SANS NewsBites Vol. 8 Num. 18

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 03 2006 - 10:25:32 CST



A little controversy.
Are the books on secure programming actually changing programmer
behavior? If you have proof that any of the books on secure programming
have made a significant difference in program habits, please let us know
so we can highlight the publication.

Separately, online security awareness training just got a huge boost in
effectiveness. 45 senior security managers reviewed the new technology
and over half decided to bring it in house. For information on the new
technology email awareness@sans.org

*************************************************************************
SANS NewsBites March 3, 2006 Vol. 8, Num. 18
*************************************************************************

TOP OF THE NEWS

  IT System Auditor Pleads Guilty to Computer Break-in
  AOL Files Lawsuits Against Phishing Groups
  Apple Security Update Addresses 20 Flaws, Including Safari Hole

THE REST OF THE WEEK'S NEWS
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Four Plead Guilty to Music Piracy
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Proof-of-Concept Virus is First to Spread from Desktops to Mobile
       Devices
    Oracle Issues Out-of-Cycle Fix
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    State of Ohio Questions Delay in Learning of Laptop Theft
    Bank of Bermuda Cancels, Reissues Cards After Learning of Security
       Breach
    DDoS Attackers Turn to High Profile Blogs
    Cancer Center Says Insurance Claim Data on Stolen Laptop Was
       Encrypted
  STATISTICS, STUDIES & SURVEYS
    Japan's National Police Agency Notes Increase in Cybercrime Arrests
  MISCELLANEOUS
    Exam Requires Students to Scan Internet Servers

********************** UPCOMING SECURITY TRAINING ***********************

As you can see at www.sans.org, more and more SANS classes are sold out
(the red triangles) so we have begun a policy of earlier posting of new
conferences. If you are thinking about turbo charging your security
career or the careers of any of your coworkers this spring, start
planning now to go to San Diego in early May. You'll find more than a
dozen of SANS most popular courses and a vendor exposition, right on the
harbor in San Diego. http://www.sans.org/security06/

Or plan to come to Washington in July right after July 4 for the biggest
SANS Fire ever: with all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

 --IT System Auditor Pleads Guilty to Computer Break-in
(2 March 2006)
Kenneth Kwak has pleaded guilty to unauthorized access to a protected
computer in furtherance of a criminal or tortious act, according to the
US Department of Justice. Kwak was working as a system auditor
performing Federal Information Security Management Act (FISMA) audits
for the Department of Education's Office of Inspector General. He
allegedly placed software on his supervisor's computer that allowed him
to view the supervisor's email and Internet usage. If convicted of all
charges against him, Kwak could face up to five years in prison and a
US$250,000 fine.
http://www.computerworld.com.au/pp.php?id=1689984712&fp=2&fpid=1
[Editor's Note (Schultz): This incident in many respects comprises a
worst case scenario because IT auditors are highly trusted within the
organizations that they serve. Whenever insider threats are considered,
IT auditors are almost never considered to be one of them. One of the
"lessons learned" from this ugly incident may thus be that IT auditors'
activities need to be considered a potential major security-related
threat--organizations' risk estimates may need to be revised
accordingly. Additionally, auditors themselves may need to be more
carefully watched; in other words, auditors of auditors may be needed.]

 --AOL Files Lawsuits Against Phishing Groups
(1 March/28 February 2006)
AOL has filed civil lawsuits against several groups of phishers
allegedly engaged in stealing data for the purpose of identity fraud.
Many of the groups are international. The suits seek US$18 million to
address the effects of the phishing schemes on AOL. The suits were
filed under Virginia's Lanham Act and the Federal Computer Fraud & Abuse
Act.
http://www.techworld.com/security/news/index.cfm?NewsID=5471
http://software.silicon.com/security/0,39024655,39156840,00.htm

 --Apple Security Update Addresses 20 Flaws, Including Safari Hole
(2/1 March 2006)
Apple has released Security Update 2006-001, which fixes 20 flaws in Mac
OS X, including vulnerabilities that could be exploited to install
malware through the Safari web browser. Apple has issued updates for
OS X v10.3.9, OS X Server v10.3.9, OS X v10.4.5 and OS X Server v10.4.5.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39315343-39000005c
http://blog.washingtonpost.com/securityfix/2006/03/apple_update_fixes_13_security.html
http://docs.info.apple.com/article.html?artnum=303382

************************* Sponsored Links: *****************************

1) Free Webcast next week - What Works in Intrusion Prevention:
Sheltering Networks with The Red Cross
Tuesday, March 07 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1048

2) Prepare for the June 10, 2006 CISA(R) Certification examination! The
SANS(R) +S Training for the CISA(R) Certification Exam course has been
specifically written to help prepare for and to pass the CISA(R) exam
while ensuring that the information presented is practical and
applicable in daily life.
New SANSHome session led by James Tarala starts March 23.
See http://www.sans.org/info.php?id=1049

************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Four Plead Guilty to Music Piracy
(1 March 2006)
Four US men have pleaded guilty to charges related to Internet music
piracy, the result of a Department of Justice investigation dubbed
"Operation Fastlink." When they are sentenced on May 19, they face up
to five years in prison and fines of US$250,000. The men were part of
"pre-release music piracy groups," meaning they obtained the music before
it was commercially available and released it over the Internet.
http://news.bbc.co.uk/2/hi/entertainment/4761768.stm
http://www.theregister.co.uk/2006/03/01/music_pirates_plead_guilty/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Proof-of-Concept Virus is First to Spread from Desktops to Mobile Devices
(28 February 2006)
The "Crossover" proof-of-concept virus is believed to be the first
malware capable of spreading from PCs to mobile devices and deleting
files. The virus is activated when a user connects a Windows Mobile
device using Microsoft ActiveSync.
http://www.informationweek.com/news/showArticle.jhtml?articleID=181401195&subSection=Columns
http://www.computerworld.com/printthis/2006/0,4814,109050,00.html
http://www.vnunet.com/vnunet/news/2151066/virus-closes-gap-pcs-windows

 --Oracle Issues Out-of-Cycle Fix
(27 February 2006)
Oracle has released an out-of-cycle patch for vulnerabilities in the
Oracle Diagnostics troubleshooting component of its E-Business Suite
11i. Oracle normally releases software updates on a quarterly schedule;
the next one is scheduled for April 18, 2006.
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/02/27/75924_HNoraclefix_1.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --State of Ohio Questions Delay in Learning of Laptop Theft
(1 March 2006)
Medco Health Solutions waited six weeks before informing the Ohio
Department of Administrative Services (DAS) that a laptop computer
containing the Social Security numbers (SSNs) and birthdates of about
4,600 state workers and their dependents had been stolen. The theft
occurred in December; DAS was informed on February 8, 2006. The Ohio
state attorney general's office is investigating the terms of the
contract between the two entities to see if any data security violations
occurred. Medco maintains the delay in informing the state was due to
an investigation by New Jersey police and the need to create a complete
log of the stolen data.
http://www.computerworld.com/printthis/2006/0,4814,109116,00.html

 --Bank of Bermuda Cancels, Reissues Cards After Learning of Security Breach
(28 February 2006)
Bank of Bermuda has been notified by Visa that a recent security breach
compromised information about 800 Bank of Bermuda customers' bank cards.
The breach occurred at an ATM transaction processor. The bank is
closing the accounts, notifying customers and "issuing replacement
cards." Some customers said they were not notified and learned of the
breach only after contacting the bank in the wake of declined
transactions. The bank did not feel it was necessary to make a public
statement as only "certain customers were affected."
http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060301/NEWS/103010124

 --DDoS Attackers Turn to High Profile Blogs
(28 February 2006)
High profile blogs have been targeted by distributed denial of service
(DDoS) attacks in recent weeks. Some speculate that the attackers are
broadening their range of targets, which until now has included online
betting sites and online games, to include profitable and politically
focused blogs.
http://news.netcraft.com/archives/2006/02/28/ddos_attacks_target_prominent_blogs.html
[Editor's Note (Pescatore): This is sort of like saying "Hurricanes Turn
To Attack New Orleans." DDoS attacks are easy to launch against anyone
and anyone who has an Internet presence where availability is important
should have DDoS protection built into their Internet services. ]

 --Cancer Center Says Insurance Claim Data on Stolen Laptop Was Encrypted
(22 February 2006)
A laptop computer containing insurance claim information regarding 4,000
University of Texas M.D. Anderson Cancer Center patients was stolen from
a private home. The laptop was at the home of an employee of
PricewaterhouseCoopers, the accounting company that was reviewing the
claims. The data on the computer includes sensitive medical information
and Social Security numbers. The theft occurred in Atlanta in November;
patients and their families have been notified. M.D. Anderson chief
privacy officer Carrie Lyons told those affected in a letter that the
computer is protected with "sophisticated encryption software." Atlanta
police are investigating.
http://www.chron.com/disp/story.mpl/headline/metro/3679070.html
[Editor's Note (Schultz): Nobody likes hearing of incidents in which
patient data have been stolen. Additionally, allowing an individual from
another organization to store such data on a laptop seems extremely
unwise. At the same time, however, the fact that these data were
encrypted (hopefully with a non-trivial encryption scheme and with an
adequately protected key) is some consolation. Data encryption goes a
long way in protecting such data; the fact that more organizations do
not use such encryption does not speak well for their information
security practices.]

STATISTICS, STUDIES & SURVEYS
 --Japan's National Police Agency Notes Increase in Cybercrime Arrests
(2 March 2006)
Japan's National Police Agency says the number of people arrested for
Internet-related crime increased nearly 52 percent over last year, from
2,081 to 3,161. The NPA has been keeping cyber crime statistics since
1999.
http://www.smh.com.au/news/breaking/japan-reports-leap-in-cybercrime/2006/03/02/1141191761510.html

MISCELLANEOUS
 --Exam Requires Students to Scan Internet Servers
(1 March 2006)
A University professor has set his students the task of performing
attack reconnaissance on an Internet server as a practical exam, which
counts for 15 percent of their final grades. Because the professor has
not required that the students obtain permission first, they could be
breaking laws if they complete the assignment. The university said it
would not take action against the students as long as they did not
perform the reconnaissance on school computers. The professor may be
rethinking the exam format.
http://www.securityfocus.com/brief/151

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
