SANS NewsBites Vol. 8 Num. 28
From: The SANS Institute (NewsBites@sans.org)
Date: Fri Apr 07 2006 - 13:56:56 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
By now you should have received the SANSFIRE 2006 program and the new
Threat Matrix poster. SANSFIRE in Washington in early July is the first
opportunity to both attend 16 great hands-on courses and get the inside
scoop on the Internet Storm Center. You'll come away far better
prepared to protect your organization's computers. Also, now that
government is requiring technical security certifications for all
sysadmins and technical security professionals -- both employees and
consultants -- SANSFIRE (and SANS Security 2006 in San Diego in May) are
the only places where you can get training for all the technical
security certifications that are approved by government regulations.
Please register early because all the popular courses were sold out at
our last big conference.
Information on SANSFIRE in Washington DC: http://www.sans.org/sansfire06
Information on SANS Security in San Diego: http://www.sans.org/security06
Ordering extra Threat Matrix posters: https://store.sans.org/
Also: If your organization uses the VeriSign security mark on its web
site, be certain to read the advisory at the bottom of this edition of
NewsBites.
Alan
*************************************************************************
SANS NewsBites April 7, 2006 Vol. 8, Num. 28
*************************************************************************
TOP OF THE NEWS
GAO Report: Data Brokers and Government Agencies Not Compliant with
Privacy Act
Senator Questions DOJ Contract with ChoicePoint
Proposed Rule Change Would Allow Tax Preparers to Sell Data with
Permission
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Suffolk County, NY Policeman Arraigned on Stalking and Other Charges
Two Plead Guilty to Piracy Charges
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report: SEC Information Security Still Problematic
SPYWARE, SPAM & PHISHING
NY AG Lawsuit Alleges Company Surreptitiously Installed Spyware
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Addresses Flaws in ONS 15000 Series
Microsoft Will Release Five Security Bulletins on Tuesday
New IE Flaw Could be Exploited by Phishers
HP Issued Update to Fix Flaw in Color LaserJet Printers
MISCELLANEOUS
Database with Passwords Inadvertently Exposed on Internet
Police Society Posted Reporter's Personal Info on Web
************************** Sponsored Links ******************************
1) Free SANS Webcast next week - Internet Storm Center: "Threat Update"
Wednesday, April 12 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1094
2) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost! Receive a bonus seat for
your OnSite Course (up to $4,750 value). Simply complete the interest
form today! http://www.sans.org/info.php?id=1087
3) The SANS@Home program brings the same courses taught at SANS
conferences right to your home. Many new classes starting in April.
See http://www.sans.org/athome
*************************************************************************
TOP OF THE NEWS
--GAO Report: Data Brokers and Government Agencies Not Compliant with
Privacy Act
(5 April 2006)
According to a Government Accountability Office (GAO) report, the
Departments of Justice, Homeland Security and State and the Social
Security Administration spend a total of US$30 million to acquire data
from information resellers for a variety of purposes. According to the
study, "while major information resellers that do business with the
federal agencies had some measures to protect privacy, they 'are not
always fully consistent with the Fair Information Practices,'" which
form the basis of the Privacy Act of 1974. The "resellers ... have
limited ability to ensure the accuracy of the data they collect." In
addition, the agencies apparently do not have consistent policies
regarding the use of the data they purchased. According to the report,
resellers do not believe they need to be completely compliant with the
Privacy Act because they do not collect their data directly from
individuals.
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401727_pf.html
http://www.computerworld.com/printthis/2006/0,4814,110245,00.html
http://govexec.com/story_page.cfm?articleid=33759&printerfriendlyVers=1&
http://www.techweb.com/wire/184429050
http://www.gao.gov/new.items/d06609t.pdf
[Editor's Note (Schultz): I fear that the real truth of the matter is
that information resellers correctly believe that they can get away with
almost everything that they do when it comes to collecting and selling
personal and financial data. Why? Lamentably, there is incredibly little
commitment on the part of the US government to enforce the few privacy
statutes that exist.]
--Senator Questions DOJ Contract with ChoicePoint
(5 April 2006)
US Senator Patrick Leahy (D-Vermont) wonders why the US Department of
Justice (DOJ) is still doing business with data broker ChoicePoint,
which last year disclosed that it had suffered a large data security
breach. The DOJ and FBI recently signed a "five-year, US$12 million
contract with ChoicePoint to provide investigative analysis software to
the FBI." US Attorney General Alberto Gonzales and ChoicePoint have
both defended the contract, pointing out that it is for technology
services, not data services. Leahy also voiced concerns about the
findings of the GAO report on data brokers and government agencies
described in the first story above.
http://www.networkworld.com/news/2006/040506-senator-questions-fbi-on-choicepoint.html
[Editor's Note (Kreitner): A good example of the lingering impact of
reputational damage stemming from a past security incident. I wonder
how many Board members and CEO's have given really deep thought and
analysis to the costs of damaged reputation vs the costs of adequate
protection. Reminds me of the relationship between human lifestyle and
health status. Something in our DNA makes us more disposed to deal with
disasters after they happen rather than prevent them.]
--Proposed Rule Change Would Allow Tax Preparers to Sell Data with Permission
(5 April 2006)
A proposed Internal Revenue Service (IRS) rule change would allow tax
preparers, with the taxpayer's consent, to sell personal information
they acquire in the course of their work. Opponents of the proposed
change say it is designed to increase revenues for tax preparers and
exposes taxpayers to possible identity fraud.
http://www.techweb.com/wire/184429112
[Editor's Note (Northcutt): Sen. Chuck Grassley's closing statement says
it best! "I am concerned about trends suggesting that tax preparers are
interested in selling taxpayer information to make a fast buck, rather
than as proprietary information that should be held in confidence by a
trusted advisor. We need to change the focus of paid preparers from
selling to advising."
(Schultz): Why would a government "by the people and for the people" do
anything like this?]
(Schmidt): Not having any more information than what is in this story,
I agree with the opponents. Why anyone would want to consent to
something like this is beyond me. This is NOT a good rule change.
(Kreitner): This is beyond objectionable! As a society, we have enough
trouble protecting our personal information without spreading it around
even more.
(Grefer): As Jean Ann Fox of the Consumer Federation of America points
out, the proposed change "essentially turns tax return information into
a commodity for the highest bidder." Unfortunately, coverage of the
April 4th open hearing on this issue is virtually non-existent at this
point.
http://www.accountingweb.com/cgi-bin/item.cgi?id=101947
Proposed consent language:
www.irs.gov/pub/irs-drop/n-05-93.pdf]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Suffolk County, NY Policeman Arraigned on Stalking and Other Charges
(5 April 2006)
A Suffolk County, New York policeman has been arraigned on a 197-count
indictment that includes charges of stalking, computer trespass and
official misconduct for allegedly breaking into the email account of a
woman he dated for a short time, altering her online dating profile and
sending threatening and deceptive email messages from her online
account. Officer Michael Valentine has pleaded not guilty; he has been
suspended from the police force without pay.
http://www.wral.com/apstrangenews/8449104/detail.html
--Two Plead Guilty to Piracy Charges
(4 April 2006)
Two California men have entered guilty pleas to charges related to music
and software piracy. The charges against Ye Teng Wen and Hao He stem
from the illegal manufacture of 200,000 CDs. The two men, together with
a third person, Yaobin Zhai, were indicted in October 2005 on charges
related to illegally copying music CDs and Symantec and Adobe software.
US Attorney for Northern California Kevin Ryan called it "the largest
case involving CD manufacturing piracy uncovered in the United States
to date." Each of the five counts carries a maximum five-year sentence.
http://today.reuters.co.uk/news/newsArticle.aspx?type=technologyNews&storyID=2006-04-04T021133Z_01_N03321736_RTRIDST_0_TECH-CRIME-MUSIC-PIRACY-DC.XML
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--GAO Report: SEC Information Security Still Problematic
(5/4/3 April 2006)
A report from the Government Accountability Office (GAO) says the US
Securities and Exchange Commission (SEC) addressed just eight of 51
security weaknesses identified in last year's report. Problems that
have yet to be addressed include controlling remote access to servers
and implementing auditing and monitoring mechanisms. GAO identified 15
additional problem areas in this year's report. The SEC says it agrees
with the GAO's findings.
http://www.fcw.com/article92839-04-05-06-Web
http://www.computerworld.com/printthis/2006/0,4814,110196,00.html
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40313
http://www.gao.gov/new.items/d06408.pdf
SPYWARE, SPAM & PHISHING
--NY AG Lawsuit Alleges Company Surreptitiously Installed Spyware
(4 April 2006)
New York Attorney General Eliot Spitzer has filed a lawsuit against
Direct Revenue LLC, alleging the software distributor "surreptitiously
installed millions of pop-up ad programs on consumers' computers."
Spitzer's lawsuit asks that Direct Revenue be enjoined from installing
spyware without users' permission and from sending advertisements
through software already on their computers. It also asks the court to
make the company disclose its revenues and "impose monetary penalties."
Direct Revenue has posted a rebuttal on its web site, saying the case is
founded on activity in which it no longer engages. A lengthy
investigation indicated that Direct Revenue's spyware was installed
alongside free applications whose installers did not mention the bundled
software; once the free application was installed, Direct Revenue's own
servers delivered the suspect software to the consumer's computer. The
investigation also found that the software was designed to be difficult
to detect and uninstall, and that in some cases it reinstalled itself
after users removed it.
http://www.computerworld.com/printthis/2006/0,4814,110203,00.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=184428598
http://www.smh.com.au/news/breaking/spyware-company-sued-over-popup-ads/2006/04/05/1143916536088.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Cisco Addresses Flaws in ONS 15000 Series
(6 April 2006)
Cisco has issued a bulletin that warns users about five security flaws
in its Cisco Optical Networking System 15000 Series. Cisco has
distributed an updated version of the ONS 15000 operating system to
end-users. The flaws could be exploited to launch denial-of-service
attacks on vulnerable systems, reset control cards or execute arbitrary
code.
http://www.eweek.com/print_article2/0,1217,a=175221,00.asp
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1178960,00.html
--Microsoft Will Release Five Security Bulletins on Tuesday
(6 April 2006)
Microsoft's Security Bulletin Advance Notification says that on Tuesday,
April 11 Microsoft will release five security bulletins: four for
Windows and one for both Windows and Office. The highest maximum
severity rating is critical. One of the bulletins will be a cumulative
IE update that addresses the CreateTextRange() vulnerability. Microsoft
also plans to release an updated version of its Malicious Software
Removal Tool as well as a handful of non-security, high-priority
updates.
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1247
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://news.com.com/2102-1002_3-6058548.html?tag=st.util.print
--New IE Flaw Could be Exploited by Phishers
(6 April 2006)
A newly disclosed flaw in Microsoft's Internet Explorer (IE) could be
used by phishers to trick users into thinking they are visiting a
legitimate web site when they are actually on a malicious one: the
vulnerability lets an attacker spoof the address bar in the browser
window. The flaw lies in the way IE loads Macromedia Flash animations.
It is known to affect IE 6.0 on fully patched versions of Windows XP as
well as the most recent IE 7 beta; other versions of IE may be
vulnerable as well.
http://news.com.com/2102-1002_3-6058557.html?tag=st.util.print
--HP Issued Update to Fix Flaw in Color LaserJet Printers
(6/5 April 2006)
Hewlett-Packard (HP) is warning of an input validation vulnerability in
the Toolbox software that ships with two HP Color LaserJet printers, the
2500 and 4600. Attackers could exploit the flaw to read documents sent
to the printer and to gain remote administrative control over the
Windows PCs on which the Toolbox software is installed. HP has issued
HP Color LaserJet 2500/4600 Software Update version 3.1 to address the
flaw.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39348880-39000005c
http://www.vnunet.com/vnunet/news/2153487/hp-printer-users-warned-upgrade
MISCELLANEOUS
--Database with Passwords Inadvertently Exposed on Internet
(5 April 2006)
A database containing the names, email names and passwords of as many
as 800 people who signed up to receive New South Wales (Australia)
Police media releases was inadvertently posted to the Internet. The
database has since been taken down. NSW police apparently have not yet
contacted those whose data were exposed. Although the passwords only
protect the subscription service, subscribers may well have reused them
for other accounts.
http://www.smh.com.au/news/breaking/police-secret-password-blunder/2006/04/05/1143916569155.html#
[Editor's Note (Honan): This story highlights the conundrum faced by
many ordinary Internet users. Having too many passwords is difficult
to manage, yet reusing the same password across many sites can expose
you in the event of one of those sites being breached. People should
consider either using a common password across low risk/value
websites, with difficult passwords for more critical sites, or using a
tool such as Password Safe to manage their different passwords.]
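As an added example (not from the NewsBites story and not the NSW Police system's code): the story does not say how the subscription list stored its passwords, but a leak that exposes usable passwords means they were recoverable from the database. The Python below contrasts a store that keeps passwords as typed with one that keeps only salted PBKDF2 hashes, then shows both halves of Honan's point: a hashed row hands an attacker no credential to reuse elsewhere, yet a weak password in that row still falls to an offline wordlist. The subscriber records, the wordlist and the iteration count are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumption: iteration count sized so one guess costs roughly 100 ms on
# current hardware; tune it for your deployment.
PBKDF2_ITERATIONS = 200_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing 'pbkdf2-sha256$iters$salt$hash' record.

    A fresh 16-byte random salt per user means two subscribers with the
    same password get different stored values, so a leaked table cannot
    be attacked with one precomputed dictionary for every row.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unknown hash format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


# Constructed subscriber records (not the NSW Police data): what a
# sign-up form for a media-release list might collect.
SUBSCRIBERS = [
    {"name": "A. Reporter", "email": "reporter@example.com", "password": "password1"},
    {"name": "B. Editor",   "email": "editor@example.com",   "password": "g7!Qv#2pLx9&wZ"},
]

# Constructed wordlist standing in for a common-password dictionary.
COMMON_PASSWORDS = ["123456", "letmein", "password1", "qwerty"]


def plaintext_store(records):
    """What the exposed database implies: passwords stored as typed."""
    return [{"email": r["email"], "password": r["password"]} for r in records]


def hashed_store(records):
    """The same records with each password replaced by a salted PBKDF2 hash."""
    return [{"email": r["email"], "password": hash_password(r["password"])}
            for r in records]


def reusable_credentials(store):
    """Credentials an attacker can try directly against other sites.

    A plaintext row is reusable as-is; a hashed row is not, unless the
    attacker can guess the password (see crack_with_wordlist).
    """
    return [(row["email"], row["password"]) for row in store
            if not row["password"].startswith("pbkdf2-sha256$")]


def crack_with_wordlist(stored, candidates):
    """Offline guessing, the attacker's only option against a hashed row.

    Returns the first candidate that verifies, or None. Every guess costs a
    full PBKDF2 run, which is exactly what the iteration count buys.
    """
    for guess in candidates:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    print("plaintext leak yields:", reusable_credentials(plaintext_store(SUBSCRIBERS)))
    hashed = hashed_store(SUBSCRIBERS)
    print("hashed leak yields:", reusable_credentials(hashed))
    for row in hashed:
        print(row["email"], "cracked as", crack_with_wordlist(row["password"], COMMON_PASSWORDS))
```

The hashed store does not remove the reuse problem for the subscriber who chose "password1"; it only makes the attacker pay for each guess. That is why Honan's advice about distinct passwords for critical sites still matters even when the operator has done the right thing on its side.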
--Police Society Posted Reporter's Personal Info on Web
(30 March 2006)
In response to a piece of investigative journalism that cast Broward and
Miami-Dade (Florida) county police in an unfavorable light, a reporter's
personal information, including his address, birth date and driver's
license number, was posted on the web site of the Broward County Police
Benevolent Association. The posting was listed as a "be on the lookout"
or BOLO, a term typically used when law enforcement officers are
searching for missing people or criminals. The information was removed
from the site after a lawyer from the reporter's station sent a letter
explaining that disclosing the personal information contained in motor
vehicle records violates both state and federal law.
http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/14218941.htm
[Editor's Note (Schultz): This is simply egregious. Hopefully, the
reporter in this unfortunate incident will win a large sum of money in
a future lawsuit against the individual or organization that posted this
information to the Broward County web site in question.
(Northcutt): The current version of the BOLO for Police "Benevolent"
Association can be found at http://www.bcpba.org/]
--Advisory: An Important Note For Any Web Site That Relies on
Verisign's Security Marks
VeriSign reports that many public-facing Web sites continue to implement
an older and less secure version of VeriSign's security mark. The old
VeriSign site seals did not contain the full set of anti-spoofing
measures available in the newest version of the VeriSign Secured Seal.
VeriSign is phasing out its old-architecture seals and moving forward
with support only for the newest version of the VeriSign Secured Seal.
Old-version, less secure seals are in a round, "gold or silver
medallion" shape and call their verification page from
https://digitalid.verisign.com. Newer, more secure seals contain the
black VeriSign check mark in a red circle and the words VeriSign Secured
and call their verification page from https://seal.verisign.com.
Authorized web site administrators can download the latest version of
the VeriSign Secured Seal free of charge at www.verisign.com/seal.
[Editor's Note (Northcutt): The real problem with privacy trustmarks is
there are too many of them, and they seem to be more of a marketing
feature than something that actually improves privacy. If you are not
familiar with the securewebbank project, you might want to give it a
look: https://www.securewebbank.com/trustseal.html]
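An added check, not part of the NewsBites advisory and not VeriSign's own tooling: the advisory distinguishes the two seal generations by the host each calls its verification page from, so scanning your own pages for references to those hosts tells you which generation you serve. The seal markup itself is not shown on the page, so the Python below assumes only that a seal is embedded through src/href-style attributes or inline script, and classifies every URL it finds by host; the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

OLD_SEAL_HOST = "digitalid.verisign.com"   # old-architecture seal, being phased out
NEW_SEAL_HOST = "seal.verisign.com"        # current VeriSign Secured Seal

URL_ATTRS = ("src", "href", "action", "data")


class SealFinder(HTMLParser):
    """Collect every URL-bearing attribute that points at either seal host.

    Inline script bodies are scanned as text too, since a seal may be
    assembled by JavaScript rather than by a static tag (assumption: the
    advisory does not show the seal markup).
    """

    def __init__(self):
        super().__init__()
        self.old = []            # (tag, url) referencing the old host
        self.new = []            # (tag, url) referencing the new host
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            host = urlparse(value.strip()).hostname   # handles //host/... too
            if host is None:
                continue
            host = host.lower()
            if host == OLD_SEAL_HOST:
                self.old.append((tag, value))
            elif host == NEW_SEAL_HOST:
                self.new.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        text = data.lower()
        if OLD_SEAL_HOST in text:
            self.old.append(("script-body", OLD_SEAL_HOST))
        if NEW_SEAL_HOST in text:
            self.new.append(("script-body", NEW_SEAL_HOST))


def classify_seals(html):
    """Return (old_refs, new_refs) found in an HTML document."""
    finder = SealFinder()
    finder.feed(html)
    finder.close()
    return finder.old, finder.new


def seal_verdict(html):
    """One-line summary a site administrator can act on."""
    old, new = classify_seals(html)
    if old and new:
        return "mixed: old seal still present alongside the new one"
    if old:
        return "old seal only: replace with the VeriSign Secured Seal"
    if new:
        return "new seal only"
    return "no VeriSign seal reference found"


# Constructed sample pages (paths and query strings are made up): a gold
# medallion linking to the old host, and a page using the new seal host
# both from a script src and from inline script.
SAMPLE_OLD = """<html><body>
<a href="https://digitalid.verisign.com/verify?site=example.com">
<img src="/images/verisign_gold_medallion.gif" alt="VeriSign"></a>
</body></html>"""

SAMPLE_NEW = """<html><body>
<script type="text/javascript" src="//seal.verisign.com/seal?site=example.com"></script>
<script>var sealHost = "https://seal.verisign.com/";</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("mixed", SAMPLE_OLD + SAMPLE_NEW)):
        print(label, "->", seal_verdict(page))
```

Run it over your rendered pages (after templating, since seals often come from a shared footer), and treat any "old" or "mixed" result as a page to fix.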
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFENqLt+LUG5KFpTkYRAjgFAJ9Zs154bdnjmav6NhRK9sDFpNdubACeMaAt
0x8QaB2Uw7ghUGUCc7sio4M=
=FiVd
-----END PGP SIGNATURE-----