-costs.html
[Editor's Note (Ranum): There appear to be very few benefits to
compliance for the taxpayers, shareholders, and customers - SOX has
rapidly become a jobs program for the high priesthood. You would think
that, by now, we'd have gotten the idea that "check box security" does
not work - it just looks good on paper.]
SPYWARE, SPAM & PHISHING
--Kodak Online Photo Sharing Service Settles FTC Spam Charges
(12/11 May 2006)
Kodak Imaging Network, an online photo sharing service once known as
Ofoto, has agreed to pay US$26,331 in penalties for violating the US
CAN-SPAM Act. The US Federal Trade Commission (FTC) charged that the
company violated the law by sending two million messages that did not
provide a means of opting out of receiving future email or a physical
postal address. The settlement bars the company from violating CAN-SPAM
at any time in the future; the company will also establish
record-keeping practices to allow the FTC to monitor its compliance.
http://money.cnn.com/2006/05/11/news/companies/kodak_spam.reut/
http://www.theregister.co.uk/2006/05/12/kodak_spam_fine/
[Editor's Note (Grefer): At a price of 1.3 cents per message this sounds
more like an invitation to follow their lead, rather than a penalty
designed to scare potential offenders away.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple Issues Security Alerts for OS X and QuickTime Media Player
(15/12 May 2006)
Apple Computer has issued two security alerts describing more than 30
flaws in Mac OS X and a dozen flaws in QuickTime media player software.
The flaws in OS X could allow attackers "to execute arbitrary commands,
bypass security restrictions, disclose sensitive information or cause a
denial of service." The vulnerabilities in QuickTime present security
concerns for both OS X and Windows computers; the flaws could be
exploited to hijack vulnerable machines.
http://news.com.com/2102-1002_3-6071833.html?tag=st.util.print
http://www.pcworld.idg.com.au/index.php/id%3B1209940133%3Bfp%3B16%3Bfpid%3B0
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1188049,00.html
http://docs.info.apple.com/article.html?artnum=303737
http://docs.info.apple.com/article.html?artnum=303752
--FBI Investigating Malware Attack on Movie Theater Chain
(11 May 2006)
The FBI is investigating an incident in which a worm shut down showtime
listings and ticket purchasing features at Muvico.com, a southeastern
US movie theater chain. Point-of-sale systems were also hit by the
worm, which prevented people from buying tickets with credit cards. A
fire alarm had gone off less than half an hour before the malware
disabled the systems, leaving company headquarters empty. A
spokesperson for the company said the attack appeared to be designed to
hurt the system but not to steal data. The Muvico.com server was
running Windows 2000. Muvico issued a press release about the attack
because it wanted to be forthcoming with its customers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000400&taxonomyId=85
[Editor's Note (Honan): Muvico should be commended for admitting they
were victims of an attack. Their admissions may encourage other
companies to review their own security mechanisms. Nothing increases
the sales of burglar alarms in a neighborhood like a break-in at a
neighbor's house.]
STATISTICS, STUDIES & SURVEYS
--Search Engines Return Malicious Links
(12 May 2006)
A study from McAfee found that people who use the five major search
engines, Google, Yahoo, MSN, Ask.com and AOL, visit malicious sites
approximately 285 million times every month by clicking on results
returned by the search engines. Sponsored links are nearly three times
more likely to link to malicious sites than are regular search results.
Measures being taken to protect search engine users include spyware
detection and removal tools and pop-up blockers and anti-phishing
filters in toolbars. Other search engines are taking steps to remove
the malicious sites from their indices.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000421&taxonomyId=85
[Editor's Note (Schultz): If these findings are indeed true, they are
terribly disconcerting. Most users cannot determine whether or not links
go to malicious sites, so any help that users get must come from the
search engines themselves.]
MISCELLANEOUS
--India Seeks to Create Oversight Body for Outsourcing Firms
(12 May 2006)
India's National Association of Software and Service Companies (NASSCOM)
is establishing an oversight body to monitor companies that handle
outsourcing contracts with foreign countries. Last year, several data
security breaches at Indian outsourcing companies doing work for Western
banks raised concerns. The organization would establish a code of
ethics and ensure that Indian companies adhere to it.
http://www.theregister.co.uk/2006/05/12/indian_security/print.html
[Editor's Note (Schultz): NASSCOM's taking this initiative is likely to
alleviate at least some of the security-related concerns that companies
in the US and elsewhere have about outsourcing work to India.]
--Real Estate Company Settles with FTC Over Data Security Charges
(10 May 2006)
The US Federal Trade Commission (FTC) has announced that Nations Holding
Co. (NHC), a real estate company, has settled a case brought by the FTC
alleging that NHC "allowed a common web attack to compromise customer
data." Under the terms of the settlement, NHC must improve information
security and "submit to biennial audits of its security practices for
the next 20 years."
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/10/78177_HNftcsettlescase_1.html
==end==
The Editorial Board of SANS NewsBites
Guest Editor Lynn Goodendorf, Vice President, Information Privacy
Protection, InterContinental Hotels Group
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent language consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/