SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #18
March 03, 2006
A little controversy.
Are the books on secure programming actually changing programmer
behavior? If you have proof that any of the books on secure programming
have made a significant difference in program habits, please let us know
so we can highlight the publication.
Separately, online security awareness training just got a huge boost in
effectiveness. 45 senior security managers reviewed the new technology
and over half decided to bring it in house. For information on the new
technology email awareness@sans.org
TOP OF THE NEWS
IT System Auditor Pleads Guilty to Computer Break-in
AOL Files Lawsuits Against Phishing Groups
Apple Security Update Addresses 20 Flaws, Including Safari Hole
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Four Plead Guilty to Music Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Virus is First to Spread from Desktops to Mobile Devices
Oracle Issues Out-of-Cycle Fix
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
State of Ohio Questions Delay in Learning of Laptop Theft
Bank of Bermuda Cancels, Reissues Cards After Learning of Security Breach
DDoS Attackers Turn to High Profile Blogs
Cancer Center Says Insurance Claim Data on Stolen Laptop Was Encrypted
STATISTICS, STUDIES & SURVEYS
Japan's National Police Agency Notes Increase in Cybercrime Arrests
MISCELLANEOUS
Exam Requires Students to Scan Internet Servers
********************** UPCOMING SECURITY TRAINING ***********************
As you can see at www.sans.org, more and more SANS classes are sold out (the red triangles) so we have begun a policy of earlier posting of new conferences. If you are thinking about turbo charging your security career or the careers of any of your coworkers this spring, start planning now to go to San Diego in early May. You'll find more than a dozen of SANS most popular courses and a vendor exposition, right on the harbor in San Diego. http://www.sans.org/security06/
Or plan to come to Washington in July right after July 4 for the biggest SANS Fire ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works. Bring your family for the national fireworks show. http://www.sans.org/sansfire06
*************************************************************************
TOP OF THE NEWS
IT System Auditor Pleads Guilty to Computer Break-in (2 March 2006)
Kenneth Kwak has pleaded guilty to unauthorized access to a protected computer in furtherance of a criminal or tortious act, according to the US Department of Justice. Kwak was working as a system auditor performing Federal Information Security Management Act (FISMA) audits for the Department of Education's Office of Inspector General. He allegedly placed software on his supervisor's computer that allowed him to view the supervisor's email and Internet usage. If convicted of all charges against him, Kwak could face up to five years in prison and a US$250,000 fine.
-http://www.computerworld.com.au/pp.php?id=1689984712&fp=2&fpid=1
[Editor's Note (Schultz): This incident in many respects comprises a worst case scenario because IT auditors are highly trusted within the organizations that they serve. Whenever insider threats are considered, IT auditors are almost never considered to be one of them. One of the "lessons learned" from this ugly incident may thus be that IT auditors' activities need to be considered a potential major security-related threat--organizations' risk estimates may need to be revised accordingly. Additionally, auditors themselves may need to be more carefully watched; in other words, auditors of auditors may be needed.]
AOL Files Lawsuits Against Phishing Groups (1 March/28 February 2006)
AOL has filed civil lawsuits against several groups of phishers allegedly engaged in stealing data for the purpose of identity fraud. Many of the groups are international. The suits seek US$18 million to address the effects of the phishing schemes on AOL. The suits were filed under Virginia's Lanham Act and the Federal Computer Fraud & Abuse Act.
-http://www.techworld.com/security/news/index.cfm?NewsID=5471
-http://software.silicon.com/security/0,39024655,39156840,00.htm
Apple Security Update Addresses 20 Flaws, Including Safari Hole (2/1 March 2006)
Apple has released Security Update 2006-001, which fixes 20 flaws in Mac OS X, including vulnerabilities that could be exploited to install malware through the Safari web browser. Apple has issued updates for OS X v10.3.9, OS X Server v10.3.9, OS X v10.4.5 and OS X Server v10.4.5.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39315343-39000005c
-http://blog.washingtonpost.com/securityfix/2006/03/apple_update_fixes_13_security.html
-http://docs.info.apple.com/article.html?artnum=303382
************************* Sponsored Links: *****************************
1) Free Webcast next week - What Works in Intrusion Prevention: Sheltering Networks with The Red Cross Tuesday, March 07 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1048
2) Prepare for the June 10, 2006 CISA(R) Certification examination! The SANS(R) +S Training for the CISA(R) Certification Exam course has been specifically written to help prepare for and to pass the CISA(R) exam while ensuring that the information presented is practical and applicable in daily life. New SANS@Home session led by James Tarala starts March 23. See http://www.sans.org/info.php?id=1049
************************************************************************
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Four Plead Guilty to Music Piracy (1 March 2006)
Four US men have pleaded guilty to charges related to Internet music piracy, the result of a Department of Justice investigation dubbed "Operation Fastlink." When they are sentenced on May 19, they face up to five years in prison and fines of US$250,000. The men were part of "pre-release music piracy groups," meaning they obtained the music before it was commercially available and released it over the Internet.
-http://news.bbc.co.uk/2/hi/entertainment/4761768.stm
-http://www.theregister.co.uk/2006/03/01/music_pirates_plead_guilty/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Virus is First to Spread from Desktops to Mobile Devices (28 February 2006)
The "Crossover" proof-of-concept virus is believed to be the first malware capable of spreading from PCs to mobile devices and deleting files. The virus is activated when a user connects a Windows Mobile device using Microsoft ActiveSync.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=181401195&subSection=Columns
-http://www.computerworld.com/printthis/2006/0,4814,109050,00.html
-http://www.vnunet.com/vnunet/news/2151066/virus-closes-gap-pcs-windows
Oracle Issues Out-of-Cycle Fix (27 February 2006)
Oracle has released an out-of-cycle patch for vulnerabilities in the Oracle Diagnostics troubleshooting component of its E-Business Suite 11i. Oracle normally releases software updates on a quarterly schedule; the next one is scheduled for April 18, 2006.
-http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/02/27/75924_HNoraclefix_1.html
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
State of Ohio Questions Delay in Learning of Laptop Theft (1 March 2006)
Medco Health Solutions waited six weeks before informing the Ohio Department of Administrative Services (DAS) that a laptop computer containing the Social Security numbers (SSNs) and birthdates of about 4,600 state workers and their dependents had been stolen. The theft occurred in December; DAS was informed on February 8, 2006. The Ohio state attorney general's office is investigating the terms of the contract between the two entities to see if any data security violations occurred. Medco maintains the delay in informing the state was due to an investigation by New Jersey police and the need to create a complete log of the stolen data.
-http://www.computerworld.com/printthis/2006/0,4814,109116,00.html
Bank of Bermuda Cancels, Reissues Cards After Learning of Security Breach (28 February 2006)
Bank of Bermuda has been notified by Visa that a recent security breach compromised information about 800 Bank of Bermuda customers' bank cards. The breach occurred at an ATM transaction processor. The bank is closing the accounts, notifying customers and "issuing replacement cards." Some customers said they were not notified and learned of the breach only after contacting the bank in the wake of declined transactions. The bank did not feel it was necessary to make a public statement as only "certain customers were affected."
-http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060301/NEWS/103010124
DDoS Attackers Turn to High Profile Blogs (28 February 2006)
High profile blogs have been targeted by distributed denial of service (DDoS) attacks in recent weeks. Some speculate that the attackers are broadening their range of targets, which until now has included online betting sites and online games, to include profitable and politically focused blogs.
-http://news.netcraft.com/archives/2006/02/28/ddos_attacks_target_prominent_blogs.html
[Editor's Note (Pescatore): This is sort of like saying "Hurricanes Turn To Attack New Orleans." DDoS attacks are easy to launch against anyone and anyone who has an Internet presence where availability is important should have DDoS protection built into their Internet services.]
Cancer Center Says Insurance Claim Data on Stolen Laptop Was Encrypted (22 February 2006)
A laptop computer containing insurance claim information regarding 4,000 University of Texas M.D. Anderson Cancer Center patients was stolen from a private home. The laptop was at the home of an employee of PricewaterhouseCoopers, the accounting company that was reviewing the claims. The data on the computer includes sensitive medical information and Social Security numbers. The theft occurred in Atlanta in November; patients and their families have been notified. M.D. Anderson chief privacy officer Carrie Lyons told those affected in a letter that the computer is protected with "sophisticated encryption software." Atlanta police are investigating.
-http://www.chron.com/disp/story.mpl/headline/metro/3679070.html
[Editor's Note (Schultz): Nobody likes hearing of incidents in which patient data have been stolen. Additionally, allowing an individual from another organization to store such data on a laptop seems extremely unwise. At the same time, however, the fact that these data were encrypted (hopefully with a non-trivial encryption scheme and with an adequately protected key) is some consolation. Data encryption goes a long way in protecting such data; the fact that more organizations do not use such encryption does not speak well for their information security practices.]
STATISTICS, STUDIES & SURVEYS
Japan's National Police Agency Notes Increase in Cybercrime Arrests (2 March 2006)
Japan's National Police Agency says the number of people arrested for Internet-related crime increased nearly 52 percent over last year, from 2,081 to 3,161. The NPA has been keeping cyber crime statistics since 1999.
-http://www.smh.com.au/news/breaking/japan-reports-leap-in-cybercrime/2006/03/02/1141191761510.html
MISCELLANEOUS
Exam Requires Students to Scan Internet Servers (1 March 2006)
A university professor has set his students the task of performing attack reconnaissance on an Internet server as a practical exam, which counts for 15 percent of their final grades. Because the professor has not required that the students obtain permission first, they could be breaking laws if they complete the assignment. The university said it would not take action against the students as long as they did not perform the reconnaissance on school computers. The professor may be rethinking the exam format.
-http://www.securityfocus.com/brief/151
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/