SANS NewsBites Vol. 8 Num. 44

From: The SANS Institute (NewsBitessans.org)
Date: Fri Jun 02 2006 - 14:10:17 CDT


Another week, another data breach, and another million Americans become
prime candidates for identity theft. At the same time the number of
cyber criminals around the world is skyrocketing. Many of them think
stealing from the US is an honorable profession. One major bank reported
(privately) that cyber fraud at their bank is up by 300% over last year.
They are starting to question whether they should cover the losses
suffered by their depositors and have already stopped covering losses
by small businesses.

If the public ever gets angry enough to ask for accountability, they
need look no further than their elected officials who lead the House of
Representatives. The US government could have led by example and
created a market for far more secure systems and networks. Instead
government leads only in the number of cyber breaches they hide from the
public. Congress (with OMB and NIST's active assistance) set the bar far
too low, measured the wrong things, avoided pressuring vendors and
government contractors to deliver safer systems, and then actively
refused to ask the Government Accountability Office to take a hard look
at the impact of what they have done. We'll be highlighting some of the
most egregious actions in coming editions of NewsBites.

Warning: Fake SANS Courses in Portugal. Additional information is at the
end of this issue of NewsBites.

                                Alan

*************************************************************************
SANS NewsBites June 2, 2006 Vol. 8, Num. 44
*************************************************************************

TOP OF THE NEWS
  Two More Major Data Breaches Put More Than 1,000,000 Americans at Risk
     of Identity Theft
  DISS to Deny Access to .edu Domain Name Users
  EU Court Overturns Passenger Data Agreement with US
  New Legislation in China Takes Aim at Copyright Violators
THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Japanese Police Arrest Eight in Phishing Scam
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Proof-of-Concept Malware for OpenOffice Detected
    Symantec Offers Fixes for Remotely Exploitable Flaw
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Texas Guaranteed Student Loan Corp. Data Security Breach
    Florida International University Notifies Students of Security Breach
    Cyber Thieves Redirect Online Banking Customers to Phony Site
    Ransomware Spreads to UK
    Colleges' Systems Easy Pickings for Data Thieves
  MISCELLANEOUS
    Microsoft Enters the Security Market
  
****** SPONSORED BY THE LOG MANAGEMENT SUMMIT AND SANSFIRE 06 ***********

Like gold hidden in rocks, a number of surprising security assets have
been discovered hiding in log data - in logs you might not be keeping.
More than a dozen users from banks, hospitals, manufacturers, and
government will be sharing their discoveries at the Log Management
Summit July 12-14 in Washington, DC. And in the same hotel, you can
attend any of 16 SANS immersion training courses, taught by the world's
best instructors. You'll also be allowed to attend insider briefings on
new developments in malware and other security innovations. That's
SANSFIRE 2006, July 5-12.
Log Management Summit information: http://www.sans.org/logmgtsummit06
SANSFIRE 2006 information: http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS

 -- Two More Major Data Breaches Put More Than 1,000,000 Americans at
    Risk of Identity Theft
(1 June 2006)
Texas Guaranteed, a company that administers federally guaranteed
student loans, reported that an outside contractor lost equipment
containing the names and Social Security numbers of approximately 1.3
million borrowers. In addition, a security flaw in servers at Sacred
Heart University in Fairfield, Connecticut, led to a data breach that
exposed the names, addresses and Social Security numbers of 135,000
people, and the credit card numbers of about a hundred others.
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000878

 -- DISS to Deny Access to .edu Domain Name Users
(31 May 2006)
As of June 30, 2006, .edu domain name users will be denied access to
applications on the Defense Information System for Security (DISS) web
site. Users of the .net and .org domains will face tighter restrictions
than before while .mil, .gov and .com users will still have access to
the applications. A Defense Security Service (DSS) spokesperson said the
decision was made in response to security concerns.
http://www.fcw.com/article94700-05-31-06-Web

 -- EU Court Overturns Passenger Data Agreement with US
(31/30 May 2006)
The European Court of Justice said an EU/US agreement to transfer
sensitive personal data about EU airline passengers did not have an
"appropriate legal basis" and invalidated the agreement. "The court
ruled that because the information contained in passenger records is
collected by airlines for their own commercial use, the European Union
could not legally agree to provide that data to US authorities ..." US
authorities had wanted EU airlines to provide them with 34 pieces of
data about each traveler on board planes headed for the US and
threatened hefty fines and lengthy security checks if the request was
not met. The European Court of Justice has given the EU until September
30 to develop an alternative solution.
http://news.bbc.co.uk/2/hi/europe/5028918.stm
http://www.boston.com/news/world/europe/articles/2006/05/31/eu_court_overturns_passenger_data_deal?mode=PF
[Editor's Note (Pescatore): This is a good example of the European
"opt-in" privacy model conflicting with the US "opt out" approach. The
obvious tradeoff will be long waits at in-bound US security lines if you
don't opt-in to provide the information in advance.
(Honan): Many Europeans will welcome this move, because the agreement
had created a lot of unease regarding the invasion into their privacy
by the US authorities, lack of clarity over how this information would
be used, with whom the information would be shared and how it would be
protected.
(Schultz): Another clash between EU and US privacy requirements and
standards has occurred. The differences between the EU and US with
respect to privacy (or, in the US, the lack thereof) are so great that
I suspect that it will be extremely unlikely that they ever will be
reconciled in dealing with the passenger data issue.]

 -- New Legislation in China Takes Aim at Copyright Violators
(30 May 2006)
New legislation in China forbids people and organizations from
distributing copyrighted content on the Internet without permission from
the copyright holder. In addition, producing, importing and supplying
devices that allow people to circumvent copyright protection is
prohibited. Those found in violation of the law could face fines of up
to 100,000 yuan (US$12,470) and have their equipment confiscated.
http://china.org.cn/english/2006/May/169778.htm
http://www.thestandard.com.hk/news_detail.asp?we_cat=2&art_id=19679&sid=8183719&con_type=1&d_str=20060530
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=data_control_and_ip&articleId=9000806&taxonomyId=144

********************Sponsored Links (Webcasts): *************************
Note: These free SANS webcasts can be your most cost-effective means of
keeping your security knowledge current. (If you are not already expert
on SQL Injection, for example, you probably should be):

1) Free Webcast next week - "Hacker Techniques: Windows Malware and
Blind SQL Injection" Wednesday, June 07 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1177

2) "Part 3: Securing the Web Application - At the Server and the
Endpoint" Thursday, June 08 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1178

3) "Hacking the Hallways: The Convergence of Physical and Logical
Security" Webcast Tuesday, June 13 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1179
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 -- Japanese Police Arrest Eight in Phishing Scam
(31 May 2006)
Police in three Japanese prefectures have arrested eight people
suspected of fraud and violating the Unauthorized Computer Access Law
in connection with a phishing scheme. The group allegedly defrauded
Yahoo Japan members by sending emails that appeared to come from Yahoo
employees and directed recipients to a fraudulently constructed web site
where they tried to gather the victims' account data. The cyber thieves
used the data to place nonexistent goods on Yahoo auction sites.
http://www.yomiuri.co.jp/dy/national/20060531TDY02012.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 -- Proof-of-Concept Malware for OpenOffice Detected
(1 June/30 May 2006)
Stardust, a macro virus, is believed to be the first malware that
targets OpenOffice and StarOffice. Stardust opens an adult-theme image
file from the Internet in a new document; it has not been detected in
the wild.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39362421-39000005c
http://www.pcworld.com/news/article/0,aid,125917,00.asp

 -- Symantec Offers Fixes for Remotely Exploitable Flaw
(31/30 May 2006)
Symantec has released updates to address a vulnerability in its
AntiVirus Corporate Edition and Client Security products. The remotely
exploitable buffer overflow flaw could allow attackers to execute
arbitrary code on vulnerable systems. Because Symantec products are so
widely used, a piece of malware exploiting the vulnerability could pose
a significant problem on the Internet. The fix is available through
Symantec's LiveUpdate.
http://isc.sans.org/diary.php?storyid=1368
http://isc.sans.org/diary.php?storyid=1372
http://www.zdnet.co.uk/print/?TYPE=story&AT=39272156-39020375t-10000025c
http://www.usatoday.com/tech/news/computersecurity/2006-05-30-symantec-fix_x.htm?POE=TECISVA

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 -- Texas Guaranteed Student Loan Corp. Data Security Breach
(31 May 2006)
The Texas Guaranteed Student Loan Corporation has acknowledged that a
piece of equipment lost by a third-party contractor contained data,
including Social Security numbers, belonging to an estimated 1.3 million
borrowers. TG is notifying those affected by the loss with letters. A
web site created to provide additional information details how the loss
occurred, and indicates the data were encrypted and password protected.
http://www.bizjournals.com/austin/stories/2006/05/29/daily11.html?t=printable
http://www.tgslc.org/resources/customerdata.cfm
[Editor's Note (Schultz): Although no one can be happy concerning the
events that have occurred, at least staff from the Texas Guaranteed
Student Loan Corporation had the wisdom and foresight to encrypt and
password-protect the data that were stolen.]

 -- Florida International University Notifies Students of Security Breach
(31 May 2006)
Florida International University has informed thousands of students that
their personal data may have been compromised due to a data security
breach. The school notified only those students whose data were put at
risk by the malware they found on the compromised computer. Some have
expressed concern over the format of the notifications - a
postcard-sized letter that could easily be overlooked.
http://cbs4.com/topstories/local_story_150225136.html
 
 -- Cyber Thieves Redirect Online Banking Customers to Phony Site
(31 May 2006)
Cyber thieves gained access to a server operated by Goldleaf
Technologies, which hosts web sites for numerous community banks. The
thieves redirected online banking customers to a phony web site where
they attempted to gather user names, passwords, credit card information
and ATM PINs. A spokesman for Goldleaf said as many as 175 banks were
affected by the intrusion for as long as 90 minutes. One of the affected
institutions, Minnesota-based Premier Banks, has notified the FBI and
plans to send letters to its customers urging them to change their
online banking passwords.
http://www.thestate.com/mld/thestate/business/14703801.htm?template=contentModules/printstory.jsp
[Editor's Note (Pescatore): Web attacks have changed from simple
vandalism to gain notoriety, to much more targeted attacks to make
money. While much of the attention is on strengthening user
authentication so banks can trust who is making a transaction, financial
institutions need to make sure that their end of the transaction is
trustable as well.
(Northcutt): Goldleaf, "The technology you want - from a partner you can
trust" has a press release here:
http://www.corporate-ir.net/ireye/ir_site.zhtml?ticker=GFSI&script=410&layout=9&item_id=861511
]

 -- Ransomware Spreads to UK
(31 May 2006)
A woman in Manchester England found her computer infected with malware
that placed all her files in a password-protected folder; a new file on
her computer told her that if she wanted to get her files back, she
needed to purchase drugs from a certain web site. The malware apparently
made its way onto her computer when she clicked on a pop-up
advertisement. It reportedly exploited a known vulnerability. The woman
contacted the police, who are investigating, and brought her computer
to an expert; most of her files were recovered. This is believed to be
the first reported case of ransomware in the UK.
http://www.manchestereveningnews.co.uk/news/technology/s/214/214532_net_pirates_in_file_theft_scam.html
http://www.theregister.co.uk/2006/05/31/virus_ransoms_files/
[Editor's Note (Honan): Note that Sophos has cracked the code. See
http://www.vnunet.com/vnunet/news/2157399/sophos-cracks-ransomware-code
]

 -- Colleges' Systems Easy Pickings for Data Thieves
(30 May 2006)
According to data gathered by ChoicePoint, colleges and universities
accounted for approximately 30 percent of reported computer security
breaches last year. In addition, an Educause survey of colleges found
that security topped the list of computer system concerns. College and
university networks are vulnerable to intrusions due to the open nature
of information exchange expected in an academic environment. Some
schools have begun requiring students to download antivirus and firewall
software before allowing them to connect to school systems. Other
security measures include requiring the frequent changing of passwords
and phasing out the use of Social Security numbers as identifiers.
http://www.latimes.com/technology/la-me-hacks30may30,0,4561270,print.story?coll=la-home-headlines
[Guest Editor Note (Marchany, tongue in cheek comment): EDU sites are
embracing this novel strategy enthusiastically by declaring that no .gov
or .mil sites can access the EDU domain.
(Northcutt): This is the closest thing to the ostrich sticking its head
in the sand I have heard of yet.
(Kreitner): Today's requirements for prudent protection of information
simply don't mix with the unrestrained user choices implicit in the
concept of academic freedom. Clear separations should be established
between systems used for academic purposes and those used for
administrative functions.]

MISCELLANEOUS
 -- Microsoft Enters the Security Market
(1 June/31 May 2006)
Microsoft has introduced Windows Live OneCare, a subscription-based
software product that will provide antivirus, spyware and firewall
protection, tools to help maintain and enhance performance and file
backup support for Windows OSes. Symantec and McAfee have both indicated
they will release new security suites in the coming months.
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/01/BUG7RJ5F1R1.DTL&type=printable
http://news.bbc.co.uk/2/hi/technology/5032832.stm
http://www.zdnet.co.uk/print/?TYPE=story&AT=39272163-39020375t-10000025c
[Editor's Note (Boeckman): It seems to me they are basically selling a
defective product and then charging you protection money to avoid a
disaster.]

Warning: Fake SANS Courses in Portugal

If a course is not advertised on www.sans.org, it probably is not SANS.
We received a note from someone in Portugal who bought a poor quality
security course. Sadly, they thought it was a SANS course when they were
buying it. Only after they took the course, and found it so bad, did
they realize it was fake. The company uses "SANS" as a course code and
SANS course titles in an attempt to mislead people. Example: "SANS02
Firewalls, Perimeter Protection & VPNs". Remember, if it is not
advertised on www.sans.org, it probably is not SANS.

==end==

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
