From: The SANS Institute (NewsBites sans.org)
Date: Fri Feb 01 2008 - 14:56:05 CST
If we as a community are ever going to improve software security,
programmers are the key. They write the code; they will take the lead.
More than 100 programmers have now taken the new secure coding skills
exams (GSSP) and more than 70% passed. Here's my favorite response from
one of the test takers (who passed):
"This exam helped me to enhance my Java coding skills. Now to code
a line for my project, I am considering the security leaks and doing
the coding to avoid possible leaks. (After passing it) my manager
asked me to give a class for other programmers."
Government CIOs and large financial organization CIOs have begun telling
their contractors and outsourcers that by the end of 2008, their
programmers will need to have demonstrated mastery of the Essential
Skills for Secure Programming. Your programmers can demonstrate mastery
by taking the test (and providing feedback to help make it better) in
five cities in the next 120 days (Phoenix; Washington, DC; Orlando; Las
Vegas; and San Diego). See www.sans.org/gssp for the schedule and the
test blueprints.
Alan
*************************************************************************
SANS NewsBites February 2, 2008 Vol. 10, Num. 9
*************************************************************************
TOP OF THE NEWS
Severed Cables Disrupt Service in Mediterranean and Asia
EU Court: ISPs Don't Have to Surrender Customer ID in Civil Cases
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
FTC Asks Court to Hold Alleged MySpace Hijackers in Contempt
DOD Pay System Fraudsters Sentenced
Acquittal for S5 Wireless Founder
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
U2 Manager Calls for ISPs to Help Fight Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
ActiveX Control Flaws Affect MySpace and Facebook Users
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Employee Literally Pulls Plug on Attempted Cyber Theft
Stolen Laptop Holds Info on 300,000 NJ HMO Members
More Stolen Laptops Hold Medical Data
Stolen Hard Drive Holds Georgetown Univ. Data
MISCELLANEOUS
Sarkozy Reportedly Angry He Wasn't Told About SocGen Situation Immediately
LIST OF UPCOMING FREE SANS WEBCASTS
*************************** Sponsored By SANS ***************************
Fulfill a New Year's Resolution: learn how to better protect your
organization's assets while becoming a more valuable employee. Join us
for technical computer and network security training at SANS Phoenix
2008, Feb 11-16. Experience the Sonoran Desert with its warm weather
and spectacular sunsets while you meet your training goals early in
2008!
http://www.sans.org/info/23409
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- Las Vegas (3/17 - 3/18) Penetration Testing Summit
(an ultra cool program): http://www.sans.org/pentesting08_summit
- San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- Phoenix (2/11 - 2/18): http://www.sans.org/phoenix08/event.php
- Prague (2/18 - 2/23): http://www.sans.org/prague08
- SANS 2008 (4/18 - 4/25) in Orlando, SANS' biggest program, with myriad
bonus sessions: http://www.sans.org/sans2008
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Severed Cables Disrupt Service in Mediterranean and Asia
(January 31, 2008)
Two undersea communications cables in the Mediterranean - one near
Marseilles, France and the other near Alexandria, Egypt - were
accidentally cut on Tuesday, January 29. Different groups operated the
two cables, but the damage to both occurred within a matter of hours.
Undersea cables can be damaged by movement along fault lines or by
ships' anchors. Internet access was disrupted in most of Egypt and in
India, and some Verizon customers experienced slow service. Most
communications were rerouted through other cables.
http://www.nytimes.com/2008/01/31/business/worldbusiness/31cable.html?ei=5088&en=95a9e51bf6c
http://news.bbc.co.uk/2/hi/technology/7218008.stm
http://news.smh.com.au/damaged-cables-cut-internet-in-mideast/20080131-1p5a.html
[Editor's Note (Schultz): Although it appears that this incident was
completely accidental, it is hugely significant in that it provides a
glimpse of what might happen when a massive denial of service attack
designed to bring the entire Internet down occurs, something that I have
predicted will happen this year. (Honan): If your company outsources
services to countries overseas have you reviewed your business
continuity plans lately to determine how an outage like this would
impact on your business and what to do in the event that it does?]
--EU Court: ISPs Don't Have to Surrender Customer ID in Civil Cases
(January 29, 2008)
The European Court of Justice has ruled that Internet service providers
(ISPs) do not have to disclose the identities of their customers who
download copyrighted files in civil cases. ISPs could be required to
disclose names in criminal cases. The ruling came in response to a
complaint from Spanish record trade industry association Promusicae
against Spanish ISP Telefonica to obtain the identities of its customers
who traded files on KaZaA.
http://euobserver.com/9/25559
http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2008-01-29
************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/23414
2) Learn about testing network security and encryption technology.
Complimentary Tested with Spirent Security Testing Seminar.
http://www.sans.org/info/23419
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--FTC Asks Court to Hold Alleged MySpace Hijackers in Contempt
(January 31, 2008)
The Federal Trade Commission (FTC) has asked a US district court to hold
alleged MySpace hijackers in contempt for violating an earlier FTC order
that bars them from unfair and deceptive practices. Walter Rines,
Sanford Wallace and Rines's company Online Turbo Merchant allegedly used
a variety of techniques to redirect MySpace users to other websites
where they were inundated with ads, earning the accused commissions.
Rines, who previously ran a company called Odysseus Marketing, was
accused in October 2005 of offering users free software that came
bundled with spyware that bombarded users with pop-ups, replaced
legitimate search results with results that benefited the company, and
stole information from users. In October 2006, the FTC obtained a
permanent injunction that barred the defendants from redirecting users'
computers, changing their browser default home pages and from altering
functions of other applications.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060482&source=rss_topic17
http://www.ftc.gov/opa/2008/01/contempt.shtm
--DOD Pay System Fraudsters Sentenced
(January 28, 2008)
Two people have been sentenced for their roles in a scheme that
defrauded the US government of approximately US $700,000 through a
pay-processing computer system. Lilia Delgadillo and Saul Granados were
civilian employees at the US Department of Defense (DOD) when they
submitted phony pay adjustments into the system, causing wire transfers
to be made into a bank account in Delgadillo's name. Delgadillo was
sentenced to 33 months in prison followed by probation, as well as 100
hours of community service. Granados was sentenced to three years of
probation and 150 hours of community service.
http://elpaso.fbi.gov/dojpressrel/pressrel08/govtfraud012808.htm
--Acquittal for S5 Wireless Founder
(January 24, 2008)
William "Kurt" Dobson has been acquitted of all charges in a case
involving alleged unauthorized email access. Dobson and two partners
founded a company called S5 Wireless in 2003, but Dobson resigned from
the company in late 2004 due to business disagreements with his
co-founders. He faced allegations that after he left, he accessed a
company computer that hosted its email, set up a new mailbox and
instructed the server to send it copies of all messages sent to the
mailboxes of the two executives remaining at S5. Dobson's attorney
maintained that he was acting within his authority and that his
interests were "of a fiduciary nature, not for commercial advantage, or
any unlawful purpose."
http://www.sltrib.com/ci_8066377
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--U2 Manager Calls for ISPs to Help Fight Piracy
(January 30, 2008)
The manager of Irish rock band U2 says that Internet Service Providers
(ISPs) should cut off service to users who are downloading files
illegally and that governments should make sure that they do. Paul
McGuinness called on ISPs to "take responsibility for protecting the
music they are distributing, and ..., by commercial agreements, sharing
their enormous revenues with the content makers and owners."
http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10489563
http://www.smh.com.au/news/web/isps-have-snouts-in-the-the-trough/2008/01/30/1201369193338.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--ActiveX Control Flaws Affect MySpace and Facebook Users
(January 31, 2008)
Vulnerabilities in two ActiveX controls that Facebook and MySpace
members use to upload images to their pages could be exploited to crash
Internet Explorer (IE) and possibly allow remote code execution, which
could in turn allow attackers to take control of the machine on which
IE runs or steal data. The ActiveX controls in question are based on a
commercial control known as Image Uploader.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060483&source=rss_topic17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Employee Literally Pulls Plug on Attempted Cyber Theft
(January 31, 2008)
A scheme to steal money from a bank using remote access equipment was
foiled when an attentive bank employee realized something was amiss with
his computer and unplugged it. The thieves were attempting to transfer
a large sum of money from the bank into an account that they would later
presumably empty. Swedish police arrested seven people earlier this
week in connection with the incident, which occurred last August.
http://www.theregister.co.uk/2008/01/31/remote_access_bank_robbery_unplugged/print.html
http://news.smh.com.au/swedish-bank-stops-digital-theft/20080131-1p53.html
http://www.citynews.ca/news/news_19122.aspx
[Editor's Note (Ullrich): It's nice to see someone paying attention!
However, before you start unplugging your systems, consider removing the
network cable instead. In some cases, memory forensics can be important.
I know some malware researchers who snapped off the little tap on their
network cable to make them easier to pull, after accidentally setting
off malware (not that I recommend doing so on production systems).
(Ullrich): Kudos to the employee for spotting this attack and reacting
to it. Two takeaways from this story: does your security awareness
program educate users on what they should do if they see suspicious
activity on their system? How stringent are your background checks on
the employees, contractors, cleaners and other people who have physical
access to sensitive systems?]
--Stolen Laptop Holds Info on 300,000 NJ HMO Members
(January 30 & 31, 2008)
A stolen laptop computer contains personally identifiable information
of approximately 300,000 members of New Jersey-based Horizon Blue
Cross/Blue Shield health insurance. The compromised data include names
and Social Security numbers (SSNs), but not medical information. The
laptop was not encrypted, but a security feature on the computer was
programmed to delete the data on January 23. The computer was stolen
from an employee on January 5. That employee was authorized to have the
data on the computer, but taking it off premises without taking proper
security precautions was a violation of company policy.
http://www.njherald.com/345987573807788.php
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060299&source=rss_topic17
http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-9/1201671434279680.xml&coll=1
--More Stolen Laptops Hold Medical Data
(January 29 & 30, 2008)
A laptop computer stolen from the Wake County (North Carolina) Emergency
Medical Services holds personally identifiable information of
approximately 850 patients served by ambulances in the county. The
data, which include names, addresses, and SSNs, were not encrypted. In
a separate story, a computer stolen from the Royal Bolton Hospital in
Lancashire, UK holds personally identifiable information of
approximately 200 cancer patients, including names, addresses,
diagnoses, and treatment. Affected patients have been notified of the
theft, which occurred in October.
http://www.firefightingnews.com/article-US.cfm?articleID=44430
http://www.theboltonnews.co.uk/misc/print.php?artid=2003952
--Stolen Hard Drive Holds Georgetown Univ. Data
(January 29, 2008)
An external hard drive stolen from the office of Student Affairs at
Georgetown University contains personally identifiable information of
approximately 40,000 of the school's students, alumni, faculty, and
staff. The theft occurred on January 3. The drive was not encrypted.
The theft affects students who were enrolled at the school between 1998
and 2006.
http://www.thehoya.com/node/15151
MISCELLANEOUS
--Sarkozy Reportedly Angry He Wasn't Told About SocGen Situation Immediately
(January 26, 28, & 29, 2008)
French president Nicolas Sarkozy was apparently not told about the
massive losses incurred by Société Générale (SocGen) for three days after
the fraud was uncovered. SocGen futures trader Jerome Kerviel allegedly
made fraudulent trades that lost the bank more than 5 billion Euros (US
$7.4 billion). There is mounting evidence that SocGen had been warned
several times in the last few months about unauthorized transactions.
Comments from Sarkozy's advisors indicate that there is a healthy amount
of skepticism that one person alone was responsible for the fiasco, and
that other high-ranking officials may lose their jobs. Kerviel has
gained a cult following of sorts.
http://timescorrespondents.typepad.com/charles_bremner/2008/01/post-6.html
http://www.businessweek.com/globalbiz/content/jan2008/gb20080128_400149.htm?campaign_id=rss_daily
[Editor's Note (Schultz): What is also so troubling about the Société
Générale fraud incident is that security for large financial transactions
depended upon passwords. The perpetrator (allegedly Kerviel) was able
to bypass the "two-man rule" for approval of these transactions by
obtaining passwords of accounts belonging to colleagues who had
transaction approval authority.]
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies
How many organizations really understand their data privacy rules well
enough to know where and how to protect their regulated data with proper
audit?
What are their perceptions of data privacy regulations, and how are they
integrating compliance into their data management practices, starting
at the database?
These and other questions will be answered when, on Feb. 5, SANS analyst
Barbara Filkins uncovers the findings in the SANS Database Auditing and
Compliance Survey. Conducted over three months, 348 respondents answered
a variety of questions ranging from their perceptions of compliance
issues to security frameworks and roles and responsibilities for data
privacy protection inside their organizations.
We will also be announcing the $250 American Express card winner from
among nearly 200 respondents who signed up for our drawing.
SANS Special Webcast: A Brief History of Hacking with Dave Shackleford
WHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
https://www.sans.org/webcasts/show.php?webcastid=91521
Sponsored By: Core Security
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD
have in common?
Answer: They were all milestones in the evolution of hacking and
information security.
Please join Dave Shackleford, CTO at the Center for Internet Security
and SANS certified instructor, for a look at the evolution of hacking
and hackers. You'll hear Dave's take on lessons learned from hacking
milestones, including:
- The early days of phone phreaks and bulletin boards
- The growth of hacker gangs and 2600: The Hacker Quarterly
- The 75-cent accounting error that led to an international crime
investigation
- Bill Cheswick's evening with "Berferd"
- The first malware and Trojan horse programs
At the same time, Dave will give his predictions for the coming year of
hacking - and discuss which hacker movies are most realistic (if any)!
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention:
Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
http://www.sans.org/info/22559
Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted
GraceKennedy's security team to seek an intrusion detection system. They
found a solution that met all their needs and offered great tech
support, as well as a component that could establish a network activity
baseline and another that included a top vulnerability scanner for the
same price as other solutions they tried. GraceKennedy is one of the
Caribbean's largest and most dynamic corporate entities. The company
started in Jamaica in 1922 as a small trading establishment and wharf
founder. It has expanded and diversified over the years, changing from
a privately-owned enterprise to a public company listed on the stock
exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean.
Today, the GraceKennedy Group comprises a varied network of some 60
subsidiaries and associated companies located across the Caribbean, in
North and Central America and the United Kingdom. The group's operations
span the food distribution, financial services, insurance, remittance,
hardware retailing and food-processing industries.
********************************************************************
Be sure to check out the following FREE SANS archived webcasts:
WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at
Harris Corporation
WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Ronda Henning
http://www.sans.org/info/21659
Sponsored By: Secure Computing
The company that handles information security for major broadcast
networks and such government agencies as the FAA, needed a very robust,
very secure and very flexible firewall platform that could be tailored
and customized to address both new and ancient legacy protocols and
applications. Denial of service was a significant concern for Harris
Corp. clients so the company turned to a solution that provided a highly
available and high performance firewall.
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and John Weinschenk
http://www.sans.org/info/20062
Sponsored By: Cenzic http://www.cenzic.com/
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
http://www.sans.org/info/20057
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported
that 61% of all vulnerabilities disclosed in the first half of 2007 were
web application vulnerabilities. It's no wonder, since web apps are
often highly customized and can be rife with potential security holes.
Fortunately, recent advances in penetration testing products can help
you to pinpoint and prove web application security weaknesses - even in
customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN
NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
http://www.sans.org/info/20052
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and
how much data should it store for post-mortem analysis? Join this
Webcast to hear senior SANS Analyst Jerry Shenk go over his test results
on the NetDetector/NetVCR 2005 and features such as full packet
inspection and the ability to call up and review raw data in its native
format.
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/