SANS NewsBites Vol. 10 Num. 23

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 21 2008 - 15:30:10 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites March 21, 2008 Vol. 10, Num. 23
*************************************************************************
TOP OF THE NEWS
  Application Flaw Exploits on the Rise
  UK National Security Strategy Falls Short on Cyber Security
  German High Court Says Part of Data Retention Law is Unconstitutional
  Threat of Legal Action Halts Voting Machine Audit
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Hannaford Faces Lawsuits Following Breach Disclosure
    Second Guilty Plea from Operation Bot Roast Arrests
    Man Admits to Writing and Spreading Trojan
    51-Month Sentence for Stealing Data Through Limewire
    Two Indicted for MedPro Cyber Attacks
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    US Department of Energy (DOE) Inspector General's Report Finds Security Still an Issue
    PA Voter Registration Web Page Shut Down Due to Data Leak
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Apple OS Security Update Addresses 80+ Flaws
  MISCELLANEOUS
    Faculty from Multiple Universities Share Tools and Tests for Teaching
       Secure Coding
LIST OF UPCOMING FREE SANS WEBCASTS

********************** Sponsored By PacketMotion ************************

How do you safeguard intellectual property, sensitive information and
compliance-relevant data without hampering employee and contractor
productivity? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions and
information assets. Download the FREE, must-read whitepaper "TRUST
BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical
Information" now.
http://www.sans.org/info/26183
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing,
CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
    bonus sessions and a huge exhibition of security products:
       http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and on line any time: www.sans.org

*************************************************************************

TOP OF THE NEWS
 --Application Flaw Exploits on the Rise
(March 18, 2008)
The number of security holes detected in widely used software
applications is growing, as are attacks that exploit these holes. Users
need to be wary of attachments; maliciously crafted ones can worm their
way into systems and steal data. The applications can be exploited so
that the recipients of the attachments are not aware that something
malicious is going on behind the scenes of the seemingly innocent
file.
http://www.usatoday.com/tech/news/computersecurity/2008-03-18-hacker-attacks_N.htm
[Editor's Note (Schultz): The message in this news item is not really
news, yet it is very much worth repeating. The focus of attacks has
shifted dramatically over the last five or six (or maybe even more)
years, with applications clearly becoming the target.
(Grefer): One helpful tool for end users (as well as companies)
to keep an eye on which of the installed software may be insecure
or end-of-life, is the Secunia Personal Software Inspector available
free of charge at http://psi.secunia.com]

 --UK National Security Strategy Falls Short on Cyber Security
(March 20, 2008)
Security companies are voicing their disappointment with British
Prime Minister Gordon Brown's National Security Strategy for failing
to adequately address the risk of cyber attacks. Despite the fact
that the plan notes that cyber attacks, from both foreign states and
terrorists, are on the rise, the plan offers no concrete strategy to
mitigate the risks. Some have pointed out that the absorption of
the National Hi-Tech Crime Unit (NHTCU) into the Serious Organized
Crime Agency (SOCA) leaves inadequate resources to address cyber
crime. Many would like to see the creation of an agency to address
cyber crime as well as laws mandating data breach disclosure.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article3590336.ece
http://www.vnunet.com/computing/news/2212365/national-security-strategy
http://www.zdnetasia.com/news/security/0,39044215,62039143,00.htm
http://interactive.cabinetoffice.gov.uk/documents/security/national_security_strategy.pdf

 --German High Court Says Part of Data Retention Law is Unconstitutional
(March 19 & 20, 2008)
Germany's Federal Constitutional Court has placed new limits on a
law that requires telecommunications companies to store phone call
and Internet data for six months. This week, the court issued
an injunction that declares parts of the law unconstitutional.
The law, which was passed to fulfill a European Union directive,
has faced a great deal of opposition in Germany from civil liberties
proponents. It requires the telecommunications companies to retain
phone numbers dialed and the duration and location of the calls.
The court says the information may be retained, but it may only be
given to law enforcement authorities when they are investigating
serious crimes and have obtained a warrant.
http://www.msnbc.msn.com/id/23725318/
http://www.spiegel.de/international/germany/0,1518,542398,00.html
http://www.dw-world.de/dw/article/0,2144,3203058,00.html
[Editor's Note (Honan): This is an interesting development as this
decision could influence similar legal actions taken by civil liberty
groups in other countries such as Ireland.]

 --Threat of Legal Action Halts Voting Machine Audit
(March 20, 2008)
After noting discrepancies between the paper audit trail and the
memory cartridges of Sequoia electronic voting machines used in the
February presidential primary, election officials in Union County, New
Jersey asked Princeton University computer science professor Ed Felten
to examine the machines. Before the inspection took place, Sequoia
threatened legal action against both Felten and Union County, saying
that the inspection would violate its licensing agreement. Sequoia
attributes the discrepancies to poll worker error. Felten has
published a response, saying that an investigation is necessary and
should be conducted by "someone not chosen by, ... paid by, ... [or]
reporting to Sequoia." Sequoia has announced that the machines in
question are undergoing external analyses by two separate firms.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9069999
http://www.theregister.co.uk/2008/03/20/sequoia_kills_evoting_review/print.html
[Editor's Note (Schultz): Here is another example of a voting machine
vendor doing everything it can to prevent the truth about potential
defects in its product from being found. I predict that Sequoia's
intimidation tactics will work only for a little while.
(Northcutt): Just say no to voting machines that do not leave a
physical audit trail. The good news in this story is that there
was a paper trail, so the machine could be audited. Remember,
last year California did an inspection of the Sequoia machines
and failed them (and a bunch of the competition, as well). The
principal investigator on that study, Matt Bishop, said, "Although,
we did not have enough time to perform a complete evaluation of
the Sequoia voting system, we exposed a number of serious security
issues. These vulnerabilities could be exploited by a determined
attacker to modify (or invalidate) the results of an election.":
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9028262
http://www.sos.ca.gov/elections/elections_vsr.htm]

************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey What are the challenges
in log management? Have perceptions changed since last year? Help us
find out! Take the survey at http://www.sans.org/info/26188
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Hannaford Faces Lawsuits Following Breach Disclosure
(March 19 & 20, 2008)
Hannaford Brothers Co. is facing lawsuits over its recently disclosed
data breach. Philadelphia law firm Berger & Montague PC filed a
class-action lawsuit in US District Court in Portland, ME on behalf
of all people whose credit and debit card information were stolen
from the Hannaford computer network. An attorney based in Bangor,
ME has filed the second suit. The breach affects customers of 165
stores in New England and New York, 106 stores in Florida, and 23
independent stores that sell Hannaford products. Approximately 4.2
million payment card accounts are believed to have been compromised,
and there have been 1,800 cases of fraud associated with the breach.
The data were stolen between December 7, 2007 and March 10, 2008.
http://sev.prnewswire.com/supermarkets/20080319/DC1720519032008-1.html
http://www.boston.com/news/local/maine/articles/2008/03/19/hannaford_hit_with_class_action_suit_in_data_breach_1205971643/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070281&source=rss_topic17
[Editor's Note (Cole): This is a good story to show your
executives if you are having trouble justifying your security budget.
The growing trend is toward trial lawyers bringing suit when data
are lost.]

 --Second Guilty Plea from Operation Bot Roast Arrests
(March 6, 19 & 20, 2008)
Robert Matthew Bentley has pleaded guilty to charges of conspiracy
to commit computer fraud. Bentley was indicted last November for
his involvement in a scheme that surreptitiously installed adware on
PCs in Europe. He was arrested as part of an investigation dubbed
"Operation Bot Roast II." Bentley used computers in Florida to
place the malware on the computers. He is scheduled to be sentenced
on May 28. Seven others have also been arrested as part of the
investigation; one of those, Robert Soloway, has already pleaded
guilty to a number of charges.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/20/AR2008032001412_pf.html
http://www.darkreading.com/document.asp?doc_id=148801&print=true
http://www.usdoj.gov/usao/fln/press%20releases/2008/mar/bentley.html

 --Man Admits to Writing and Spreading Trojan
(March 19, 2008)
Masato Nakatsuji has admitted to writing malware and using copyrighted
anime footage to help it spread. The Trojan horse program spread
through the Winny filesharing program and attempted to remove music
and movie files from infected computers. Nakatsuji is being charged
with copyright law violation for using the animated content; there
is currently no Japanese law that prohibits the creation of malware.
http://www.yomiuri.co.jp/dy/national/20080319TDY02306.htm
http://www.vnunet.com/vnunet/news/2212354/japanese-man-admits-unleashing
http://www.theregister.co.uk/2008/03/19/winny_trojan_vxer_trial/print.html

 --51-Month Sentence for Stealing Data Through Limewire
(March 18, 2008)
Gregory Kopiloff has been sentenced to 51 months in prison for
stealing personally identifiable information of 50 people through
P2P (peer-to-peer) filesharing programs. Kopiloff pleaded guilty
to mail fraud, computer hacking, and aggravated identity theft.
Kopiloff accessed tax returns, credit reports, bank statements and
other financial documents through the Limewire filesharing program.
He then obtained credit cards with the information and ran up US
$76,000 in fraudulent charges. Kopiloff will be on probation for three
years following his release and was also ordered to pay compensation.
http://www.theregister.co.uk/2008/03/18/p2p_highwayman_jailed/print.html
[Editor's Note (Northcutt): Tain't the first or last
time we will see this. Here is a case from over a year ago:
http://www.zeropaid.com/news/8065/Meth+Ring+Used+Limewire+to+Steal+Cash+and+IDs ]

 --Two Indicted for MedPro Cyber Attacks
(March 18, 2008)
(*redacted*) and Matthew Justin Willner have been indicted on
charges of computer criminal activity, conspiracy to commit computer
criminal activity, impersonation, conspiracy to commit impersonation,
and attempted computer criminal activity. (*redacted*) allegedly hired
Willner to break into the computer system of his former employer,
MedPro. The attacks allegedly disrupted MedPro's business, costing
the medical retailer nearly US $900,000. The pair also allegedly
sent spam that was spoofed to appear to come from MedPro.
http://www.phillyburbs.com/pb-dyn/news/112-03182008-1505477.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --US Department of Energy (DOE) Inspector General's Report Finds Security Still an Issue
(March 19, 2008)
According to a report from the US Energy Department's Office of the
Inspector General, DOE has experienced 60 security incidents on its
public servers over the last three years. The DOE-managed national
laboratories that handle nuclear weapons and nuclear waste are
subject to the same rules as the department itself. One of the
attacks redirected people visiting the Brookhaven
National Laboratory web site's home page to pornographic web pages
instead. In eight instances, personally identifiable information
was compromised. Some sites do not comply with web server security
standards from the National Institute of Standards and Technology
(NIST).
http://www.fcw.com/online/news/151957-1.html?type=pf
[Editor's Note (Cole): Security will always be a challenge since
threats and vulnerabilities are always changing. The key task for
security managers is to make sure that, based on their limited budget,
they are focusing on the correct items. In spending any money on
security you should always ask three questions:
1) what is the risk I am reducing;
2) is it the highest priority risk; and
3) is it the most cost effective way to reduce the risk?]

 --PA Voter Registration Web Page Shut Down Due to Data Leak
(March 19 & 20, 2008)
Pennsylvania's Department of State has disabled a page of its voter
registration website after learning that a vulnerability exposed
information entered by previous visitors. The compromised data include
names, driver's license numbers, and in some instances, the last four
digits of people's Social Security numbers (SSNs). The page allowed
people to enter the information necessary for voter registration and
then print out a form that could be mailed to election officials.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9069578&source=rss_topic17
http://www.informationweek.com/security/showArticle.jhtml?articleID=206905007&cid=RSSfeed_TechWeb

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Apple OS Security Update Addresses 80+ Flaws
(March 19, 2008)
Apple issued security updates earlier this week that address more
than 80 vulnerabilities in the Tiger and Leopard operating systems.
The flaws could be exploited to allow cross-site scripting, spoofing,
privilege escalation, and denial of service; several could be exploited
to allow remote code execution. Apple also released a new version
of the Safari browser to fix 13 security flaws.
http://www.theregister.co.uk/2008/03/19/monster_apple_patch_batch/print.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904729

MISCELLANEOUS
 --Faculty From Multiple Universities Share Tools and Tests For Teaching Secure Coding
(March 18, 2008)
Matt Bishop, Bill Chu, Pascal Meunier, Alec Yasinac, Sean Taylor, and
Giovanni Vigna are coming together with other computer science faculty
to evaluate the secure coding exercises, teaching tools, and tests
each has developed in an effort to build a shared body of tools and
knowledge for teaching security as part of the core curriculum of
computer science, computer engineering, and information technology
degree programs. The goal of SANS (and three federal agencies)
sponsoring this workshop is to make it easy for faculty unfamiliar with
secure coding issues to integrate key elements into their existing
courses. Participant travel is covered by SANS. The meeting is open
only to those who have developed tools and techniques that they are
using in core CS, CE, and IT courses. For a copy of the call for
participation, email ccalhoun@sans.org. If you are a vendor or other
organization that wishes to get involved in the project, please email
mbrown@sans.org.

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: Are You Naked? Why virtualization and service
  processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi

Virtualization and on board service processors are making log
management systems obsolete and opening their customers to huge
compliance issues. All existing log management systems are based
on an 'inside out' agent based, SYSLOG and SNMP architecture. This
model is obsolete in today's datacenter. Traditional log management
systems do not log all events or watch the data center all the time,
opening the door to Sarbanes Oxley, HIPAA and other compliance risks.

***
Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Larry Suto
http://www.sans.org/info/24653
Sponsored By: Fortify Software

All black box testing tools are not created equal. In the Fall of 2007,
security consultant Larry Suto published a report that evaluates the
coverage and balance between false positives and false negatives of
three popular penetration testing tools. His findings, which some
found surprising, prompted official responses from a number of tool
vendors that called into question areas of the experiment that could
have led to shaky results.

***
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
http://www.sans.org/info/24668
Sponsored By: Core Security Technologies

Stephen Northcutt challenges leaders to move past "Security Theater",
practices like confiscating nail files in airport security or running
vulnerability scans and taking no action or pretending a SIEM "partial
implementation" actually helps create effective security. If we
want to get better and actually implement security well one of the
atomic keys is to configure the system correctly and maintain that
configuration. Stephen will discuss the three views, the inside
view, outside view and user view that give us the information we
need to assess the configuration of our system. We can use tools
like the Center for Internet Security toolsets to create the inside
view, vulnerability scanners and exploitation tools like CORE for
the outside view and to get the user view we need to run a number
of tests to determine the level of awareness and practice. The data
from all three views gives us the ability to accurately assess our
exposure to threat.
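As an added illustration of the "inside view" described above (this is example code written for this page, not material from the webcast, SANS, Core Security or the Center for Internet Security): a small Python check that parses an OpenSSH sshd_config, compares the effective directives against a baseline of expected values, and reports drift, including directives that are absent and therefore fall back to the daemon's default. The sample config and the baseline values are constructed for illustration and are assumptions; they are not quoted from any CIS benchmark.

```python
"""Inside-view configuration check: compare an sshd_config against a
baseline of expected settings and report drift.

Added example. SAMPLE_SSHD_CONFIG and BASELINE are constructed for
illustration (assumptions), not text from a published benchmark."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /etc/ssh/sshd_config as read from a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
  PermitEmptyPasswords no
X11Forwarding no
# MaxAuthTries 4
"""

# Illustrative baseline: the values this site expects (assumption).
BASELINE = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None: directive absent, sshd default applies


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive (lowercased): value} for the effective lines.

    Comments and blank lines are skipped. Directive names are
    case-insensitive in sshd, and for the global section sshd honours
    the FIRST occurrence of a directive, so a later duplicate must not
    override an earlier one. Match blocks are not modelled here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            continue  # malformed line: no value
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def check_drift(settings: Dict[str, str],
                baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Report every baseline directive whose effective value differs.

    An absent directive is reported as drift too: the compiled-in
    default may not match the baseline, and a commented-out line is
    not a setting."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual))
    return findings


def assess(text: str, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Parse a config file's text and return its drift findings."""
    return check_drift(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for f in assess(SAMPLE_SSHD_CONFIG):
        state = "missing" if f.actual is None else f"is {f.actual!r}"
        print(f"DRIFT {f.key}: expected {f.expected!r}, {state}")
```

Run against the sample, the check flags PermitRootLogin and PasswordAuthentication (both set to yes) and MaxAuthTries (present only as a comment). Keeping the parser separate from the comparison lets the same drift logic be pointed at other file-based configurations once a baseline exists for them.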

***
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it
be hand-helds, USB tokens or even protected internal computers where
cut, copy and paste functions are difficult to control. Organizations
need a map of these leakage points so they can plug them and protect
themselves against regulatory violations. This Webcast discusses
where and how data leaks, what types of privacy violations these
leakage points present, and what to do about them.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC
deployments and provide organizations with a blueprint on how to
cost-effectively take advantage of this critical technology. Learn
first hand how your organization can benefit from this ground-breaking
technology.

*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
  Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as
Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND
FEAR and SECRETS AND LIES -- and dozens of articles and academic
papers. Schneier has regularly appeared on television and radio, has
testified before Congress, and is a frequent writer and lecturer on
issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security
Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section
of the weekly SANS Institute's RISK newsletter and is the project
manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater,
Florida.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH5BKA+LUG5KFpTkYRAj17AJwIB09wiRpNWZNvutLyZYkMGOkzRQCdEXhL
G55+m51EE8VD7WpCUkMsZiU=
=Q0NS
-----END PGP SIGNATURE-----