SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #51

June 27, 2006

TOP OF THE NEWS

OMB Sets Guidelines for Protecting Federal Laptop Security
Audit Finds Security Problems in Florida's Voter Registration Database
Audit Indicates Security Didn't Top List of Concerns at Ohio University

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Man Sentenced to 21 Months for Running Phishing Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Code for Critical Windows RRAS Flaw
Buffer Overflow Flaw in Opera Browser
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Memory Stick Holds Phishing Investigation Dossier
NC County Students' SSNs Exposed
FTC Says Laptops Stolen from Car
Attackers Use SMS Messages to Lure People to Malicious Site
Data Breach Affects 28,000 US Sailors
Stolen Laptop Holds Student Data
MISCELLANEOUS
Workers Sanctioned, Fired for Sending Offensive eMail

---

********************* Sponsored By Imperva Inc. *************************

Top 10 Database Attacks and How to Stop Them - Free White Paper Insider abuse and on-line attacks on sensitive data can be costly in fines, lawsuits, and customer attrition. There are 10 commonly used database attacks. Defend against these, and you will have a highly secure database. Download now. http://www.sans.org/info.php?id=1209

*************************************************************************

Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat. http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

OMB Sets Guidelines for Protecting Federal Laptop Security (27 June 2006)

Clay Johnson, Deputy Director of OMB, issued a memorandum to federal officials giving them four specific steps to protect sensitive information on laptops and on systems accessible by remote users. He also set a 45 day goal for implementation.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.
html

Audit Finds Security Problems in Florida's Voter Registration Database (26 June 2006)

A report from Florida's auditor general describes a number of privacy and security concerns regarding the state's voter registration database. According to the report, the data are "vulnerable to theft, corruption, unauthorized access and alteration." Problems included a worker who was given access to the database in error and a former contract worker who still had access to the database. The database was created to comply with the federal Help America Vote Act (HAVA). Among the report's recommendations: the Secretary of State's office should develop procedures to protect the data from unauthorized access and develop policies for "antivirus protection, patch management maintenance and system recovery."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=112204

Audit Indicates Security Didn't Top List of Concerns at Ohio University (24 June 2006)

An independent audit has turned up evidence that Ohio University's Computer Services department failed to take appropriate security precautions to protect the data on its systems despite a generous budget and average annual surpluses in excess of US$1 million. Ohio University has been in the news lately because of no fewer than five security breaches of its systems that exposed personal data belonging to thousands of students and alumni. Last week, university trustees voted to spend up to US$4 million to improve the school's computer systems.
-http://www.smh.com.au/news/Technology/Audit-Ohio-U-Cyber-Security-Low-Priority/2
006/06/24/1150845411386.html
[Editor's Note (Schultz): Unfortunately, the conclusions from the audit at Ohio University are by no means unique to this university. Until new statutes that require adequate protection of personal and financial data and that prescribe punishment for failing to do so are signed into law, organizations will continue to be lax in their data security practices. ]

---

**************************** Sponsored Links: ***************************

1) Upcoming ToolTalk Webcast: Auditors Present How to Reach Compliance Nirvana - PCI and Government Regulatory Compliance http://www.sans.org/info.php?id=1206

2) VoIP security webinar discusses how to overcome the challenges of secure VoIP deployment. View Today! http://www.sans.org/info.php?id=1207

3) Protect corporate data on stolen computers and avoid costly litigation. Delete data remotely with Computrace(r) Data Protection. Computrace Data Protection: http://www.sans.org/info.php?id=1208

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Man Sentenced to 21 Months for Running Phishing Site (23 June 2006)

Jayson Harris has been sentenced to 21 months in jail for operating a phishing site that pretended to be an MSN billing web site. Harris, who will also pay about US$57,000 in restitution, pleaded guilty to two counts of wire fraud and fraud. He will also be subject to three years of supervised release following completion of his jail time.
-http://www.vnunet.com/vnunet/news/2158925/phishing-site-operator-gets-21

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Exploit Code for Critical Windows RRAS Flaw (26 June 2006)

Microsoft says that exploit code for a critical flaw in Windows Routing and Remote Access (RRA) service has been released. A patch was issued for the flaw with a security update on June 13 (MS06-025), but unpatched computers are vulnerable to the exploit. Those running Windows 2000 are at the greatest risk from the exploit; Windows XP and Windows Server 2003 require valid logon credentials for the exploit to be effective. The patch accompanying MS06-025 has been reported to cause problems for certain users; Microsoft has suggested several workarounds.
-http://www.techweb.com/wire/189601532

Buffer Overflow Flaw in Opera Browser (23 June 2006)

A buffer overflow flaw that occurs when the Opera web browser processes JPEG mages could allow remote code execution. The problem is known to exist in Opera v.8.54 and possibly in earlier versions as well. Users are urged to upgrade to Opera 9.
-http://www.vnunet.com/vnunet/news/2158971/jpeg-flaw-uncovered-opera

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Lost Memory Stick Holds Phishing Investigation Dossier (26 June 2006)

A police officer with the Australian High Tech Crime Centre (AHTCC) lost a memory stick that contains sensitive financial data belonging to thousands of Australians. The lost memory stick holds a dossier on Russian phishing scams. The data on the stick were being used in an investigation; several arrests were made with the help of the data, but since the loss of the stick, no arrests have been made. While officials searched fruitlessly for the memory stick, the people whose data were compromised were not informed of the loss. The officer who lost the device violated AHTCC rules regarding data transport.
-http://australianit.news.com.au/common/print/0,7208,19588463%5E15306%5E%5Enbv%5E
,00.html
[Editor's Note (Honan): Yet again we have a case of an employee violating policy resulting in the loss of sensitive data. Policies without the technical controls to enforce them will invariably result in security breaches. ]

NC County Students' SSNs Exposed (24 June 2006)

The Social Security numbers (SSNs) of more than 600 Catawba County (NC) high school students were found exposed on the Internet. An individual found the page while conducting a Google search on a separate topic. School officials maintain the web page was password protected and they do not know how it came to be accessible through a Google search. The page, which also lists placement test scores, has been removed from the school system's web site and Google is taking steps to remove the page as well. The data are several years old; Catawba County school system has not used SSNs as personal identifiers since the 2001-02 academic year.
-http://www.bradenton.com/mld/bradenton/news/nation/14891995.htm
[Editor's Note (Grefer): Repeat after me: "Encryption software and cable locks lead a long way." ]

FTC Says Laptops Stolen from Car (23 June 2006)

The US Federal Trade Commission (FTC) has acknowledged that two laptop computers containing names, Social Security numbers (SSNs) and some financial account data belonging to approximately 110 individuals, were stolen from a locked vehicle. The computers are those of staff attorneys and are password protected. The agency "is developing a new information security policy that would require an employee to remove any personal identifying data in the machine before it leaves an agency office. If the personal data were needed for an investigation, an FTC manager would have to approve allowing the laptop to leave the building."
-http://news.com.com/2102-1029_3-6087218.html?tag=st.util.print
[Editor's Note (Honan): Policies by themselves have proven to be ineffective in protecting sensitive data. Organizations need to also implement proper security awareness training and implement appropriate technical controls, such as encryption, to prevent such data losses reoccurring. ]

Attackers Use SMS Messages to Lure People to Malicious Site (23 June 2006)

A recently detected attack sends intended victims SMS text messages thanking them for subscribing to an online dating service and telling them they will be charged US$2 a day until they unsubscribe. When people visit the site where they are purportedly unsubscribing from the fictitious service, "they are prompted to download a Trojan horse program." Infected computers then become part of a bot net.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39277240-39020375t-10000025c

Data Breach Affects 28,000 US Sailors (23 June 2006)

Personal data, including names, birth dates and SSNs, for approximately 28,000 US sailors and family members, was discovered on a civilian website. The information has been removed from the site and the Navy has launched a criminal investigation into how the data came to be posted there. Those affected by the data security breach are being notified.
-http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=2
0060623&ID=5821436

Stolen Laptop Holds Student Data (23 June 2006)

A laptop computer stolen from the car of a San Francisco State University faculty member held data, including some SSNs, belonging to nearly 3,000 current and former students. A university spokesperson declined to elaborate on the disciplinary measures taken, and said it is "very common" for faculty to have student data on their computers. The school stopped using SSNs as personal identifiers one year ago.
-http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/23/BAGQLJJ2LB1.DTL&t
ype=printable

MISCELLANEOUS

Workers Sanctioned, Fired for Sending Offensive eMail (23 & 26 June 2006)

Twenty employees in Merrill Lynch's Dublin, Ireland office have been put on leave for sending pornographic email. An additional 10 employees were given written warnings for sending offensive email. Merrill Lynch issued a statement that reads in part "Our employees are notified of, and advised to carefully follow strict policies on electronic communications." In a separate story, more than 100 employees of the Driver and Vehicle Licensing Agency (DVLA) were disciplined for sending pornographic email; fourteen were fired for "gross misconduct." The sending of such email violates DVLA's code of conduct.
-http://www.siliconrepublic.com/news/news.nv?storyid=single6637
-http://www.theregister.co.uk/2006/06/26/dvla_email_smut_affair/print.html
Merrill Lynch subsequently sacked 13 of the 20 staff asked to stay away from work. See
-http://unison.ie/breakingnews/index.php3?ca=35&si=93877

---

==end==

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/