
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #44

June 02, 2006


Another week, another data breach, and another million Americans become prime candidates for identity theft. At the same time the number of cyber criminals around the world is skyrocketing. Many of them think stealing from the US is an honorable profession. One major bank reported (privately) that cyber fraud at their bank is up by 300% over last year. They are starting to question whether they should cover the losses suffered by their depositors and have already stopped covering losses by small businesses.

If the public ever gets angry enough to ask for accountability, they need look no further than their elected officials who lead the House of Representatives. The US government could have led by example and created a market for far more secure systems and networks. Instead government leads only in the number of cyber breaches they hide from the public. Congress (with OMB and NIST's active assistance) set the bar far too low, measured the wrong things, avoided pressuring vendors and government contractors to deliver safer systems, and then actively refused to ask the Government Accountability Office to take a hard look at the impact of what they have done. We'll be highlighting some of the most egregious actions in coming editions of NewsBites.

Warning: Fake SANS Courses in Portugal. Additional information is at the end of this issue of NewsBites.

Alan

TOP OF THE NEWS

Two More Major Data Breaches Put More Than 1,000,000 Americans at Risk of Identity Theft
DISS to Deny Access to .edu Domain Name Users
EU Court Overturns Passenger Data Agreement with US
New Legislation in China Takes Aim at Copyright Violators

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Japanese Police Arrest Eight in Phishing Scam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Malware for OpenOffice Detected
Symantec Offers Fixes for Remotely Exploitable Flaw
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Texas Guaranteed Student Loan Corp. Data Security Breach
Florida International University Notifies Students of Security Breach
Cyber Thieves Redirect Online Banking Customers to Phony Site
Ransomware Spreads to UK
Colleges' Systems Easy Pickings for Data Thieves
MISCELLANEOUS
Microsoft Enters the Security Market


****** SPONSORED BY THE LOG MANAGEMENT SUMMIT AND SANSFIRE 06 ***********

Like gold hidden in rocks, a number of surprising security assets have been discovered hiding in log data - in logs you might not be keeping. More than a dozen users from banks, hospitals, manufacturers, and government will be sharing their discoveries at the Log Management Summit July 12-14 in Washington, DC. And in the same hotel, you can attend any of 16 SANS immersion training courses, taught by the world's best instructors. You'll also be allowed to attend insider briefings on new developments in malware and other security innovations. That's SANSFIRE 2006, July 5-12.
Log Management Summit information: http://www.sans.org/logmgtsummit06
SANSFIRE 2006 information: http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

Two More Major Data Breaches Put More Than 1,000,000 Americans at Risk of Identity Theft (1 June 2006)

Texas Guaranteed, a company that administers federally guaranteed student loans, reported that an outside contractor lost equipment containing the names and Social Security numbers of approximately 1.3 million borrowers. In addition, a security flaw in servers at Sacred Heart University in Fairfield, Connecticut, led to a data breach that exposed the names, addresses and Social Security numbers of 135,000 people, and the credit card numbers of a hundred others.
-http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000878

DISS to Deny Access to .edu Domain Name Users (31 May 2006)

As of June 30, 2006, .edu domain name users will be denied access to applications on the Defense Information System for Security (DISS) web site. Users of the .net and .org domains will face tighter restrictions than before while .mil, .gov and .com users will still have access to the applications. A Defense Security Service (DSS) spokesperson said the decision was made in response to security concerns.
-http://www.fcw.com/article94700-05-31-06-Web

EU Court Overturns Passenger Data Agreement with US (31/30 May 2006)

The European Court of Justice said an EU/US agreement to transfer sensitive personal data about EU airline passengers did not have an "appropriate legal basis" and invalidated the agreement. "The court ruled that because the information contained in passenger records is collected by airlines for their own commercial use, the European Union could not legally agree to provide that data to US authorities ..." US authorities had wanted EU airlines to provide them with 34 pieces of data about each traveler on board planes headed for the US and threatened hefty fines and lengthy security checks if the request was not met. The European Court of Justice has given the EU until September 30 to develop an alternative solution.
-http://news.bbc.co.uk/2/hi/europe/5028918.stm

-http://www.boston.com/news/world/europe/articles/2006/05/31/eu_court_overturns_passenger_data_deal?mode=PF

[Editor's Note (Pescatore): This is a good example of the European "opt-in" privacy model conflicting with the US "opt out" approach. The obvious tradeoff will be long waits at in-bound US security lines if you don't opt-in to provide the information in advance.
(Honan): Many Europeans will welcome this move, because the agreement had created a lot of unease regarding the invasion into their privacy by the US authorities, lack of clarity over how this information would be used, with whom the information would be shared and how it would be protected.
(Schultz): Another clash between EU and US privacy requirements and standards has occurred. The differences between the EU and US with respect to privacy (or, in the US, the lack thereof) are so great that I suspect it will be extremely unlikely that they ever will be reconciled in dealing with the passenger data issue. ]

New Legislation in China Takes Aim at Copyright Violators (30 May 2006)

New legislation in China forbids people and organizations to distribute copyrighted content on the Internet without permission from the copyright holder. In addition, producing, importing and supplying devices that allow people to circumvent copyright protection are prohibited. Those found in violation of the law could face fines of up to 100,000 yuan (US$12,470) and have their equipment confiscated.
-http://china.org.cn/english/2006/May/169778.htm
-http://www.thestandard.com.hk/news_detail.asp?we_cat=2&art_id=19679&sid=8183719&con_type=1&d_str=20060530

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=data_control_and_ip&articleId=9000806&taxonomyId=144



********************Sponsored Links (Webcasts): *************************

Note: These free SANS webcasts can be your most cost-effective means of keeping your security knowledge current. (If you are not already an expert on SQL Injection, for example, you probably should be):

1) Free Webcast next week - "Hacker Techniques: Windows Malware and Blind SQL Injection" Wednesday, June 07 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1177

2) "Part 3: Securing the Web Application - At the Server and the Endpoint" Thursday, June 08 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1178

3) "Hacking the Hallways: The Convergence of Physical and Logical Security" Webcast Tuesday, June 13 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1179

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Japanese Police Arrest Eight in Phishing Scam (31 May 2006)

Police in three Japanese prefectures have arrested eight people suspected of fraud and violating the Unauthorized Computer Access Law in connection with a phishing scheme. The group allegedly defrauded Yahoo Japan members by sending emails that appeared to come from Yahoo employees and directed recipients to a fraudulently constructed web site where they tried to gather the victims' account data. The cyber thieves used the data to place nonexistent goods on Yahoo auction sites.
-http://www.yomiuri.co.jp/dy/national/20060531TDY02012.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Proof-of-Concept Malware for OpenOffice Detected (1 June/30 May 2006)

Stardust, a macro virus, is believed to be the first malware that targets OpenOffice and StarOffice. Stardust opens an adult-theme image file from the Internet in a new document; it has not been detected in the wild.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39362421-39000005c
-http://www.pcworld.com/news/article/0,aid,125917,00.asp

Symantec Offers Fixes for Remotely Exploitable Flaw (31/30 May 2006)

Symantec has released updates to address a vulnerability in its AntiVirus Corporate Edition and Client Security products. The remotely exploitable buffer overflow flaw could allow attackers to execute arbitrary code on vulnerable systems. Because Symantec products are so widely deployed, malware exploiting the vulnerability could pose a significant problem on the Internet. The fix is available through Symantec's LiveUpdate.
-http://isc.sans.org/diary.php?storyid=1368
-http://isc.sans.org/diary.php?storyid=1372
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39272156-39020375t-10000025c
-http://www.usatoday.com/tech/news/computersecurity/2006-05-30-symantec-fix_x.htm?POE=TECISVA

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Texas Guaranteed Student Loan Corp. Data Security Breach (31 May 2006)

The Texas Guaranteed Student Loan Corporation has acknowledged that a piece of equipment lost by a third-party contractor contained data, including Social Security numbers, belonging to an estimated 1.3 million borrowers. TG is notifying those affected by the loss with letters. A web site created to provide additional information details how the loss occurred, and indicates the data were encrypted and password protected.
-http://www.bizjournals.com/austin/stories/2006/05/29/daily11.html?t=printable

-http://www.tgslc.org/resources/customerdata.cfm
[Editor's Note (Schultz): Although no one can be happy concerning the events that have occurred, at least staff from the Texas Guaranteed Student Loan Corporation had the wisdom and foresight to encrypt and password-protect the data that were stolen. ]

Florida International University Notifies Students of Security Breach (31 May 2006)

Florida International University has informed thousands of students that their personal data may have been compromised due to a data security breach. The school notified only those students whose data were put at risk by the malware they found on the compromised computer. Some have expressed concern over the format of the notifications - a postcard-sized letter that could easily be overlooked.
-http://cbs4.com/topstories/local_story_150225136.html

Cyber Thieves Redirect Online Banking Customers to Phony Site (31 May 2006)

Cyber thieves gained access to a server operated by Goldleaf Technologies, which hosts web sites for numerous community banks. The thieves redirected online banking customers to a phony web site where they attempted to gather user names, passwords, credit card information and ATM PINs. A spokesman for Goldleaf said as many as 175 banks were affected by the intrusion for as long as 90 minutes. One of the affected institutions, Minnesota-based Premier Banks, has notified the FBI and plans to send letters to its customers urging them to change their online banking passwords.
-http://www.thestate.com/mld/thestate/business/14703801.htm?template=contentModules/printstory.jsp

[Editor's Note (Pescatore): Web attacks have changed from simple vandalism to gain notoriety, to much more targeted attacks to make money. While much of the attention is on strengthening user authentication so banks can trust who is making a transaction, financial institutions need to make sure that their end of the transaction is trustable as well.
(Northcutt): Goldleaf, "The technology you want - from a partner you can trust" has a press release here:
-http://www.corporate-ir.net/ireye/ir_site.zhtml?ticker=GFSI&script=410&layout=9&item_id=861511
]

Ransomware Spreads to UK (31 May 2006)

A woman in Manchester, England, found her computer infected with malware that placed all her files in a password-protected folder; a new file on her computer told her that if she wanted to get her files back, she needed to purchase drugs from a certain web site. The malware apparently made its way onto her computer when she clicked on a pop-up advertisement. It reportedly exploited a known vulnerability. The woman contacted the police, who are investigating, and brought her computer to an expert; most of her files were recovered. This is believed to be the first reported case of ransomware in the UK.
-http://www.manchestereveningnews.co.uk/news/technology/s/214/214532_net_pirates_in_file_theft_scam.html

-http://www.theregister.co.uk/2006/05/31/virus_ransoms_files/
[Editor's Note (Honan): Note that Sophos has cracked the code. See
-http://www.vnunet.com/vnunet/news/2157399/sophos-cracks-ransomware-code]

Colleges' Systems Easy Pickings for Data Thieves (30 May 2006)

According to data gathered by ChoicePoint, colleges and universities accounted for approximately 30 percent of reported computer security breaches last year. In addition, an Educause survey of colleges found that security topped the list of computer system concerns. College and university networks are vulnerable to intrusions due to the open nature of information exchange expected in an academic environment. Some schools have begun requiring students to download antivirus and firewall software before allowing them to connect to school systems. Other security measures include requiring the frequent changing of passwords and phasing out the use of Social Security numbers as identifiers.
-http://www.latimes.com/technology/la-me-hacks30may30,0,4561270,print.story?coll=la-home-headlines

[Guest Editor Note (Marchany, tongue in cheek comment): EDU sites are embracing this novel strategy enthusiastically by declaring that no .gov or .mil sites can access the EDU domain.
(Northcutt): This is the closest thing to the ostrich sticking its head in the sand I have heard of yet.
(Kreitner): Today's requirements for prudent protection of information simply don't mix with the unrestrained user choices implicit in the concept of academic freedom. Clear separations should be established between systems used for academic purposes and those used for administrative functions. ]

MISCELLANEOUS

Microsoft Enters the Security Market (1 June/31 May 2006)

Microsoft has introduced Windows Live OneCare, a subscription-based software product that provides antivirus, anti-spyware and firewall protection, tools to help maintain and enhance performance, and file backup support for Windows operating systems. Symantec and McAfee have both indicated they will release new security suites in the coming months.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/01/BUG7RJ5F1R1.DTL&type=printable

-http://news.bbc.co.uk/2/hi/technology/5032832.stm
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39272163-39020375t-10000025c
[Editor's Note (Boeckman): It seems to me they are basically selling a defective product and then charging you protection money to avoid a disaster. ]


Warning: Fake SANS Courses in Portugal

If a course is not advertised on www.sans.org, it probably is not SANS. We received a note from someone in Portugal who bought a poor quality security course. Sadly, they thought it was a SANS course when they were buying it; only after they took the course did its poor quality make them realize it was fake. The company uses SANS as a course code and SANS titles in an attempt to mislead people. Example: "SANS02 Firewalls, Perimeter Protection & VPNs". Remember, if it is not advertised on www.sans.org, it probably is not SANS.


==end==

NewsBites Editorial Board: Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/