SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #82
October 17, 2006
A surprise decision by a US Appeals Court (that employees have an expectation of privacy in emails, under certain circumstances) should persuade you to review your log-on banners, maybe even today. It's the second story below.
The Secure Storage and Encryption Summit (Washington DC December 6-7) has filled so quickly that we expect to have to limit registrations to only SANS alumni and their co-workers within a week or so. If you were thinking about attending, register right away. The talks are fascinating: users telling about the mistakes they made when they implemented encryption on laptops, how they justified desktop encryption, how they integrated encryption with AD and LDAP, the two keys that made ALL the difference in effective implementation, securing backups, and more. Great sessions on how to bring down the costs. Plus DoD will announce its new policy for protecting data at rest.
Register at http://www.sans.org/mclean06/
Alan
TOP OF THE NEWS
House Committee Report Finds All Gov. Agencies Report Data Loss
Marine had Reasonable "Subjective Expectation of Privacy" Regarding eMails Offered as Evidence, Says USCAAF
Princeton Researchers Develop Method for Encrypting Data in Fiber Optic Cable "Noise"
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Phishers Steal Congressional Budget Office Mailing List
SPYWARE, SPAM & PHISHING
UK ISP to Identify Spammers and Bot-Infected Computers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flash MP3 Players Given as Prizes in Japan Infected with Trojan
Cache Servers Can Retain Malware
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Steal Money from VI Gov't Bank Accounts
MISCELLANEOUS
DOD Voting Site Poses Security Concerns
Microsoft Will Provide Security Vendors with APIs for Vista
Civil Grand Jury Recommends School Districts Implement Security and Privacy Measures
******************** Sponsored By Symark Software ***********************
Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper " PowerBroker vs. sudo."
http://www.sans.org/info/1454
*************************************************************************
Where To Get the Technical Skills You Need To Lead Security Programs? Major US SANS Training Events in the Next 60 Days
New Orleans ( http://www.sans.org/neworleans06/index.php ) and
Washington, DC ( http://www.sans.org/cdieast06/index.php ), plus Amsterdam, where we added an extra class because of the sell-out.
How Good Are SANS Courses?
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense
Programs are scheduled in more than 40 cities in the next few months, or you can attend live classes (or on-demand courses) without leaving your home, or you may even study online.
Schedule: http://sans.org
*************************************************************************
TOP OF THE NEWS
House Committee Report Finds All Gov. Agencies Report Data Loss (16 & 13 October 2006)
According to a report from the House Government Reform Committee, all government agencies have experienced data loss. However, many agencies could not say what data were lost and many attributed the losses to government contractors. The number of data losses attributed to online attacks is quite low; most losses were due to lax physical security and lost or stolen computers and data storage devices. The report was prompted by last spring's data security breach at the Veterans Affairs Department in which a laptop computer and storage devices holding personally identifiable data of more than 26.5 million veterans and current military were stolen from the home of a VA employee. "The Government Reform Committee asked agencies to provide details about each incident since January 1, 2003 involving the loss or compromise of any sensitive personal information they or their contractors held." More than 700 incidents were reported. In some cases, all affected individuals were notified; in others, no one was notified.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004168&intsrc=news_ts_head
-http://www.gcn.com/online/vol1_no1/42299-1.html?topic=security
-http://www.govexec.com/story_page.cfm?articleid=35270&sid=1
-http://www.govexec.com/pdfs/AgencyBreachSummaryFinal.doc
Marine had Reasonable "Subjective Expectation of Privacy" Regarding eMails Offered as Evidence, Says USCAAF (27 September 2006)
The United States Court of Appeals for the Armed Forces has ruled that Lance Corporal Jennifer Long of the US Marine Corps had a reasonable subjective expectation of privacy regarding email stored on her government computer and that the lower court should not have admitted Corporal Long's emails as evidence. The court said the deciding factors in determining reasonable subjective expectation of privacy were the existence of a password known only to Long and a banner that "described access to monitor the computer system, not to engage in law enforcement intrusions by examining the contents of particular emails in a manner unrelated to maintenance of the email system."
-http://www.armfor.uscourts.gov/opinions/2006Term/05-5002.pdf
[Editor's Note (Schultz): This ruling could be precedent setting. In previous court cases the concept of "expectation of privacy" seemed to be well-established, but now it is once again up in the air, at least in military cases such as this one.]
Princeton Researchers Develop Method for Encrypting Data in Fiber Optic Cable "Noise" (16 & 10 October 2006)
Researchers at Princeton University say they have found a way to send encrypted data over fiber-optic networks in the noise that accompanies fiber-optic cable signals. The sender converts the message to be sent into a short light pulse. It is then spread into a stream of optical data. The recipient uses knowledge of how the message was spread to pick it out from the rest of the noise and decrypt it. "The breakthrough comes from the ability to make the signal faster than the noise jitters in the fiber-optic cable."
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61960016-39000005c
-http://www.ccnmag.com/news.php?id=4521
************************ Sponsored Links: *****************************
1) Use NetFlow to gain valuable network visibility to protect and optimize your network security. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info/1455
2) ALERT: Learn How Hackers Launch Web Application Attacks- SPI Dynamics White Paper
http://www.sans.org/info/1456
3) "Utilizing IPv6 Addresses to Invalidate Lost or Stolen Smart Cards" - - FREE White Paper Link to document "IPv6 as a Personal
http://www.sans.org/info/1457
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Phishers Steal Congressional Budget Office Mailing List (12 October 2006)
The Congressional Budget Office (CBO) says that someone breached one of its servers and obtained the email addresses of its mailing list subscribers. The hole that allowed the breach has been closed, but the thieves have already sent phishing email purporting to come from CBO to the purloined addresses. Law enforcement officials have been notified of the incident and have begun an investigation.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004108&source=NLT_AM&nlid=1
SPYWARE, SPAM & PHISHING
UK ISP to Identify Spammers and Bot-Infected Computers (13 October 2006)
British ISP BT has deployed technology to detect customers who are spammers and customers whose computers have been compromised and unwittingly recruited into a botnet. Identified spammers will face account termination; bot-infected customers will be quarantined and will receive assistance in cleansing their computers for a fee. BT estimates that approximately 80 percent of email is spam; that translates to 6.5 billion messages daily.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=infrastructure&articleId=9004134&taxonomyId=145
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flash MP3 Players Given as Prizes in Japan Infected with Trojan (16 October 2006)
As many as 10,000 people in Japan received Flash MP3 players as prizes from McDonalds, but they came with an unexpected extra bit of software: a variant of the QQpass spyware Trojan horse program. The players were preloaded with ten songs and the malware. If the devices were connected to Windows PCs, passwords and other sensitive data could potentially be exposed to attackers. It is likely that a machine used to load the content was infected with the malware. McDonalds Japan has apologized, established a helpline to facilitate the recall of the infected MP3 players and posted directions for cleansing infected PCs.
-http://www.theregister.co.uk/2006/10/16/mcd_spyware_mp3_recall/print.html
Cache Servers Can Retain Malware (12 October 2006)
Cache servers can hold onto malicious code even after a web site has been taken down. Caching can "store code embedded in html, including programming formats such as Javascript." Search engines and service providers have been notified of the potential problem.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9004107&taxonomyId=82
-http://www.theregister.co.uk/2006/10/12/proxy_malware_risk/print.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Steal Money from VI Gov't Bank Accounts (13 October 2006)
Cyber thieves managed to access two US Virgin Islands government accounts at Banco Popular and steal US$500,000. The thefts were discovered in August. The bank has credited the accounts with US$300,000; the rest of the money is expected to be credited back to the accounts soon. The thieves stole the money in increments over a two-month period.
-http://www.theage.com.au/news/Technology/Hackers-steal-US500000-euro399010-out-of-US-Virgin-Islandsgovernment-bank-accounts/2006/10/13/1160246291912.html
MISCELLANEOUS
DOD Voting Site Poses Security Concerns (16 October 2006)
The US Department of Defense's Federal Voting Assistance Program's (FVAP) Integrated Voting Alternative Site (IVAS) presents several security concerns for Americans affiliated with DOD who vote while away from home. Military personnel and civilian employees are offered the opportunity to vote by sending their ballots through fax machines or email. Emailed ballots are not encrypted, but the site provides SSL encryption, according to IVAS deputy director J. Scott Wiedmann. People may also download a form from the site that allows them to request absentee ballots for local elections by postcard. The form requires SSNs and dates of birth, posing the possibility that the information could be stolen and used to commit identity fraud.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=268797&intsrc=news_ts_head
Microsoft Will Provide Security Vendors with APIs for Vista (16, 14 & 13 October 2006)
Microsoft now says it will provide outside security vendors with Application Program Interfaces (APIs) to allow their products to be used with the company's forthcoming Vista operating system. Initially, Microsoft had appeared determined to prevent outside vendors from accessing the kernel of Vista, which would have limited users to security products available from Microsoft. Microsoft has allowed the companies to have access to the kernel in previous versions of its operating systems. Microsoft also said it would provide the capability to disable Microsoft Security Center for users of other products and that it will provide links to other vendors in the Vista Welcome screen. Security companies have met Microsoft's announcement with skepticism, saying they will believe it when they see it.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/13/AR2006101301280_pf.html
-http://www.msnbc.msn.com/id/15287410/
-http://news.com.com/2102-7355_3-6125866.html?tag=st.util.print
-http://www.techweb.com/wire/software/193302999;jsessionid=B2DLDOYN04J2MQSNDLOSKHSCJUNN2JVN
Civil Grand Jury Recommends School Districts Implement Security and Privacy Measures (13 & 12 October 2006)
A civil grand jury in San Mateo County (CA) has recommended that the seven school districts within the county with high schools create data security and privacy guidelines to protect students' personal information when it is used and stored off-site. The grand jury recommended the districts develop the guidelines by February 1, 2007. The San Mateo County Office of Education already has guidelines in place; all laptops are inspected annually and are prohibited from use by unauthorized individuals. In addition, off-site printing of student and family information is not allowed. Finally, all student information used off-site must be encrypted and password-protected.
-http://cbs5.com/local/local_story_285185112.html
-http://www.examiner.com/a-340963~Report_finds_schools_need_better_safeguards_for_records.html
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT security college, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/