SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #35
May 02, 2006
Make plans now to attend SANSFIRE in Washington DC July 5-13 - Bring your family for the fireworks and stay for SANS' largest conference in Washington.
"Jacked my paranoia level up around my ears, and then gave me the tools to manage the threat." (Don Geiger, DCPS Division of Technology)
Offers every one of SANS' 17 immersion training courses plus 12 short courses and a big exposition: SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion Detection, Auditing, plus training for the CISSP exam and all technical certifications required for DoD 8570, and more. Registration and hotel information:
http://www.sans.org/sansfire06/
TOP OF THE NEWS
Mac OS X, Safari Security Threats on the Rise
SANS Announces Updates To Top 20 Internet Security Vulnerabilities
Yahoo Implicated in Jailing of Another Chinese Dissident
Pending Law in Georgia Could Mean Jail Time for Forensic Computer Consultants Who Testify in Court
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Military Employee Health Data Security Breach
NIST Releases Draft Guidelines for Security Log Management
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
RIAA and MPAA Ask University Presidents for Help in Fighting Piracy
BSA Ups Maximum Reward for Tips About Unlicensed Software Use at UK Businesses
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code Released for Unpatched IE Hole
Hitachi Offers Patches and Workarounds for Flaws in JP1 Server Software
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Data Storage Company Acknowledges Losing Backup Tapes
Stolen Aetna Laptop Contains Data on 38,000 Members
MISCELLANEOUS
CD-ROMs for Ohio Campaign Operations Include Voter SSNs
***************** Sponsored By Blue Coat Systems, Inc. ******************
Help! Everyone Needs Access from Everywhere! - A 3-part webcast series. Sponsored by Blue Coat
In this 3-part webcast series, SANS instructors and industry experts bring you technical, to-the-point advice on providing secure, controlled access to remote users. From the mobile user to the branch office employee to the unmanaged endpoint, you'll learn security considerations and best practices. View part 1 now: "The Mobile User - Secure Access from Anywhere (even the Home PC!)".
http://www.sans.org/info.php?id=1132
*************************************************************************
TOP OF THE NEWS
Mac OS X, Safari Security Threats on the Rise (1 May/30 April 2006)
As more threats against Macintosh computers emerge, there is a growing realization that Mac users are no longer immune to cyber attacks. Seven new flaws in Mac OS X were recently reported; Apple plans to address these in its next update. Furthermore, the SANS Institute's Top-20 Internet vulnerabilities list added Mac OS X for the first time in 2005; the updated list, out this week, includes flaws in Apple's Safari web browser that were exploited before Apple was able to fix them. Rohit Dhamankar, who edits the @RISK newsletter for SANS, said "the number of vulnerabilities in the Mac OS has certainly increased in the last six-month period."-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/01/BUGK7IHGOC1.DTL&amp;type=printable
-http://www.msnbc.msn.com/id/12537279/
SANS Announces Updates To Top 20 Internet Security Vulnerabilities (1 May 2006)
SANS today announced eight patterns of growing attacks on the Internet. The patterns cover flaws in Internet Explorer and Firefox, media files, Apple OS X, Oracle and Veritas products, plus attacks on data warehouses using SQL injection. Spear phishing is also a growing scourge.-http://www.usatoday.com/tech/news/computersecurity/2006-05-01-cyber-attack-change_x.htm?POE=TECISVA
SANS List: www.sans.org/top20/2005/spring_2006_update.php
Yahoo Implicated in Jailing of Another Chinese Dissident (28 April 2006)
According to the Human Rights in China (HRIC) group, evidence has surfaced indicating that Yahoo provided Chinese authorities with information leading to the arrest of yet another Chinese citizen, Wang Xiaoning. The writer was sentenced in 2003 to ten years in prison on charges of incitement to subvert state power.-http://www.computerworld.com/printthis/2006/0,4814,110988,00.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39266014-39020369t-10000023c
Pending Law in Georgia Could Mean Jail Time for Forensic Computer Consultants Who Testify in Court (24 April 2006)
Georgia's HB 1259, which has the approval of the state legislature but not the Governor's signature, would require private investigators (PIs) in the State of Georgia to be licensed. The law is broadly written and could be interpreted to include most computer forensics and incident response experts. Under the new law, computer security experts might need a PI license to testify in court or face felony charges.-http://www.securityfocus.com/columnists/399
[Editor's Note (Schultz): I have for quite a while been concerned about the number of people who claim to be "forensic computer experts" without credentials that appear to be genuine. At the same time, however, I doubt whether requiring that people who serve as expert computer forensics witnesses in court cases have a PI license will do much if any good in weeding out imposters.]
************************ Sponsored Links: *******************************
1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure
http://www.sans.org/info.php?id=1133
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Military Employee Health Data Security Breach (1 May/28 April 2006)
The US Department of Defense (DOD) has acknowledged that a cyber intruder gained access to a Tricare Management Activity (TMA) public server compromising personal military employee data. The breach was detected during routine monitoring. As soon as the incident was detected, security controls were improved and extra monitoring tools put in place. The Defense Criminal Investigative Service is investigating the incident. DOD has informed those affected by the breach. TMA oversees DOD's Military Health System.-http://www.fcw.com/article94232-04-28-06-Web
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40626
NIST Releases Draft Guidelines for Security Log Management (28 April 2006)
The National Institute of Standards and Technology (NIST) has released Special Publication 800-92: Guide to Security Log Management. The draft guidelines address log generation, transmission, storage, analysis and disposal. They offer suggestions for creating a log management policy and creating a centralized log management infrastructure.-http://www.fcw.com/article94229-04-28-06-Web
-http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
[Editor's Note (Boeckman): This is a good document. System logs are still a very valuable component of intrusion and misuse detection. I hope this will help analysts make better use of log data.]
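The draft covers the whole log lifecycle, and the two pieces a practitioner most often has to build by hand are the analysis step (turning raw syslog from many hosts into normalized events and running a misuse check over them) and tamper-evident storage of the archived records. The following is an added illustration written for this summary; it is not code from NIST SP 800-92 or from the newsletter. It assumes RFC 3164-style syslog lines as a central collector would receive them, and the log lines, host names, addresses and thresholds are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data) in RFC 3164 syslog format, as
# forwarded from two hosts to a central collector.
SAMPLE_LOGS = """\
Apr 28 10:02:11 web01 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 28 10:02:14 web01 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Apr 28 10:02:17 web01 sshd[2314]: Failed password for root from 203.0.113.7 port 51124 ssh2
Apr 28 10:02:20 web01 sshd[2314]: Failed password for root from 203.0.113.7 port 51125 ssh2
Apr 28 10:02:23 web01 sshd[2314]: Failed password for root from 203.0.113.7 port 51126 ssh2
Apr 28 10:03:40 web01 sshd[2390]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Apr 28 10:05:02 db02 sshd[991]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Apr 28 10:09:45 db02 sshd[995]: Accepted publickey for alice from 198.51.100.4 port 40101 ssh2
Apr 28 10:10:00 db02 CRON[1002]: (root) CMD (run-parts /etc/cron.hourly)
"""

# RFC 3164 header: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication result lines (assumed message format)
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog(text, year=2006):
    """Normalize raw lines into event dicts; lines that do not parse are kept under 'raw'."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            events.append({"raw": line})
            continue
        ev = m.groupdict()
        # RFC 3164 timestamps carry no year, so the collector supplies it.
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=4, window_seconds=300):
    """Alert on (host, source IP) pairs with >= threshold failed SSH logins inside the
    window, and record whether a later successful login came from the same source."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("prog") != "sshd":
            continue
        a = AUTH_RE.match(ev["msg"])
        if not a:
            continue
        key = (ev["host"], a["src"])
        (failures if a["result"] == "Failed" else successes)[key].append(ev["time"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted failures
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                later_success = any(t > times[j] for t in successes.get(key, []))
                alerts.append({"host": key[0], "src": key[1], "failures": len(times),
                               "first": times[i], "followed_by_success": later_success})
                break
    return alerts


def chain_digests(lines, seed=b""):
    """Tamper-evident storage: each record's SHA-256 covers the previous digest, so
    editing or deleting an archived line invalidates every digest after it."""
    prev = hashlib.sha256(seed).hexdigest()
    out = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        out.append(prev)
    return out


def verify_chain(lines, digests, seed=b""):
    """True only if the stored lines reproduce the stored digest chain exactly."""
    return chain_digests(lines, seed) == digests


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOGS)
    for alert in detect_bruteforce(evs):
        print(alert)
    lines = SAMPLE_LOGS.splitlines()
    digests = chain_digests(lines)
    print("archive intact:", verify_chain(lines, digests))
```

Run as-is, the detector reports one alert (web01, 203.0.113.7, five failures, followed by a successful root login from the same address), and the single failure on db02 stays below threshold. The digest chain is the storage-side check: a collector that writes the running digest alongside each record can later prove whether an archive was altered before disposal.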
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
RIAA and MPAA Ask University Presidents for Help in Fighting Piracy (27 April 2006)
The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have sent letters to 40 US university presidents informing them of problems with pirated digital content on their schools' local area networks (LANs) and asking they take action to halt the copyright violations. The RIAA and the MPAA say students are trading files across school LANs rather than sending them over the Internet. LANs in universities often serve tens of thousands of people.-http://news.com.com/2102-1025_3-6066118.html?tag=st.util.print
BSA Ups Maximum Reward for Tips About Unlicensed Software Use at UK Businesses (27/26 April 2006)
The Business Software Alliance (BSA) has increased its maximum reward for information regarding the use of illegal or unlicensed software in UK businesses. The BSA has launched 420 investigations from tips received on its hotline. People providing the BSA with tips about unlicensed software could receive as much as GBP20,000 (US$36,513) through the end of June.-http://management.silicon.com/itdirector/0,39024855,39158440,00.htm
-http://www.bsa.org/uk/press/newsreleases/ukpressrelease26april2006.cfm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code Released for Unpatched IE Hole (28 April 2006)
Proof-of-concept exploit code for an unpatched hole in Microsoft's Internet Explorer (IE) has been published. The flaw could allow attackers to run unauthorized code on Windows machines. The flaw affects only older versions of Windows; the most recent versions of Windows and Windows Server 2003 are unaffected. Also, to exploit the hole, attackers would need to trick users into performing a series of unusual actions. Microsoft has issued a statement explaining that "significant mitigating factors" are sufficient reason to address the flaw in an upcoming service pack instead of a security update.-http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/04/28/77853_HNsecondbug_1.html
Hitachi Offers Patches and Workarounds for Flaws in JP1 Server Software (26 April 2006)
Hitachi has acknowledged that a vulnerability in the software that ships with several of its JP1 Server products could be exploited to create denial-of-service conditions. Hitachi has released patches and suggests workarounds that can be used until the patches are applied.-http://www.vnunet.com/vnunet/news/2154805/hitachi-servers-dos-threat
-http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/01-e.html
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Data Storage Company Acknowledges Losing Backup Tapes (28 April 2006)
Data storage company Iron Mountain has apologized for losing a container of backup tapes that contain personal information belonging to as many as 17,000 current and former employees of Long Island Railroad. The railroad has informed affected employees by letter. Other data affected by the tape loss belongs to the US Department of Veterans Affairs.-http://www.boston.com/business/globe/articles/2006/04/28/data_storage_firm_apologizes_for_loss_of_railroad_data_tapes?mode=PF
Stolen Aetna Laptop Contains Data on 38,000 Members (27 April 2006)
Aetna Insurance has acknowledged that a laptop computer stolen from an employee's car contains personal data belonging to approximately 38,000 members. Those affected are employees of two companies who asked not to be named until all of their affected employees are informed of the laptop's theft and its implications. Aetna plans to send letters to inform all those affected. Aetna said the employee who left the computer in the car was not following company policy.-http://news.zdnet.com/2102-1009_22-6066078.html?tag=printthis
[Editor's Note (Honan): This is getting ridiculous! Each week we hear of companies losing sensitive information on mobile media. What will it take to get the message across? If you store sensitive information on any mobile device make sure it is secured properly and the data is encrypted.]
MISCELLANEOUS
CD-ROMs for Ohio Campaign Operations Include Voter SSNs (28 April 2006)
CD-ROMs given to various political campaign operations in Ohio apparently contain the Social Security numbers (SSNs) of as many as 7.7 million registered voters in the state. The Ohio secretary of state's office was alerted to the situation by one of the campaigns. All the campaigns have been contacted and have agreed to return the disks in exchange for disks without the SSNs. The campaign groups use the data on the CDs for phone canvassing and other political activities. Data privacy is not a new issue for the Ohio government; last month, a man sued the state of Ohio for posting his and others' SSNs on public record web sites. Ohio does have a security breach notification law that would require residents to be informed "if unencrypted or unredacted personal information about those individuals ... included in computerized data owned or licensed by [an] agency, person or business entity is accessed and acquired by unauthorized persons" as long as the disclosure "causes or is reasonably believed [to] create a material risk of the commission of the offense of identity fraud or other fraud to the individual."
-http://www.computerworld.com/printthis/2006/0,4814,110983,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/