SANS NewsBites Vol. 10 Num. 16

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Feb 26 2008 - 13:34:44 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note for people planning to attend security training this spring: The
deadline for savings on SANS08 in Orlando is next Wednesday, March 5.
More information: http://www.sans.org/sans2008

*************************************************************************
SANS NewsBites February 26, 2008 Vol. 10, Num. 16
*************************************************************************
TOP OF THE NEWS
  Pakistan's Attempt to Block YouTube Cast Wider-Than-Expected Net
  FCC Ready to Take Steps to Enforce Net Neutrality
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Woman Indicted on HIPAA Violation
    Internet Stalker Gets Prison Time
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    OMB: Agencies Need to be More Aggressive About Data Protection
  SPYWARE, SPAM & PHISHING
    Spammers Defeat Gmail Captcha System
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Image Uploader Flaw is Being Actively Exploited
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Stolen Laptop Contained Psychiatric Patient Data
    ICO: Financial Services Firm Violated Data Protection Act
  MISCELLANEOUS
    Workers Often Peek at Customer Data
    Informant Allegedly Sold Bank Account Data to Tax Authorities
    Counterfeit Computer Parts Seized
    PGP Responds to Cold Boot Attack Paper
LIST OF UPCOMING FREE SANS WEBCASTS

********************* Sponsored By PacketMotion *************************

How do you safeguard intellectual property, sensitive information and
compliance-relevant data without hampering employee and contractor
productivity? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions and
information assets. Download the FREE, must-read whitepaper "TRUST BUT
VERIFY: 24/7 User Activity Monitoring to Protect Business Critical
Information" now.
http://www.sans.org/info/24554
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
    bonus sessions and a huge exhibition of security products:
       http://www.sans.org/sans2008
- Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Pakistan's Attempt to Block YouTube Cast Wider-Than-Expected Net
(February 24 & 25, 2008)
An attempt by Pakistan to have YouTube blocked within its own borders
is believed to be responsible for a two-hour outage of the site
worldwide on Sunday, February 24. The incident draws attention to a
weakness in the route announcements made by autonomous systems.
Autonomous systems (AS), which are the network providers, effectively
serve as postal codes or ZIP codes for IP address requests. In the
incident this past weekend, the AS made a false announcement to the
whole Internet, not just to requests from Pakistan.
http://www.news.com/8301-10784_3-9878655-7.html?part=rss&subj=news&tag=2547-1_3-0-5
http://news.bbc.co.uk/2/hi/technology/7262071.stm
[Editor's Note (Skoudis): Although this is a short-term risk with
copycat attacks, I think it's really good news for the long term.
Having YouTube knocked off line gets Google's attention. Having it
knocked off line by Pakistan gets a lot of countries' attention. Thus,
we've managed to have this big problem illustrated with only minor
inconvenience. I'm hopeful that with these big forces now interested
in the problem, we'll likely see a move to address the situation in the
near future.
(Schultz): This incident once again shows (at least on a small scale)
just how potentially vulnerable the Internet is to disruption, denial
of service attacks very much included. Mechanisms such as authenticated
updates would have in this case solved a good part of the problem, but
such mechanisms would cause substantial slowdowns.
(Guest Editor Frantzen): This incident boils down to a dangerous setup
by the ISP. It allowed BGP announcements (BGP4 is the routing protocol
used between ASes) to be constructed (in part) from internal routing
information.]
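
Schultz's note mentions authenticated routing updates as a mitigation; the check that later became standard for this is RPKI route origin validation. The following is an added example, not code from the newsletter or from any ISP or vendor it mentions: a small origin validator in C that compares a BGP announcement against a table of Route Origin Authorisations (ROAs) and labels it VALID, INVALID or NOT FOUND. INVALID is the state an operator would alert or filter on, and it is what a false announcement from an AS that does not hold the prefix, the situation the news item describes, produces. The prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation range) are constructed for the example, and the names `validate_origin`, `check` and `ipv4_to_u32` are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A Route Origin Authorisation: origin_as may announce prefix/len and any
 * more-specific prefix down to maxlen. */
typedef struct {
    uint32_t prefix;
    int      len;
    int      maxlen;
    uint32_t origin_as;
} roa_t;

typedef enum { RPKI_VALID, RPKI_INVALID, RPKI_NOT_FOUND } rpki_state_t;

/* Dotted-quad text to a host-order 32-bit value; returns 0 on malformed input. */
uint32_t ipv4_to_u32(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255) {
        return 0;
    }
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Mask for a prefix length; a shift by 32 is undefined, so handle len 0 explicitly. */
static uint32_t netmask(int len) {
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* True when the ROA prefix covers the announced prefix (equal or more specific). */
static int roa_covers(const roa_t *r, uint32_t prefix, int len) {
    return len >= r->len &&
           (prefix & netmask(r->len)) == (r->prefix & netmask(r->len));
}

/* Origin validation with RFC 6483 semantics: VALID if some covering ROA names
 * this origin AS and allows this prefix length; INVALID if covering ROAs exist
 * but none match (a mis-origination looks like this); NOT_FOUND if no ROA
 * covers the prefix at all. */
rpki_state_t validate_origin(const roa_t *roas, size_t nroas,
                             uint32_t prefix, int len, uint32_t origin_as) {
    int covered = 0;
    for (size_t i = 0; i < nroas; i++) {
        if (!roa_covers(&roas[i], prefix, len)) continue;
        covered = 1;
        if (origin_as == roas[i].origin_as && len <= roas[i].maxlen) {
            return RPKI_VALID;
        }
    }
    return covered ? RPKI_INVALID : RPKI_NOT_FOUND;
}

/* Constructed ROA table: AS64496 holds 203.0.113.0/24 and may announce it as
 * two /25s, nothing longer. 203.0.113.0/24 is an RFC 5737 documentation prefix
 * and AS64496 an RFC 5398 documentation AS; neither belongs to anyone. */
#define N_ROAS 1
static const roa_t demo_roas[N_ROAS] = {
    { 0xCB007100u /* 203.0.113.0 */, 24, 25, 64496 },
};

/* Validate one announcement given in text form against the constructed table. */
rpki_state_t check(const char *prefix, int len, uint32_t origin_as) {
    return validate_origin(demo_roas, N_ROAS, ipv4_to_u32(prefix), len, origin_as);
}

static const char *state_name(rpki_state_t s) {
    return s == RPKI_VALID ? "VALID" : s == RPKI_INVALID ? "INVALID" : "NOT FOUND";
}

int main(void) {
    /* Constructed announcements; the second is a more-specific prefix
     * originated by an AS that does not hold the covering prefix. */
    printf("203.0.113.0/24 from AS64496: %s\n", state_name(check("203.0.113.0", 24, 64496)));
    printf("203.0.113.0/25 from AS64511: %s\n", state_name(check("203.0.113.0", 25, 64511)));
    printf("203.0.113.0/26 from AS64496: %s\n", state_name(check("203.0.113.0", 26, 64496)));
    printf("198.51.100.0/24 from AS64511: %s\n", state_name(check("198.51.100.0", 24, 64511)));
    return 0;
}
```

The third case shows why maxLength matters: even the legitimate holder's announcement is INVALID once it is more specific than the ROA allows, which is the same protection against a leaked or fabricated more-specific that the second case gets.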

 --FCC Ready to Take Steps to Enforce Net Neutrality
(February 25, 2008)
At a hearing on Monday, February 25, the US Federal Communications
Commission (FCC) said it might soon take action against Internet service
providers (ISPs) that discriminate against traffic from content
providers. At issue is finding the line between discrimination and
legitimate network traffic management. The FCC is also looking at rules
that would force ISPs to be more transparent in their policies about
when traffic might be slowed. The issue gained press recently when
Comcast admitted to throttling traffic from BitTorrent.
http://www.nytimes.com/2008/02/25/technology/25cnd-fcc.html?ei=5088&en=400675c21d9dc50b&ex=1361682000&partner=rssnyt&emc=rss&pagewanted=print
http://www.usatoday.com/tech/news/techpolicy/2008-02-25-fcc-comcast-internet_N.htm?csp=34
[Editor's Note (Pescatore): The ISPs certainly have the right to enforce
their Terms of Service agreements, but blocking bulk content is going
beyond that. If the ISPs would focus on getting their customers to sign
up (opt-in) for "in the cloud" filtering of spam and viruses *and* to
clean up the bot clients on so many consumer machines, the ISPs would
be able to gain back probably 30% of their bandwidth while the customers
were gaining back 30% of their home PCs' CPU cycles.
(Northcutt): This is a very complex issue that might be best left for
the market to sort out. If a significant number of Comcast users want
bit torrents and they can go to other providers, Comcast will probably
change their policy. I don't expect this issue to go away. One
possibility: The "type of service" field in the IP header just might get
used for its original intended purpose yet! Policy-based routing could
happen because one way or another the biggest uses of bandwidth have to
be paid for:
http://www1.sans.edu/resources/leadershiplab/network_neutrality.php ]

************************** Sponsored Links: ***************************
1) Sponsored By RSA, The Security Division of EMC - Download 3 new White
Papers on Best Practices for Comprehensive Security and Event
Management.
http://www.sans.org/info/24559

2) More than 50% of latest online scams are hosted on compromised web
sites. New report has the details.
http://www.sans.org/info/24564
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Woman Indicted on HIPAA Violation
(February 23, 2008)
An Oklahoma woman has been indicted on charges of violating the Health
Insurance Portability and Accountability Act (HIPAA). The federal
indictment alleges that Leslie A. Howell provided patient information
from an unnamed counseling center to two individuals, knowing that they
intended to use the information to commit "access device fraud" and
identity theft. If she is convicted of charges against her, Howell
could face up to 10 years in prison and a fine of up to US $250,000.
http://www.kten.com/global/story.asp?s=7914206
http://www.newsok.com/article/keyword/3207858/

 --Internet Stalker Gets Prison Time
(February 21, 2008)
Devon Townsend has been sentenced to two years in prison for using
computers at her workplace to access private information about Linkin
Park lead singer Chester Bennington. Townsend was employed at Sandia
National Laboratories; from computers there, she managed to access
Bennington's email account, phone numbers, phone bill records, and
family photographs. She used some of the information she found to
threaten Bennington's wife.
http://www.sfgate.com/cgi-bin/blogs/sfgate/detail?blogid=7&entry_id=24407
http://www.theregister.co.uk/2008/02/22/linkin_park_stalker_jailed/print.html
[Editor's Note (Northcutt): The article goes on to say she will be
receiving mental health counseling while incarcerated. Seems that might
be a good idea.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --OMB: Agencies Need to be More Aggressive About Data Protection
(February 22, 2008)
Following the spring 2006 theft of computer equipment that placed
personal information of 26.5 million US armed service veterans and
active duty members at risk of theft, the White House Office of
Management and Budget (OMB) issued recommendations for federal agencies
to help them protect sensitive personal data. Of the 24 agencies
questioned by the Government Accountability Office (GAO), just two
agencies - the Treasury and the Department of Transportation - have
adopted all five recommendations. Two agencies have adopted none, while
other agencies have adopted some of the recommendations, which include
encrypting data on mobile devices.
http://www.msnbc.msn.com/id/23293565/
http://www.darkreading.com/document.asp?doc_id=146877&WT.svl=news1_1
http://www.gao.gov/docsearch/abstract.php?rptno=GAO-08-343

SPYWARE, SPAM & PHISHING
 --Spammers Defeat Gmail Captcha System
(February 25, 2008)
Spammers have figured out a way to defeat the Gmail Captcha
challenge-response mechanism, which is used to ensure that requests to
create new accounts are coming from real people and not from automated
programs. Spammers successfully broke the Hotmail Captcha program in
the last few weeks.
http://www.theregister.co.uk/2008/02/25/gmail_captcha_crack/print.html
[Editor's Note (Honan): This is not the first time that captchas have been defeated.
http://news.zdnet.co.uk/security/0,1000000189,39287905,00.htm
In addition, the article highlights that the hack has a 20% success rate
in defeating captchas. However, when running an automated process a 1
in 5 success rate is not an issue and can yield a high number of
accounts over a relatively short period.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Image Uploader Flaw is Being Actively Exploited
(February 23, 2008)
An exploit is circulating for a flaw in Image Uploader, an ActiveX
control used in several social networking sites, including MySpace and
Facebook. The exploit is part of an attack toolkit that also contains
exploits for flaws in QuickTime, Windows, and Yahoo! Music Jukebox.
Users become infected when they click on specially crafted links in
email messages or IMs that send them to phony login pages where the tool
tries to steal their credentials and scans the machines for vulnerable
applications.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9064298&intsrc=hm_list
[Editor's Note (Honan): With the growth in Web 2.0 services criminals
will develop even more tools to exploit unwary users. From a corporate
point of view these browser based attacks can be difficult to defend
against. Prohibiting access to certain sites may reduce your attack
profile. You should also ensure that applications which have no
business use are removed from your systems.
(Cole): DO NOT LET ACTIVE CONTENT RUN in your browser. Old habits are
hard to fix but a little Internet safety will go a long way.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Stolen Laptop Contained Psychiatric Patient Data
(February 25, 2008)
A laptop computer stolen from an NHS doctor's home in 2005 held extremely
sensitive medical information about 190 psychiatric patients. The
computer is one of approximately 180 devices reported missing or stolen
from public institutions in the Lothians region of Scotland over the
last five years.
http://news.scotsman.com/scotland/Patients39-medical--histories-stored.3811245.jp
[Editor's Note (Cole): If a system is turned off (for more than 5
seconds) full disk encryption solutions with strong passwords or
external keys will minimize the damage.]

 --ICO: Financial Services Firm Violated Data Protection Act
(February 21 & 22, 2008)
The UK Information Commissioner's Office (ICO) has found that a
financial services firm breached the Data Protection Act after a laptop
computer containing unencrypted client information was stolen. The
computer was stolen from Moore Stephens Ltd, which was processing data
for Skipton Financial Services, but it was Skipton who was found to be
in violation of the Data Protection Act. The ICO did not punish
Skipton, but did compel the company to sign a legal document saying it
would make sure customer data are protected in the future.
http://www.silicon.com/financialservices/0,3800010322,39170125,00.htm?r=1
http://www.itpro.co.uk/internet/news/170154/skipton-financial-lose-unencrypted-laptop.html

MISCELLANEOUS
 --Workers Often Peek at Customer Data
(February 25, 2008)
Documents made public in a lawsuit indicate that employees throughout
Wisconsin utility company WE Energies were accessing data about friends,
family members, politicians, and others. Several years ago, a WE
Energies employee leaked information about a mayoral candidate.
Following that incident, the company began paying closer attention to
which accounts its employees were accessing; 17 people were fired
between 2005 and 2007. Federal agencies are struggling with similar
problems.
http://ap.google.com/article/ALeqM5ghPenZUJTE7BfSfgQbj6RX597DEAD8V019TG0
http://www.securityfocus.com/brief/687

 --Informant Allegedly Sold Bank Account Data to Tax Authorities
(February 24 & 25, 2008)
UK HM Revenue & Customs reportedly paid an informant GBP 100,000 (US
$197,000) for information about bank accounts held by Britons at
Liechtenstein bank LGT Group. The same informant reportedly sold
account information to Germany's intelligence agency. In the UK, people
found to have evaded taxes face hefty fines, and, if the deception is
proven to be deliberate, they could face jail time as well. The
informant has been fired from LGT Group and convicted of fraud.
http://business.timesonline.co.uk/tol/business/money/tax/article3423610.ece
http://www.bloomberg.com/apps/news?pid=20601085&sid=a_LpINIqHzSY&refer=europe
[Editor's Note (Honan): Contrary to popular belief, Swiss bank accounts
are not as confidential as some would think. Liechtenstein has stricter
confidentiality requirements over access to its bank accounts, which have
made it a popular destination for those wishing to evade tax in their
own countries.]

 --Counterfeit Computer Parts Seized
(February 22 & 25, 2008)
Thousands of counterfeit computer chips and network components were
seized in a two-week period late last year as part of a joint effort of
US Customs and Border Protection and the European Commission Tax and
Customs Directorate known as "Operation Infrastructure." The phony
items carried more than 40 different trademarks, including Intel, Cisco,
and Philips, and were valued at a total of more than US $1.3 billion.
US Customs and Border Protection Assistant Commissioner Dan Baldwin
noted that the "problem [is] a fairly high risk for critical
infrastructure."
http://www.latimes.com/news/nationworld/politics/wire/sns-ap-us-europe-computer-chips,1,623547.story
http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10494389

 --PGP Responds to Cold Boot Attack Paper
(February 2008)
PGP has posted a response to the recently published paper about the Cold
Boot Attack, which describes how attackers with physical access to
computers can take advantage of the fact that some encryption products
store their keys in DRAM. PGP stresses the fact that attackers require
physical access to the machines to conduct this sort of attack, and also
points out that "all security tools techniques ... are designed to
address specific threat models. Achieving comprehensive security in any
given environment requires using a combination of security measures."
http://www.pgp.com/newsroom/cold_boot_attack_response.html
[Editor's Note (Northcutt): Good for PGP. Calling all crypto vendors:
we would love to highlight your cold boot responses as well; if you have
posted a white paper on the subject, please send the link to
stephen@sans.edu and copy isc@sans.org.
(Internet Storm Center: Frantzen) Excellent information from PGP is
included in their answer, and it should be used to construct guidance
for users of their tools. All vendors should release similar
information needed to create such guidance.
- For PGP WDE: the guidance is that if you "sleep" your laptop and
  it gets stolen the keys are still in RAM. They claim hibernating
  removes the keys from RAM.
- For PGP Virtual Disk, the disk images need to be unmounted in
  order to remove the key from RAM.
At the Internet Storm Center we are collecting this guidance in an
article. Vendors and users are invited to contribute.]
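
Frantzen's guidance above comes down to when key material leaves RAM. As an added example (not PGP's code and not any vendor's design), the C below models a volume whose key sits in ordinary memory: suspend-to-RAM leaves it there, while unmount, the action the guidance ties to hibernation, wipes it. The wipe writes through a volatile pointer because a plain memset on memory that is about to go out of scope is a dead store the compiler may remove, leaving the key in place for a memory image to recover. The `volume_t` struct, `secure_zero` and the key bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* A mounted encrypted volume as a cold-boot attacker sees it: the key lives in
 * ordinary memory for as long as the volume is mounted. Constructed model for
 * the example, not any product's internals. */
typedef struct {
    uint8_t key[KEY_LEN];
    int     mounted;
} volume_t;

/* Zeroisation that survives optimisation. memset() on a buffer that is never
 * read again is a dead store the compiler may drop; stores through a volatile
 * pointer must be performed. Prefer memset_s() or explicit_bzero() where the
 * platform provides them. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Mount: key material is copied into RAM. */
void volume_mount(volume_t *v, const uint8_t key[KEY_LEN]) {
    memcpy(v->key, key, KEY_LEN);
    v->mounted = 1;
}

/* Suspend-to-RAM ("sleep"): DRAM stays powered, so the key stays exactly where
 * it is. Nothing happens here, which is the whole problem. */
void volume_suspend(volume_t *v) {
    (void)v;
}

/* Unmount (and, per the guidance above, hibernate): the key is wiped before the
 * volume state is released. */
void volume_unmount(volume_t *v) {
    secure_zero(v->key, KEY_LEN);
    v->mounted = 0;
}

/* How many key bytes a memory image taken now would still recover. */
size_t resident_key_bytes(const volume_t *v) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        if (v->key[i] != 0) n++;
    }
    return n;
}

/* Constructed key: every byte non-zero so a wiped byte is distinguishable. */
static void demo_key(uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i + 1);
}

/* Scenario 1: laptop put to sleep while the volume is mounted. */
size_t key_bytes_after_suspend(void) {
    volume_t v;
    uint8_t k[KEY_LEN];
    demo_key(k);
    volume_mount(&v, k);
    volume_suspend(&v);
    return resident_key_bytes(&v);   /* 32: the whole key is still in RAM */
}

/* Scenario 2: volume unmounted (or machine hibernated) first. */
size_t key_bytes_after_unmount(void) {
    volume_t v;
    uint8_t k[KEY_LEN];
    demo_key(k);
    volume_mount(&v, k);
    volume_unmount(&v);
    secure_zero(k, KEY_LEN);         /* the caller's own copy must go too */
    return resident_key_bytes(&v);   /* 0 */
}

int main(void) {
    printf("key bytes in RAM after suspend: %zu\n", key_bytes_after_suspend());
    printf("key bytes in RAM after unmount: %zu\n", key_bytes_after_unmount());
    return 0;
}
```

Note the second scenario also wipes the caller's copy of the key: zeroising one buffer is of little use if the same bytes remain in a password-derivation buffer, a cache line of the I/O layer, or a swap file, which is why the vendor guidance is framed around unmounting and hibernating rather than around any single buffer.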

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data
against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
http://www.sans.org/info/22969
Sponsored By Credant Technologies

This webcast will discuss why today's dynamic IT environments must
move away from first-generation encryption products, the stand-alone,
platform-specific point products of old, toward a more data-centric
approach. Gone are the
days of the "encrypt everything" approaches, which lack protection
against insider threats and have significant manageability, recovery,
and usability issues. Hear how a new solution simultaneously meets
security, IT operations, and compliance needs.

***
SANS Special Webcast: How to Win Friends and Influence People (for
Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning
stage, when the "human element" plays a critical role. This is
especially true for penetration testing projects, which sometimes
encounter political hurdles before they even begin.
Please join us to learn how, with a little transparency and tact, you
can not only get approval for pen testing projects but also help
colleagues use the results to improve your overall security.

***
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Tom Turner
http://www.sans.org/info/22979
Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two
diametrically opposed networking requirements. On one hand, IT services
must meet the requirements of delivering an open campus network
with minimal restriction on use. And, on the other hand, you have
networks and systems that maintain sensitive information that requires
tight security controls, often under the scrutiny of specific regulatory
mandates.

***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot
economy" and changing malcode techniques. In response, incident handler
techniques must keep pace. This presentation will cover the use of
RAPIER, a security tool built to facilitate first response procedures
for incident handling. It is designed to acquire commonly requested
information and samples during an information security event, incident,
or investigation. RAPIER automates the entire process of data collection
and delivers the results directly to the hands of a skilled security
analyst. From detection and discovery, capture and containment, count
on a useful discussion meant to further your incident response
practices.

***
Tool Talk Webcast: Are You Naked? Why virtualization and service
processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi

Virtualization and on board service processors are making log management
systems obsolete and opening their customers to huge compliance issues.
All existing log management systems are based on an 'inside out',
agent-based, SYSLOG and SNMP architecture. This model is obsolete in today's
datacenter. Traditional log management systems do not log all events or
watch the data center all the time, opening the door to Sarbanes Oxley,
HIPAA and other compliance risks.

********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkfEXTUACgkQ+LUG5KFpTkZjiwCeKati+A/DVA9rLlqMVZ7SdUFJ
weUAnR4zJRvBXTl63VYyQnA/R7iTEy8h
=hEHk
-----END PGP SIGNATURE-----