From: The SANS Institute (NewsBites@sans.org)
Date: Tue Feb 12 2008 - 15:56:17 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Breaking news: As we go to press on Tuesday afternoon, Google,
Microsoft, IBM, Yahoo and VeriSign report that they have reached an
agreement to support the OpenID spec that allows individuals to create
one user name, password, and other credentials for logging onto multiple
Web sites that support the spec. Could be a nice step forward. More
data:
http://www.campustechnology.com/articles/58342
Alan
*************************************************************************
SANS NewsBites February 12, 2008 Vol. 10, Num. 12
*************************************************************************
TOP OF THE NEWS
Russian Computers Sending an Increasing Share of Spam
Adobe Reader Flaw Actively Exploited
Families Affected by HMRC Data Loss Seek Compensation
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Spanish Police Arrest 76 for Internet Fraud
Authors of Negative Postings May Remain Anonymous
Police Officer Charged with Computer Crime
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Unencrypted UK Army Laptop Left in Pub
Irish Government Called on to Improve its Data Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Issues Mac OS X Update
AV Site Infected with Malware
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
SQL Injection Attacks Expose MLSgear.com Customer Data
South Bend Hospital Employee Data on Missing Computer
MISCELLANEOUS
Two Sheriff's Office Employees Fired for Accessing Computer System "For Fun"
What's What in a Breach Notification Letter
Roman Aqueducts Redux
LIST OF UPCOMING FREE SANS WEBCASTS
*********** Sponsored By Credant Technologies ***********
WAIT 'TIL YOU HEAR WHAT'S NEW IN LAPTOP ENCRYPTION!
Outdated encryption methods, such as Full Disk (FDE), require unwelcome
compromises to existing IT operations and support processes, and can't
provide the level of data security now needed. A new, better encryption
technology is here! Reg. for live webcast and to win $500 gift card.
http://www.sans.org/info/23953
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- Prague (2/18-2/23): http://www.sans.org/prague08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Russian Computers Sending an Increasing Share of Spam
(February 11, 2008)
Experts at SophosLabs scanned all spam messages received in the
company's global network of spam traps, and found a dramatic rise in the
proportion of the world's spam messages being sent from compromised
Russian computers. Russia now accounts for one in twelve junk mails
seen in inboxes. Between October-December 2007, the USA relayed far more
spam than any other country, because so many US computers have been
taken over by remote hackers.
http://www.sophos.com/pressoffice/news/articles/2008/02/dirtydozfeb08.html
--Adobe Reader Flaw Actively Exploited
(February 10 & 11, 2008)
Attackers have been actively exploiting a recently patched JavaScript
vulnerability in Adobe Reader since January 20. Thousands of computers
are believed to have been infected as a result. Adobe released an
update last week to address a number of vulnerabilities, but did not
provide details about the flaws. The exploit spreads the Zonebac Trojan
horse program through a maliciously crafted PDF file traced to a server
in the Netherlands. Zonebac reportedly disables antivirus programs and
alters search results and banner ads. Users are urged to update their
versions of Acrobat Reader.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061938&source=rss_topic17
http://www.theregister.co.uk/2008/02/11/adobe_reader_exploit/print.html
http://www.vnunet.com/vnunet/news/2209318/attacks-target-pdf-flaw
[Editor's Note (Skoudis): Here's more proof that enterprises need
patching processes and systems that can quickly test and deploy patches
for third-party apps and not just for Microsoft products. While you are
deploying this Adobe Reader update, double check your Java Runtime
Environment, Quicktime, Flash, and other software patch levels. If you
are going to touch all of your machines, get all of this stuff up to
date, as exploits were released for all of them in the past several
months. Whenever we do a penetration test, we almost always get in with
a client-side exploit of such third-party software.]
--Families Affected by HMRC Data Loss Seek Compensation
(February 10, 2008)
Thousands of families whose personal information was on the HM Revenue
and Customs disks that were lost in the mail have signed up to file
claims against the UK government. The families have registered with a
company that maintains the government has breached the Data Protection
Act (DPA) and that those affected are entitled to compensation of
between GBP 50 and GBP 300 (US $98 and US $585). For the claims to move
forward, however, HMRC would have to be found guilty of having breached
the DPA. The results of an official inquiry into the data loss are
expected in June.
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=513344&in_page_id=1770
************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/23958
2) By converging networking and security, StillSecure provides
intelligent networks that are easy to manage and protect.
http://www.sans.org/info/23963
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Spanish Police Arrest 76 for Internet Fraud
(February 11, 2008)
Seventy-six people arrested by Spanish police are believed to have
stolen more than 3 million Euros in a variety of Internet fraud schemes.
Some of the suspects allegedly sold expensive merchandise on auction
sites but never sent the items. Other suspects allegedly used stolen
bank account information, probably stolen in a phishing scam, to siphon
money into their own accounts.
http://www.theregister.co.uk/2008/02/11/spanish_police_fraud_crackdown/print.html
[Guest Editor's Note (Raul Siles): The police operation has been called
Ulises and it involved actions in 14 different provinces plus Ceuta. The
stolen bank credentials were obtained from phishing scams, impersonating
banks and the national tax administration (equivalent to the IRS in the
US), and they also used fake auction sites. The amounts stolen range
from 400 to 10000 € per victim, for a total of more than 3 million
euros. The suspects are from Spain and 16 other nationalities,
and the victims are from all over the world. The attacks and frauds are
not new, but it is good to see effective police operations and the
criminals being arrested.]
--Authors of Negative Postings May Remain Anonymous
(February 11, 2008)
Ten people who posted "unquestionably offensive and demeaning" comments
on a Yahoo! message board about a company that conducts clinical trials
of drugs will not have to be identified, according to a California
Appeals court ruling. The plaintiff was initially granted the right to
have those posting the negative comments identified, but the new ruling
says the comments are protected under free speech laws.
http://www.vnunet.com/vnunet/news/2209305/court-rules-internet-trolls
http://blogs.wsj.com/biztech/2008/02/08/web-rage-protected-by-the-first-amendment/?mod=googlenews_wsj
--Police Officer Charged with Computer Crime
(February 6 & 7, 2008)
A 17-year veteran of the Hartford, Connecticut police force has been
arrested and charged with committing a computer crime in the third
degree, which is a Class D (violent) felony. Sgt. Reginald Allen
allegedly obtained information from the National Crime Information
Center and provided it to a friend, who used the information to harass
an ex-boyfriend's current girlfriend. The girlfriend alerted
authorities.
http://www.scmagazineus.com/Conn-police-sergeant-charged-with-computer-crime/PrintArticle/105085/
http://www.courant.com/news/local/hc-ctallenarrest0206.artfeb06,0,1692714.story
[Editor's Comment (Northcutt): How long have we been preaching that if
we create databases with information on citizens, access would be
abused? There are two similar stories in this NewsBites and the words
ringing in my head are that they did it "for fun". Take a few minutes
to read this analysis from the Cato Institute:
http://www.cato.org/pubs/pas/pa-295.html
Totally off topic, but I was looking at PaulDotCom's YouTube ad video
for his SANS course on hardware hacking, and it hit me: if you can
reprogram a wireless router, you can make it do just about anything
(duh). Obvious threats are eavesdropping and masquerading as a
trustworthy access point. However, you can do that without first
modifying an access point. If you think of some really nefarious cyber
ninja tricks that you could accomplish only by reprogramming a network
device to do your bidding, please drop me a note, stephen@sans.edu, I
am considering adding this to the threat section in my course.
http://www.youtube.com/watch?v=uYBUixjnpgo
http://www.sans.edu/resources/securitylab/81/
http://www.sans.org/training/description.php?mid=62 ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Unencrypted UK Army Laptop Left in Pub
(February 12, 2008)
A UK Army captain left a laptop computer containing sensitive
information in a pub. The unencrypted data include personal information
pertaining to more than 200 soldiers, military exercise information and
weapons store locations. Cabinet Secretary Sir Gus O'Donnell recently
ordered that laptops containing unencrypted data not be removed from
government offices. The laptop was handed in by the person who found
it in the pub.
http://www.thesun.co.uk/sol/homepage/news/article791210.ece
http://ukpress.google.com/article/ALeqM5jDHYTZhBTz0zO3rv0NuPIlkpol5A
--Irish Government Called on to Improve its Data Security
(February 8, 2008)
Ireland's Fine Gael party wants the country's government to implement
stronger security controls on its data management. In the last five
years, 80 government laptops, 19 Blackberrys and 10 USB memory devices
have been lost or stolen. In addition, four government websites have
recently been attacked. Officials maintain that no sensitive data were
compromised as a result of the missing devices.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=3958
http://www.independent.ie/national-news/fears-for-our-personal-data-as-80-government-laptops-missing-1284944.html?service=Print
[Editor's Note (Honan): Maybe Irish Government employees should be
directed to the recently launched and government sponsored security
awareness website, in particular the section on encryption -
http://www.makeitsecure.org/en/otherRisks_encryption.html. The fact
that these losses only came to light as a result of a parliamentary
question highlights the need for effective breach disclosure laws in
Ireland.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple Issues Mac OS X Update
(February 11, 2008)
Apple has released Security Update 2008-001 for Mac OS X to address 10
vulnerabilities in the operating system. The update covers both Tiger
and Leopard users; the flaws place unprotected systems at risk of code
execution, denial-of-service, and information disclosure. One of the
flaws fixed in the update is a stack buffer overflow that was disclosed
about a year ago during the Month of Apple Bugs project.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=3974
http://www.eweek.com/c/a/Security/Apple-Patch-Day-10-Holes-Covered-in-Tiger-Leopard/
http://www.news.com/8301-10789_3-9869589-57.html?part=rss&subj=news&tag=2547-1_3-0-20
http://docs.info.apple.com/article.html?artnum=307430
[Editor's Note (Skoudis): These are big downloads -- 180 Megs or 340
Megs depending on the kind of Mac you have. With that magnitude,
Apple's patches really do feel like you are downloading a whole new
operating system.]
--AV Site Infected with Malware
(February 10, 2008)
A web page on the website of Indian antivirus company AVSoft
Technologies was "seeded" with malware that exploits the iFrame
vulnerability to infect visitors' computers with the Virut virus. The
iFrame vulnerability is caused by an unchecked buffer in Internet
Explorer's processing of certain HTML elements such as FRAME and IFRAME.
The malware creates a backdoor on the machines it infects,
allowing attackers to download more malware onto the computers.
http://www.theregister.co.uk/2008/02/08/indian_av_site_compromise/print.html
[Editor's Note (Northcutt): What a bad day for them and to make things
worse, if you tried to get to their site 24 hours after the incident
from Google, you got the StopBadware.org intercept page from Google.
That can't be good for business.
http://isc.sans.org/diary.html?date=2004-11-20 ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--SQL Injection Attacks Expose MLSgear.com Customer Data
(February 8, 2008)
The names, addresses, credit card and debit card information of people
who made purchases through Major League Soccer's MLSgear.com website
were compromised last year. The data were exposed through SQL injection
attacks during the first eight months of 2007 on third-party servers
hosting the customer data. MLS has terminated its relationship with
that provider. A breach notification letter mentions that MLS has taken
steps to improve security, but did not clarify what those steps were.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=internet_business&articleId=9061858&taxonomyId=71&intsrc=kc_top
[Editor's Note (Honan): When you outsource services to a third party you
should ensure that you retain the right to audit and test the security
of the systems for the outsourced party.]
--South Bend Hospital Employee Data on Missing Computer
(February 7, 2008)
A laptop computer holding personally identifiable information of
approximately 4,300 current and former employees of Memorial Hospital
in South Bend, Indiana was lost last November. The data were on an
employee's computer that was lost while she was traveling; the computer
was not encrypted.
http://www.wsbt.com/news/local/15408791.html
MISCELLANEOUS
--Two Sheriff's Office Employees Fired for Accessing Computer System "For Fun"
(February 7, 2008)
Two Collier County (Florida) Sheriff's Office employees have been fired
for accessing the office's computer system and looking up information
about other deputies, an FBI agent, and family members. One of the fired
individuals said they did the searches "for fun." Both fired employees
worked in the Fingerprinting Department. The unauthorized activity was
discovered when one of the people whose information was searched alerted
the authorities. To prevent future privacy breaches, the Sheriff's
Office will conduct random checks of the computer system and audit for
unusual activity.
http://www.winknews.com/news/local/15408931.html
--What's What in a Breach Notification Letter
(February 2008)
Breach notification letters often involve an intricate dance of
language. A pair of public relations professionals dissects actual
breach notification letters from Monster.com and USAJOBS. They analyze
the merits of differing approaches to notification: the choice of
salutation; the pros and cons of apologizing; the level of detail
offered. Most of the time, it appears that breach notification letters
will raise as many if not more questions than they answer. This article
is a good resource for those who find themselves burdened with the
unfortunate task of drafting such a letter.
http://www2.csoonline.com/exclusives/column.html?CID=33523
[Editor's Note (Northcutt): Just when you think there is nothing left
to say about data breaches, someone amazes you. Nice job CSO Magazine!]
--Roman Aqueducts Redux
A concise version of the paper on lessons the Roman Aqueducts provide
for securing power grids appears in CSO Online.
(The original version ran on January 15, NewsBites Volume 10, Number 4.)
http://www2.csoonline.com/exclusives/column.html?CID=33519
[Editor's Note (Ranum): The article sounds plausible, but the
differences between Rome and its aqueducts and the US and its power
grids are simply so vast that all we're left with is an article that
amounts to argument by analogy.]
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: You've Collected the Logs, Now What? Reducing Risk through
Integrated Log Management, Database Monitoring and Real-time Event Management
WHEN: Thursday, February 14, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
http://www.sans.org/info/23528
Sponsored By: netForensics
So you've collected event logs from security devices and other critical
systems and stored them away - great. Check the compliance box. Now
what?
Logs are important... but only if you are doing something with them.
They provide valuable, credible, accurate information about what is
going on in your inter-connected environment. But if your logs are not
being analyzed regularly and in real-time, how can you tell if data
isn't seeping out of your databases and other critical applications?
Manually glancing through logs may be enough to "check the box" for
compliance purposes, but it is definitely not enough to detect data
theft or other malicious activity.
SANS Special Webcast: Beyond Security Basics: Emerging Defensive Strategies
You Shouldn't Miss
WHEN: Tuesday, February 19, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91778
Sponsored By: Core Security
Still think that locking down root access to operating systems is the
cornerstone of security, or that your perimeter can't be tunneled under?
Please join John Strand, certified SANS instructor and security
consultant with Argotek, for this free webcast.
Ask the Expert: Security Needs a Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
http://www.sans.org/info/22959
Sponsored By: Prism MicroSystems
In this webcast, we'll discuss the reasoning behind a "whitelist"
approach, how change monitoring can complement logging and event
monitoring in your security program, and common system changes that may
indicate malicious activity.
Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
http://www.sans.org/info/22964
Sponsored By: ArcSight
Recently there has been substantial media hype surrounding cyber attacks
against critical infrastructure: oil and gas, power and energy,
chemical, etc. Few disagree that systems controlling critical
infrastructure make valuable targets for a wide range of attackers and
pursuits; but the FUD sometimes shadows the facts. So rather than debate
the threat level, this webcast will focus on empirical findings derived
from multiple, federally funded research projects. These collaborative
projects have brought together federal agencies, academia, control
system vendors, IT security vendors like ArcSight, and industry
representatives to research and test practical cyber incident
prevention, detection and response.
SANS Special Webcast: How to Win Friends and Influence People (for
Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/22984
Sponsored By: Core Security
The success of a security test is often determined in the planning
stage, when the "human element" plays a critical role. This is
especially true for penetration testing projects, which sometimes
encounter political hurdles before they even begin.
Please join us to learn how, with a little transparency and tact, you
can not only get approval for pen testing projects but also help
colleagues use the results to improve your overall security.
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkeyE0gACgkQ+LUG5KFpTkZ+hACfQUg5geTYh16XzF5PRlXfCr/L
htwAnRZy0On1Bbbh+v9w/A4ESkvbWbx0
=sH8B
-----END PGP SIGNATURE-----