SANS NewsBites Vol. 10 Num. 15

From: The SANS Institute (NewsBitessans.org)
Date: Fri Feb 22 2008 - 13:07:14 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites February 22, 2008 Vol. 10, Num. 15
*************************************************************************
TOP OF THE NEWS
  Losses From Cyber Intrusions at US Banks Rise Significantly
  Paper Describes Weakness of Disk Encryption Software
  UK Lords to Push Again for Internet Security Policy Changes
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
  Canadian Police Arrest 17 in Alleged Botnet Scheme
  Lawsuit Filed Against Bloodbank Over Handling of Computer Theft
  Man Gets Three Years Probation for eMail Harassment
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
  UK PM Promises Inquiry into Mishandling of Criminal DNA Data Disk
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
  Microsoft Acknowledges Compatibility Problems from Vista SP1
  Opera Releases Browser Update
MISCELLANEOUS
  Microsoft Announces Plan to Share More Technical Info
  Judge Orders Registrar to Disable Domain Name of Leak Site
LIST OF UPCOMING FREE SANS WEBCASTS

********************** Sponsored By PacketMotion ************************

Are your internal controls and acceptable use policies for consultants,
temporary, and high-risk users working? What information assets are in
jeopardy? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions.
Download the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of
High-risk User Activity in the Network" now.
http://www.sans.org/info/24433

*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
    bonus sessions and a huge exhibition of security products:
       http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online anytime: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Losses From Cyber Intrusions at US Banks Rise Significantly
(February 20, 2008)
According to an anonymously obtained copy of a non-public Federal
Deposit Insurance Corporation (FDIC) quarterly Technology Incident
Report, financial institutions in the US experienced a considerable
increase in the number of intrusions leading to account hijackings and
stolen money over the last year. The report indicates that the cost of
these breaches is increasing for all involved - banks, businesses, and
consumers. The report looks into suspicious activity reports, or SARs.
Banks are required to report fraudulent and suspicious transactions of
US $5,000 or more. The report says that the average cost per SAR in the
second quarter of 2007 was US $29,630; the average cost per SAR in the
same period a year earlier was US $10,536. The majority of SARs were
classified as "unknown unauthorized access - online banking." The
report suggests that Trojan horse programs and keystroke loggers are
used in many instances of unauthorized access.
http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801184
[Editor's Note (Pescatore): That report does point out that the number
of suspicious activity reports that are computer intrusion-related are
still less than 2% of those due to mortgage and check fraud, but the
widespread prevalence of compromised PCs is causing the computer related
incidents to be fast growing.
(Paller): While the overall pattern of increase may be correct, several
banks have experienced significant decreases in losses from money
stolen from customer accounts through theft of customer credentials (via
phishing or keystroke loggers, primarily). These banks set up a series
of increasingly difficult challenges to transactions based on the
transaction's score on (at least) three variables: (1) whether the
transaction is done regularly, (2) whether the IP address is the one
usually used, and (3) how large the transaction is. Customers doing
their regular banking from home are not impacted because they don't
trigger the defenses. Defense in depth; simple and effective.]
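
As an added illustration of the scoring scheme Paller describes above (this is example code written for this page, not a bank's system or anything from the newsletter), the Python below scores each transaction on the three variables he names, whether the payee is a regular one, whether the source address is one the customer usually uses, and how large the amount is relative to the customer's own history, and maps the score to an increasingly difficult challenge. The account history, the thresholds and the challenge names are constructed assumptions.

```python
"""Risk-scored step-up challenges for online banking transactions.

Added example: scores a transaction on (1) regularity of the payee,
(2) whether the source IP is in a network the customer usually uses and
(3) transaction size relative to the customer's own recent amounts, then
picks a challenge from an escalating ladder. All histories, thresholds and
challenge names are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean


@dataclass
class AccountHistory:
    known_payees: set        # payees this customer has paid before
    usual_networks: list     # networks the customer normally logs in from
    recent_amounts: list     # recent transaction amounts (same currency)


@dataclass
class Transaction:
    payee: str
    source_ip: str
    amount: float


# Challenge ladder: a higher score selects a harder challenge (constructed).
CHALLENGES = [
    (0, "none"),             # looks like the customer's regular banking
    (2, "otp"),              # one-time code to a registered device
    (4, "callback"),         # out-of-band confirmation by phone
    (6, "hold_for_review"),  # held until a human reviewer approves it
]

# Constructed sample history: a customer who banks from one home network.
SAMPLE_HISTORY = AccountHistory(
    known_payees={"electric-co", "landlord"},
    usual_networks=["203.0.113.0/24"],
    recent_amounts=[120, 95, 1100, 130],
)


def score_transaction(tx: Transaction, hist: AccountHistory) -> int:
    """Return an integer risk score; 0 means nothing unusual was seen."""
    score = 0
    # (1) Regularity: a never-seen payee is the strongest single signal.
    if tx.payee not in hist.known_payees:
        score += 3
    # (2) Origin: is the source address inside a network the customer uses?
    addr = ip_address(tx.source_ip)
    if not any(addr in ip_network(net) for net in hist.usual_networks):
        score += 2
    # (3) Size: compare with this customer's typical amount, not a global limit,
    #     so a landlord payment that is large for one customer is normal for another.
    typical = mean(hist.recent_amounts) if hist.recent_amounts else 0.0
    if typical and tx.amount > 5 * typical:
        score += 3
    elif typical and tx.amount > 2 * typical:
        score += 1
    return score


def required_challenge(score: int) -> str:
    """Pick the hardest challenge whose threshold the score reaches."""
    chosen = CHALLENGES[0][1]
    for threshold, name in CHALLENGES:
        if score >= threshold:
            chosen = name
    return chosen


def evaluate(tx: Transaction, hist: AccountHistory) -> tuple:
    """Convenience wrapper returning (score, challenge) for one transaction."""
    score = score_transaction(tx, hist)
    return score, required_challenge(score)


if __name__ == "__main__":
    # Regular rent payment from home: no challenge, the customer is not impacted.
    print(evaluate(Transaction("landlord", "203.0.113.42", 1100), SAMPLE_HISTORY))
    # Known payee but from an unfamiliar network: a light challenge.
    print(evaluate(Transaction("electric-co", "198.51.100.7", 130), SAMPLE_HISTORY))
    # New payee, unfamiliar network, far above the usual size: held for review.
    print(evaluate(Transaction("new-payee-xyz", "198.51.100.7", 4800), SAMPLE_HISTORY))
```

The point of scoring against the customer's own history rather than a fixed amount is exactly the property Paller highlights: customers doing their regular banking from their usual location never trip the ladder, while a credential thief operating from elsewhere, paying someone new, with an unusual amount, accumulates enough signals to be stopped or delayed.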

 --Paper Describes Weakness of Disk Encryption Software
(February 21, 2008)
Researchers from Princeton University, the Electronic Frontier
Foundation, and Wind River Systems have published a paper explaining how
attackers with physical access to computers can use disk encryption keys
in the machine's RAM to bypass disk encryption. Apparently encryption
keys remain in RAM for a period of time even when the computer is
powered off. One of the researchers calls the problem "a
fundamental limitation in the way these systems were designed."
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
[Editor's Note (Northcutt): Definitely worth your time to read this
paper. They have a video explaining this that even non-technical
audiences will be able to understand. If you have bought a full disk
encryption product, start a dialog with your vendor. And above all, if
an officer or auditor from your organization asks you if DRAM memory
retains information even when the system is powered off, say yes!
(Skoudis): The concepts underlying the attacks have been rumored and
discussed for years. But, the paper provides more details and
real-world explanations than I've seen anywhere else on this topic.
(Honan): The paper is a very interesting read and highlights a number
of takeaways that we regularly discuss in NewsBites. Firstly, once
someone has physical access to your computer it is extremely difficult
to secure the data on it. Secondly having data distributed across many
devices and locations makes it difficult to protect that data. Thirdly,
new attacks are constantly being developed and you need to regularly
review your defences and your incident response plan accordingly.
(Guest Editor Frantzen): Critical questions need to be asked of
encryption software vendors: how they keep the keys in memory, and if
they wipe the data whenever a screensaver is activated, whenever the
computer is put to sleep, whenever the computer is hibernating.]

 --UK Lords to Push Again for Internet Security Policy Changes
(February 21, 2008)
The UK House of Lords Science and Technology Committee will launch a
follow-up inquiry to the "Personal Internet Security" report it released
in August 2007. The government apparently did not put much stock in the
report when it was delivered and chose not to adopt many of the report's
recommendations, including establishing a data breach notification law
and reversing the requirement that online payment card fraud victims
report security incidents to banks instead of to police. The committee
is asking representatives from organizations that gave evidence at the
initial inquiry for their opinions on the government's response to the
report.
http://www.kablenet.com/kd.nsf/FrontpageRSS/5D72E7E11523FF4B802573F5005FC318!OpenDocument
[Editor's Note (Schultz): Policy changes, let alone changes in
information security policy, do not come easily, no matter what the
level (organizational or federal). Persistence is the best remedy.]

************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey What are the challenges in
log management? Have perceptions changed since last year? Help us find
out! Take the survey at http://www.sans.org/info/24438

2) SANS OnSite Training
Your Location! Your Schedule! Lower Cost! Contact us by March 31 and
receive additional free seats (up to $25,000 value)
Click here today!
http://www.sans.org/info/24443
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --Canadian Police Arrest 17 in Alleged Botnet Scheme
(February 21, 2008)
Police in Quebec have arrested 17 people in several home raids earlier
this week as a result of an investigation into a botnet ring that
allegedly infected as many as one million computers around the world
with malware. Most of the infected machines were in Poland and Brazil,
although there were also some in Canada and the US. In one of the
countries, government computers were also compromised. The gang was
allegedly involved in identity fraud, data theft, denial-of-service
attacks and sending spam. If convicted, the suspects could face prison
sentences of up to 10 years.
http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html
http://www.upi.com/NewsTrack/Top_News/2008/02/21/quebec_smashes_ring_of_17_computer_hackers/8519
http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2
[Editor's Note (Pescatore): Botnets are one of those problems like zebra
mussels: they haven't really damaged the vessels that carry them but
they cause huge damage to the environment around those vessels. This
means that the incentive to clean up the compromised host hasn't been
there but increasingly (see the story on cyber intrusion losses at banks
rising) those compromised PCs are being used in bot networks that
download targeted attack code that *does* cause local losses. ]

 --Lawsuit Filed Against Bloodbank Over Handling of Computer Theft
(February 19, 2008)
The Lifeblood Mid-South Regional Blood Center is facing a lawsuit
following the revelation that laptop computers holding donors' personal
information are missing. The lawsuit, which seeks class action status,
alleges that the blood center was "grossly negligent and engaged in a
willful and intentional pattern of conduct to conceal its negligence
from affected persons." The computers hold information of approximately
321,000 donors.
http://www.commercialappeal.com/news/2008/feb/19/lawsuit-targets-lifeblood/

 --Man Gets Three Years Probation for eMail Harassment
(February 13, 2008)
California law student Victor Vevea has been sentenced to three years
of probation with 90 days of monitored confinement for breaking into an
attorney's email account and sending harassing messages so that they
appeared to come from that attorney. The attack was apparently
motivated by the fact that the attorney had represented Vevea's former
girlfriend in a lawsuit against him about 10 years ago.
http://sacramento.fbi.gov/filelink.html?file=dojpressrel/pressrel08/sc021308.pdf

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --UK PM Promises Inquiry into Mishandling of Criminal DNA Data Disk
(February 20 & 22, 2008)
The UK government is facing more publicity over yet another incident of
mismanaging data. Dutch police sent a disk containing DNA profiles of
4,000 serious criminal suspects to the Crown Prosecution Service (CPS)
more than a year ago in the hope that CPS could identify and catch some
of the criminals. The disk had been misplaced; when it was found last
week, it turned out that 17 of the people identified on the disk were
in the UK and 11 of them had committed offenses within the past year.
While this is not overtly a data security issue -- the disk was never out
of the building -- the incident demonstrates lack of effective data
management. Prime Minister Gordon Brown has ordered an inquiry.
http://www.thisislondon.co.uk/news/article-23439932-details/Brown+pledges+inquiry+after+admission+assaults+were+committed+by+murderers+and+rapists+while+DNA+disc+was+lost/article.do
http://www.theregister.co.uk/2008/02/20/government_data_loss/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Microsoft Acknowledges Compatibility Problems from Vista SP1
(February 21, 2008)
Microsoft has issued a list of applications that will either be broken
or experience reduced functionality after Windows Vista Service Pack 1
is installed. Microsoft recommends that users install updates from
vendors to fix the compatibility problems. In a related story,
Microsoft has removed a problematic SP1 pre-update file from its
software update service because of reports that it was causing some
machines to continually reboot.
http://www.news.com/2102-1002_3-6231449.html?tag=st.util.print
http://www.heise.de/english/newsticker/news/103815
http://support.microsoft.com/kb/935796/en-us
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206800819
[Editor's Note (Pescatore): It appears that Microsoft will slow down
wide distribution of SP1 because of the high level of compatibility
issues. SP1 should be treated like any other patch - don't move to it
until you have tested all your images to make sure all apps still work.
It is not always a bad thing when this happens - apps breaking because
they are being forced to operate more securely is good breakage - but
business interruption from pushing patches and upgrades out too fast is
never a career-enhancing move.]

 --Opera Releases Browser Update
(February 20, 2008)
Opera has released an updated version of its web browser, Opera 9.26 for
Windows, to address at least three vulnerabilities that could be
exploited to "trick users into uploading arbitrary files," use image
properties to execute scripts, and allow cross-site scripting. Opera
learned of one of the flaws from Mozilla and has criticized Mozilla's
decision to disclose details about the vulnerability without giving
ample time to address the flaw.
http://www.eweek.com/index2.php?option=content&task=view&id=46505&pop=1&hide_ads=1&page=0&hide_js=1
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9063683&source=rss_topic17
http://www.opera.com/support/search/view/877/
http://www.opera.com/support/search/view/879/
http://www.opera.com/support/search/view/880/

MISCELLANEOUS
 --Microsoft Announces Plan to Share More Technical Info
(February 21, 2008)
Calling the decision "a major step" and "a strategic shift," Microsoft
has said it will share more technical details about its products with
others in the software industry. The move was motivated by the need for
interoperability to make transfer of documents, data, and code across
the Internet run smoothly. It is also a nod to European Union antitrust
regulators who remain skeptical, noting that Microsoft did not "address
allegations it seeks to undercut rivals by illegally giving away IE with
Windows desktop OS."
http://www.nytimes.com/2008/02/21/technology/21cnd-soft.html?ei=5088&en=ac788bb40091a52e&ex=1361336400&partner=rssnyt&emc=rss&pagewanted=print
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/21/AR2008022101268_pf.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801085

 --Judge Orders Registrar to Disable Domain Name of Leak Site
(February 20, 2008)
A US federal judge has ordered that a website that posts leaked
information aimed at exposing corporate and governmental "unethical
behavior" be shut down. The order came as a result of a lawsuit brought
by a Cayman Islands bank that said a former employee had leaked stolen
documents to the site in violation of a confidentiality agreement and
banking laws. The judge issued a permanent injunction ordering that the
site's registrar disable the site's domain name. The order appears to
indicate a lack of understanding of how the Internet works. Savvy
people view the action as locking the front door but leaving the back
door open; the site can still be accessed at its IP address and mirror
sites. The judge also issued an order to Wikileaks that it stop
distributing the bank's documents. Citizen media Law Project director
David Ardia said the judge's order to disable the site "is clearly not
constitutional."
http://www.nytimes.com/2008/02/20/us/20wiki.html?ei=5088&en=94c15d10c2263334&ex=1361336400&partner=rssnyt&emc=rss&pagewanted=print
[Editor's Note (Northcutt): Too funny! Three strikes and the Judge is
out! First, Judge Jeffery White's decision will be overturned for
blatant First Amendment abuse. Second, this will also serve as a
reminder that trying to push US law on other countries doesn't work, and
is not appreciated. I expect to see some well-deserved negative press
from Europe. Third, these guys are technically way smarter than the
Judge, you might be able to keep http://88.80.13.160/wiki/Wikileaks from
working, but what about http://wikileaks.be/ and http://wikileaks.de ?
And there are ties from this group to Pirate Bay and those guys are very
attack resistant:
http://www.theregister.co.uk/2008/02/21/wikileaks_bulletproof_hosting/
]

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
http://www.sans.org/info/22964
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks
against critical infrastructure: oil and gas, power and energy,
chemical, etc. Few disagree that systems controlling critical
infrastructure make valuable targets for a wide range of attackers and
pursuits; but the FUD sometimes shadows the facts. So rather than debate
the threat level, this webcast will focus on empirical findings derived
from multiple, federally funded research projects. These collaborative
projects have brought together federal agencies, academia, control
system vendors, IT security vendors like ArcSight, and industry
representatives to research and test practical cyber incident
prevention, detection and response.

***
Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data
against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
http://www.sans.org/info/22969
Sponsored By Credant Technologies

This webcast will discuss why today's dynamic IT environments must
move away from first-generation encryption products, the stand-alone,
platform-specific point products of old, toward a more data-centric
approach. Gone are the
days of the "encrypt everything" approaches, which lack protection
against insider threats and have significant manageability, recovery,
and usability issues. Hear how a new solution simultaneously meets
security, IT operations, and compliance needs.

***
SANS Special Webcast: How to Win Friends and Influence People (for
Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning
stage, when the "human element" plays a critical role. This is
especially true for penetration testing projects, which sometimes
encounter political hurdles before they even begin.
Please join us to learn how, with a little transparency and tact, you
can not only get approval for pen testing projects but also help
colleagues use the results to improve your overall security.

***
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Tom Turner
http://www.sans.org/info/22979
Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two
diametrically opposed networking requirements. On one hand, IT services
must meet the requirements of delivering an open campus network
with minimal restriction on use. And, on the other hand, you have
networks and systems that maintain sensitive information that requires
tight security controls, often under the scrutiny of specific regulatory
mandates.

***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot
economy" and changing malcode techniques. In response, incident handler
techniques must keep pace. This presentation will cover the use of
RAPIER, a security tool built to facilitate first response procedures
for incident handling. It is designed to acquire commonly requested
information and samples during an information security event, incident,
or investigation. RAPIER automates the entire process of data collection
and delivers the results directly to the hands of a skilled security
analyst. From detection and discovery, capture and containment, count
on a useful discussion meant to further your incident response
practices.

********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAke/EqwACgkQ+LUG5KFpTkYl6wCfVLFEjs/MogT/wn6bE79GKzqA
t7wAn0Gb0fWecT3Oeuye6o+Cb+r3/euC
=zHoV
-----END PGP SIGNATURE-----