SANS NewsBites Vol. 8 Num. 35

From: The SANS Institute (NewsBites@sans.org)
Date: Tue May 02 2006 - 15:17:50 CDT


Make plans now to attend SANSFIRE in Washington DC July 5-13 - Bring
your family for the fireworks and stay for SANS' largest conference in
Washington.
     "Jacked my paranoia level up around my ears, and then gave me the
      tools to manage the threat." (Don Geiger, DCPS Division of
      Technology)
Offers every one of SANS' 17 immersion training courses plus 12 short
courses and a big exposition: SANS Security Essentials, Hacker
Exploits, System Forensics, Intrusion Detection, Auditing, plus training
for the CISSP exam and all technical certifications required by DoD 8570
and more. Registration and hotel information:
http://www.sans.org/sansfire06/

*************************************************************************
SANS NewsBites May 2, 2006 Vol. 8, Num. 35
*************************************************************************
TOP OF THE NEWS
  Mac OS X, Safari Security Threats on the Rise
  SANS Announces Updates To Top 20 Internet Security Vulnerabilities
  Yahoo Implicated in Jailing of Another Chinese Dissident
  Pending Law in Georgia Could Mean Jail Time for Forensic Computer
     Consultants Who Testify in Court

THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
  Military Employee Health Data Security Breach
  NIST Releases Draft Guidelines for Security Log Management
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
  RIAA and MPAA Ask University Presidents for Help in Fighting Piracy
  BSA Ups Maximum Reward for Tips About Unlicensed Software Use at UK Businesses
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
  Proof-of-Concept Code Released for Unpatched IE Hole
  Hitachi Offers Patches and Workarounds for Flaws in JP1 Server Software
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
  Data Storage Company Acknowledges Losing Backup Tapes
  Stolen Aetna Laptop Contains Data on 38,000 Members
MISCELLANEOUS
  CD-ROMs for Ohio Campaign Operations Include Voter SSNs

***************** Sponsored By Blue Coat Systems, Inc. ******************

Help! Everyone needs Access from Everywhere! - A 3-part webcast series.
Sponsored by Blue Coat

In this 3-part webcast series, SANS instructors and industry experts
bring you technical, to-the-point advice on providing secure, controlled
access to remote users. From the mobile user to the branch office
employee to the unmanaged endpoint, you'll learn security considerations
and best practices. View part 1 now: "The Mobile User - Secure Access
from Anywhere (even the Home PC!)"
http://www.sans.org/info.php?id=1132
*************************************************************************

TOP OF THE NEWS
 --Mac OS X, Safari Security Threats on the Rise
(1 May/30 April 2006)
As more threats against Macintosh computers emerge, there is a growing
realization that Mac users are no longer immune to cyber attacks. Seven
new flaws in Mac OS X were recently reported; Apple plans to address
these in its next update. Furthermore, the SANS Institute's Top-20
Internet vulnerabilities added Mac OS X for the first time in 2005; the
updated list, out this week, includes flaws in Apple's Safari web
browser that were exploited before Apple was able to fix them. Rohit
Dhamankar, who edits the RISK newsletter for SANS, said "the number of
vulnerabilities in the Mac OS has certainly increased in the last
six-month period."
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/01/BUGK7IHGOC1.DTL&type=printable
http://www.msnbc.msn.com/id/12537279/

 --SANS Announces Updates To Top 20 Internet Security Vulnerabilities
(1 May 2006)
SANS today announced eight patterns of growing attacks on the Internet.
These include Internet Explorer and Firefox, media files, Apple OS X,
Oracle and Veritas, plus attacks on data warehouses using SQL injection.
Spear phishing is also a growing scourge.
http://www.usatoday.com/tech/news/computersecurity/2006-05-01-cyber-attack-change_x.htm?POE=TECISVA
SANS List: www.sans.org/top20/2005/spring_2006_update.php

 --Yahoo Implicated in Jailing of Another Chinese Dissident
(28 April 2006)
According to the Human Rights in China (HRIC) group, evidence has
surfaced indicating that Yahoo provided Chinese authorities with
information leading to the arrest of yet another Chinese citizen, Wang
Xiaoning. The writer was sentenced in 2003 to ten years in prison on
charges of incitement to subvert state power.
http://www.computerworld.com/printthis/2006/0,4814,110988,00.html
http://www.zdnet.co.uk/print/?TYPE=story&AT=39266014-39020369t-10000023c

 --Pending Law in Georgia Could Mean Jail Time for Forensic Computer
    Consultants Who Testify in Court
(24 April 2006)
Georgia's HB 1259, which has the approval of state legislature but not
the Governor's signature, would require private investigators (PIs) in
the State of Georgia to be licensed. The law is broadly written and
could be interpreted to include most computer forensics and incident
response experts. It is possible under the new law that computer
security experts would need a PI license to testify in court or face
felony charges.
http://www.securityfocus.com/columnists/399
[Editor's Note (Schultz): I have for quite a while been concerned about
the number of people who claim to be "forensic computer experts" without
credentials that appear to be genuine. At the same time, however, I
doubt whether requiring that people who serve as expert computer
forensics witnesses in court cases have a PI license will do much if
any good in weeding out imposters.]

************************ Sponsored Links: *******************************

1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and
assess your spyware risk exposure
http://www.sans.org/info.php?id=1133
*************************************************************************

THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --Military Employee Health Data Security Breach
(1 May/28 April 2006)
The US Department of Defense (DOD) has acknowledged that a cyber
intruder gained access to a Tricare Management Activity (TMA) public
server compromising personal military employee data. The breach was
detected during routine monitoring. As soon as the incident was
detected, security controls were improved and extra monitoring tools put
in place. The Defense Criminal Investigative Service is investigating
the incident. DOD has informed those affected by the breach. TMA
oversees DOD's Military Health System.
http://www.fcw.com/article94232-04-28-06-Web
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40626

 --NIST Releases Draft Guidelines for Security Log Management
(28 April 2006)
The National Institute of Standards and Technology (NIST) has released
Special Publication 800-92: Guide to Security Log Management. The draft
guidelines address log generation, transmission, storage, analysis and
disposal. They offer suggestions for creating a log management policy
and creating a centralized log management infrastructure.
http://www.fcw.com/article94229-04-28-06-Web
http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
[Editor's Note (Boeckman): This is a good document. System logs are
still a very valuable component of intrusion and misuse detection. I
hope this will help analysts make better use of log data.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --RIAA and MPAA Ask University Presidents for Help in Fighting Piracy
(27 April 2006)
The Recording Industry Association of America (RIAA) and the Motion
Picture Association of America (MPAA) have sent letters to 40 US
university presidents informing them of problems with pirated digital
content on their schools' local area networks (LANs) and asking they
take action to halt the copyright violations. The RIAA and the MPAA say
students are trading files across school LANs rather than sending them
over the Internet. LANs in universities often serve tens of thousands
of people.
http://news.com.com/2102-1025_3-6066118.html?tag=st.util.print

 --BSA Ups Maximum Reward for Tips About Unlicensed Software Use at UK Businesses
(27/26 April 2006)
The Business Software Alliance (BSA) has increased its maximum reward
for information regarding the use of illegal or unlicensed software in
UK businesses. The BSA has launched 420 investigations from tips
received on its hotline. People providing the BSA with tips about
unlicensed software could receive as much as GBP20,000 (US$36,513)
through the end of June.
http://management.silicon.com/itdirector/0,39024855,39158440,00.htm
http://www.bsa.org/uk/press/newsreleases/ukpressrelease26april2006.cfm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Proof-of-Concept Code Released for Unpatched IE Hole
(28 April 2006)
Proof-of-concept exploit code for an unpatched hole in Microsoft's
Internet Explorer (IE) has been published. The flaw could allow
attackers to run unauthorized code on Windows machines. The flaw
affects only older versions of Windows; the most recent versions of
Windows and Windows Server 2003 are unaffected. Also, to exploit the
hole, attackers would need to trick users into performing a series of
unusual actions. Microsoft has issued a statement explaining that
"significant mitigating factors" are sufficient reason to address the
flaw in an upcoming service pack instead of a security update.
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/04/28/77853_HNsecondbug_1.html

 --Hitachi Offers Patches and Workarounds for Flaws in JP1 Server Software
(26 April 2006)
Hitachi has acknowledged that a vulnerability in the software that ships
with several of its JP1 Server products could be exploited to create
denial-of-service conditions. Hitachi has released patches for the
holes and suggests workarounds that can be used until the patches are
applied.
http://www.vnunet.com/vnunet/news/2154805/hitachi-servers-dos-threat
http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/01-e.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Data Storage Company Acknowledges Losing Backup Tapes
(28 April 2006)
Data storage company Iron Mountain has apologized for losing a container
of backup tapes that contain personal information belonging to as many
as 17,000 current and former employees of Long Island Railroad. The
railroad has informed affected employees by letter. Other data affected
by the tape loss belongs to the US Department of Veterans Affairs.
http://www.boston.com/business/globe/articles/2006/04/28/data_storage_firm_apologizes_for_loss_of_railroad_data_tapes?mode=PF

 --Stolen Aetna Laptop Contains Data on 38,000 Members
(27 April 2006)
Aetna Insurance has acknowledged that a laptop computer stolen from an
employee's car contains personal data belonging to approximately 38,000
members. Those affected are employees of two companies who asked not
to be named until all of their affected employees are informed of the
laptop's theft and its implications. Aetna plans to send letters to
inform all those affected. Aetna said the employee who left the
computer in the car was not following company policy.
http://news.zdnet.com/2102-1009_22-6066078.html?tag=printthis
[Editor's Note (Honan): This is getting ridiculous! Each week
we hear of companies losing sensitive information on mobile media. What
will it take to get the message across? If you store sensitive
information on any mobile device make sure it is secured properly and
the data is encrypted.]

MISCELLANEOUS

 --CD-ROMs for Ohio Campaign Operations Include Voter SSNs
(28 April 2006)
CD-ROMs given to various political campaign operations in Ohio
apparently contain the Social Security numbers (SSNs) of as many as 7.7
million registered voters in the state. The Ohio secretary of state's
office was alerted to the situation by one of the campaigns. All the
campaigns have been contacted and have agreed to return the disks in
exchange for disks without the SSNs. The campaign groups use the data
on the CDs for phone canvassing and other political activities. Data
privacy is not a new issue for the Ohio government; last month, a man
sued the state of Ohio for posting his and others' SSNs on public record
web sites. Ohio does have a security breach notification law that would
require residents to be informed "if unencrypted or unredacted personal
information about those individuals ... included in computerized data
owned or licensed by [an] agency, person or business entity is accessed
and acquired by unauthorized persons" as long as the disclosure "causes
or is reasonably believed [to] create a material risk of the commission
of the offense of identity fraud or other fraud to the individual."
http://www.computerworld.com/printthis/2006/0,4814,110983,00.html

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
