From: The SANS Institute (NewsBites at sans.org)
Date: Fri Apr 27 2007 - 08:58:28 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A second round of Congressional hearings brought into stark relief the
abject failure of US leadership in cyber security that continues to
allow vast amounts of sensitive information to be stolen from US
government computers and from the computers of military contractors.
See the first story in this issue for more on what the witnesses said.
Alan
P.S. The 40 handlers of the Internet Storm Center (isc.sans.org) are
better informed about how the sophisticated new attacks work than any
group other than the criminals carrying them out. If your job is
protecting systems against the new wave of more sophisticated attacks,
consider coming to SANSFIRE 2007 in Washington in the last week in July.
There the Internet Storm Center handlers will be giving numerous free
evening briefings, exclusively for the SANSFIRE attendees, on what they
have uncovered about how newest hacker techniques work. Course list
for SANSFIRE: http://www.sans.org/sansfire07/
*************************************************************************
SANS NewsBites April 27, 2007 Vol. 9, Num. 34
*************************************************************************
TOP OF THE NEWS
Second Congressional Hearing Highlights Federal Cyber Security Failure
Lawsuit Seeks Identities of eMail Address Harvesters
Report: Fears that a Data Breach Could Ruin Business
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Card Fraudster Faces More Charges
TJX Faces More Lawsuits
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Ohio University Bans P2P From Campus Network
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Purveyors Exploit Sponsored Links on Google
Flaw Exploited to Hack MacBook Affects All Java-Enabled Web Browsers
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UK Junior Doctors' Personal Data Exposed
Former Payroll Co. Employee Accidentally Exposes Old Client Data
Neiman Marcus Employee Data Compromised
Purdue Univ. Notifies Students of Data Breach
************************** Sponsored By SANS ****************************
SAVE BIG! Get 30% off any of the upcoming courses when you sign up for
OnDemand's pre-paid program. Check out our full list of upcoming courses
at http://www.sans.org/info/6316. For more information or to request a
pre-paid form, please contact ondemand at sans.org.
*************************************************************************
TOP OF THE NEWS
--Second Congressional Hearing Highlights Federal Cyber Security Failure
(April 26, 2007)
Several of the nation's most respected cyber security experts on
Wednesday told the Homeland Security Committee's Emerging Threats and
Cyber Security Subcommittee that the US is unprepared to defend its
systems or recover from a broad-based cyber attack. "Foreign
intelligence agencies must weep with joy when they contemplate U.S.
government networks," said James Lewis, director of the technology and
public policy program at the Center for Strategic and International
Studies, who went on to describe "an unparalleled looting of U.S.
government databases."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017860
http://blog.washingtonpost.com/securityfix/2007/04/nations_cyber_plan_outdated_la.html?nav=rss_blog
http://www.darkreading.com/document.asp?doc_id=122732&WT.svl=news2_1
--Lawsuit Seeks Identities of eMail Address Harvesters
(April 25, 2007)
A lawsuit will be filed on behalf of Project Honey Pot, a service of
Unspam Technologies LLC representing 20,000 people around the world in
an attempt to uncover the identities of those responsible for harvesting
email addresses that are then provided to spammers. Unspam's anti-spam
tool has software that generates pages with "spam trap" email addresses.
Each time the page is visited, the visitor's IP address and the time and
date of the visit are recorded. Because these addresses are never used
in any way that could indicate an agreement to receive unsolicited
commercial email, the information collected can help make connections
between people harvesting the addresses and the spammers who use their
lists. The defendants in the lawsuit are listed as John Doe because the
plaintiffs want the court to allow them to subpoena records from ISPs
associated with the IP addresses they have collected to confirm the
harvesters' identities.
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/25/AR2007042503098_pf.html
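As an added illustration of the spam-trap mechanism described in the story above (example code written for this digest, not Project Honey Pot's or Unspam's software), the Python below issues a unique trap address for every page visit, records the visitor's IP address and the time of the visit, and later links mail sent to that address back to the visit that harvested it. Because a trap address is never used for anything else, any delivery to it is unsolicited by construction, and the receive log ties the sending IP to the harvesting IP. The trap domain, the HMAC secret, the log-line format and every IP address are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumptions (constructed for this example, not Project Honey Pot's values):
TRAP_DOMAIN = "traps.example.net"      # domain that only ever receives trap mail
SECRET = b"constructed-demo-secret"    # per-deployment key; keep it private

# Constructed SMTP receive-log line format, one line per delivery attempt:
# "<timestamp> <sending-ip> RCPT TO:<address>"
RCPT_LINE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)>$")


@dataclass(frozen=True)
class Visit:
    """What the trap page recorded when the address was generated."""
    ip: str
    seen_at: datetime
    user_agent: str


class SpamTrap:
    """Issues one unique trap address per page visit and later maps mail
    sent to such an address back to the visit that harvested it."""

    def __init__(self) -> None:
        self._visits: dict[str, Visit] = {}   # local-part -> Visit

    def issue_address(self, ip: str, user_agent: str, now: datetime) -> str:
        # The local-part is an HMAC over the visit facts, so it cannot be
        # guessed or enumerated and will not collide with a real mailbox.
        msg = f"{ip}|{now.isoformat()}|{user_agent}".encode()
        local = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]
        self._visits[local] = Visit(ip, now, user_agent)
        return f"{local}@{TRAP_DOMAIN}"

    def attribute(self, recipient: str) -> Visit | None:
        """Return the visit that harvested `recipient`, or None when the
        address is not in our domain or was never issued by us."""
        local, _, domain = recipient.strip().lower().rpartition("@")
        if domain != TRAP_DOMAIN:
            return None
        return self._visits.get(local)

    def link_spammers(self, rcpt_log: list[str]) -> dict[str, set[str]]:
        """Map each harvester IP to the sending IPs that later used its
        trap addresses. Malformed, non-trap and unknown lines are ignored."""
        links: dict[str, set[str]] = {}
        for line in rcpt_log:
            m = RCPT_LINE.match(line)
            if not m:
                continue
            _ts, sender_ip, rcpt = m.groups()
            visit = self.attribute(rcpt)
            if visit is not None:
                links.setdefault(visit.ip, set()).add(sender_ip)
        return links


def demo() -> dict:
    """Constructed end-to-end run: three harvester visits, then a receive log."""
    trap = SpamTrap()
    t0 = datetime(2007, 4, 20, 9, 0, tzinfo=timezone.utc)
    a = trap.issue_address("203.0.113.7", "EmailSiphon/1.0", t0)               # constructed
    b = trap.issue_address("203.0.113.7", "EmailSiphon/1.0", t0.replace(hour=10))
    c = trap.issue_address("198.51.100.23", "Mozilla/4.0", t0)                 # constructed
    log = [
        f"2007-04-25T01:02:03Z 192.0.2.10 RCPT TO:<{a}>",
        f"2007-04-25T01:02:04Z 192.0.2.11 RCPT TO:<{b}>",
        f"2007-04-25T01:02:05Z 192.0.2.10 RCPT TO:<{c}>",
        "2007-04-25T01:02:06Z 192.0.2.12 RCPT TO:<nobody@traps.example.net>",  # never issued
        "2007-04-25T01:02:07Z 192.0.2.13 RCPT TO:<real.user@example.com>",     # not a trap
    ]
    return {
        "unique_addresses": len({a, b, c}),
        "first_harvester": trap.attribute(a).ip,
        "links": trap.link_spammers(log),
        "unknown_is_none": trap.attribute("nobody@traps.example.net") is None,
    }


if __name__ == "__main__":
    for harvester, senders in demo()["links"].items():
        print(f"harvester {harvester} -> spam sent from {sorted(senders)}")
```

Keying the local-part on visitor IP and timestamp is what makes a later subpoena useful: each address identifies exactly one visit, so a delivery to it needs no further disambiguation. Addresses in the trap domain that were never issued are reported as unknown rather than attributed, which keeps typo'd or guessed recipients from being pinned on an innocent visitor.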
--Report: Fears that a Data Breach Could Ruin Business
(April 25, 2007)
A new report from McAfee found that of more than 1,400 IT professionals
surveyed, a third fear that a major data security breach could put their
company out of business. Despite the fact that 60 percent of
respondents said their companies had experienced data loss in the last
year, they reported spending just 0.5 percent of their IT budgets on
data security. Sixty-one percent of respondents believe data leaks are
caused by people within the organization, and 23 percent believe those
leakages are of malicious intent.
http://www.computing.co.uk/itweek/news/2188528/breaches-worry-firms
http://www.securecomputing.net.au/news/50577,mcafee-data-breach-will-cause-major-corporate-collapse.aspx
************************* Sponsored Links: ****************************
SANS Voucher Credits
Maximize your Training Budget
Save 15-30% on SANS training & certification
Visit http://www.sans.org/info/6321 or Email Vouchers at sans.org
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Card Fraudster Faces More Charges
(April 25 & 26, 2007)
A King City, Ontario (Canada) man who is already a suspect in a
card-skimming fraud case had numerous new charges filed against him
after he was allegedly discovered violating the conditions of his
release on bail. Sergeui Kokoouline was serving a conditional sentence
for fraud when police found him and his wife, Larissa Piminova, to be
in possession of counterfeit credit cards; when the couple's home was
searched, police found and seized credit card-making equipment, numerous
phony cards and pages of credit and debit card data. The couple faces
a combined 238 charges against them.
http://www.durhamregion.com/dr/business/story/3952141p-4564382c.htm
http://680news.com/news/local/article.jsp?content=20070425_141204_6068
http://www.yorkregion.com/News/article/21336
--TJX Faces More Lawsuits
(April 24 & 25, 2007)
The Massachusetts Bankers Association (MBA) has filed a class-action
lawsuit against TJX Companies Inc., seeking to recover damages on behalf
of the financial entities who incurred the costs of blocking compromised
credit and debit cards and issuing new ones. Bank associations in
Connecticut and Maine plan to join the Massachusetts suit. TJX is
facing other lawsuits as well. The Arkansas Carpenters Pension Fund,
which owns stock in TJX, has filed a suit over TJX's alleged "refusal
to provide documents outlining the company's security measures and its
response to the data breach." In Canada, a class-action lawsuit has
been filed against two retail companies owned by TJX. A woman in
Virginia has filed a class-action lawsuit over TJX's refusal to provide
affected customers with credit monitoring.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017758&source=rss_topic17
http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20070425/NEWS/70425004
[Editor's Note (Grefer): Abiding by all requirements of the Payment Card
Industry (PCI) Data Security Standard (DSS) would likely have helped to
avoid a lot of this trouble. The PCI DSS is available for download at
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Ohio University Bans P2P From Campus Network
(April 25, 2007)
Ohio University (OU) has outlawed peer-to-peer (P2P) filesharing over
its networks. According to OU CIO Brice Bible, "peer-to-peer file
sharing consumes a disproportionate amount of resources, both in
bandwidth and human technical support." As of Friday, April 27, OU will
monitor the campus network for P2P activity; computers found to be
violating the new policy will be cut off from Internet access. OU's
policy decision comes in the wake of a wave of "prelitigation letters"
from the Recording Industry Association of America (RIAA), sent to
colleges and universities, including OU.
http://www.ohio.edu/students/filesharing.cfm
[Editor's Note (Schultz): Ohio University's decision to ban peer-to-peer
networking makes perfect sense. Peer-to-peer file sharing is, after all,
anything but conducive to security, and Ohio University has recently
been through the proverbial wringer when it comes to security-related
incidents. Additionally, although usually well-intentioned, RIAA
notifies and threatens organizations that use peer-to-peer networking
rather blindly. In one case RIAA sent a threatening letter to an
organization that neither allowed nor tolerated peer-to-peer networking.
However, that organization had a honeypot network in which certain ports
associated with peer-to-peer networking *appeared* to be open. When that
organization's legal department sent a letter informing RIAA that there
was in reality no peer-to-peer networking, RIAA lamentably did not back
down.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Malware Purveyors Exploit Sponsored Links on Google
(April 24 & 26, 2007)
Cyber criminals have reportedly bought sponsored links on frequently
visited Google search pages; the malicious links take users to the sites
they intend to visit, but on the way, users are momentarily sent to a
malicious site that attempts to download a backdoor and a post-logger
on their computers. Part of the problem lies in the fact that when a
user rolls a mouse over the sponsored link on the Google search results
page, the browser does not display the URL at the bottom of the screen,
so the user does not have a clear picture of where the click will lead.
Furthermore, the malware site is given a name that makes it appear to
be a third-party tracking site so users do not become suspicious. The
post-logger targets roughly 100 different banks "by injecting extra html
into those banks' response pages to try to coax extra information out
of the victim." Google has apparently shut down the account serving the
advertisements.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017862&source=rss_topic17
http://www.securitypronews.com/insiderreports/insider/spn-49-20070426GoogleAdsLedToPCInfections.html
http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html
--Flaw Exploited to Hack MacBook Affects All Java-Enabled Web Browsers
(April 25 & 26, 2007)
The remote code execution flaw exploited by the winner of a hacking
challenge last week is in Apple's QuickTime media player, not in the
Safari web browser, as was first reported. The flaw appears to be
exploitable through any Java-enabled web browser. iPod users are also
affected. For the attack to be successful, users would need to be
tricked into visiting a web site that has malicious Java code. Users
will not be protected until Apple patches QuickTime against the flaw;
until then, users are advised to disable Java in their browsers. There
are unconfirmed reports that the attack used in the challenge at last
week's conference was grabbed because the MacBooks that were being used
were connected to an unprotected wireless network.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017841&intsrc=hm_list
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199201605
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--UK Junior Doctors' Personal Data Exposed
(April 26, 2007)
The UK's Department of Health has apologized for a data leak in the
National Health Service's (NHS) Medical Training Application Service
(MTAS) that exposed personally identifiable information of hundreds of
junior doctors. According to information gathered by the television
news channel that reported the story, people could not only view the
data but could alter them as well. Furthermore, British Health
Secretary Patricia Hewitt was told in a letter from the British
orthopaedic trainees association that "We have also had concerns about
the security of the site with shortlisters reporting they could access
deanery data and applications they had nothing to do with." The
Department has launched an investigation.
http://www.channel4.com/news/articles/society/health/health+department+apologises+over+info+leak/471342
http://www.itpro.co.uk/information-management/news/111579/doctors-private-information-leaked-on-recruitment-website.html
--Former Payroll Co. Employee Accidentally Exposes Old Client Data
(April 25, 2007)
Payroll processing company Ceridian Corp. has apologized to employees
of a New York advertising company, Innovation Interactive, after
personally identifiable information of 150 Innovation Interactive
employees was inadvertently made available on the Internet. The data
include names, addresses, Social Security numbers (SSNs) and salary and
checking account information. Apparently, a man who no longer works for
Ceridian took payroll files with him by accident when he left the
company. The files were inadvertently posted on a web site because they
somehow became mixed in with his family photos. Ceridian is looking at
records back through March 2006 to see if anyone accessed the data. The
breach was discovered by a former Innovation Interactive VP who googled
himself, discovered the data and contacted Innovation Interactive.
Ceridian has sent letters of apology to affected employees and is
offering two years of personal data monitoring.
http://www.startribune.com/535/story/1144594.html
--Neiman Marcus Employee Data Compromised
(April 24, 2007)
A notebook computer stolen from a pension consultant holds personally
identifiable information of approximately 160,000 current and former
employees of the Neiman Marcus Group. The data include names,
addresses, SSNs and salary information. The theft affects employees
hired prior to August 30, 2005. Neiman Marcus plans to contact everyone
whose data were on the computer. Neiman Marcus learned of the theft on
April 10, though it had occurred several days earlier.
http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017725&source=rss_topic17
--Purdue Univ. Notifies Students of Data Breach
(April 24, 2007)
Purdue University has sent letters to 175 people whose data were
inadvertently accessible on the Internet until recently. The data
breach affects people who were enrolled in a freshman engineering honors
course in fall 2001; the exposed data include names and SSNs. The page
was on an Internet-connected server; while the university was no longer
using the page, several search engines had indexed and cached the data.
The page is no longer on the server and Yahoo! and Google have removed
the information from their indices and caches.
http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html
[Editor's Note (Northcutt): Word on the street is that Neiman might get
a bye from the bad publicity; Astroglide apparently had customer records
unprotected on an Internet-facing web site and it looks like a hotter
story:
http://www.homelandstupidity.us/2007/04/21/astroglide-data-breach-exposes-customer-information/
http://techwag.com/index.php/2007/04/24/astroglide-suffers-data-breach-this-ought-to-be-interesting/ ]
==end==
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD4DBQFGMfHK+LUG5KFpTkYRAqrVAJj+u1i8g0SvK+lfV7BuBMsgjPxWAJ425bq2
9+uPBh1knap1FnRthnw42A==
=kv1f
-----END PGP SIGNATURE-----