SANS NewsBites Vol. 9 Num. 54

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 10 2007 - 13:04:42 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The first story this week provides a direct and authoritative link
between cyber crime and terrorism. WashingtonPost.com's Brian Krebs did
an extraordinary job of getting the full story out of the law
enforcement people. Although this isn't the first such proof, it
reinforces the point that terrorists are exploiting lapses in
cybersecurity to raise money to buy their bombs.
                                 Alan

*************************************************************************
SANS NewsBites July 10, 2007 Vol. 9, Num. 54
*************************************************************************
TOP OF THE NEWS
  Terrorist Support Ring Supported Through Stolen Credit Card Data
  Court Rules Belgian ISP Must Block P2P Filesharing
  Card Fraudsters May be Testing Validity on Charity Sites
  Google Privacy Chief Says Data Retention is a Security Issue
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Card Fraud Group Members Arrested
  POLICY & LEGISLATION
    FCC Rule Puts Brakes on Software-Defined Radio
    South Africa Considering Tough Anti-Spam Law
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Buffer Overflow Flaws in SAP Products
    HotLan-A Trojan
    Group Launches Vulnerability Auction Website
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Tapes Hold Girl Scout Data
  STATISTICS, STUDIES & SURVEYS
    IT Security Professionals Support Data Breach Notification
UPCOMING SANS WEBCASTS
INVITATION FOR PROGRAMMERS TO THE EXAM THAT DEMONSTRATES SECURE PROGRAMMING SKILLS

*********************** Sponsored By ArcSight, Inc. *********************

Free Whitepaper: The Missing Link in Your Security Solution
Time is the enemy in a cyber attack. Only a rapid, automated response
can make the difference between a minor incident and significant damage.
Learn how to protect, detect and respond to cyber threats with this free
whitepaper. Brought to you by ArcSight, the leader in compliance and
security management.
http://www.sans.org/info/10641
*************************************************************************
TRAINING UPDATE
SANS Network Security in Las Vegas, Sept. 22-30, now open for
registration at http://www.sans.org/ns2007
Complete schedule: http://www.sans.org/
*************************************************************************

TOP OF THE NEWS
 --Terrorist Support Ring Supported Through Stolen Credit Card Data
(July 6, 2007)
The three men who recently entered guilty pleas to charges of using the
Internet to incite murder apparently used fraudulently obtained credit
card information to fund their activity. This is the first major case
to draw a definitive link between terrorism and cyber crime. The group
used phishing attacks and Trojan horse programs to steal the card
information and used the data to pay for web hosting services, GPS
devices, night vision goggles, pre-paid cell phones and airplane
tickets. The three men charged more than US $3.5 million on the stolen
cards.
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501945_pf.html
[Editor's Note (Multiple): The authors of GAO's flawed report on the
lack of importance of data breaches might do well to read this article.
(Kreitner): I hope people who think credit card fraud is just a matter
of personal inconvenience and the credit card industry players who
complain about the PCI Data Security Standard will let this information
sink in.
(Shpantzer): It's only natural for terrorist networks to adapt to the
latest criminal methods to support their activities. This is financial
support for terrorists through crime, which is really nothing new at
all. The only twist is that phishing and trojan horses are involved on
the internet, instead of other types of organized crime like
counterfeiting and drug dealing. ]

 --Court Rules Belgian ISP Must Block P2P Filesharing
(July 4 & 6, 2007)
In what is being hailed as a landmark European legal ruling, a Belgian
court has ordered the ISP Scarlet to block all peer-to-peer (P2P)
traffic on its network. The case was brought by Sabam, which represents
authors and composers in Belgium. The court ruled that Scarlet had a
variety of available technologies from which to choose to block the
offending traffic. The court maintains the ruling does not require
Scarlet to monitor its network. Scarlet has six months in which to
supply Sabam in writing with plans for deploying blocking measures.
Failure to comply will result in a fine of 2,500 Euros (US $3,405) a
day.
http://www.vnunet.com/vnunet/news/2193670/isp-block-illegal-p2p-traffic
http://www.sabam.be/website/data/Communiques_de_presse/SABAM_vs_TISCALI_engl.pdf
[Editor's Note (Ullrich): Many organizations have tried to block P2P and
failed. P2P traffic is hard to define and usually requires sophisticated
(and expensive) content based packet filtering devices to detect and
stop. Scarlet as an ISP will have a hard time implementing such a filter
effectively. It may be a sign of copyright laws gone overboard. Like
regular copy machines, P2P networks can be used to share illegal as well
as legal content.]
[Guest Editor's Note (Frantzen): This case is a continuation of an
earlier case covered here: http://www.edri.org/edrigram/number2.23/p2p ]

 --Card Fraudsters May be Testing Validity on Charity Sites
(July 6 & 9, 2007)
Symantec has found evidence that credit card fraudsters are making small
donations to charities, presumably to test the cards' validity. If the
transaction clears, the credit card thieves know the card information
they have is functional. Small charitable donations are unlikely to
raise fraud flags among credit card security monitors.
http://www.forbes.com/technology/2007/07/09/hackers-charity-creditcards-tech-cx_ag_0709hack.html
http://www.networkworld.com/news/2007/070607-credit-card-thieves.html
[Editor's Note (Ullrich): This is potentially very expensive for
charities. Charities will have to deal with refunds after fraud is
detected and face potentially higher discount rates. A reasonable
defense may be to return to the user a "donation accepted" message even
if the credit card is marked as stolen/fraudulent. That way, charity
sites will lose their value for this activity.]

 --Google Privacy Chief Says Data Retention is a Security Issue
(July 6 & 9, 2007)
During a radio interview, Google global privacy chief Peter Fleischer
said the company's retained search query data falls under the purview
of security, not privacy. Therefore, according to Fleischer, the
European Union's (EU) Article 29 Working Party holds no sway over
Google's data retention policy. Google justifies its data retention
policy by maintaining that the EU's Data Retention Directive requires
it, but the Article 29 Working Party says the directive does not apply.
Even the security arm of the EU government structure says the directive
does not apply because search queries contain content, not traffic and
location data. Fleischer said that even if the directive were not in
effect, Google would maintain its data retention policy.
http://www.theregister.co.uk/2007/07/06/google_data_retention_/print.html
http://www.vnunet.com/vnunet/news/2193694/google-bashes-protection-bodies

************************ Sponsored Links: *****************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack!"- White
Paper
http://www.sans.org/info/10646

2) FREE trial log management solution for simplified compliance from
netForensics. Start collecting and managing logs today!
http://www.sans.org/info/10651

3) SANS Ask the Expert webcast, "Reputation-Based Network Security"
sponsored by Secure Computing. Register today.
http://www.sans.org/info/10656
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Card Fraud Group Members Arrested
(July 9, 2007)
The US Secret Service has arrested four people allegedly affiliated with
a credit card fraud gang. Authorities recovered more than 200,000
credit card account numbers, two trucks, and US $10,000 cash. Two other
people were arrested in connection with the group's activity earlier
this year. The Florida-based group allegedly exchanged funds through
E-gold accounts with individuals in Eastern Europe, who supplied them
with credit card account information they used to manufacture phony
cards.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026641&intsrc=news_ts_head
http://blog.washingtonpost.com/securityfix/2007/07/florida_counterfeit_credit_car.html?nav=rss_blog

POLICY & LEGISLATION
 --FCC Rule Puts Brakes on Software-Defined Radio
(July 6, 2007)
A Federal Communications Commission (FCC) rule may slow down the
availability of software-defined radio devices. At issue is the
security of the "open-source elements" on which the devices are based.
The FCC has received at least one petition asking that they retreat from
their position. The technology is already in use in military and public
safety arenas.
http://news.com.com/2102-1041_3-6195102.html?tag=st.util.print

 --South Africa Considering Tough Anti-Spam Law
(June 24, 2007)
South African legislators are considering a bill that would impose harsh
penalties on those convicted of sending spam. The Protection of
Personal Information Bill defines email addresses and cell phone numbers
as private information; sending unsolicited commercial messages to
either without express written permission would be illegal.
Perpetrators could be fined or face prison sentences of up to 10 years.
http://www.24.com/news/?p=tsa&i=565876

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Buffer Overflow Flaws in SAP Products
(July 9, 2007)
Users of several SAP software packages are encouraged to upgrade to the
newest versions of the products to protect their systems from a handful
of vulnerabilities. The security flaws include buffer overflow
vulnerabilities in EnjoySAP GUI, SAP's Message Server and SAP DB Web
Server, and a flaw in SAP Web Application Server that could be exploited
to cause a denial-of-service condition.
http://www.theregister.co.uk/2007/07/09/sap_update/print.html

 --HotLan-A Trojan
(July 6 & 9, 2007)
The HotLan-A Trojan horse program establishes phony Yahoo! and Hotmail
accounts that are used to send spam. The malware's creators have
evidently discovered a way to circumvent the challenge-response systems
put in place by the account providers to prevent mechanized systems from
setting up accounts. The systems ask the entity setting up the account
to type in plaintext a word displayed in a distorted fashion; the image
is assumed not to be readable by a machine.
http://www.theregister.co.uk/2007/07/06/webmail_trojan/print.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c

 --Group Launches Vulnerability Auction Website
(July 5 & 6, 2007)
The founders of vulnerability auction web site WabiSabiLabi maintain it
will strengthen security because "researchers" will be paid "a fair
price" for their work instead of providing their work gratis or selling
the flaws to cyber criminals. For the first six months, the site will
be free to use. After the initial period, buyers and sellers will be
assessed a 10 percent fee. Buyers and sellers both must preregister,
presumably to be vetted, and to ensure the site's purpose is not
misused. WabiSabiLabi will test the vulnerabilities in their laboratory
before putting them on the auction site; they will be accompanied by a
proof-of-concept exploit.
http://www.zdnet.co.uk/misc/print/0,1000000169,39287912-39001093c,00.htm
http://www.heise-security.co.uk/news/92258
http://news.bbc.co.uk/2/hi/technology/6276474.stm
http://www.vnunet.com/vnunet/news/2193550/security-exchange-trades-zero
http://www.theregister.co.uk/2007/07/06/security_flaw_marketplace/
[Editor's Note (Ullrich): A couple of legitimate companies (iDefense and
3COM) will already pay researchers a reasonable amount of money.
However, these companies will also forward the information to the author
of the software, which will help fix the actual problem. This new
auction site has no such provision. While I fully agree that we need to
find a better way to compensate and protect researchers, this auction
site doesn't look like the right way as it does not release
vulnerability information to vendors.
(Ranum): This is purely and simply about cashing in on security flaws -
it shows the real agenda of the vulnerability researchers: money.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Tapes Hold Girl Scout Data
(July 9, 2007)
Girl scouts and their families in the metro Denver, Colorado area are
being alerted that their personally identifiable information was on
tapes stolen from a car on June 27. The information was from the Girl
Scouts Mile Hi Council membership database, and includes names,
addresses, phone numbers, members' schools and a small number of credit
card and Social Security numbers (SSNs) from camp and event
registrations. The data theft affects those whose information was in
the database between 2003 and 2007.
http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5621147,00.html

STATISTICS, STUDIES & SURVEYS
 --IT Security Professionals Support Data Breach Notification
(July 9, 2007)
"The European Commission is expected to pass the European directive on
Data Protection this year, which would require companies to inform all
customers and regulators of any data security breaches. However, it
could take years for ... European countries to adopt this directive into
law." More than three-quarters of IT security professionals surveyed
at the Infosec 2007 conference believe organizations should be required
by law to notify customers and regulators about data security breaches.
Of those in favor of a law, 49 percent believe notification should occur
immediately. A separate survey found that 82 percent of consumers
expected to be notified immediately in the event of a breach; 53 percent
said they would stop conducting business with the entity that suffered
the breach.
http://www.computerworlduk.com/management/government-law/legislation/news/index.cfm?newsid=3924
[Editor's Note (Kreitner): It is hard to be optimistic about the ability
of legislative bodies to keep up with the consequences of society's
increasing dependence on information technology.]

********************* Upcoming SANS Webcasts **************************

July 10, 2007 GIAC Secure Software Programmer (GSSP) for Java/Java EE Review
http://www.sans.org/info/10596
Featuring: Edward Tracy and Alan Paller

July 11, 2007 Internet Storm Center: Threat Update
http://www.sans.org/info/10601
Sponsored by: Core Security

July 12, 2007 GIAC Secure Software Programmer (GSSP) for C Review
http://www.sans.org/info/10606
Featuring: Robert Seacord and Alan Paller

July 18, 2007 Making your Web Applications PCI Compliant
http://www.sans.org/info/10611
Sponsored by: SPI Dynamics

July 19, 2007 Next-Gen Log Monitoring: Who's Minding the Applications?
http://www.sans.org/info/10616
Sponsored by: ArcSight

July 25, 2007 Meeting PCI Data Security Standards: It's more than log
collection
http://www.sans.org/info/10621
Sponsored by: Q1 Labs

******************************************************************
INVITATION TO THE EXAM THAT DEMONSTRATES SECURE PROGRAMMING SKILLS

This is the promised invitation for your contractors to participate in
the secure programming assessment on August 14 in Washington, DC.

Who may send programmers to the assessment?
Each government contractor that is building or maintaining web
applications written in Java or other applications written in C may send
up to three programmers to the exam.

What does the assessment measure?
It measures the degree of mastery of the basics of secure programming.
One test measures Java secure programming, and one measures C secure
programming. The attachments to this note provide the blueprints showing
exactly what areas are assessed.

Will the results be confidential?
Yes. Only the test taker will receive the results.

What value will programmers who take the test gain?
They will learn the areas in which their secure coding skills are strong
and the areas in which they need more review. If they score high enough
(about 62%) they will be among the first programmers to earn a GSSP
(GIAC Secure Software Programmer) certification. Contractors who do
especially well may also want to share their results with their
government clients to demonstrate to their clients that they have
programmers who really know how to write secure code.

Should programmers cram for the assessment?
That would not be useful because the exam measures programming rules
that most programmers who write code should already know. Moreover, the
assessment will tell you in which areas you need additional knowledge
so it will be cost-effective to use the assessment to determine which
areas need study and then focus on those. SANS is creating online
mini-courses for each area of the exams so that programmers can quickly
master the topics in which the assessment showed they need more
knowledge.

Where and when is the exam and how long is it?
Both the Java and C exams are being held at the Marriott Wardman Park
in Washington DC (near the Woodley Park-Zoo Metro stop) on August 14 at 9
AM. Each exam has 100 questions and will take approximately 3 hours.

What types of questions are on the exam?
They are multiple choice questions. Some include code samples; others
ask about techniques and concepts.

Here are sample questions for Java:

1. The Java synchronized keyword is important to security because of
which of the following:

A. It allows two different functions to execute simultaneously.
B. It prevents multiple developers from writing the same block of code.
C. It allows the class to be loaded as soon as the JRE starts.
D. It prevents multiple threads from accessing a block of code at the same time. (CORRECT)

Explanation: The synchronized keyword ensures that only one thread of
execution is accessing a given block of code at a given time. The
subtleties of concurrent programming are often overlooked by developers.
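To show what the first sample question is getting at, here is an added example (not part of the newsletter or the exam material) of the classic check-then-act race that synchronized prevents. The SynchronizedDemo class, its balance field and the withdraw methods are hypothetical; the unsynchronized version lets several threads pass the balance check before any of them subtracts, so the account can be overdrawn, while the synchronized version serialises the check and the update.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

/*
 * Hypothetical account class (example only). withdrawUnsafe has a
 * check-then-act race: two threads can both see balance >= amount and
 * both subtract, overdrawing the account. withdrawSafe runs the same
 * check and update under the object's monitor, so only one thread is
 * inside it at a time.
 */
public class SynchronizedDemo {
    private long balance;

    SynchronizedDemo(long initial) { this.balance = initial; }

    /** Vulnerable: the check and the update are not atomic. */
    boolean withdrawUnsafe(long amount) {
        if (balance >= amount) {
            Thread.yield();            // widen the race window for the demo
            balance -= amount;
            return true;
        }
        return false;
    }

    /** Fixed: check and update happen while holding the monitor. */
    synchronized boolean withdrawSafe(long amount) {
        if (balance >= amount) {
            Thread.yield();
            balance -= amount;
            return true;
        }
        return false;
    }

    synchronized long balance() { return balance; }

    /** Starts `threads` threads that each attempt one withdrawal of `amount`. */
    static long run(boolean safe, int threads, long initial, long amount)
            throws InterruptedException {
        SynchronizedDemo acct = new SynchronizedDemo(initial);
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int i = 0; i < threads; i++) {
            pool.submit(() -> {
                if (safe) acct.withdrawSafe(amount); else acct.withdrawUnsafe(amount);
            });
        }
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return acct.balance();
    }

    public static void main(String[] args) throws InterruptedException {
        // Balance 100, 50 threads each trying to withdraw 100: exactly one
        // withdrawal should succeed, leaving 0. A negative "unsafe" result
        // means the race was hit; the safe run always ends at 0.
        System.out.println("unsafe final balance: " + run(false, 50, 100, 100));
        System.out.println("safe   final balance: " + run(true, 50, 100, 100));
    }
}
```

The unsafe run will not overdraw on every execution, which is exactly why such bugs survive testing; the synchronized version is correct regardless of scheduling. Note that `balance()` is also synchronized so the final read is not itself a data race.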

2. Consider the following 'Session Fixation' attack scenario:
An attacker browses to a website and receives a JSESSIONID without
logging in. The attacker then embeds that ID in a link and emails it to
a victim. The victim clicks on the link and proceeds to log in, using the
JSESSIONID that is known by the attacker. The attacker can now
masquerade as the victim.

Which of the following best mitigates this threat?

A. Users should be instructed not to click on links in email.
B. The application should provide a new JSESSIONID to each user when
they authenticate. (CORRECT)
C. Users should be required to enter text that is represented in a
garbled graphic, proving they are human.
D. The application server should be configured to expire the JSESSIONID
very quickly to reduce the window of opportunity.

Explanation: Session IDs can be embedded in a link as described in the
scenario, and many applications don't protect them with SSL until a user
authenticates. In both cases the session ID may have already been
compromised. Therefore, it should not be used to represent an
authenticated user; a new one should be issued upon authentication.
This is not, nor can it be, done by J2EE; it is the application
developer's responsibility.
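As an added example of the mitigation in answer B (this is illustrative code, not from the newsletter or SANS), the following servlet discards whatever session the browser arrived with and obtains a fresh JSESSIONID from the container before marking the session as logged in. The class name, the "user" attribute name and the checkCredentials stub are assumptions; an application would substitute its own authentication check.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical login servlet (example only). The order of operations is
 * the point: the pre-login session, which an attacker may have planted via
 * a link, is invalidated and a new session id issued BEFORE any attribute
 * that denotes "authenticated" is set. Anyone holding the old JSESSIONID
 * is left with a dead session.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", user);   // only the new id is tied to the login
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Replace the current session with a new one, carrying over pre-login
     * state (shopping cart, locale, ...) that should survive the login.
     * On Servlet 3.1 and later containers, req.changeSessionId() achieves
     * the same rotation in a single call.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();               // the attacker-known id dies here
        }
        HttpSession fresh = req.getSession(true);   // container mints a new id
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Assumption: stand-in for the application's real credential check. */
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && pass.length() >= 12;
    }
}
```

Two details worth keeping in mind: invalidating the old session is what defeats the attack, not merely creating a new one, and anything copied from the old session into the new one should be state the attacker could not have influenced to the victim's detriment.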

How to learn more about the whole Secure Coding Assessment and Certification?
Go to www.sans-ssi.org

How to register?
Go to: http://www.sans.org/gssp07/

You may also attend the Application Security Summit, where users from T.
Rowe Price to Kaiser to Cisco will share what they have learned about
developing application security initiatives. See
http://www.sans.org/appsummit07/

Additional questions? Email apaller@sans.org

---end---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGk7tn+LUG5KFpTkYRAniGAJ9/Ro/CT0RYpnMdPaWdPUPq/9+SrgCeOW9D
eTylxMwNU65bftx92SylRwY=
=2bxB
-----END PGP SIGNATURE-----