SANS NewsBites Vol. 9 Num. 91

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Nov 16 2007 - 13:38:00 CST


*************************************************************************
SANS NewsBites November 16, 2007 Vol. 9, Num. 91
*************************************************************************
TOP OF THE NEWS
  Yahoo Settles Lawsuit Brought by Jailed Dissidents' Families
  Council Enumerates Minimum Security Skills for Java Programmers
  UK Info Commissioner Pushes for Harsher Data Mismanagement Penalties
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Dutch Teen Arrested for Alleged Virtual Furniture Theft
    Ex-CIA Agent Pleads Guilty to Conspiracy to Defraud Government
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Nevada Steps Up State Payroll Data Security
    Visa Applicant Data Exposure Violated UK Data Protection Act
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Baseball and Hockey Sites Serving Malware
    Apple Releases Big Security Update for Mac
    Australian Bank to Give Out Free Anti-Virus Software
    Microsoft Patches DNS Spoofing URI Flaws
  STATISTICS, STUDIES & SURVEYS
    Data Rights Awareness on the Rise in UK
  MISCELLANEOUS
    Ulster Bank Gives Card Readers to Online Customers
LIST OF UPCOMING FREE SANS WEBCASTS

********************* Sponsored By Sunbelt Software ********************

Email Security for Exchange in HALF the Admin Time!
Osterman Research surveyed enterprises that use five of the leading
email security tools. Read this white paper to learn what email security
tool takes 50% less time to manage and has a lower cost per user.
http://www.sans.org/info/19431

*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development,
Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS'
other top-rated courses?
- Washington DC (12/13-12/18): http://www.sans.org/cdi07
- New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- London (11/26 - 12/1): http://www.sans.org/london07/
- and in 100 other cities and online anytime: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Yahoo Settles Lawsuit Brought by Jailed Dissidents' Families
(November 13 & 14, 2007)
Yahoo has settled a lawsuit brought on behalf of the families of two
Chinese dissidents who were identified and sent to prison by Chinese
authorities based on information provided by Yahoo. While Yahoo
maintains it had to surrender the information to comply with local laws
in China, chief executive Jerry Wang said the company agreed to the
settlement "to make this right for [the dissidents], for Yahoo and for
the future." Details of the out of court settlement have not been
released, but Yahoo will pay the legal costs of the suit and establish
a fund to help other political dissidents. Last week, Yahoo executives
were taken to task by a US House panel for omitting details when
questioned about the situation at an earlier date.
http://news.bbc.co.uk/2/hi/business/7093564.stm
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/13/AR2007111300885_pf.html
http://technology.timesonline.co.uk/tol/news/tech_and_web/article2868689.ece
http://www.smh.com.au/news/Technology/Yahoo-settles-lawsuit-by-jailed-journalists-over-decision-to-giveinfo-to-Chinese-government/2007/11/14/1194766724468.html

 --Council Enumerates Minimum Security Skills for Java Programmers
(November 15, 2007)
The Secure Programming Council, a group of security managers brought
together by the SANS Institute, has released a document titled
"Essential Skills for Secure Programmers using Java/J2EE," enumerating
the most important skills and knowledge for Java developers to have when
writing applications. The list includes detailed elements in several
categories: input handling, authentication and session management,
access control, error and exception handling, and encryption services.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9047098
http://www.gcn.com/online/vol1_no1/45421-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Paller): Online examinations that allow programmers to
demonstrate how well they have mastered the Council-defined essential
skills and knowledge will be deployed in a pilot project involving
approximately 20 large organizations over the next three months. The
tests will be used to identify gaps in programmer skills and knowledge
and to assess how well the exams can be deployed both in house and for
outsourced programmers in India and China and the US. Comprehensive,
paper-based examinations will be held in London and Washington during
early December and in 17 other cities in early 2008. More information at
www.sans.org/gssp.]

 --UK Info Commissioner Pushes for Harsher Data Mismanagement Penalties
(November 15, 2007)
UK Information Commissioner Richard Thomas wants people to be criminally
liable for losing data storage devices that contain personal information
of others. Thomas is pushing for fines of up to GBP 5,000 (US$10,221)
in a magistrates' court, with an unlimited cap if a case goes to the
crown court for people convicted of breaching the Data Protection Act.
Thomas would also like the power to conduct unannounced "spot checks on
companies to ensure their compliance with data protection legislation."
http://www.pcpro.co.uk/news/139302/doctors-may-be-liable-for-stolen-laptops.html
http://www.computerweekly.com/Articles/2007/11/15/228104/information-commissioners-office-asks-uk-to-criminalise-severe-data.htm

************************* Sponsored Links: ***************************
1) Complimentary Aberdeen research report that addresses the challenges
of deploying encryption and key management.
http://www.sans.org/info/19436

2) Link here to complete the SANS Database Security Compliance Survey
and register to win a $250 AMEX Gift card.
http://www.sans.org/info/19441

3) Over 450 security professionals participated in the 2007 Web Security
Leadership Survey. Get the results at
http://www.sans.org/info/19446

*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Dutch Teen Arrested for Alleged Virtual Furniture Theft
(November 14, 2007)
Police have arrested a teenager in Holland for allegedly stealing 4,000
Euros (US $5,847) worth of virtual furniture from the Habbo Hotel, a
popular social networking website. Users paid real money for credits
to purchase the virtual goods; the teen allegedly tricked other users
into revealing their account login credentials, and then used them to
access their accounts and move the furniture into his own virtual room
in Habbo Hotel. Five other juveniles have also been questioned in
connection with the case.
http://news.bbc.co.uk/2/hi/technology/7094764.stm
[Editor's Note (Pescatore): Calling this "virtual furniture theft" makes
for a good headline, but it is really just another example of a targeted
phishing attack. These are happening all the time, as salesforce.com and
its customers recently experienced.
(Northcutt): This gets my vote for funniest story of the year. Not that
a juvenile stealing is in any way funny, but the thought of $5,847 worth
of virtual furniture is cracking me up. You can get the air spa
massaging LaZBoy with power recliner for less than that! You can keep
your virtual furniture, just do me a favor and get me a beer and put on
a movie! ]

 --Ex-CIA Agent Pleads Guilty to Conspiracy to Defraud Government
(November 13, 2007)
Nada Nadim Prouty this week pleaded guilty in US District Court to
conspiracy to defraud the US government. Prouty obtained US citizenship
fraudulently and accessed a US government computer system without
authorization. Prouty is originally from Lebanon. After her one-year,
non-immigrant student visa expired in 1990, Prouty offered to pay an
unemployed American citizen to marry her; the marriage was in name only
as the two never lived together. Prouty was hired as an FBI special
agent in 1999; she used that position to access the FBI's Automated Case
System without authorization and search for information about herself
and family members as well as information about a national security
investigation into Hezbollah. Prouty joined the CIA in 2003 and was
assigned to a post in Baghdad. The charges against her carry maximum
prison sentences of between one and 10 years, as well as fines of
between US $100,000 and US $250,000.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9046802
http://www.msnbc.msn.com/id/21796035/
(Please note this site requires free registration)
http://www.nytimes.com/2007/11/14/washington/14spy.html?_r=1&oref=slogin&pagewanted=print

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Nevada Steps Up State Payroll Data Security
(November 10 & 14, 2007)
After learning that more than 470 CDs holding Nevada state payroll data
have been lost over a three-year period, the state is instituting new
procedures to guard against more data being lost. The Nevada personnel
department sent CDs to 80 state agencies every two weeks for the past
three years. There was no system in place to track the disks. Now,
"disks must be signed for and returned to the personnel department after
each pay period," the data on the CDs will be password-protected and
state employees will no longer be identified by their Social Security
numbers (SSNs). The problem came to light when former Nevada Department
of Information Technology security manager Jim Elste tried to get the
state to tell employees about the breach. He lost his job as a result
of his efforts. Elste maintains he is protected under whistleblower
statutes and is appealing his dismissal.
http://www.gcn.com/online/vol1_no1/45412-1.html?topic=security&CMP=OTC-RSS
http://www.nevadaappeal.com/article/20071110/NEWS/111100113/-1/NEWS
[Editor's Note (Northcutt): Nevada may have just picked a fight with the
wrong guy. Elste was listed as a mover and shaker with CSO Magazine, has
a degree from Norwich, holds a CISA and a CISM, he may just go down
swinging:
http://www.csoonline.com/movers/101606_4298.html
http://www.linkedin.com/pub/1/a0b/159
(Honan): Effective security programmes include training staff to alert
appropriate management when they see something that could result in a
potential breach. Shooting the messenger by firing staff members who
report issues does not address the security problem and only undermines
the effectiveness of the overall security programme.]

 --Visa Applicant Data Exposure Violated UK Data Protection Act
(November 13, 2007)
A UK Information Commissioner's Office investigation revealed that
people visiting the UK's visa website could view personal details of
people applying online for visas for entry into the UK. As a result,
the Foreign and Commonwealth Office was found to be in violation of the
Data Protection Act. The Foreign Office says it will close the website
and create another, presumably more secure website. The Foreign and
Commonwealth Office has signed a document saying it will comply with the
Data Protection Act.
http://www.theregister.co.uk/2007/11/13/foreign_office_data_security/print.html
http://www.zdnet.co.uk/misc/print/0,1000000169,39290807-39001093c,00.htm
http://www.computerweekly.com/Articles/2007/11/13/228058/fco-breached-data-privacy-of-50000-visa-applicants.htm
[Editor's Note (Honan): The breach was first reported in May of this
year:
http://news.scotsman.com/uk.cfm?id=772752007
The management and running of the actual site in question was
outsourced by the UK Home Office to a company called VFS Global, a
company that also provides visa processing services for the United
States, Australia, Italy, France, Canada, Germany, Belgium, The
Netherlands, Sweden, Thailand and Ireland. Under European Data
Protection Legislation organisations are obliged to ensure the security
of personal data even when processing is outsourced to a third party.
With this in mind you should include in your outsourcing contract
clauses to allow you to verify the security of the outsourced data.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Baseball and Hockey Sites Serving Malware
(November 15, 2007)
The Major League Baseball and National Hockey League websites are the
latest high-profile sites to fall prey to malware purveyors. Both
websites have been infected with a program that tries to get visitors
to download malware onto their own machines. The lure appears as a
pop-up advertisement that urges them to scan their computers for
viruses. The exploit does not occur every time someone visits a
website, making the attack more difficult to detect and identify.
http://www.pcworld.com/article/id,139669-c,browsersecurity/article.html

 --Apple Releases Big Security Update for Mac
(November 14 & 15, 2007)
On Wednesday, November 14, Apple Computer released a security update to
fix 41 vulnerabilities in Mac OS X, as well as flaws in other
applications. Fifteen of the 41 fixes to OS X could allow arbitrary
code execution. The other flaws could be exploited to crash the system
and applications, poison the DNS cache, let websites download malware
surreptitiously or allow attackers access to data on computer hard
drives.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9047018
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034417-39000005c
[Editor's Note (Pescatore): On Nov 15th, Apple issued a number of
patches to Leopard just 3 weeks after it was released. Whenever you see
serious flaws patched that soon after release it is an indicator that
marketing, not QA or engineering, drove the release date of a software
product - not the way to go.]

 --Australian Bank to Give Out Free Anti-Virus Software
(November 14, 2007)
Australia's Commonwealth Bank is giving some of its customers
security software, but denies suggestions that the move indicates a
change in policy to resemble New Zealand's proposed rules that would
place online banking security liability in the hands of the customers.
The bank is targeting the software giveaway at the 20 percent of two
million "regularly active" customers who do not have anti-virus software
on their computers. The first 25,000 copies of the security software
will be given away at no charge; after that, customers can obtain it
from the bank for half price. In a separate story, a password-stealing
Trojan horse program has been detected that targets Commonwealth Bank
customers; ironically, the software the bank is providing did not detect
the malware. The Trojan was traced to a server in Hong Kong, which has
been taken down. The Trojan also targeted banks in Spain, Germany,
Portugal, Greece, and Italy.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283812-130061744t-110000005c
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283820-130061744t-110000005c
[Editor's Note (Pescatore): As this item points out, desktop AV software
mostly only works as a removal tool - the malware gets on because there
are no signatures for most targeted attacks and *may* get removed
sometime later if a signature does come out. That's why most of the full
endpoint protection products now include more than just signature-based
defenses, but those aren't the versions being given out for free.
(Schultz): The problem of security software, anti-virus software in
particular, not being able to detect Trojan programs is growing to the
point that it is now a major concern. The best way to detect Trojan
programs remains running integrity checking programs such as tripwire.
(Paller): Managing a tripwire implementation is beyond the capability
of most users. Until file integrity is transparently built into
operating systems, user acceptance of this technology will be
miniscule.]

 --Microsoft Patches DNS Spoofing URI Flaws
(November 14, 2007)
Microsoft's patch Tuesday security release for November comprises a
critical security bulletin to address a URI handling vulnerability in
Windows and an important bulletin to address a flaw in Windows that
could allow Domain Name System (DNS) spoofing. Some were expecting that
the release would include a fix for a vulnerability in Macrovision
SafeDisk copy protection software that comes bundled with Windows XP and
2003. Macrovision has released its own update for the problem.
http://www.theregister.co.uk/2007/11/14/windows_novemeber_patch_update/print.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034383-39000005c
https://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
http://isc.sans.org/diary.html?storyid=3642

STATISTICS, STUDIES & SURVEYS
 --Data Rights Awareness on the Rise in UK
(November 15, 2007)
Research from the UK's Information Commissioner's office shows that
people are significantly more aware of their rights under the Data
Protection Act (DPA) than they were three years ago. Ninety percent of
people know they have the right to view information an organization
keeps about them, and 87 percent are aware they have the right to
correct information about them that is inaccurate. Three years ago, 74
percent of people knew they had the right to view their information and
roughly 79 percent were aware they had the right to amend inaccurate
data.
http://www.kablenet.com/kd.nsf/FrontpageRSS/AABB89D0485AE02A80257393006012BA!OpenDocument

MISCELLANEOUS
 --Ulster Bank Gives Card Readers to Online Customers
(November 14, 2007)
Ulster Bank has started providing card readers to its online customers
at no charge to enhance the security of their banking transactions. In
what amounts to three-factor authentication, thieves would need to have
the card reader and the ATM or debit card, and would also have to know
the card's PIN. The system works by having a user put the card through the
reader and enter the PIN; a challenge code appears on the computer
screen. When this code is typed into the card reader, it generates a
response code that is ultimately used to authenticate the online
transaction.
http://www.siliconrepublic.com/news/news.nv?storyid=single9630
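As an added illustration of the exchange described above (not code from the article or from the bank), the model below plays out the flow in Python: the bank shows a challenge, the card checks the PIN and signs the challenge, and the bank verifies the typed-in response. The response function (HMAC-SHA256 over the challenge, reduced to eight digits), the symmetric per-card secret shared with the bank, and the three-try PIN lockout are assumptions of this model, not the bank's actual scheme.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values for the model; not real card data.
CARD_NUMBER = "4000000000000001"
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4821"


def derive_response(secret: bytes, challenge: str) -> str:
    """Assumed response function: HMAC-SHA256 of the challenge, reduced to 8 digits."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip on the ATM/debit card: its secret and PIN never leave it."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._pin_tries_left = 3  # assumed: card locks after three wrong PINs

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        """What the reader asks the chip to do: check the PIN, then sign the challenge."""
        if self._pin_tries_left == 0:
            return None  # card locked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._pin_tries_left -= 1
            return None  # wrong PIN: the reader shows no response code
        self._pin_tries_left = 3
        return derive_response(self._secret, challenge)


class BankServer:
    """Bank side: issues one-time challenges and checks the response typed back in."""

    def __init__(self) -> None:
        self._card_secrets: Dict[str, bytes] = {}  # assumed symmetric secret per card
        self._pending: Dict[str, str] = {}         # outstanding challenge per card

    def enrol(self, card_number: str, secret: bytes) -> None:
        self._card_secrets[card_number] = secret

    def new_challenge(self, card_number: str) -> str:
        """The code shown on screen; a fresh one replaces any outstanding one."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        while challenge == self._pending.get(card_number):
            challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[card_number] = challenge
        return challenge

    def verify(self, card_number: str, response: str) -> bool:
        """Consume the challenge, so a captured response cannot be replayed later."""
        challenge = self._pending.pop(card_number, None)
        if challenge is None or card_number not in self._card_secrets:
            return False
        expected = derive_response(self._card_secrets[card_number], challenge)
        return hmac.compare_digest(expected, response)


def login(server: BankServer, card: Card, card_number: str, pin: str) -> bool:
    """Full exchange: challenge on screen -> card + PIN in reader -> response typed back."""
    challenge = server.new_challenge(card_number)
    response = card.respond(pin, challenge)
    return response is not None and server.verify(card_number, response)


if __name__ == "__main__":
    bank = BankServer()
    bank.enrol(CARD_NUMBER, CARD_SECRET)
    my_card = Card(CARD_SECRET, CARD_PIN)
    print("correct PIN:", login(bank, my_card, CARD_NUMBER, CARD_PIN))  # True
    print("wrong PIN:  ", login(bank, my_card, CARD_NUMBER, "0000"))    # False
```

Because the response is bound to the one-time challenge, a code captured from a user's screen is useless once the bank has consumed that challenge or issued a new one.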

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
http://www.sans.org/info/19131
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and
how much data should it store for post-mortem analysis? Join this
Webcast to hear senior SANS Analyst Jerry Shenk go over his test results
on the NetDetector/NetVCR 2005 and features such as full packet
inspection and the ability to call up and review raw data in its native
format.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007
FEATURED SPEAKER: Johannes Ullrich
https://www.sans.org/webcasts/show.php?webcastid=90831

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Eric Cole
http://www.sans.org/info/19176
Sponsored By: Core Security

Please join Dr. Eric Cole, SANS fellow and senior scientist with
Lockheed Martin Information Technology, for a free webcast: "Pinpointing
and Proving Web Application Vulnerabilities"

Dr. Cole will present new penetration testing technology that lets you
see your web applications from an attacker's perspective.

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
