Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #52

June 30, 2006

TOP OF THE NEWS

Stolen VA Laptop, External Drive Recovered
Data Privacy Bill Introduced in Senate
US Is Unprepared for Large Cyber Attack, Study Says

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Police Arrest One in Connection with HSBC Call Center Scam
Three Arrested for Malware Infestation
Man Charged with Navy Computer System Sabotage
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Removes Government Employee Personal Data From Web Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Offers Revamped Patch
Proof-of-Concept Code Out for Two Unpatched IE Holes
Apple Releases Mac OS X Update
MISCELLANEOUS
Microsoft Updates WGA Notifications
Alumni File Lawsuit Against Ohio University Following Data Security Breaches



TOP OF THE NEWS

Stolen VA Laptop, External Drive Recovered (29 June 2006)

The laptop computer stolen from the home of a Veterans Affairs Department (VA) employee has been recovered; the FBI and the VA say that, from a preliminary forensics analysis, it appears the data on the computer were not accessed. The external hard drive that was stolen in the May robbery was recovered as well.
-http://isc.sans.org/diary.php?storyid=1450
-http://news.com.com/2102-1029_3-6089648.html?tag=st.util.print
-http://www.clickondetroit.com/money/9446101/detail.html?taf=det
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=hardware&articleId=9001518&taxonomyId=12

(please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352_pf.html

[Editor's Note (Pescatore): This incident has led to OMB guidance to government agencies to deploy encryption to laptops and require strong authentication for all remote access within 45 days. These are both good things but I'm sure we will see an initial rash of waivers because the government procurement gestation period is more elephant-like than ostrich-like. But even if it does take 22 months instead of 45 days, government (and private industry) security managers should prioritize making these two security controls part of standard practice. ]

Data Privacy Bill Introduced in Senate (27 & 26 June 2006)

The Data Security Act of 2006 would create a national standard for protecting personal and financial data that could be used to commit identity fraud. The law would apply to financial institutions, retailers and government agencies. Consumers would be notified in the event of a security breach that poses "substantial harm or inconvenience." The legislation was introduced by Senator Bob Bennett (Utah-R) and Senator Tom Carper (Del.-D), both of whom serve on the Senate Banking Committee.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001477&taxonomyId=17

(please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/26/AR2006062601251_pf.html

[Editor's Note (Schultz): As I have said before, sooner or later a piece of legislation that requires better data protection and notification of those affected by data security breaches will pass in the US. The real question is thus whether this legislation will have any teeth, so to speak. ]

US Is Unprepared for Large Cyber Attack, Study Says (27 June 2006)

In a report titled "Essential Steps to Strengthen America's Cyber Terrorism Preparedness," the Business Roundtable says "the United States is not sufficiently prepared for a major attack ... that would lead to disruption of large parts of the Internet." The report identifies three "cyber gaps": the lack of "trip wires" to indicate an attack is underway, the lack of accountability and clarity for responsibilities involved in restoring the infrastructure and the lack of resources for doing the same. The report makes several recommendations, dividing the responsibilities between the government and the private sector.
-http://www.gcn.com/online/vol1_no1/41172-1.html
-http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf



THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Police Arrest One in Connection with HSBC Call Center Scam (28 & 27 June 2006)

Police in Bangalore have reportedly arrested a man on charges stemming from his alleged role in a scam in which GBP233,000 (US$426,000) was stolen from the banking accounts of HSBC customers. Nadeem Kashmiri worked at an HSBC data processing center and allegedly supplied others with information that allowed them to steal money from the accounts.
-http://www.theregister.co.uk/2006/06/28/call_centre_fraud/print.html
-http://www.smh.com.au/news/Technology/Indian-police-arrest-employee-at-HSBC-outsourcing-center-forcheating-UK-customers/2006/06/28/1151174269365.html
-http://software.silicon.com/security/0,39024888,39159940,00.htm
[Editor's Note (Honan): This story demonstrates that outsourcing a function does not mean abdicating responsibility for that function. Also it was interesting to see that the bank's own internal security systems, not those of the outsourcing company, detected the breach. ]

Three Arrested for Malware Infestation (27 June 2006)

Three men have been arrested for their roles in spreading malware that installs backdoors on computers. The attack targeted a number of unnamed businesses, most of which are in the UK, providing the attackers with access to data on infected machines. Two of the men were arrested in the UK; the other was arrested in Finland.
-http://news.bbc.co.uk/2/hi/technology/5121082.stm
-http://technology.timesonline.co.uk/article/0,,19509-2245043,00.html

Man Charged with Navy Computer System Sabotage (27 June 2006)

Richard F. Sylvestre has been charged with unauthorized access to a government national defense computer for allegedly putting malicious software on computers at the US Navy's European Planning and Operations Command Center in Naples, Italy. Sylvestre owns Ares Systems International, which has done contract work for the Navy. Sylvestre was allegedly angry that his company's bid for another project was not accepted. The infected computers could have brought down the network used to track submarine and ship locations.
-http://home.hamptonroads.com/stories/story.cfm?story=106658&ran=64860

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

GAO Removes Government Employee Personal Data From Web Site (27 June 2006)

The Government Accountability Office (GAO) has removed archived records from its website after they were found to contain names, Social Security numbers (SSNs) and addresses of some government employees.
-http://www.gcn.com/online/vol1_no1/41171-1.html
[Editor's Note (Pescatore): This is not just a government problem. A few minutes of "Google hacking" will often find some amazing stuff exposed on corporate web servers. There is even a Google Hack Honeypot project to detect this type of thing - see
-http://ghh.sourceforge.net/]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Offers Revamped Patch (29 June 2006)

Microsoft has issued an updated version of a patch that had been giving some dial-up users trouble. The patch in question accompanied Microsoft's security Bulletin MS06-025 and addresses a flaw in Microsoft's routing and remote access component that could be exploited to take control of vulnerable PCs. While proof-of-concept code for the flaw has been published, Microsoft said it is not aware of any attacks that use the exploit.
-http://software.silicon.com/security/0,39024888,39159984,00.htm
-http://isc.sans.org/diary.php?storyid=1445

Proof-of-Concept Code Out for Two Unpatched IE Holes (29/28 June 2006)

Proof-of-concept code has already been published for two unpatched Internet Explorer (IE) vulnerabilities. One of the flaws could allow remote code execution and requires user interaction; people may be able to protect their computers from exploits of this flaw by disabling active scripting in IE. The second flaw involves "a failure of IE to enforce cross-domain policies" and "could be exploited to hijack usernames and passwords."
-http://isc.sans.org/diary.php?storyid=1448
-http://www.techweb.com/wire/189602387
-http://www.theregister.co.uk/2006/06/29/ie_flaws/print.html
[Editor's Note (Boeckman): I suppose at some point people become numb to revelations that there is a new zero day in IE, since it seems to happen every week or two. You would think someone would recognize that there may be a market for a browser that is more secure. ]

Apple Releases Mac OS X Update (28 June 2006)

Apple has released Mac OS X 10.4.7, an update that addresses four flaws that could be exploited to execute code, access data and cause denial-of-service conditions. No exploit code for the flaws is known to exist.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39261486-2000061744t-10000005c
-http://isc.sans.org/diary.php?storyid=1449
-http://www.itnews.com.au/newsstory.aspx?CIaNID=34183

MISCELLANEOUS

Microsoft Updates WGA Notifications (28 June 2006)

Microsoft has updated its Windows Genuine Advantage (WGA) Notifications program so that it no longer checks in with company servers every time users boot up their systems. Microsoft has also published instructions for removing the software.
-http://www.vnunet.com/vnunet/news/2159241/microsoft-revisits-wga-piracy
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39371036-39000005c

Alumni File Lawsuit Against Ohio University Following Data Security Breaches (27 & 22 June 2006)

Ohio University acknowledged that two alumni filed a lawsuit against the school alleging privacy violations and asking for compensation for any financial losses incurred through identity fraud together with credit monitoring services for all those affected by security breaches. The lawsuit is seeking class action status. The university suspended the director of Computer and Network Services and the Internet and systems manager pending the outcome of a disciplinary investigation. OU has also created a new position, Chief of Staff to the Chief Information Officer, and has launched a national search to fill that position.
-http://www.channelcincinnati.com/news/9431401/detail.html
-http://thepost.baker.ohiou.edu/articles/2006/06/22/news/14120.html
[Editor's Note (Schultz): Accounts of the aftermath of data security breaches such as the one in this news item will go far in helping motivate those who are negligent in protecting personal and financial data to improve their data security practices.
(Ranum): Now THAT is interesting. When word starts getting around that senior managers are in the firing line for accountability, we'll see some action. ]


==end==

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/