SANS NewsBites Vol. 8 Num. 19

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Mar 07 2006 - 12:03:22 CST


*************************************************************************
SANS NewsBites March 7, 2006 Vol. 8, Num. 19
*************************************************************************

TOP OF THE NEWS
  OMB FISMA Report for FY2005 Notes Improvements
  FCC Investigating Caller-ID Spoofing Services
  Ohio Secretary of State Sued Over SSNs on Web Site

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Israeli Spyware Purveyors Indicted, Reportedly Reach Plea Agreement
    Man Indicted on Charges of Releasing Trojan Horse Program
  SPYWARE, SPAM & PHISHING
    AOL Will Not Charge Non-Profits to Send Bulk eMail
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Google Repairs Gmail Flaw
    Glitch in Some Norton Products Exploited to Knock Users Off IRC Channels
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Georgetown University Acknowledges Server Breach
    Stolen Laptop Contained Data on 93,000 Denver Students
  MISCELLANEOUS
    Group Takes Aim at Botnet Command and Control Servers

************************* Sponsored by Symantec *************************

2006 Security Compliance Research Report: The Struggle to Manage
Security Compliance for Multiple Regulations

Sponsored by the Institute of Internal Auditors (IIA), the Computer
Security Institute (CSI) and Symantec, this report provides survey
results that describe how companies are managing requirements for
multiple regulations, the proportion of their IT budgets being devoted
to compliance, and how organizations are responding to improve
security, demonstrate compliance and reduce costs.
Download now!
http://www.sans.org/info.php?id=1052
*************************************************************************
Upcoming Security Training in Monterey, San Diego and Washington DC

As you can see at www.sans.org, more and more SANS classes are sold out
(the red triangles), so we have begun a policy of posting new
conferences earlier. If you are thinking about turbocharging your
security career or the careers of any of your coworkers this spring,
start planning now to go to San Diego in early May. You'll find more
than a dozen of SANS' most popular courses and a vendor exposition,
right on the harbor in San Diego. http://www.sans.org/security06/

Or plan to come to Washington in July, right after July 4, for the
biggest SANSFIRE ever: all 17 SANS immersion tracks and more than a
dozen special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

 --OMB FISMA Report for FY2005 Notes Improvements
(2/1 March 2006)
The Office of Management and Budget's (OMB) "FY2005 Report to Congress
on Implementation of the Federal Information Security Management Act of
2002" found that 85 percent of IT systems at federal agencies are
certified and accredited (C&A), a 19 percent increase over last year's
figure of 77 percent. The number of systems with tested contingency
plans increased from 57 percent to 61 percent. Seventeen of 25 agencies
received ratings of satisfactory or better. The Veterans Affairs
Department reported just 14 percent of its systems were certified and
accredited in FY2004, but all 585 of its systems were accredited and
certified in FY2005. The Social Security Administration was the only
agency to receive a rating of "Excellent."
http://www.fcw.com/article92474-03-01-06-Web
http://www.govexec.com/story_page.cfm?articleid=33498&printerfriendlyVers=1&
[Editor's Note (Paller): Hold on. There is a problem with the self
congratulations here: the number of C&A reports is not a viable
indicator of security if the reports are not accurate and/or they don't
lead to significant security improvements. Otherwise they are just a
futile exercise - a billion dollar joke on the American people. The one
agency that checked their C&A reports found that many (a large number)
had been done by contractors who failed to do the job effectively. The
reports had to be done over; but the original contractors didn't face
any penalties. Worse, at a meeting last month of companies that do C&A
studies, more than half said that they wrote C&A reports that are never
read by agency officials. If reports were never read, it is unlikely
they led to significant improvements in security. The "emperor" here is
not wearing many clothes. Titan Rain proved the nation is at risk; it
is time for OMB to stop counting C&A reports, admit the security
problems with federal systems, and move aggressively to correct them.
(Boeckman): This report is somewhat misleading. While the number of
certifications has increased, it does not mean IT systems are more
secure, since it is largely an exercise in paperwork. The best
indicator is testing the security controls, and this actually decreased
since 2004.]

 --FCC Investigating Caller-ID Spoofing Services
(2 March 2006)
The US Federal Communications Commission (FCC) has launched an
investigation into companies offering Caller-ID spoofing services.
Paying customers provide the companies with the number they wish to
call, their real phone number and the number they wish to have appear
on the Caller-ID screen. The FCC's investigation is focused on whether
or not the services are violating the federal Communications Act, which
requires that interstate calls send accurate "originating calling party
telephone number information." The FCC has demanded business records
as well as the names of all customers and data regarding the calls they
have made. Recent Congressional testimony indicates that people have
been using the services to social engineer private customer information
from other companies and the services have hurt companies that rely on
Caller-ID as a form of authentication, such as Western Union wire
transfers.
http://www.wired.com/news/technology/1,70320-0.html

 --Ohio Secretary of State Sued Over SSNs on Web Site
(3/2 March 2006)
An Ohio resident is suing the Ohio secretary of state J. Kenneth
Blackwell after discovering that his and other residents' SSNs have been
publicly available for years on state web sites. The numbers are
included in records of purchases of expensive items such as boats and
furniture; these are often registered with the secretary of state. The
plaintiff's attorney says the secretary of state has refused to remove
the numbers or block them from view. Ohio Attorney General Jim Petro
made a statement that Blackwell should remove the numbers by law, and
that every person whose number is on the site should be notified.
Apparently it is not uncommon for the web sites run by secretaries of
state to contain personal information.
http://www.computerworld.com/printthis/2006/0,4814,109213,00.html
http://www.usatoday.com/tech/news/internetprivacy/2006-03-02-social_x.htm
[Editor's Note (Schultz): This will not be the last lawsuit of this
nature. State, provincial and federal governments have been remarkably
naive when it comes to dealing with personal and financial information
of individuals whom they at least in theory serve.]

*************************** Sponsored Links: ****************************

1) Free WhatWorks Webcast next week - "Securing Electronic Payments
with NYCE"
Tuesday, March 14 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1053

2) Free Internet Storm Center webcast next week "Threat Update"
Wednesday, March 15 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1054

3) SANSHome delivers the same first-class training presented at live
SANS events with the added bonus of meeting your needs for flexibility,
affordability and up-to-date education in a setting convenient for you!
http://www.sans.org/athome
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Israeli Spyware Purveyors Indicted, Reportedly Reach Plea Agreement
(6/5 March 2006)
Ruth and Michael Haephrati have been indicted in the Tel Aviv District
Court on charges of creating and distributing spyware that was used by
private investigators to steal information from clients' business
competitors. The couple was extradited from Great Britain in January.
According to the Tel Aviv district attorney's office, authorities have
reached a plea agreement with the Haephratis that will be revealed in
court next week.
http://www.techweb.com/wire/security/181501294
http://www.globes.co.il/serveen/globes/DocView.asp?did=1000067928&fid=1725

 --Man Indicted on Charges of Releasing Trojan Horse Program
(6 March/28 February 2006)
A federal grand jury has indicted Richard Honour, who goes by the
pseudonym Fyle, Anatoly, on charges of releasing a Trojan horse program
in an IRC chat room. Honour allegedly used the malware to harvest
confidential banking and identity information. If convicted, Honour
could face ten years in prison and a fine of US$250,000.
http://www.theregister.co.uk/2006/03/06/irc_trojan_charges/print.html
http://seattlepi.nwsource.com/local/6420AP_Internet_Virus.html

SPYWARE, SPAM & PHISHING
 --AOL Will Not Charge Non-Profits to Send Bulk eMail
(6/3 March 2006)
Following protests from activist groups, AOL will not charge legitimate
non-profit and advocacy groups a "tax" on bulk email. AOL's original
plan would have charged companies to have their bulk email certified and
delivered with images and hyperlinks. Hyperlinks and images would be
blocked if they came from organizations that are not part of AOL's
Enhanced Whitelist.
http://news.bbc.co.uk/1/hi/technology/4778136.stm
http://www.usatoday.com/tech/news/2006-03-03-aol-nonprofit-email_x.htm
http://networks.silicon.com/webwatch/0,39024667,39156982,00.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Google Repairs Gmail Flaw
(3/2 March 2006)
Google has fixed a vulnerability in its Gmail web-based email service
that could have allowed JavaScript code to run while users were viewing
messages. The flaw, which was first disclosed in a blog, could have
been exploited to run malicious code. Google repaired the hole soon
after learning of it and expressed disappointment that it learned of the
flaw publicly through a blog rather than privately from the person who
discovered it.
http://news.com.com/2102-1002_3-6045416.html?tag=st.util.print
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/03/02/76030_HNgmailflaw_1.html

 --Glitch in Some Norton Products Exploited to Knock Users Off IRC Channels
(2 March 2006)
Some script kiddies have been exploiting a Norton Internet Security and
Norton Personal Firewall feature that involuntarily logs users off
IRC channels when anyone on the channel types "startkeylogger" or
"stopkeylogger." A family of worms that spreads using mIRC and the Kazaa
file-sharing network uses these phrases, which some IRC channels now
filter out. Symantec plans to make adjustments to the affected products
so they are no longer vulnerable to the ploy.
http://blog.washingtonpost.com/securityfix/2006/03/keylogger_utterance_spooks_nor.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Georgetown University Acknowledges Server Breach
(6/5 March 2006)
Georgetown University has acknowledged that a security breach of one of
its servers compromised personal data belonging to as many as 41,000
District of Columbia residents. The breach was discovered on February
12 during a routine internal inspection, but was not disclosed until
Friday, March 3. The lag time has been attributed to the need for the
US Secret Service to examine the server and establish a web site and
hotline to help those affected by the attack.
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/04/AR2006030401028_pf.html
http://www.computerworld.com/printthis/2006/0,4814,109245,00.html

 --Stolen Laptop Contained Data on 93,000 Denver Students
(3/2 March 2006)
A laptop stolen from the home of a Metropolitan State College employee
in Denver held sensitive personal information belonging to more than
93,000 students. The employee was using the data, which include names
and Social Security numbers (SSNs), to write a grant proposal and his
master's thesis. The theft occurred on February 25, but was
not made public until March 1 at the request of local police. The data
belong to people who were registered for classes at the Denver school
between fall 1996 and summer 2005; they are being notified by mail.
There is no evidence that the information has been used to commit
identity fraud; however, the school is looking into whether or not the
employee had permission to use the data in his thesis. The employee was
authorized to have the data on his workstation at the college and on the
laptop.
http://www.computerworld.com/printthis/2006/0,4814,109208,00.html
http://www.mscd.edu/~collcom/artman/publish/specialedition030206.shtml

MISCELLANEOUS
 --Group Takes Aim at Botnet Command and Control Servers
(2 March 2006)
A group of representatives from various security concerns has come
together to try to find and disable the command-and-control (C&C)
servers used by botmasters to control their botnets, which they use to
launch distributed denial-of-service (DDoS) attacks, install malware and
send spam. The group hopes to establish a way for Internet service
providers (ISPs) and IT administrators to report botnet activity. The
group has worked for the past year through invitation-only mailing
lists, but is now opening up its efforts with a public mailing list
that will serve as a forum to discuss techniques for detecting C&C
servers, report botnets and inform ISPs of C&C detections.
http://www.eweek.com/print_article2/0,1217,a=172598,00.asp

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
