SANS NewsBites Vol. 8 Num. 42
From: The SANS Institute (NewsBites@sans.org)
Date: Fri May 26 2006 - 14:55:43 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Good news and bad news on SCADA security:
[SCADA and process control systems are the computers that control
nuclear power plants, chemical plants, power stations, pipelines, dams
and other major critical infrastructure facilities]
Bad news first: Two SCADA systems have been penetrated for criminal
(extortion) activity. You can count on rapid expansion of this type of
crime.
Now the good news: The SCADA Security Procurement Project has made
extraordinary progress on developing procurement specifications so all
buyers can ensure they are acquiring the best security they can for
their control systems. Three SCADA/process control users are part of
the Vanguard Group, putting the new specifications to work in their
current procurements. The team at Idaho National Laboratory says they
can work with several other organizations planning procurements and that
such cooperation will help make the procurement language better. If
your organization will be acquiring a control system within the next
eight months, check out the project at:
http://www.cscic.state.ny.us/msisac/scada/
And if you are willing to consider confidentially participating on the
project with your upcoming procurement, contact Michael Assante at INL
(michael.assante@inl.gov) or Will Pelgrin, CISO of New York State
(william.pelgrin@cscic.state.ny.us)
Alan
PS We need your help on the Reading Room. See the Reading Room story at
the end of this issue.
*************************************************************************
SANS NewsBites May 26, 2006 Vol. 8, Num. 42
*************************************************************************
TOP OF THE NEWS
House Committee Approves Stronger Cybercrime Bill
565 Arrested in Global Fraud Sting
Sony BMG Rootkit DRM Settlement Approved
German Police Charge 3,500 eDonkey Users with Piracy
Survey Finds Americans Want Strong Data Security Legislation
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
OMB Directs Agency Privacy Officials to Hone Policies and Processes
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Lawmakers Livid Over Delay in Notification of VA Data Theft
American Red Cross Warns Blood Donors of Breach and Identity Fraud
Univ. of Delaware Investigating Data Security Breach
STATISTICS, STUDIES & SURVEYS
BSA Survey Finds Piracy Losses Total US$34 Billion
MISCELLANEOUS
Suit Alleges MPAA Paid Someone to Infiltrate Valence Media IT Systems
Improving the SANS READING ROOM (rr.sans.org)
******************** SPONSORED BY THE LOG MANAGEMENT SUMMIT *************
More than twenty pioneering log management users will be sharing the
lessons learned and best practices at the Log Management Summit July
12-14, 2006 in Washington DC. Here's what you'll learn:
How to find and stop phishing sites
Buy vs. Build -- tradeoffs
Legal foundations for log management
How log management helped catch four insider thieves at one site.
How log management stopped a spyware outbreak
How log management helps IT operations-beyond security
How log management helped stop a virus before it created havoc
The SANS consensus findings of the twenty most important log management reports and alerts
Solving the storage dilemma
Making Windows logging effective
The future of log management
Join 1,000 of your peers for SANSFIRE and/or the Log Management Summit
SANSFIRE: http://www.sans.org/sansfire06
Log Management Summit: http://www.sans.org/logmgtsummit06
*************************************************************************
TOP OF THE NEWS
--House Committee Approves Stronger Cybercrime Bill
(25 May 2006)
The House Judiciary Committee has approved a bill that significantly
strengthens federal cybercrime law and gives law enforcement additional
enforcement tools. Among the most important provisions: extortion based
on threats to access computers would become a crime if the bill is
enacted, as would the use of botnets.
http://www.scmagazine.com/uk/news/article/561126/stronger+cybersecurity+bill+passes+house+committee/
--565 Arrested in Global Fraud Sting
(24 May 2006)
Operation Global Con, an initiative targeting fraudulent marketing
schemes worldwide, has netted 565 arrests, according to US officials.
At least 2.8 million people fell prey to the scams and lost in excess
of US$1 billion. 139 suspects were arrested in the US; others were
arrested in Canada, Costa Rica, the Netherlands and Spain.
http://www.smh.com.au/news/Technology/500plus-nabbed-in-global-Internet-scams-US/2006/05/24/1148150288122.html#
http://releases.usnewswire.com/GetRelease.asp?id=66280
--Sony BMG Rootkit DRM Settlement Approved
(23 May 2006)
A US district court judge has approved a settlement in the Sony BMG
rootkit class action lawsuit. Sony must provide all affected consumers
with CDs free of the controversial digital rights management (DRM)
software; the settlement also calls for Sony to provide free music
downloads to those customers. The software, which was installed
automatically on users' computers when they played the disc for the
first time, was in essence a rootkit, and its file-hiding behaviour
could be exploited by other malware. The software also reportedly sent
information about the users' actions back to Sony. Under the terms of
the settlement, Sony has agreed to stop manufacturing CDs with the two
offending pieces of software. Sony will also submit any DRM software
it plans to use in the future to a third party for review and include a
description of the software with all CDs that contain it.
http://www.theregister.co.uk/2006/05/23/sony_rootkit_settlement/print.html
http://software.silicon.com/security/0,39024655,39159045,00.htm
[Editor's Note (Pescatore): I've seen reliable numbers that show the
Sony BMG rootkit software is on more than 10 million PCs world wide, at
least several million in the US. But, of course, rootkits' major mission
in life is to not let "affected consumers" know they have been affected
- I hope the settlement forces Sony to spend a lot of money finding
those PCs, not forcing the consumers to realize they have a problem.
(Shpantzer): I was at a DC area major bookstore chain this weekend and
they're STILL selling the Sony BMG CDs with MediaMax on them. I looked
for the logo on the label and there it was. What's the point of giving
customer refunds for a defective product if you're still selling it in
stores?]
--German Police Charge 3,500 eDonkey Users with Piracy
(24/23 May 2006)
German police have charged 3,500 eDonkey peer-to-peer (P2P) file-sharing
network users; each individual could face up to three years in prison
or fines of as much as 15,000 Euros (US$19,219) and may also be ordered
to pay compensation. The investigation focused on individuals who
uploaded significant amounts of music to file-sharing networks.
http://www.theregister.co.uk/2006/05/24/german_raids_on_filesharers/print.html
http://news.bbc.co.uk/2/hi/entertainment/5009224.stm
http://timesonline.typepad.com/technology/2006/05/music_industry_.html
--Survey Finds Americans Want Strong Data Security Legislation
(23 May 2006)
A survey from the Cyber Security Industry Alliance (CSIA) of 1,150 US
adults found 71 percent want the federal government to enact legislation
to protect personal data similar to California's data security law. Of
that 71 percent, 46 percent said they would consider a political
candidate's position on data security legislation and "have serious or
very serious doubts about political candidates who do not support quick
action to improve existing laws." In addition, half of those surveyed
avoid making online purchases due to security concerns.
http://www.fcw.com/article94613-05-23-06-Web
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/23/78609_HNdatapolitics_1.html
[Editor's Note (Schultz): These results as well as the lamentable recent
incident at the Veterans Administration once again show how badly the
US is in need of a statute that requires strong protection of such
information and prescribes strong punishments for individuals who fail
to provide such protection. Additionally, such legislation should
mandate prompt notification of individuals who are potentially affected
by compromises of personal and/or financial information.
(Weatherford): Big surprise here! Just look at today's NewsBites
articles: VA loses data on 26M Veterans; Red Cross warns donors of
possible Identity Fraud; University of Delaware Investigating Data
Security Breach. Is it any wonder the public doesn't trust
organizations to protect their personal data? Of course the bad news
is that our personal information simply isn't personal anymore!
(Pescatore): It is interesting to watch software industry lobbying
groups try to foster legislation that will drive demand for their
software while remaining amazingly silent whenever the topic of
liability or warranty is brought up for those same software products.
(Ranum): Notice the leading question: Do you "have serious or very
serious doubts about political candidates who do not support quick
action to improve existing laws"?]
************************* Sponsored Link: *******************************
1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and
assess your spyware risk exposure. http://www.sans.org/info.php?id=1175
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--OMB Directs Agency Privacy Officials to Hone Policies and Processes
(22 May 2006)
A memo from the Office of Management and Budget (OMB) acting director
Clay Johnson directs senior privacy officials at US government agencies
to "review ... policies and processes, and take corrective action as
appropriate to ensure your agency has adequate safeguards to prevent the
intentional or negligent misuse of, or unauthorized access to,
personally identifiable information." The results should be included
with agency Federal Information Security Management Act (FISMA)
compliance reports, which are due this fall.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40842
http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
[Editor's Note (Northcutt): According to the OMB memo: "The review shall
address all administrative, technical, and physical means used by your
agency to control such information, including but not limited to
procedures and restrictions on the use or removal of personally
identifiable information beyond agency premises or control." I am sure
this is a step in the right direction, but the number of breaches of
data from government and commercial organizations indicates too many
organizations consider discretionary access controls an acceptable
solution. They are not acceptable. If any NewsBites reader is using a
commercial encryption system for your production database and is
willing to share what tool you are using and how well you think it
works, please drop a note to stephen@sans.edu ]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Lawmakers Livid Over Delay in Notification of VA Data Theft
(25/24 May 2006)
US lawmakers are questioning the Department of Veterans Affairs'
decision to delay disclosing a security breach for two weeks. While
local law enforcement and the VA were notified of the theft "promptly"
following the May 3 theft, VA Secretary Jim Nicholson did not learn of
it until May 16. Nicholson has asked the VA's inspector general to find
out who knew of the breach and when they knew it; Nicholson has
acknowledged that the breach will cost in excess of US$100 million to
"fix." Bills in both the Senate and the House have been introduced to
provide for free credit reports and credit monitoring for veterans.
Some legislators have called for Nicholson to resign.
http://www.msnbc.msn.com/id/12953600/
http://news.com.com/2102-7348_3-6076100.html?tag=st.util.print
http://www.informationweek.com/showArticle.jhtml;jsessionid=5Q5RN2BO5EELQQSNDBOCKH0CJUMEKJVN?articleID=188500310
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000777
[Editor's Note (Schultz): The delay in notifying those who have been
affected by this ugly incident is inexcusable. Additionally, why was
there no policy forbidding personal data from being stored in laptop
computers? Alternatively, if data could be stored in such a manner, why
was there no policy that required encryption?
(Weatherford): Having been on the receiving end of these sharp arrows
of criticism, I realize how easy it is to arm-chair quarterback during
a crisis but this is simply ridiculous. Even recognizing the VA as a
massively bureaucratic organization, two weeks for the Director to learn
of something this significant is more than scandalous!]
--American Red Cross Warns Blood Donors of Breach and Identity Fraud
(24 May 2006)
The American Red Cross has warned approximately 1 million blood donors
in the Missouri-Illinois region that a former employee may have had
access to their personal information; the warning is being made through
the media and the Red Cross web site. Eight thousand donors whose data
were held in a database used by the employee received letters alerting
them to the danger of identity fraud posed by the data exposure; at
least four of the original 8,000 have experienced problems with identity
fraud. The Red Cross decided to inform all donors in the region due to
concerns the employee may have accessed additional records. The employee
used the stolen information to open credit card accounts and make
purchases using those accounts. The former employee has been indicted
on three felony counts of aggravated identity theft and one count of
credit card fraud.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000754
http://www.ksdk.com/news/news_article.aspx?storyid=97155
--Univ. of Delaware Investigating Data Security Breach
(23 May 2006)
The University of Delaware (UD) has notified more than 1,000 people that
their personal information, including names, Social Security numbers and
driver's license numbers, may have been compromised in a security breach
of a server at the school's Department of Public Safety. The
department, along with state law enforcement and the FBI, are
investigating the incident. The breach was detected on April 8 and the
department put its cyber incident response plan into effect. The
university's Office of Information Technologies has initiated a campaign
to educate various departments about the necessity of protecting what
they call "sensitive personal nonpublic information (PNPI)."
http://www.udel.edu/PR/UDaily/2006/may/breach052306.html
STATISTICS, STUDIES & SURVEYS
--BSA Survey Finds Piracy Losses Total US$34 Billion
(23 May 2006)
The Business Software Alliance's (BSA's) annual global PC Software
Piracy Study found that more than a third of packaged software on PCs
around the world was pirated. However, the level of software piracy is
declining in certain markets, including China, Russia and India. Of 97
countries in the study, more than half saw moderate declines in software
piracy; piracy increased in just 19 countries. Piracy levels in large
markets, such as the US, Western Europe and Japan, remained relatively
steady. Overall estimated losses from piracy were US$34 billion.
http://www.vnunet.com/vnunet/news/2156665/software-piracy-costing-34bn
http://www.siliconrepublic.com/news/news.nv?storyid=single6482
http://www.australianit.news.com.au/common/print/0,7208,19229878%5E15306%5E%5Enbv%5E,00.html
http://management.silicon.com/government/0,39024852,39159067,00.htm
http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39361394-39000001c
MISCELLANEOUS
--Suit Alleges MPAA Paid Someone to Infiltrate Valence Media IT Systems
(25 May 2006)
TorrentSpy operator Valence Media has filed a lawsuit in the US District
Court for the Central District of California alleging that the Motion
Picture Association of America (MPAA) hired someone to gain unauthorized
access to the company's IT systems to find evidence to use in its
copyright infringement suit against TorrentSpy, a file-sharing portal site.
http://www.eweek.com/print_article2/0,1217,a=179329,00.asp
[Editor's Note (Honan): This is a timely reminder that assessments of
external threats should include attacks motivated by commercial and
industrial espionage.]
-- Improving the SANS READING ROOM (www.sans.org/rr/)
By Stephen Northcutt
Hello, we need your help to keep the reading room as a useful resource
for the community. The list of people below are authors of popular
reading room papers that need to be updated. Sadly, we have lost
contact. If you are one of the people below and are willing to update
your paper, or willing to give us permission to update your paper for
you, please write me, stephen@sans.org. If you know someone on the list,
please give them a bump and suggest they reconnect with SANS!
John Mallery
Philip Craiger
Timothy Layton
Benjamin Huey
Christina Neal
Nancy Navato
Aaron Greenlee
Jamie Crapanzano
Dana Graesser
David Jarmon
Frederick Garbrecht
Patrick Lindley
Douglas Ford
David Carts
Philip Kaleewoun
Walter Patrick
Neil Cleveland
William Martin
Chaiw Kee
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely
recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent language consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
---end---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEd1KU+LUG5KFpTkYRAtozAJ98kNAkbWn5eSDgo+1GcRA4clbkeQCeLEUn
DlXcDIduU8BuutIEuymj5VQ=
=1XNe
-----END PGP SIGNATURE-----