SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #49
June 20, 2006
TOP OF THE NEWS
Government Data Security Breaches Lead to Closer Examination of Data Security Practices
Breaches Point to Problems with FISMA
Exploit for Zero-Day Excel Flaw Circulating
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Guilty Plea from Pirated Software Web Site Owner
Two Arrested in Japan for Attempted Extortion About Data Leak
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
PayPal Fixes Phishing Hole
Trojan Detected at Google Pages
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Laptop Theft Prompts ING to Inform 13,000 of Data Breach
Laptops Missing from Minnesota State Auditor's Office
Trojan Exposes Data from Oregon Dept. of Revenue Office
********* Sponsored By Check Point Software Technologies, Inc. *********
You face a growing number of security threats but have limited resources and an increasing number of standalone solutions to manage. Check Point VPN-1 UTM products simplify security deployment by integrating proven security functions and centralizing management, updates, and reporting across multiple sites into a single solution. Download our UTM white paper to learn more.
http://www.sans.org/info.php?id=1198
************************************************************************
Summer Security Training Extravaganza
Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
www.sans.org
*************************************************************************
TOP OF THE NEWS
Government Data Security Breaches Lead to Closer Examination of Data Security Practices (19 June 2006)
In the wake of the public disclosure of a massive data security breach at the Department of Veterans Affairs (VA), the Government Accountability Office (GAO) and the Office of Management and Budget (OMB) want agencies to take a closer look at their data security practices. The GAO wants agencies "to take a more strategic approach to guarding personal information," while the OMB has directed the heads of all agencies "to describe the specific steps they are taking to implement the requirements of the Federal Information Security Management Act (FISMA)" in their annual FISMA compliance reports. Chairman of the House Committee on Government Reform Tom Davis (R-Va.) says he will introduce legislation "to strengthen breach-notification requirements at agencies."
-http://www.cio-today.com/story.xhtml?story_id=0330014YEWXR
[Editor's Note
(Schultz): It is clear that some kind of drastic change is needed to motivate government agencies as well as commercial entities to protect personal information much better than they currently do. Requiring that agencies take a more strategic approach in safeguarding such information will probably not help as much as requiring ownership and accountability, however.
(Kreitner): Nothing like a little distress to motivate a stronger commitment to better security practice. And the devil is in the details. ]
Breaches Point to Problems with FISMA (12 June 2006)
Some observers are hopeful that recent data security breaches at US government agencies could prompt changes to the Federal Information Security Management Act (FISMA). They say FISMA certification and accreditation requirements consume large portions of IT budgets, leaving the actual implementation of security measures under-funded. The OMB has given no indication that FISMA will be amended.
-http://www.govexec.com/story_page.cfm?articleid=34309&printerfriendlyVers=1&
[Editor's Note (Boeckman): Yes, there are problems with the effectiveness of FISMA. If IT systems are using software with a new zero-day showing up every other week, and they still get through the security certification process, then there are obviously problems. ]
Exploit for Zero-Day Excel Flaw Circulating (19 & 16 June 2006)
Microsoft is warning that a zero-day vulnerability in Excel is being exploited; it could allow attackers to execute arbitrary code on vulnerable machines. A maliciously crafted Excel file carries a Trojan horse program and a second piece of malware, both capable of downloading further malware to infected machines. Users must open the document to become infected. The flaw appears to affect all versions of Excel.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39368787-39000005c
-http://www.us-cert.gov/cas/techalerts/TA06-167A.html
[Editors' Note (Multiple): Until Microsoft comes out with a hot fix for this vulnerability, all users can do is refrain from downloading and opening Excel attachments that they are not expecting. ]
********************* Sponsored Links: *******************************
1) Free Whitepaper: Preventing Insider Threats. From ArcSight, a leader in Enterprise Security Management.
http://www.sans.org/info.php?id=1199
2) Upcoming ToolTalk Webcast: Auditors Present How to Reach Compliance Nirvana - PCI and Government Regulatory Compliance
http://www.sans.org/info.php?id=1200
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Guilty Plea from Pirated Software Web Site Owner (16 June 2006)
Danny Ferrer has pleaded guilty to one count of conspiracy and one count of criminal copyright infringement for selling millions of dollars worth of pirated software. Ferrer owns the BuysUSA.com web site, which was shut down by the FBI in October 2005. Ferrer will also forfeit a number of vehicles purchased with the proceeds from the site, including airplanes, a boat, a helicopter and several cars. When he is sentenced on August 25, Ferrer faces up to 10 years in prison and a fine of US$500,000.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001258&taxonomyId=17
Two Arrested in Japan for Attempted Extortion About Data Leak (15 & 13 June 2006)
Tokyo police have arrested two men for trying to extort nearly US$90,000 from KDDI Corp., a Japanese phone company. The pair allegedly threatened to disclose, ahead of a shareholder meeting, the existence of storage media containing personal data belonging to four million KDDI customers. KDDI alerted the police as soon as the blackmailers made contact, and the police monitored communications between KDDI and the pair for several weeks.
-http://www.vnunet.com/vnunet/news/2158327/arrests-japan-extortion-case
-http://www.smh.com.au/news/Technology/KDDI-reports-massive-personal-data-leak/2006/06/13/1149964535511.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
PayPal Fixes Phishing Hole (19 June 2006)
PayPal says it has fixed a flaw in its web site that was being exploited by phishers to gather sensitive personal and financial data from customers. Attackers exploiting the vulnerability were redirecting PayPal users to a phony web site. Code on the PayPal web site has been changed to block this type of attack; PayPal is also taking steps to help shut down the phony site.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39368806-39000005c
Trojan Detected at Google Pages (19 June 2006)
A keylogger Trojan horse program has apparently been uploaded to the Google Pages web site hosting service. There have been no reports of messages attempting to trick users into visiting specially crafted links or downloading malicious files.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001264
-http://news.com.com/Trojan+targets+Google+hosting+service/2100-7349_3-6085295.html
[Guest Editor Note (Dr. Johannes Ullrich, CTO of Internet Storm Center): "Google Page Creator" is Google's answer to free web hosting services like Geocities and 50megs. Needless to say, Google is having the same problems all the other free and anonymous services are having. The challenge for Google is to deploy technology that will protect users and prevent damage to the Google brand caused by malware posted to googlepages.com. ]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Laptop Theft Prompts ING to Inform 13,000 of Data Breach (19 June 2006)
Letters are being sent to 13,000 individuals whose personal data were held on a laptop computer stolen from the home of an ING US Financial Services agent. ING is instituting a new security policy for laptop computers that includes encryption and password protection; the stolen computer had neither. The people affected by the data security breach are all District workers and retirees. (Please note: this site requires free registration.)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800716_pf.html
[Editor's Note (Northcutt): ING's slogan is "Your Future. Made Easier." Try telling that to the 13,000 impacted individuals. This wave of data losses is starting to remind me of counties that don't put traffic lights up until there is a motorist fatality.
(Grefer): Invest around 30-40 dollars into a cable lock for your laptop computers and spare yourselves this embarrassment as well as lots of headaches for your customers. Further, even if you don't want to spend the money for encryption software, at least use the EFS (Encrypted File System) functionality provided within Windows XP Professional to add a bit more security to the mix. ]
Laptops Missing from Minnesota State Auditor's Office (15 & 14 June 2006)
Police in St. Paul, Minnesota are investigating the disappearance of three laptop computers from the state auditor's office. The computers hold a variety of data, including Social Security numbers (SSNs) of roughly 500 public employees and 1,900 participants in certain public programs. The incident has prompted a change in policy: computers will now be locked in cabinets or secured with cables when they are not being used. Also, encryption software has been installed on other computers; the stolen data were password protected but not encrypted. State legislators are urging a review of data security practices at the auditor's office.
-http://www.twincities.com/mld/twincities/14826261.htm?template=contentModules/printstory.jsp
-http://www.startribune.com/462/story/490333.html
Trojan Exposes Data from Oregon Dept. of Revenue Office (19 & 14 June 2006)
An employee at the Oregon Department of Revenue inadvertently downloaded a Trojan horse program onto a department computer. The Trojan may have sent taxpayer information, including names, addresses and SSNs, to the source of the malware. As many as 2,200 Oregon taxpayers are affected by the data security breach; 1,300 letters have been sent so far, and other individuals are being contacted as they are identified. As a result of the incident, Oregon Department of Revenue workers have been prohibited from using their computers for anything besides business.
-http://www.kgw.com/sharedcontent/APStories/stories/D8I7JI4G0.html
-http://www.theregister.co.uk/2006/06/19/oregon_security_breach/print.html
[Editor's Note (Northcutt): A quote from the Associated Press article says it all, "Amy McLaughlin, an information technology security officer with the state, said the incident apparently occurred when an employee downloaded a contaminated file from a porn site." Websense, 8e6, Surf Control, BlueCoat, or any other decent content filter, could have prevented this from happening. ]
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/