SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #77
September 29, 2006
TOP OF THE NEWS
House Passes Veterans Identity and Credit Security Act
New York Gets Tougher on Identity Theft
Microsoft Releases out-of-Cycle Patch for VML Flaw
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Woman Sentenced to 13 Years for Data Theft and Abuse
Six Indicted in Phishing Scheme
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Sues Anonymous Author of DRM Breaking Program
Apple Pressuring Podcast Providers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Acknowledges PowerPoint Vulnerability
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computer Holds Info of 16,000 NC Driver's License Holders
Emergency Room Patients' Data Stolen
Stolen Laptop Holds Data of 8,000 Alberta-Area Physicians
Lawsuit Against AOL for Data Exposure Seeks Class Action Status
FBI Investigation of Server Breach at Univ. of Alaska is Ongoing
MISCELLANEOUS
eBay Will Change its Site to Enhance Privacy
************************* Sponsored By BigFix, Inc. *********************
Interested in learning more about a cost-effective multi-functional security configuration management solution? Join us for a BigFix, Inc. sponsored webcast on October 5, 1pm EST "WhatWorks in Patch and Configuration Management: Securing Systems and Saving Money with Multifunction Management Tools" Learn how a publicly-traded music company found a solution with added functionality in areas such as SOX compliance and application license tracking to deliver a very high ROI.
http://sans.org/info/1375
*************************************************************************
Three Big SANS Training Conferences Coming Up in the Next Three Months Amsterdam, New Orleans, Washington, DC
See http://www.sans.org/
New Orleans: November 14-26 http://www.sans.org/neworleans06/index.php
Amsterdam: November 6-11 http://www.sans.org/amsterdam06/index.php
Washington DC: December 9-16 http://www.sans.org/cdieast06/index.php
How Good Are SANS Courses?
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense
Programs are scheduled in more than 40 cities in the next few months, or you can attend live classes (or on demand courses) without leaving your home.
Schedule: http://www.sans.org/index.php
***********************************************************************
TOP OF THE NEWS
House Passes Veterans Identity and Credit Security Act (27 September 2006)
The US House has passed the Veterans Identity and Credit Security Act of 2006, which gives federal CIOs enforcement authority over any information technology that holds personally identifiable data. The bill would require agencies to publicly disclose all security breaches involving sensitive data. The bill now goes to the Senate.
-http://www.gcn.com/online/vol1_no1/42132-1.html?topic=security
New York Gets Tougher on Identity Theft (26 September 2006)
New York Governor George E. Pataki has signed a trio of laws aimed at protecting New York residents from identity fraud. The first law establishes the Consumer Communication Records Privacy Act and prohibits the disclosure of consumers' telephone records without their consent. The second law limits the ways in which individuals' Social Security numbers (SSNs) may be used. The third law strengthens existing state laws against computer crimes.
-http://www.state.ny.us/governor/press/06/0926061.html
Microsoft Releases out-of-Cycle Patch for VML Flaw (27, 26 & 25 September 2006)
Microsoft has released an out-of-cycle patch to address a critical security flaw in the Vector Markup Language (VML) component of Internet Explorer (IE). The vulnerability is being actively exploited and users are urged to apply the patch (MS06-055) promptly. Microsoft's fix follows close on the heels of a third-party patch for the flaw released by an independent group. It is estimated that several thousand web sites are now exploiting the flaw on visitors' machines. The attack also spreads through email. The number of exploits circulating for this flaw appears to be rising quickly.
-http://www.theregister.co.uk/2006/09/27/ms_emergency_patch/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61955442-39000005c
-http://www.usatoday.com/tech/news/computersecurity/2006-09-27-ie-flaw_x.htm
-http://www.vnunet.com/vnunet/news/2164975/internet-explorer-vml-exploit
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003618&source=NLT_PM&nlid=8
-http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
[Editor's Note (Honan) - If this vulnerability is critical enough for Microsoft to release it outside of their patch cycle, then it is critical enough for you to deploy in your environment. All effective patch management processes should cater for emergency patch deployment, but remember to ensure the patch is tested adequately before deploying it. ]
************************* Sponsored Link: ******************************
1) Register now for any OnDemand Course and get a FREE set of course books. Offer Ends 10/15/06
http://www.sans.org/info/1376
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS & SENTENCES
Woman Sentenced to 13 Years for Data Theft and Abuse (28 September 2006)
Traci Southerland has been sentenced to 13 years in prison for stealing personal information from the Hamilton County (OH) Clerk of Courts' website and using it to commit identity fraud. Southerland and seven others used the stolen information to commit credit card and check fraud, netting them US$500,000. The county clerk's website now blocks access to documents that hold personally identifiable information.
-http://www.wcpo.com/news/2006/local/09/28/id_theft.html
Six Indicted in Phishing Scheme (27 September 2006)
Six people have been indicted on fraud charges for their involvement in a phishing scam that tried to gather credit card and bank account numbers from AOL users. The individuals allegedly gathered thousands of AOL email addresses and sent maliciously crafted ecards that downloaded software that prevented the users from logging on to AOL without providing credit card or bank account information. The scam's victims may also include non-AOL users; Internet service provider EarthLink provided evidence that helped track down the fraudsters. The cyber thieves allegedly used the stolen financial account information to buy computers, gift cards and gaming consoles. Three of the men have already pleaded guilty and face between two and nine-and-a-half years in prison when they are sentenced in December. The other three people have not yet been arraigned.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003691&source=rss_news50
-http://www.theregister.com/2006/09/27/us-phishing_ring_court_case/print.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Sues Anonymous Author of DRM Breaking Program (27 September 2006)
Microsoft has filed a lawsuit against an anonymous individual who released a program that strips digital rights management (DRM) copy protection from Windows media files, allowing digital movies and music to be copied. Microsoft issued patches to thwart the program but each time, the programmer has released an updated version of the program. The lawsuit is seeking unspecified damages and a permanent injunction. The suit alleges the unknown coder obtained proprietary source code without authorization. The individual believed to be responsible for the code in question, who is known only by a screen name, maintains no Microsoft source code was involved in his program.
-http://www.eweek.com/print_article2/0,1217,a=189794,00.asp
-http://news.com.com/2102-1025_3-6119892.html?tag=st.util.print
Apple Pressuring Podcast Providers (25 September 2006)
Internet bloggers are reporting that Apple's legal teams are cracking down on the use of the term "podcast".
-http://blogs.zdnet.com/hardware/?p=103
-http://news.com.com/2061-11199_3-6118966.html
[Editor Note (Grefer): Here is a brief flashback to the early days of podcasting:
-http://www.scripting.com/2006/09/23.html
Given that the term "pod" has been used for a long time and is in no way patentable, it boils down to who may have the deeper pockets to spend on legal counsel and defense. As such, one has to wonder about whether or not such a beast as a class action defense is around.
(Guest Editor Assadorian): Others have related it to Apple suing people over the use of the word "Mac" or "Newton". CBS has caught on and is using the word "netcast" as well:
-http://cbs.com/netcast
Leo Laporte has an interesting article on the topic:
-http://www.twit.tv/2006/09/22/a_cast_by_any_other_name
(Northcutt): The focus seems to be a company called Podcast Ready; here is their statement:
-http://www.podcastready.com/info.php?section=8&page=41
However, there is some evidence they are actually trying to gain control of the word "pod":
-http://www.macworld.co.uk/news/index.cfm?NewsID=15957]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Acknowledges PowerPoint Vulnerability (28 & 27 September 2006)
Microsoft is warning of "limited 'zero-day' attacks" exploiting an unpatched security flaw in PowerPoint. The remote code execution vulnerability affects PowerPoint in Office 2000, Office XP and Office 2003 on Windows and Mac OS X. The attacks appear to be targeted; users must be tricked into opening a maliciously crafted PowerPoint file for the exploit to work. As always, users should not open files from untrusted sources.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61955699-39000005c
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/09/27/HNpowerpointbugattack_1.html
-http://www.microsoft.com/technet/security/advisory/925984.mspx
[Editor's Note (Boeckman): Most business environments would come to a grinding halt if they could not pass PowerPoint slides around using email. Since email is trivial to spoof so that it appears to be from a trusted source, Microsoft's advice is not very useful. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Computer Holds Information of 16,000 NC Driver's License Holders (28 September 2006)
A computer stolen from a North Carolina Department of Motor Vehicles (DMV) office in Louisburg contains personally identifiable information belonging to approximately 16,000 North Carolina driver's license holders. The data include the names, addresses and Social Security numbers (SSNs) of people who were issued licenses between March 2005 and September 10, 2006. There is no evidence the data have been misused; the DMV is notifying all affected license holders of the incident by mail.
-http://www.newsobserver.com/102/story/491642.html
[Editor's Note (Grefer): This incident may serve as yet another reminder of the benefits of cable locks (yes, they are also available for desktops) and encryption. ]
Emergency Room Patients' Data Stolen (28 September 2006)
A contract worker at the Stevens Hospital emergency room in Edmonds, Washington stole patients' credit card numbers and gave the information to her brother, who used it to buy thousands of dollars worth of goods over the Internet. Yvon Hennings pleaded guilty to conspiracy to commit access device fraud and wire fraud. She will be sentenced in November and her brother's trial is slated to begin in January 2007. The data breach affected patients who visited the emergency room between December 2003 and January 2005. Washington state Attorney General Rob McKenna and US attorney John McKay say government agencies, financial institutions, health care providers and other businesses need to implement stronger safeguards to protect customer data.
-http://www.heraldnet.com/stories/06/09/28/100loc_a1files001.cfm
[Editor's Note (Schultz): Unfortunately, Mr. McKenna's saying the businesses need to implement stronger safeguards to protect customer data does little if any good. Businesses are unlikely to strengthen controls against data security theft on their own volition. Legislation that mandates better controls and that prescribes significant punishment for individuals who do not adequately protect personal and financial data is the only solution that is likely to work. ]
Stolen Laptop Holds Data of 8,000 Alberta-Area Physicians (27 September 2006)
A laptop computer stolen from the car of a financial services company employee in Edmonton, Alberta holds personally identifiable information of 8,000 area physicians. The company, MD Management Ltd., has notified the doctors of the incident, which took place on June 19. Alberta's Office of the Information and Privacy Commissioner said the company did not take adequate measures to safeguard the data from theft.
-http://www.edmontonsun.com/News/Alberta/2006/09/27/1905123-sun.html
Lawsuit Against AOL for Data Exposure Seeks Class Action Status (27 & 25 September 2006)
Three individuals whose search records were exposed by AOL earlier this year have filed a lawsuit against the company. The suit was filed in US District Court in Oakland, California and seeks class-action status. AOL had released search queries of more than 650,000 subscribers. While user names were replaced with numeric identifiers, information included in the searches themselves could be linked to specific individuals. The information was taken down from AOL's web site after company executives were alerted to the situation. Three people lost their jobs at AOL as a result of the incident. The lawsuit alleges AOL's actions violated the federal Electronic Communications Privacy Act and consumer protection laws in California. The suit asks AOL to stop collecting customer search data and to destroy the data it already holds.
-http://www.usatoday.com/tech/news/2006-09-26-aol-lawsuit_x.htm
-http://www.infoworld.com/article/06/09/25/HNaolmemberssue_1.html
FBI Investigation of Server Breach at Univ. of Alaska is Ongoing (26 September 2006)
The FBI is still investigating a server intrusion at the University of Alaska, Fairbanks (UAF) Bethel campus that took place in April 2006. Authorities are still unable to say who accessed the server that holds personally identifiable information of 38,941 current and former students. On April 20, UAF publicly disclosed the incident and noted that the server was accessed several times between February 2005 and January 2006. Records also indicate that school officials knew of the intrusions as early as October 2005. The intruder or intruders installed FTP servers on the Windows 2003 server. The FBI was brought in on April 24.
-http://www.uaf.edu/sunstar/archives/20060926/hacking.html
[Editor's Note (Schultz): The time between the discovery of this incident and the time this university announced it was excessive. Once again it seems as if there is little concern for the potential victims in yet another personal data security breach. ]
MISCELLANEOUS
eBay Will Change its Site to Enhance Privacy (27 September 2006)
In response to complaints from a privacy advocacy group, eBay says it will make changes to its site that will make it easier for users to close accounts. The Internet auction site will also make it easier for its customers to track ecommerce transactions. Privacy International had said that eBay was violating the Data Protection Act because it was so difficult for users to close their accounts. The UK Information Commissioner's office ruled that eBay did not violate the DPA, but eBay has agreed to make changes nonetheless. eBay conferred with Privacy International before agreeing to make the changes.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39283670-39020372t-10000024c
[Editor's Note (Honan): It is refreshing to see a company taking a progressive approach to dealing with the privacy/security concerns of its customers. ]
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and a member of the Editorial Board.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit
http://portal.sans.org/