SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #19
March 07, 2006
TOP OF THE NEWS
OMB FISMA Report for FY2005 Notes Improvements
FCC Investigating Caller-ID Spoofing Services
Ohio Secretary of State Sued Over SSNs on Web Site
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Israeli Spyware Purveyors Indicted, Reportedly Reach Plea Agreement
Man Indicted on Charges of Releasing Trojan Horse Program
SPYWARE, SPAM & PHISHING
AOL Will Not Charge Non-Profits to Send Bulk eMail
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Google Repairs Gmail Flaw
Glitch in Some Norton Products Exploited to Knock Users Off IRC Channels
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Georgetown University Acknowledges Server Breach
Stolen Laptop Contained Data on 93,000 Denver Students
Group Takes Aim at Botnet Command and Control Servers
************************* Sponsored by Symantec *************************
2006 Security Compliance Research Report: The Struggle to Manage Security Compliance for Multiple Regulations Sponsored by the Institute of Internal Auditors (IIA), the Computer Security Institute (CSI) and Symantec, this report provides survey results that describe how companies are managing requirements for multiple regulations, the proportion of their IT budgets being devoted to compliance, and how organizations are responding to improve security, demonstrate compliance and reduce costs.
Upcoming Security Training in Monterey, San Diego and Washington DC
As you can see at www.sans.org, more and more SANS classes are sold out (the red triangles) so we have begun a policy of earlier posting of new conferences. If you are thinking about turbo charging your security career or the careers of any of your coworkers this spring, start planning now to go to San Diego in early May. You'll find more than a dozen of SANS most popular courses and a vendor exposition, right on the harbor in San Diego. http://www.sans.org/security06/
Or plan to come to Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works Bring your family for the national fireworks show. http://www.sans.org/sansfire06
TOP OF THE NEWS
OMB FISMA Report for FY2005 Notes Improvements (2/1 March 2006)
The Office of Management and Budget's (OMB) "FY2005 Report to Congress on Implementation of the Federal Information Security Management Act of 2002" found that 85 percent of IT systems at federal agencies are certified and accredited (C&A), a 19 percent increase over last year's figure of 77 percent. The number of systems with tested contingency plans increased from 57 percent to 61 percent. Seventeen of 25 agencies received ratings of satisfactory or better. The Veterans Affairs Department reported just 14 percent of its systems were certified and accredited in FY2004, but all 585 of its systems were accredited and certified in FY2005. The Social Security Administration was the only agency to receive a rating of "Excellent."
[Editor's Note (Paller): Hold on. There is a problem with the self-congratulations here: the number of C&A reports is not a viable indicator of security if the reports are not accurate and/or they don't lead to significant security improvements. Otherwise they are just a futile exercise - a billion dollar joke on the American people. The one agency that checked their C&A reports found that many (a large number) had been done by contractors who failed to do the job effectively. The reports had to be done over; but the original contractors didn't face any penalties. Worse, at a meeting last month of companies that do C&A studies, more than half said that they wrote C&A reports that are never read by agency officials. If reports were never read, it is unlikely they led to significant improvements in security. The "emperor" here is not wearing many clothes. Titan Rain proved the nation is at risk; it is time for OMB to stop counting C&A reports, admit the security problems with federal systems, and move aggressively to correct them.
(Boeckman): This report is somewhat misleading. While the number of certifications has increased, it does not mean IT systems are more secure, since it is largely an exercise in paperwork. The best indicator is testing the security controls, and this actually decreased since 2004. ]
FCC Investigating Caller-ID Spoofing Services (2 March 2006)
The US Federal Communications Commission (FCC) has launched an investigation into companies offering Caller-ID spoofing services. Paying customers provide the companies with the number they wish to call, their real phone number and the number they wish to have appear on the Caller-ID screen. The FCC's investigation is focused on whether or not the services are violating the federal Communications Act, which requires that interstate calls send accurate "originating calling party telephone number information." The FCC has demanded business records as well as the names of all customers and data regarding the calls they have made. Recent Congressional testimony indicates that people have been using the services to social engineer private customer information from other companies and the services have hurt companies that rely on Caller-ID as a form of authentication, such as Western Union wire transfers.
Ohio Secretary of State Sued Over SSNs on Web Site (3/2 March 2006)
An Ohio resident is suing the Ohio secretary of state J. Kenneth Blackwell after discovering that his and other residents' SSNs have been publicly available for years on state web sites. The numbers are included in records of purchases of expensive items such as boats and furniture; these are often registered with the secretary of state. The plaintiff's attorney says the secretary of state has refused to remove the numbers or block them from view. Ohio Attorney General Jim Petro made a statement that Blackwell should remove the numbers by law, and that every person whose number is on the site should be notified. Apparently it is not uncommon for the web sites run by secretaries of states to contain personal information.
[Editor's Note (Schultz): This will not be the last lawsuit of this nature. State, provincial and federal governments have been remarkably naive when it comes to dealing with personal and financial information of individuals whom they at least in theory serve. ]
*************************** Sponsored Links: ****************************
1) Free WhatWorks Webcast next week - "Securing Electronic Payments with NYCE" Tuesday, March 14 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1053
2) Free Internet Storm Center webcast next week "Threat Update" Wednesday, March 15 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1054
3) SANS@Home delivers the same first-class training presented at live SANS events with the added bonus of meeting your needs for flexibility, affordability and up-to-date education in a setting convenient for you! http://www.sans.org/athome
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Israeli Spyware Purveyors Indicted, Reportedly Reach Plea Agreement (6/5 March 2006)
Ruth and Michael Haephrati have been indicted in the Tel Aviv District Court on charges of creating and distributing spyware that was used by private investigators to steal information from clients' business competitors. The couple was extradited from Great Britain in January. According to the Tel Aviv district attorney's office, authorities have reached a plea agreement with the Haephratis that will be revealed in court next week.
Man Indicted on Charges of Releasing Trojan Horse Program (6 March/28 February 2006)
A federal grand jury has indicted Richard Honour, who goes by the pseudonym Fyle, Anatoly, on charges of releasing a Trojan horse program in an IRC chat room. Honour allegedly used the malware to harvest confidential banking and identity information. If convicted, Honour could face ten years in prison and a fine of US$250,000.
SPYWARE, SPAM & PHISHING
AOL Will Not Charge Non-Profits to Send Bulk eMail (6/3 March 2006)
Following protests from activist groups, AOL will not charge legitimate non-profit and advocacy groups a tax on bulk email. AOL's original plan would have charged companies to have their bulk email certified and delivered with images and hyperlinks. Hyperlinks and images would be blocked if they come from organizations that are not part of AOL's Enhanced Whitelist.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Glitch in Some Norton Products Exploited to Knock Users Off IRC Channels (2 March 2006)
Some script kiddies have been exploiting a Norton Internet Security and Norton Personal Firewall feature that involuntarily logs users off IRC channels when anyone on the channel types "startkeylogger" or "stopkeylogger." A family of worms that spread using mIRC and the Kazaa file-sharing network use these phrases, which some IRC channels now filter out. Symantec plans to make adjustments to the affected products so they are no longer vulnerable to the ploy.
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Georgetown University Acknowledges Server Breach (6/5 March 2006)
Georgetown University has acknowledged that a security breach of one of its servers compromised personal data belonging to as many as 41,000 District of Columbia residents. The breach was discovered on February 12 during a routine internal inspection, but was not disclosed until Friday, March 3. The lag time has been attributed to the need for the US Secret Service to examine the server and establish a web site and hotline to help those affected by the attack.
Stolen Laptop Contained Data on 93,000 Denver Students (3/2 March 2006)
A laptop stolen from the home of a Metropolitan State College employee in Denver held sensitive personal information belonging to more than 93,000 students. The employee was using the data, which include names and Social Security numbers (SSNs), to write a grant proposal and to write his master's thesis. The theft occurred on February 25, but was not made public until March 1 at the request of local police. The data belong to people who were registered for classes at the Denver school between fall 1996 and summer 2005; they are being notified by mail. There is no evidence that the information has been used to commit identity fraud; however, the school is looking into whether or not the employee had permission to use the data in his thesis. The employee was authorized to have the data on his workstation at the college and on the laptop.
Group Takes Aim at Botnet Command and Control Servers (2 March 2006)
A group of representatives from various security concerns has come together to try to find and disable the command-and-control (C&C) servers used by botmasters to control their botnets, which they use to launch distributed denial-of-service (DDoS) attacks, install malware and send spam. The group hopes to establish a way for Internet service providers (ISPs) and IT administrators to report botnet activity. The group has worked for the past year through invitation-only mailing lists, but now is opening up their efforts with a public mailing list that will serve as a forum to discuss techniques for detecting C&C servers, report botnets and inform ISPs of C&C detections.
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit