From: The SANS Institute (NewsBites sans.org)
Date: Fri Mar 28 2008 - 13:07:27 CDT
Note: Hundreds of millions of devices are being placed on networks with
built-in back doors. Printers, routers, computers, control systems,
storage systems, medical devices, nearly every automated device has
them. The manufacturers of these systems never told you how vulnerable
you are. One victim said "It's as if the people who are supposed to help
me put a big sign on my door saying 'the key is under the mat by the
back door,' and anyone can come in and violate me and my family." These
vulnerable back doors were installed to allow remote management; they
are fully functioning processors with network connections, operating
systems, and memory. In addition to being able to disable the device,
in many cases they provide remote back-door access to the main CPU and
storage of the computer or other device.
A research program is being launched to find and close the secret back
doors. This is one of the most critical technical research projects
we've announced in NewsBites - and SANS has allocated $20,000 in
immediate grants for people (anywhere in the world) who can help develop
answers quickly. If you think you have data or skills that can help,
please read the last story in this issue.
Alan
PS If you are involved in web application security and/or penetration
testing, you can find extraordinary solutions to some of the newest and
hardest problems at the two simultaneous Summits in Las Vegas:
Web Application Security: http://sans.org/appsec08_summit/
Penetration Testing: http://sans.org/pentesting08_summit
*************************************************************************
SANS NewsBites March 28, 2008 Vol. 10, Num. 25
*************************************************************************
TOP OF THE NEWS
FTC Reaches Settlements with TJX, Reed Elsevier and Seisint
Indiana Breach Notification Law Gets Toughened Up
Delinquent Tax Collection Contractors Protected Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
42 Months in Prison for Data Theft and Card Fraud
Washington State AG Sues Alleged Software Scammer
Man Gets Five Years Probation for Planting Logic Bomb
POLICY & LEGISLATION
Putin Signs Orders to Segregate Networks with Access to Secrets
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox Update Addresses 10 Vulnerabilities
MISCELLANEOUS
Comcast Will Alter Traffic Management Practices
Guardian Backs Off Deal with Phorm
Canadian Univ. Faculty Unhappy with Decision to Use Google Apps
Hannaford was PCI Compliant During Breach
Closing the Back Doors in Printers, Computers, and Appliances
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By PacketMotion ************************
How do you safeguard intellectual property, sensitive information and
compliance-relevant data without hampering employee and contractor
productivity? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions and
information assets. Download the FREE, must-read whitepaper "TRUST BUT
VERIFY: 24/7 User Activity Monitoring to Protect Business Critical
Information" now.
http://www.sans.org/info/26658
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--FTC Reaches Settlements with TJX, Reed Elsevier and Seisint
(March 27, 2008)
The Federal Trade Commission (FTC) says it has reached a settlement with
TJX regarding the data breach that exposed millions of customer records
resulting in significant payment card fraud. According to an FTC
statement, TJX did not have basic data protection mechanisms, such as
firewalls and wireless security, in place, and it had not kept its
software patching and anti-virus signatures up to date. The terms of
the settlement demand that TJX develop a "comprehensive security program
reasonably designed to protect the security, confidentiality, and
integrity of personal information it collects from or about consumers."
The program will be audited by a third-party every two years for the
next twenty years. The settlement does not impose any fines on TJX.
The FTC also reached settlements with data brokers Reed Elsevier and
Seisint.
http://www.scmagazineus.com/FTC-settles-with-TJX-over-breach/article/108363/
http://www.forbes.com/markets/feeds/afx/2008/03/27/afx4823849.html
http://www.ftc.gov/opa/2008/03/datasec.shtm
http://www.ftc.gov/os/actions.shtm
[Editor's Note (Schultz): The FTC did not go far enough--it should also
have fined TJX.
(Shpantzer): Basically TJX got a settlement from the government that
forces them to have information security and audit processes that should
have been in place before the breach. Is this really going to be a
deterrent to other companies that don't have current antivirus in
place?]
--Indiana Breach Notification Law Gets Toughened Up
(March 25, 2008)
Indiana will have a stronger data protection and breach notification law
as of July 1, 2008 thanks to Indiana University graduate student and
blogger Chris Soghoian. Soghoian asked his state representative Matt
Pierce to look more closely at the state's breach notification law,
which said companies did not have to report data breaches involving
"unauthorized acquisition of a portable electronic device on which
personal information is stored, if access to the device is protected by
a password that has not been disclosed." With input from Soghoian,
Representative Pierce submitted a bill to address weaknesses in the
current law. After some finagling in the state Senate, both houses
unanimously passed the bill and Governor Mitch Daniels signed it into
law on March 25. Now companies will be exempt from reporting breaches
only if all the data on the stolen device are "protected by encryption
and the encryption key has not been compromised or disclosed, and is not
in the possession of or known to the person who, without authorization,
acquired or has access to the portable electronic device."
http://www.cnet.com/surveillance-state/8301-13739_1-9902569-46.html?tag=head
[Editor's Note (Schultz): Not too long ago, there was considerable doubt
whether a better breach notification law would be passed in Indiana.
Many kudos go to Mr. Soghoian and Rep. Pierce!]
--Delinquent Tax Collection Contractors Protected Data
(March 26 & 27, 2008)
A report from the Treasury Inspector General for Tax Administration
(TIGTA) found that the two private collection agencies hired by the
Internal Revenue Service (IRS) to pursue delinquent tax payments have
done a good job of ensuring that taxpayer data are protected. Pioneer
Credit Recovery and CBE Group kept the files secure on their systems and
restricted file access to employees who needed to access those files.
In addition, they configured their workstations to prevent files from
being copied to the workstations or removable media. The IRS has met
with criticism for outsourcing the collection work.
http://www.treas.gov/tigta/auditreports/2008reports/200820078fr.html
http://www.fcw.com/online/news/152067-1.html
[Editor's Note (Schultz): It is good to learn of success stories such
as this one--they tend to be few and far between in the struggle to
protect financial and personal data.]
************************** Sponsored Links: ***************************
1) Attend the Application Security Summit June 2-3 in Las Vegas and hear
what others are saying about application security.
http://www.sans.org/info/26663
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--42 Months in Prison for Data Theft and Card Fraud
(March 26, 2008)
Former Compass Bank programmer James Kevin Real was sentenced to 42
months in prison for stealing a hard drive containing customer data and
using them to commit identity fraud. Real was also ordered to repay
more than US $32,000 that he and an accomplice stole from customers'
accounts. Real used the stolen data to create 250 phony debit cards;
he used 45 of them to commit fraud. Court documents indicate the data
were stolen in May 2007 and that the fraud occurred in June and July
2007. Alabama is just one of 11 states that do not require consumer
notification of personal data breaches.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072198&source=rss_topic17
--Washington State AG Sues Alleged Software Scammer
(March 26, 2008)
The Washington state attorney general has filed a civil lawsuit against
Ron Cooke, owner of Messenger Solutions, for allegedly violating the
state's Computer Spyware Act and Consumer Protection Act by running a
scheme that encouraged people to purchase bogus security software.
First, users' computers would be inundated with pop-up advertisements
through the Windows Messenger Service. Then they would start to receive
messages telling them their computers were infected with malware and
that they should try installing one of the software programs the company
offered, for which they were ultimately charged US $20. That software
actually sent messages to other computers to start the cycle over again.
The complaint seeks an injunction to stop Cooke from continuing the
scheme as well as civil penalties and consumer refunds.
http://www.channelregister.co.uk/2008/03/26/spyware_purveyor_sued/print.html
http://www.heise-online.co.uk/security/Bogus-security-software-vendor-lands-in-US-court--/news/110407
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072058&intsrc=hm_list
http://www.consumeraffairs.com/news04/2008/03/wa_spyware.html
--Man Gets Five Years Probation for Planting Logic Bomb
(March 20, 2008)
Jeffery Howard Gibson, who formerly worked for and created a
computer-based training program for St. Cloud (Minnesota) Hospital, has
been sentenced to five years of probation for infecting hospital
computers with malware. Gibson was employed by the hospital between
July 2005 and June 2006; he placed a logic bomb on the system during the
spring and summer of 2006. He was also ordered to pay more than US
$28,000 in restitution and serve 120 hours of community service by
helping develop a cyber ethics presentation for St. Cloud University
students.
http://www.sctimes.com/apps/pbcs.dll/article?AID=2008103190043
POLICY & LEGISLATION
--Putin Signs Orders to Segregate Networks with Access to Secrets
(March 21, 2008)
Russian President Vladimir Putin has signed executive orders that would
restrict connections between computers containing state or official
secrets and networks that reach beyond the country's borders. The
Federal Security Services (FSB) will grant special permission when
government organizations want to connect networks that access secrets
with foreign networks. If permission is granted, those computers will
be equipped with encryption software provided by the FSB.
http://www.themoscowtimes.com/stories/2008/03/21/014.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Firefox Update Addresses 10 Vulnerabilities
(March 26 & 27, 2008)
Mozilla has released a Firefox update to address a total of 10
vulnerabilities in the browser, five of them critical. Users are
strongly urged to upgrade to Firefox version 2.0.0.13. The critical
flaws could be exploited to crash Firefox or the browser's JavaScript
engine and allow arbitrary code execution.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=4196
http://www.theregister.co.uk/2008/03/27/firefox_security_flaws_update/print.html
http://www.heise-online.co.uk/security/Firefox-update-fixes-critical-security-vulnerabilities--/news/110405s
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072018&source=rss_topic17
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
MISCELLANEOUS
--Comcast Will Alter Traffic Management Practices
(March 27 & 28, 2008)
After coming under fire for slowing down traffic from filesharing sites,
Comcast says it will now treat all Internet traffic equally. Comcast
maintained that it gave the filesharing traffic lower priority because
it would overwhelm local cable lines; however, the company now plans to
work with BitTorrent to develop ways to send large files. Comcast's new
traffic management technique involves slowing download speeds for those
who are using the most bandwidth when traffic gets heavy.
http://www.nytimes.com/2008/03/28/technology/28comcast.html?_r=1&ei=5088&en=c59007553af47bf6&ex=1364356800&oref=slogin&partner=rssnyt&emc=rss&pagewanted=print
http://www.news.com/8301-10784_3-9904494-7.html
--Guardian Newspaper Backs Off Deal with Phorm
(March 26, 2008)
The Guardian Newspaper says it will not use Phorm, the controversial
targeted advertising company. In mid-February, the newspaper had said
it was working with Phorm, which would customize advertisements for
users based on sites they have visited. In an email message to a
concerned reader, Guardian advertising manager Simon Philby wrote "We
have concluded at this time that we do not want to be part of the
[Phorm] network. Our decision was in no small part down to the
conversations we had internally about how this product sits with the
values of our company."
http://www.theregister.co.uk/2008/03/26/guardian_phorm_uturn/print.html
http://blogs.guardian.co.uk/technology/2008/03/26/guardian_announces_it_will_not_use_phorm.html
--Canadian Univ. Faculty Unhappy with Decision to Use Google Apps
(March 24 & 26, 2008)
The faculty association of Lakehead University in Thunder Bay, Ontario,
has filed a grievance against the university administration for using
Google Apps to replace the old and faltering computer system. Although
the move saved the university money (the tools are free), the data are
held in the US and are therefore subject to US laws, which are at odds
with Canadian privacy laws. Any data hosted on US servers are deemed
searchable by authorities under the US Patriot Act. Canadian law
guarantees individuals the right to privacy of their information and to
be informed when the information is shared. The faculty was told not
to transmit private data over the system.
http://www.theglobeandmail.com/servlet/story/RTGAM.20080324.wrgoogle24/BNStory/Technology/
[Editor's Note (Pescatore): There are other issues, like e-Discovery,
that have to be addressed if business data is stored on public servers
like Google Apps and the like. There are certainly ways to use such
public applications securely but it doesn't come for free.]
--Hannaford was PCI Compliant During Breach
(March 21 & 22, 2008)
What differentiates the Hannaford Bros. supermarket chain data breach
from other large breaches is that the company was found to be in
compliance with the Payment Card Industry (PCI) Data Security Standard
even while the attack was underway. The card information was stolen
during the authentication process of the transactions. The attack
compromised as many as 4.2 million cards. The PCI standards are
ambiguous about exactly when data need to be encrypted.
http://news.smh.com.au/hannaford-data-breach-offers-twists-from-prior-attacks/20080318-201z.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904986
[Editor's Note (Pescatore): First off, PCI compliance (any compliance,
really) just means you were deemed compliant at the time of the audit.
It says nothing about what you are like 15 minutes later. However, the
bigger point is the focus always has to be on protecting customer and
business data from attack, not on just gaining compliance. There has
been no shortage of security incidents at companies that were SarBox and
PCI compliant, or government agencies that were FISMA compliant. The
ones you *don't* read about because they *don't* have incidents are the
ones that focus first on securing critical data, *then* demonstrate
compliance. Too many only focus on the latter.]
--Closing the Back Doors in Printers, Computers, and Appliances
Hundreds of millions of devices are being placed on networks with
built-in back doors. Printers, routers, computers, control systems,
storage systems, medical devices, nearly every automated device has
them. The manufacturers of these systems never told you how vulnerable
you are. One victim said "It's as if the people who are supposed to help
me put a big sign on my door saying 'the key is under the mat by the
back door,' and anyone can come in and violate me and my family." These
vulnerable back doors were installed to allow remote management; they
are fully functioning processors with network connections, operating
systems, and memory. In addition to being able to disable the device,
in many cases they provide remote back-door access to the main CPU and
storage of the computer or other device. They may not be logged or
monitored and therefore can be attacked repeatedly without fear of being
caught. In Intel-based PCs and servers they are usually called BMCs, or
baseboard management controllers and are used as intelligent controllers
for inventory, monitoring, logging, and recovery control functions
available independent of the main processors, BIOS, and operating
system. Similar functions are provided on UNIX systems, and on printers
and medical devices and other appliances but are often not called BMCs.
This research project is designed to develop detailed technical
procurement language that organizations can use to ensure these back
doors are "closed and locked" when the devices are delivered. These
back doors have already been implicated as attack sources in successful
denial of service tools and can be used to access and change the data
being processed by the devices.
Here are initial research questions that need to be answered. If you
think of other important questions, please propose them.
1. What are the vulnerabilities of these back doors (Telnet, FTP, hard
coded passwords, etc.) and how can they be exploited? This should be
done within each device family (smart printers, for example).
2. What types of damage can be done by an attacker who gains a foothold
through these back doors?
3. How could an attacker jump from the back door processor to the main
processor, or extract or change data being processed by the main
processor or storage systems of the computer or appliance?
4. What are the most important security controls that must be engineered
into every such device to protect them from remote or local
exploitation?
If you have run tests on these back doors or have the access, tools and
willingness to do so quickly, email apaller sans.org. We can provide
funding for the work.
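The procurement goal above, that management back doors arrive "closed and locked", can be stated as an acceptance audit. The following Python is an added example, not part of the SANS text: it encodes the concerns the article raises (Telnet/FTP, hard-coded or default passwords, unlogged controllers, reachability from ordinary segments) as checks over an asset inventory. The inventory format, the management subnet, the default-credential list and the sample devices are assumptions constructed for this example, not vendor data.

```python
"""Pre-acceptance audit for out-of-band management controllers (BMCs and the
equivalent processors in printers, storage arrays and appliances).

Added example, not part of the SANS NewsBites text. The inventory format,
policy values and sample devices below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy: every management interface must sit in an isolated segment
# that the general user LAN cannot reach.
MGMT_NETWORK = ip_network("10.99.0.0/24")

# Services the article singles out as weak points on management back doors.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}

# Constructed placeholders for factory-default credentials; a real deployment
# would load the vendor's documented defaults for the device family.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


@dataclass
class ManagementController:
    hostname: str
    device_family: str          # "server", "printer", "storage", ...
    mgmt_ip: str                # address of the controller's own NIC
    services: set               # network services listening on the controller
    credentials: list           # (user, password) pairs configured on it
    remote_logging: bool        # are events forwarded to a central collector?


def audit_controller(ctl: ManagementController) -> list:
    """Return a list of findings; an empty list means the controller passes."""
    findings = []

    # 1. Segmentation: a controller on the general LAN is the "key under the mat".
    if ip_address(ctl.mgmt_ip) not in MGMT_NETWORK:
        findings.append(f"management interface {ctl.mgmt_ip} is outside "
                        f"the isolated segment {MGMT_NETWORK}")

    # 2. Cleartext remote-management services (research question 1).
    weak = sorted(ctl.services & CLEARTEXT_SERVICES)
    if weak:
        findings.append("cleartext management services enabled: " + ", ".join(weak))

    # 3. Default or hard-coded passwords still active.
    for user, password in ctl.credentials:
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"factory-default credential still active for user '{user}'")

    # 4. Unmonitored controller: repeated abuse would go unnoticed.
    if not ctl.remote_logging:
        findings.append("controller events are not forwarded to central logging")

    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each hostname to its findings, so delivery can be accepted or refused."""
    return {ctl.hostname: audit_controller(ctl) for ctl in inventory}


# Constructed sample inventory: one device per family named in the article.
SAMPLE_INVENTORY = [
    ManagementController("srv-01", "server", "10.99.0.21",
                         {"https", "ipmi"}, [("opsadmin", "correct horse battery")], True),
    ManagementController("print-07", "printer", "192.168.10.44",
                         {"telnet", "ftp", "http"}, [("admin", "admin")], False),
    ManagementController("san-02", "storage", "10.99.0.80",
                         {"https", "ssh"}, [("admin", "Rt7!qp9#")], False),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        verdict = "ACCEPT" if not findings else "REJECT"
        print(f"{verdict} {host}")
        for finding in findings:
            print(f"    - {finding}")
```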
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability
Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
http://www.sans.org/info/24668
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater",
practices like confiscating nail files in airport security or running
vulnerability scans and taking no action or pretending a SIEM "partial
implementation" actually helps create effective security. If we want to
get better and actually implement security well, one of the atomic keys
is to configure the system correctly and maintain that configuration.
Stephen will discuss the three views, the inside view, outside view and
user view that give us the information we need to assess the
configuration of our system. We can use tools like the Center for
Internet Security toolsets to create the inside view, vulnerability
scanners and exploitation tools like CORE for the outside view and to
get the user view we need to run a number of tests to determine the
level of awareness and practice. The data from all three views gives us
the ability to accurately assess our exposure to threat.
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software
Data leakage occurs everywhere computing is conducted - whether it be
hand-helds, USB tokens or even protected internal computers where cut,
copy and paste functions are difficult to control. Organizations need a
map of these leakage points so they can plug them and protect themselves
against regulatory violations. This Webcast discusses where and how data
leaks, what types of privacy violations these leakage points present,
and what to do about them.
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/25514
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
http://www.sans.org/info/24659
Sponsored By: LogLogic
A need to meet the vague requirements of FISMA compliance prompted
Lockheed to look for a new log management product to replace a recently
acquired tool with one more suited to its manpower and skill level
requirements. The company found a solution that had lower total cost of
ownership, could process all logs and had correlation capabilities to
show attack indicators.
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments
and provide organizations with a blueprint on how to cost-effectively
take advantage of this critical technology. Learn first hand how your
organization can benefit from this ground-breaking technology.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/