SANS NewsBites Vol. 9 Num. 60

From: The SANS Institute (NewsBitessans.org)
Date: Tue Jul 31 2007 - 13:22:52 CDT


The OWASP Top Ten Web Security Threats have been updated. On Thursday
(8/2/2007) at 1 PM EDT (17:00 UTC) OWASP chair, Jeff Williams will
summarize the most important changes and take questions. You'll also
hear about what enterprises are doing to eliminate the bulk of their web
application security vulnerabilities and Ryan Berg from Ounce Labs will
share with you information about how the new national examination for
Java web programmers measures their security skills.
Register for the free webcast: http://www.sans.org/info/12176
                                  Alan

PS. The early registration discount for SANS Network Security in Las
Vegas (September 22-30) ends on Wednesday August 8

*************************************************************************
SANS NewsBites July 31, 2007 Vol. 9, Num. 60
*************************************************************************
TOP OF THE NEWS
  Report to California Sec. of State Details Security Flaws in eVoting
     Systems
  UK Telecoms Must Retain Call Data
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Software Engineer Arrested for Data Theft
    Computer Security Lecturer Gets Jail Time for Identity Fraud
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Botmasters Turn to Dynamic IP Addresses
    Yahoo! Widgets Flaw
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Laptop Holds County Child Support Services Data
    Stolen Laptop Holds Student Loan Data
    Former Employee Allegedly Stole Personal Data for Prescription Fraud
    Stolen Laptop Contains Aflac Customer Data
    Charitable Donors Notified of Possible Data Breach
    Marines' SSNs Unintentionally Posted to Internet
  MISCELLANEOUS
    Black Hat Participant Denied Entry to US
    Ohio Intern Says He Is a Scapegoat
  LIST OF UPCOMING FREE SANS WEBCASTS

******************* Sponsored By Seagate Technology *********************
  
What Seagate knows about secure storage could affect--perhaps materially
improve--your company's security decisions, at a time when regulations
and rising threats have made security decisions more and more critical.
Find expert information about security planning, technologies,
legislation, standards and news at
http://www.sans.org/info/12216.
Don't wait till tomorrow. One piece of information could change
everything.

*************************************************************************
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the
largest fall conference on cybersecurity with more than 40 courses and
wonderful evening sessions and a big vendor exposition. Most
importantly, it brings together the top rated teachers in cybersecurity
in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented
immediately in the work place." (Christopher O'Brien, Booz Allen
Hamilton)
"The quality of teachers, speakers, and even attendees is far superior
to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true
experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
*************************************************************************

TOP OF THE NEWS
 --Report to California Sec. of State Details Security Flaws in eVoting Systems
(July 27, 28 & 30, 2007)
A review of electronic voting systems commissioned by California
Secretary of State Debra Bowen has been released, and the results are
"not encouraging." The researchers were able to get around physical and
software security in every system tested. In several cases, they were
able to "circumvent the system's audit logs and directly access data on
the machine." Bowen has set an August 3 deadline for determining which
systems to certify for use in the 2008 presidential primary elections,
which are scheduled for February 5 in California. The review took two
months, with two teams of researchers - one focusing on penetration
testing and the other on examining source code. In California, counties
purchase their own voting systems, but those systems must be certified
by the Secretary of State's office before they are used. The study
found "absolutely no evidence of any malicious source code anywhere."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9028262
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/28/VOTING.TMP&tsp=1
http://news.com.com/8301-10784_3-9752129-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.sos.ca.gov/elections/elections_vsr.htm
[Editors' Note (Schultz, Paller): The tremendous effort of Professor
Bishop and his team, all from the University of California at Davis,
deserves special mention. As one of the news stories says, this was the
most thorough and rigorous testing of electronic voting machines ever.
At the same time, however, count on electronic voting machine companies
and their proponents quickly launching a very aggressive
counteroffensive in which they attack the testing and its results.]

 --UK Telecoms Must Retain Call Data
(July 27, 2007)
New legislation in the UK will require telecommunications companies to
keep records of all landline and mobile phone calls for one year.
Internet activity, which includes VoIP calls, is not affected by the new
law, which goes into effect on the first of October. The law reflects
the European Union's Data Retention Directive and is aimed at
establishing uniform industry standards.
http://www.out-law.com/page-8332
http://www.jisclegal.ac.uk/publications/dataretention.htm
Draft of the legislation: http://www.opsi.gov.uk/si/si2007/draft/20077449.htm

************************ Sponsored Links: ****************************

1) ALERT: Hacking Web Applications- A Step-by-Step Attack Analysis
Download this SPI Dynamics White Paper:
http://www.sans.org/info/12221

2) CA Secure Content Manager takes security to the next level, offering
all-around security protection for the gateway.
http://www.sans.org/info/12226
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --Software Engineer Arrested for Data Theft
(July 29, 2007)
Police in India have arrested a software engineer for allegedly breaking
into a server that belongs to the US-based company Caterpillar and
taking proprietary information. M.S. Ramasamy worked at a Caterpillar
office in India earlier this year. He allegedly broke into the
"Research and Engineering Documents Inquiry System" and used another
employee's login credentials to access and download more than 4,000
sensitive documents.
http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=2007072959470300.htm&date=2007/07/29/&prd=th&
[Editor's Note (Shpantzer): One of the hardest things to prove is not
what happened or when, but who was at the keyboard. In this case, the
stolen User ID and password that were used did not throw off the
investigators permanently, since there was a CCTV pointed at the
terminal to visually ID the man at the keyboard during the period the
files were accessed. At the end of the day, information security is a
three legged stool comprised of physical, personnel and computer
security.]

 --Computer Security Lecturer Gets Jail Time for Identity Fraud
(July 26 & 27, 2007)
Eni Oyegoke, a Nigerian man who has been a lecturer in computer security
at the University of Glamorgan in South Wales, UK, was sentenced to two
years in jail after admitting to fraud, deception and theft offenses.
Oyegoke applied for a British driving license with a false passport
number. When police searched his home, they found a phony driving
license as well as evidence that he had made nearly GBP 22,000 (US
$44,683) in fraudulent credit card charges using his former landlords'
identities. He came to Wales as a PhD student in 2005 and soon after
began lecturing in the computer science department about identity theft.
Oyegoke maintains the phony license was made as part of his graduate
thesis. It is likely that he will be deported once his jail term is
complete.
http://news.bbc.co.uk/2/hi/uk_news/wales/south_east/6917965.stm
http://icwales.icnetwork.co.uk/southwalesecho/news/tm_headline=university-speaks-out-over-id-fraud&method=full&objectid=19529398&siteid=50082-name_page.html
[Editor's Note (Weatherford): It sounds like his day job conflicted with
his noble aspirations to be a good citizen. Intelligence is a terrible
thing to waste although this could lend credence to creating a
technology category for the annual "Darwin Award."]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Botmasters Turn to Dynamic IP Addresses
(July 28 & 17, 2007)
Always on the lookout for ways to prolong the life of their attacks,
botmasters are starting to use a new technique dubbed fast-flux to make
it harder to track them down. Instead of communicating with their
zombie PCs through IRC, botmasters have begun to take advantage of load
balancing and resiliency techniques used by legitimate companies to hide
behind dynamically changing IP addresses. The "infected machines serve
as proxies ... for malicious websites." IP-based blocking is
ineffective against this technique.
http://www.eweek.com/print_article2/0,1217,a=212440,00.asp
http://www.forbes.com/technology/2007/07/17/symantec-security-bot-tech-cx_0717darkreading.html
[Editor's Note (Skoudis): This is a really interesting development for
the bad guys in improving the resiliency of their bot-nets. As bot-nets
grow ever bigger, pushing the envelope toward multiple millions of
machines, the attackers are encountering the same problems with
massively distributed computing that big enterprises have faced for the
last twenty years. It makes sense for the attackers to borrow the ideas
that enterprises perfected for creating resilient, patchable,
manageable, large-scale computing systems, and I expect to see a lot
more of those ideas incorporated into bots going forward.
(Ullrich): This new phenomenon, sometimes referred to as "flux," is the
next malware challenge. Domain name registrars hold the keys to the
solution. Sadly, not all of them step up to the challenge and even a
small number of uncooperative registrars are able to cause a lot of
pain.]
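Detection heuristics a resolver log or passive-DNS pipeline could apply to the pattern described above, as an added example that is not part of the newsletter or its sources: successive answers for one name are scored on short TTL, address-pool size, spread across networks, and how little consecutive answers overlap. The sample resolutions, field names and thresholds are constructed assumptions.

```python
"""Fast-flux indicators scored over successive DNS answers for one name.

Added example for this item; the thresholds, field names and sample data are
assumptions, not from the article or the sources it cites. A fast-flux
domain rotates many unrelated proxy addresses behind very short TTLs, so
the useful signals are the TTL, how many distinct addresses appear, how
many different networks they fall in, and how little consecutive answers
overlap. A normal site returns the same few addresses on one network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    """One resolution of the name: the TTL and the A records returned."""
    ttl: int
    addrs: tuple


def flux_features(answers):
    """Summarise a sequence of answers into the four flux indicators."""
    unique = set()
    for ans in answers:
        unique.update(ans.addrs)
    # First two octets as a cheap stand-in for "different networks";
    # a production check would map addresses to ASNs instead.
    prefixes = {".".join(ip.split(".")[:2]) for ip in unique}
    # Count consecutive answers that share no address at all (pool churn).
    churn = sum(
        1 for prev, cur in zip(answers, answers[1:])
        if not set(prev.addrs) & set(cur.addrs)
    )
    return {
        "min_ttl": min(ans.ttl for ans in answers),
        "unique_ips": len(unique),
        "prefixes": len(prefixes),
        "churn": churn,
    }


def score_flux(answers, ttl_max=300, ip_min=5, prefix_min=3):
    """Return (points 0-4, features); 3 or more points is worth a closer look."""
    f = flux_features(answers)
    points = 0
    points += f["min_ttl"] <= ttl_max          # very short TTL
    points += f["unique_ips"] >= ip_min        # large address pool
    points += f["prefixes"] >= prefix_min      # spread across networks
    points += f["churn"] >= len(answers) // 2  # answers barely overlap
    return points, f


def is_suspect(answers):
    return score_flux(answers)[0] >= 3


# Constructed samples using RFC 5737 documentation ranges, as if the name had
# been resolved four times a few minutes apart.
STABLE_SITE = [DnsAnswer(3600, ("203.0.113.10", "203.0.113.11"))] * 4
FLUX_SITE = [
    DnsAnswer(180, ("198.51.100.7", "192.0.2.44", "203.0.113.90")),
    DnsAnswer(180, ("198.51.100.201", "192.0.2.12", "203.0.113.5")),
    DnsAnswer(120, ("192.0.2.99", "198.51.100.33", "203.0.113.77")),
    DnsAnswer(180, ("203.0.113.8", "192.0.2.3", "198.51.100.150")),
]

if __name__ == "__main__":
    for label, answers in (("stable", STABLE_SITE), ("flux", FLUX_SITE)):
        print(label, score_flux(answers))
```

Because IP blocking is useless against a rotating pool, the actionable output is the domain name itself, which is why the note above points at registrars.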

 --Yahoo! Widgets Flaw
(July 27, 2007)
A critical remote code execution flaw in Yahoo! Widgets is due to "a
boundary error within the YDPCTL.dll ActiveX control when handling the
'GetComponentVersion()' method." The vulnerability has been confirmed
in YDPCTL.dll version 2007.4.13.1 in Yahoo! Widgets version 4.0.3, which
also goes by the name "build 178". Other versions of Widgets may be
affected as well. Users are urged to update their Widget software to
version 4.0.5. In the next few weeks, users will start to receive
prompts to download the new version when they launch the application.
"Yahoo! Widgets are software plug-ins that allow information [such as
weather reports and sports scoreboards] to be delivered to a user's
desktop."
http://www.vnunet.com/vnunet/news/2195121/yahoo-widgets-hit-highly
http://www.scmagazine.com/us/news/article/673773/activex-vulnerability-hits-yahoo-widgets/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Laptop Holds County Child Support Services Data
(July 28, 2007)
A laptop stolen from the Yuba County (CA) Health and Human Services
Building contains personally identifiable information of approximately
70,000 individuals whose cases were opened before May 2001. The data
were on the laptop because it "was being used as a backup system for the
county's computer system." The data include Social Security numbers
(SSNs) and driver's license numbers. The Yuba County Department of
Health and Human Services has begun notifying affected clients by mail.
http://www.appeal-democrat.com/news/county_51837___article.html/information_brown.html

 --Stolen Laptop Holds Student Loan Data
(July 27, 2007)
A stolen laptop contains personally identifiable information of 5,184
American Education Services (AES) student loan customers. Most of those
affected by the breach are thought to be from Pennsylvania. The
computer was stolen from the Livermore, California headquarters of
subcontractor Vista Financial, Inc. The data include names, addresses
and SSNs, and were not encrypted. AES has sent notification letters to
the affected customers. Vista was found to be violating both AES's and
its own security policies.
http://www.post-gazette.com/pg/07208/804836-96.stm

 --Former Employee Allegedly Stole Personal Data for Prescription Fraud
(July 27, 2007)
A former benefits administration company employee has been arrested and
charged with prescription fraud. Melissa Lea McDevitt allegedly stole
Virginia Beach city and school district employees' personal information
and used it to commit prescription fraud. The breach affects
approximately 2,000 employees. Police discovered a list of names and
SSNs at the suspect's home. McDevitt was formerly employed at Flexible
Benefits Administrators, a City of Virginia Beach Contractor. Affected
employees have been notified.
http://www.wtkr.com/Global/story.asp?S=6850947

 --Stolen Laptop Contains Aflac Customer Data
(July 26, 2007)
A laptop stolen from an insurance agency employee in Japan holds
personally identifiable information of approximately 152,000 Aflac
supplemental health insurance customers. The computer was stolen on
July 17; Aflac notified affected customers before disclosing the theft
to the media. The data on the computer are encrypted and password
protected.
http://www.bloomberg.com/apps/news?pid=20601101&sid=afw8zxz12Koo

 --Charitable Donors Notified of Possible Data Breach
(July 26, 2007)
More than 12,000 people who have made donations to City Harvest, a New
York-based organization aimed at feeding hungry people, have received
letters informing them their credit card data may have been compromised.
The breach affects people who made donations in the two years prior to
April 25, 2007. Few other details have been released about the breach,
but the Manhattan DA is investigating.
http://www.ny1.com/ny1/content/index.jsp?stid=8&aid=72018
http://www.nypost.com/seven/07292007/business/morgy_probing_id_theft_at_city_harvest_business_richard_wilner.htm

 --Marines' SSNs Unintentionally Posted to Internet
(July 26, 2007)
Personally identifiable information of 10,554 US Marines was
inadvertently posted to the Internet. The data were in the possession
of Penn State University, which had obtained them under a research
contract. The data include names and SSNs; the problem was discovered
by a Marine who had Googled his own name. Penn State officials took the
information off the Internet as soon as they learned of the situation
and Google has deleted the data from its cache.
http://www.marinecorpstimes.com/news/2007/07/marine_data_exposed_070726/
[Editor's Note (Honan): This story highlights the dangers of using live
data for any research and test purposes. Where possible data used for
research and testing should be anonymised. Indeed, under EU Data
Protection Legislation any companies based in the EU should ensure that
test/research data is anonymised and where actual data needs to be used,
then it should be treated with the same due care as live data.]
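One way to follow the editor's advice above, as an added example that is not from the newsletter or any institution it names: keyed pseudonymisation replaces names and SSNs with stable HMAC-derived tokens, so a research copy still links records but carries no real identifiers. The SSN pseudonym keeps the 9-digit format so validation code in the test environment keeps working; the records, key and helper names are constructed.

```python
"""Keyed pseudonymisation of names and SSNs for research or test copies.

Added example for this item, not from the newsletter. Each identifier is
replaced by a pseudonym derived with HMAC-SHA256 under a key that stays out
of the research environment, so records still join on the pseudonym but the
copy no longer contains anything that leads back to a person. The SSN
pseudonym keeps the 9-digit format; the record layout is constructed.
"""
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def pseudonymise_ssn(ssn, key):
    """Map an SSN to a stable, format-preserving 9-digit pseudonym."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    # Domain-separate the input so a name equal to an SSN cannot collide.
    mac = hmac.new(key, b"ssn:" + digits.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % 10**9
    p = f"{n:09d}"
    return f"{p[:3]}-{p[3:5]}-{p[5:]}"


def pseudonymise_name(name, key):
    """Map a name to an opaque subject label."""
    mac = hmac.new(key, b"name:" + name.encode(), hashlib.sha256).hexdigest()
    return "SUBJ-" + mac[:10].upper()


def pseudonymise_records(records, key):
    """Return copies of the records with the direct identifiers replaced."""
    return [
        {**rec,
         "name": pseudonymise_name(rec["name"], key),
         "ssn": pseudonymise_ssn(rec["ssn"], key)}
        for rec in records
    ]


# Constructed sample records (not real people); in practice the key comes
# from a secrets store and never ships with the research copy.
KEY = b"constructed-demo-key-rotate-me"
SAMPLE = [
    {"name": "A. Example", "ssn": "123-45-6789", "unit": "1st Bn"},
    {"name": "B. Example", "ssn": "987-65-4321", "unit": "2nd Bn"},
    {"name": "A. Example", "ssn": "123-45-6789", "unit": "1st Bn"},  # repeat
]

if __name__ == "__main__":
    for row in pseudonymise_records(SAMPLE, KEY):
        print(row)
```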

MISCELLANEOUS
 --Black Hat Participant Denied Entry to US
(July 29 & 30, 2007)
Security researcher and reverse engineering specialist Thomas Dullien
was prevented from entering the US after more than four hours of
questioning by immigration officials. Dullien was headed to the Black
Hat Security briefings in Las Vegas where he was to teach a class.
Officials decided to question him after finding course materials in his
luggage. He was ultimately refused entry because of a visa problem.
The immigration officials determined that because he was being paid
directly by Black Hat, he was essentially an employee and thus required
a different type of visa from the one he held. Because of the incident,
Dullien is no longer eligible for the US visa waiver program, even if
he wants to visit on vacation. The visa waiver program allows citizens
of 27 countries to enter the US without a visa for a stay of 90 days or
less for business or leisure.
http://www.theregister.co.uk/2007/07/30/black_hat_visa_refusal/print.html
http://www.vnunet.com/vnunet/news/2195242/block-entry-blackhat-teacher
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9028378&intsrc=news_ts_head
http://www.securityfocus.com/brief/557

 --Ohio Intern Says He Is a Scapegoat
(July 25, 2007)
The intern in the Ohio database backup tape theft has issued a statement
in which he refers to himself as a "scapegoat." Jared Ilovar maintains
he was merely following instructions to "bring these back tomorrow" when
he took the data tapes home and that he was never instructed how to
handle or store them. Ilovar also says he was following instructions
from his employer when he did not tell the police the tapes contained
sensitive data. Ilovar says he will ask for written instructions in the
future.
http://www.dispatch.com/dispatch/content/local_news/stories/2007/07/25/ilovar_email.html

LIST OF UPCOMING FREE SANS WEBCASTS

Wed. 8/1/07 - Host Based Intrusion Prevention (HIPS), what does it do for me?
http://www.sans.org/info/12171
Sponsored By: CA

Thursday, 8/2/07 - What's New with the OWASP Top 10
http://www.sans.org/info/12176
Sponsored By: SANS

Wednesday, 8/8/07 - Internet Storm Center: Threat Update
http://www.sans.org/info/12181

Thursday, 8/9/07 - The Service/Help/Support Desk Implications of Migrating
to 802.1x Standards
http://www.sans.org/info/12186
Sponsored By: AirWave

Wednesday, 8/22/07 - Encryption Face-Off: Software Encryption vs. DriveTrust Technology
http://www.sans.org/info/12191
Sponsored By: Seagate

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and
Deployment Issues
http://www.sans.org/info/12196
Sponsored By: Seagate

Be sure to check the following Archived SANS Webcasts:

Tuesday, 7/31/07 Archived Webcast Promos:

July 24, 2007 - Validating the Vault: Penetration Testing for Financial Institutions
http://www.sans.org/info/12201
Sponsored By: Core Security Technologies

July 19, 2007 - Next-Gen Log Monitoring: Who's Minding the Applications?
http://www.sans.org/info/12206
Sponsored By: ArcSight, Inc.

July 18, 2007 - Making Your Web Applications PCI Compliant
http://www.sans.org/info/12211
Sponsored By: SPI Dynamics

---end---

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription, (and
for free posters) or to update a current subscription, visit
http://portal.sans.org/
