SANS NewsBites Vol. 8 Num. 41

From: The SANS Institute (NewsBites@sans.org)
Date: Tue May 23 2006 - 14:33:35 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites May 23, 2006 Vol. 8, Num. 41
*************************************************************************

TOP OF THE NEWS
  DSS Resumes Processing Some Clearance Applications, Draws Ire of
    Legislators
  Update to UK's CMA Could Prohibit Flaw Disclosure and Network
    Monitoring Tools
  Trojan Exploits Unpatched MS Word Hole
  Veterans' Personal Data Stolen

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    MSN Spammer Draws 19 Months in Prison
    Three Sentenced for Music Piracy Activity
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Alleged Software Pirate Settles Microsoft Civil Suit
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Worm Spreads Through Yahoo Messenger
    Skype Releases Updates to Fix URI Flaw
  
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Ohio University Revamps Computer Services After Three Breaches
    Data Security Breach at Retailer Affects Texas Bank's Customers

******** Sponsored By SANS Log Management Summit at SANSFIRE ************
                  Washington DC, July 12-14, 2006
More than 15 users will be sharing surprising stories about how their
log management systems caught insider criminals, stopped the spread of
worms and more. The Summit is the only place you can learn how to deploy
log management for maximum impact. Don't miss it. You get a big discount
if you are also attending classes at SANSFIRE.
Registration information:
SANSFIRE: http://www.sans.org/sansfire06
Log Management Summit: http://www.sans.org/logmgtsummit06
*************************************************************************
SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006
Washington DC: 18 tracks
Denver: 6 tracks
London: 5 tracks
Toronto: 4 tracks
Plus 10 other cities and live-online programs you can take from your home.
See http://sans.org/ for course schedule registration
*************************************************************************

TOP OF THE NEWS

 --DSS Resumes Processing Some Clearance Applications, Draws Ire of Legislators
(19/17 May 2006)
Although the Defense Security Service (DSS) has resumed processing
certain security clearance applications, US legislators are angry that
the shutdown occurred at all. Officials have been ordered to develop a
plan within six months to permanently solve the clearance-processing
problem. Clay Johnson, acting director of the Office of Management and
Budget (OMB), acknowledged that not informing Congress about the lack
of necessary funds and impending processing halt was "a mistake."
http://www.fcw.com/article94594-05-19-06-Print
http://www.fcw.com/article94560-05-17-06-Web
[Editor's Note (Pescatore): What is really needed is a review to
determine if the clearance process actually provides any security value,
and if security clearances are being required for positions that really
don't need them. A knee-jerk reaction to just throw more money to pay
for more background investigations just perpetuates long-time problems
in the entire process.
(Weatherford): I wonder if this temporary shutdown was simply a way for
DSS to cry for help and get the government's attention. This has been
a problem for years. Maybe now they will get the funding required to
eliminate the backlog.
(Shpantzer): The situation is so bad that some technical staffing
companies providing cleared employees to the government actually put the
cart before the horse: They find cleared people first, then train them
up to technical requirements... If that's not scary, I don't know what
is.
(Paller): The "clearance first" policies of many agencies have led them
to make people who have never secured a system responsible for telling
people how to secure systems. In other agencies, contractors with
abominable delivery records are being kept on, over the objections of
those who take security seriously, because the ineffective contractors
have people with clearances.]

 --Update to UK's CMA Could Prohibit Flaw Disclosure and Network
    Monitoring Tools
(19 May 2006)
While the UK's Police and Justice Bill will update the country's
Computer Misuse Act (CMA) to allow prosecution for denial-of-service
attacks and other cyber crimes that were not on the radar when it became
law, there is some concern that it could also allow individuals to be
prosecuted for disclosing details about flaws that have not yet been
patched or making network monitoring tools available. The House of
Commons recently passed the Police and Justice Bill; the House of Lords
will consider the bill in the next several months.
http://news.zdnet.co.uk/business/legal/0,39020651,39270045,00.htm
[Editor's Note (Honan): Legislators need to be careful they focus the
legislation on the intent of the individual rather than the tools held
by that person. After all, a screwdriver is a useful tool to help me fix
items around the house but can also be used to break into someone else's
home.]

 --Trojan Exploits Unpatched MS Word Hole
(22/19 May 2006)
Mdropper-H, a Trojan horse program that exploits an unpatched hole in
Microsoft Word 2002 and 2003, has been detected on the Internet. It has
been used in highly targeted spear phishing attacks, via email
containing MS Word attachments that contain a backdoor program called
Backdoor-Ginwui. Microsoft is developing a fix for the MS Word flaw.
The SANS Internet Storm Center (ISC) has made several recommendations
for protecting networks from attack, including quarantining attachments
to allow for the release of relevant virus signatures, limiting user
privileges, monitoring or blocking outbound traffic and replacing MS
Word with OpenOffice until patches are available from Microsoft.
http://www.theregister.co.uk/2006/05/22/trojan_exploit_word_vuln/print.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39361207-39000005c
http://blog.washingtonpost.com/securityfix/2006/05/microsoft_hackers_exploiting_u.html
http://isc.sans.org/diary.php?storyid=1347
[Editor's Note (Boeckman): Why are we still seeing such serious
problems over 4 years after Microsoft announced their trusted computing
initiative? Did they even patch the last zero day yet (CVE-2006-1992)?]

 --Veterans' Personal Data Stolen
(22 May 2006)
A Department of Veterans Affairs employee who took electronic data home
without authorization has been placed on administrative leave following
a burglary at his home during which the data were stolen. The employee
was not authorized to take the files home; the FBI, local law
enforcement agents and the VA's inspector general are investigating the
incident. The data include the Social Security numbers, names and
birthdates of all US veterans who have served in the military and have
been discharged since 1975, an estimated 26.5 million US veterans.
There is no evidence the data have been used. The VA is taking steps
to inform veterans of the data security breach and has established a web
site and a toll free number to address veterans' concerns.
http://www.usatoday.com/tech/news/2006-05-22-vadisk_x.htm
http://www.gcn.com/online/vol1_no1/40840-1.html?topic=security
(Please note this site requires free registration)
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/22/AR2006052200709_pf.html
http://www.msnbc.msn.com/id/12916803/
[Editor's Note (Northcutt): I happen to be a veteran so I used this
as an opportunity for field research. To get the toll free number you
need to go to http://www.firstgov.gov/veteransinfo.shtml and the phone
number, 1-800-333-4636 is at the very bottom of the article. When I
called, there was a recorded message with the same information as the
web site. Eventually, I got a person. I explained that I was a veteran
and I wanted to validate the accuracy of the data they had recorded for
me. Note that is a basic OECD privacy principle. Joshua, after a one
minute pause, tried to send me back to www.firstgov.gov. I don't wish
to appear as mean or cynical, but I am concerned. More than a couple
veterans have suffered injuries due to their time in service and might
be particularly vulnerable to identity attacks. If there is someone from
the VA or the government with authority, I am happy to volunteer to
participate on, or even lead a testing team to ensure the processes in
place to help veterans actually work. Right now they don't.
(Multiple): If the employee was not authorized to take the data home
then he should not have been able to do so. Simply having a policy
statement prohibiting certain courses of action does not guarantee the
statement will be adhered to nor that the data will be secured.
Controls and mechanisms need to be implemented to support and manage
compliance to policy statements and maintain the integrity of the
resources being secured.]

*************************** Sponsored Links: ****************************

1) ALERT: How do you protect what you can't see? Stop protecting
while blind. Gain network visibility now. Download FREE White Paper
"Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info.php?id=1173

2) "SQL Injection and Signature Evasion" whitepaper - The attack
process, countermeasures and what does and doesn't work.
http://www.sans.org/info.php?id=1174
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --MSN Spammer Draws 19 Months in Prison
(22/19 May 2006)
Jayson Harris has been sentenced to 21 months in prison after pleading
guilty to fraud and wire fraud for his role in a phishing scam that
targeted MSN users. In his plea agreement, Harris admitted he sent
deceptive email to MSN users to try to lure them to a specially crafted
site that would help him harvest credit card numbers and other data.
Harris has been ordered to pay approximately US $57,000 in restitution;
he admitted to defrauding between 50 and 250 individuals.
http://www.techspot.com/news/21667-msn-phisher-gets-21-months-in-prison.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=188100721

 --Three Sentenced for Music Piracy Activity
(19 May 2006)
Three men have been sentenced for their roles in groups that post
pre-release music to the Internet. George S. Hayes pleaded guilty to
one count of copyright infringement and was sentenced to 15 months in
jail. Aaron O. Jones and Derek A. Borchardt pleaded guilty to one
felony count of conspiracy to commit copyright infringement. Jones
received a sentence of six months in jail followed by six months of home
confinement; Borchardt was sentenced to six months home confinement. A
fourth man, Matthew Howard, will be sentenced next week. The men were
caught through the efforts of the FBI's ongoing Operation FastLink,
which targets piracy groups.
http://www.infoworld.com/article/06/05/19/78530_HNwarez3_1.html
http://www.australianit.news.com.au/articles/0,7204,19215726%5E15318%5E%5Enbv%5E,00.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Alleged Software Pirate Settles Microsoft Civil Suit
(22/19 May 2006)
Microsoft brought a GBP 12 million (US$22.6 million) civil suit against
William Ling earlier this year for damages it claims it suffered as a
result of Ling selling pirated copies of its software. In May 2005,
Ling was prosecuted for selling pirated software but received a fine of
just GBP 10,000 (US$18,839) and resumed selling pirated software within
two months. Ling has settled the civil suit out of court for an
undisclosed sum and has agreed to stop selling pirated software.
http://software.silicon.com/applications/0,39024653,39159008,00.htm
http://www.theregister.co.uk/2006/05/22/microsoft_sues_pirate/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Worm Spreads Through Yahoo Messenger
(22 May 2006)
The yhoo32-explr worm spreads through Yahoo's instant messaging network
and installs what it calls a "Safety Browser." The Safety Browser
hijacks the Internet Explorer home page, redirecting it to a site that
downloads spyware onto infected machines.
http://www.theregister.co.uk/2006/05/22/safety_browser_im_worm/print.html
http://www.eweek.com/print_article2/0,1217,a=178894,00.asp
http://www.vnunet.com/vnunet/news/2156523/yahoo-messenger-worm-turns-ie

 --Skype Releases Updates to Fix URI Flaw
(22/19 May 2006)
Skype Ltd. has released an updated version of its VoIP software to
address a flaw stemming from improper handling of Uniform Resource
Identifier (URI) arguments that could be exploited to allow attackers to
download files from vulnerable machines. Vulnerable versions of Skype
include 2.0.x.104 and earlier and 2.5.x.0 through 2.5.x.78. Users are
encouraged to upgrade to Skype 2.5 release 2.5.x.79 or later or Skype
2.0 release 2.0.x.105 or later.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000662
http://news.com.com/2102-1002_3-6074640.html?tag=st.util.print
http://www.skype.com/security/skype-sb-2006-001.html
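The version ranges above are the kind of thing an administrator has to turn into an inventory check, and the two parallel branches (2.0 and 2.5, each with its own fix build) make a naive string comparison unreliable. The script below is an added example, not part of the newsletter or of Skype's own advisory tooling; the only facts it carries are the version ranges quoted in the item, while the version-string layout (four dotted integers, with the third component varying by platform) and the sample inventory are assumptions constructed for the example.

```python
"""Classify installed Skype versions against the ranges named in the advisory.

Added example (not from the newsletter or from Skype). The vulnerable ranges
come from the item above: 2.0.x.104 and earlier, and 2.5.x.0 through 2.5.x.78.
The four-part "major.minor.platform.build" layout is an assumption.
"""


def parse_version(text):
    """Split a string such as '2.5.0.78' into a tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Skype version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(text):
    """Return True if the version is in an affected range, False if it is at
    or past the fixed build on that branch, and None if the branch is not
    covered by the advisory at all (so the caller must not assume it is safe).
    """
    major, minor, _platform, build = parse_version(text)
    if (major, minor) == (2, 0):
        # 2.0.x.104 and earlier are affected; 2.0.x.105 is the fixed release.
        return build <= 104
    if (major, minor) == (2, 5):
        # 2.5.x.0 through 2.5.x.78 are affected; 2.5.x.79 is the fixed release.
        return build <= 78
    return None


def classify_inventory(inventory):
    """Group host names by status for a {hostname: version} mapping.

    Hosts on branches the advisory does not mention land in 'unknown' rather
    than being silently treated as patched.
    """
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_vulnerable(version)
        if status is True:
            result["vulnerable"].append(host)
        elif status is False:
            result["fixed"].append(host)
        else:
            result["unknown"].append(host)
    return result


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "2.0.0.104",   # last affected build on the 2.0 branch
    "ws-02": "2.0.0.105",   # first fixed build on the 2.0 branch
    "ws-03": "2.5.0.78",    # last affected build on the 2.5 branch
    "ws-04": "2.5.0.79",    # first fixed build on the 2.5 branch
    "ws-05": "1.4.0.84",    # older branch, not covered by the advisory
}

if __name__ == "__main__":
    for status, hosts in classify_inventory(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (status + ":", ", ".join(hosts) or "-"))
```

The three-way result is the point of the design: a check that returns only True or False would report the 1.x host as "fixed", which is exactly the wrong conclusion to draw from an advisory that says nothing about that branch.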

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

 --Ohio University Revamps Computer Services After Three Breaches
(21 May 2006)
A series of attacks on Ohio University servers has prompted a
reorganization of the school's computer services department. While the
attacks were only recently disclosed, at least one of the servers may
have been accessible to intruders for more than a year. This particular
server holds the Social Security numbers of more than 137,000
individuals. Ohio University was alerted to the breach when the FBI
discovered that one of the servers was being controlled remotely. A
technician has been placed on paid administrative leave.
http://news.com.com/2102-7349_3-6074739.html?tag=st.util.print

 --Data Security Breach at Retailer Affects Texas Bank's Customers
(19 May 2006)
About 100 customers of Texas-based Frost Bank were victims of cyber
thieves who stole debit card data from an unnamed retailer and used it
to commit identity fraud. Frost Bank is notifying all 9,300 affected
customers and informing them they will have all stolen money restored
to their accounts. Visa USA has acknowledged that it was alerted to the
data theft and that it notified the institutions that issued the
affected cards.
http://www.mysanantonio.com/business/stories/MYSA051906.01E.frosttheft.216bbd06.html

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely
recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent language consultant based in Clearwater,
Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

- ---end---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEc14P+LUG5KFpTkYRAk+NAJ9cATRF4qDWnN8KEkHSnHdKoV2gcwCgkUXK
A8fLKdfpdTcmbwKXYOydHz8=
=a//p
-----END PGP SIGNATURE-----