From: The SANS Institute (NewsBites@sans.org)
Date: Tue Apr 01 2008 - 12:09:28 CDT
The last item in this issue is a pointer to Rich Bejtlich's summary of
new patterns in cyber defense. Definitely worth a read.
Some great news: SANS' new penetration testing classes are getting the
highest ratings of any new courses since the Wireless class was
launched. If you do pen testing - either application pen testing or
traditional pen testing, these courses help make sure your tools and
skills are state of the art.
Application Pen Testing
Fundamentals: http://sans.org/training/description.php?mid=692
In Depth: http://sans.org/training/description.php?mid=942
Network Pen Testing: http://www.sans.org/training/description.php?mid=937
And if you hire pen testers, come find out how to find the best ones and
make sure they are doing the job right, at the buyers' summits:
Web App Security Summit: http://sans.org/info/24609
Pen Testing and Ethical Hacking Summit: http://sans.org/pentesting08_summit/
Alan
*************************************************************************
SANS NewsBites April 1, 2008 Vol. 10, Num. 26
*************************************************************************
TOP OF THE NEWS
Hannaford Attackers Placed Malware on All Store Servers
Computers Used in RCMP Investigation Infected with Malware
Study: Microsoft Manages Patches Better than Apple
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Swatter Draws Three-Year Sentence
POLICY & LEGISLATION
Washington State RFID Data Theft Bill Gets Gov.'s Signature
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Code for Microsoft Office Flaw Released
Storm Worm Stepping Up Recruitment Efforts
iFrame Attack Continues Spreading
Two Flaws in Safari 3.1 For Windows
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Job Applicant Data Stolen from Irish Employment Site
Antioch University Data Breach Affects 70,000
MISCELLANEOUS
Ten Themes in Digital Defense
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By Sybase ****************************
Future Proofing Mobile Device Security and Management - Webcast
It can cost over $2,500 a year to provision, manage, maintain, update,
and take care of a single mobile device. Therefore, anything you do to
make mobile device management and security more efficient is a good idea.
Learn more now.
http://www.sans.org/info/26743
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Hannaford Attackers Placed Malware on All Store Servers
(March 28, 2008)
More details are emerging about the Hannaford Bros. data breach.
Hannaford now says that the attackers managed to place malware on
servers at each of the Maine-based company's stores in New England, New
York and Florida. When the malware was detected, the company replaced
all the servers, according to a letter from Hannaford general counsel
to Massachusetts officials. The Hannaford breach is unusual because
while most data thefts have involved stored data, this breach stole data
while it was in transit between systems during the transaction
authorization process.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9073138
http://www.theregister.co.uk/2008/03/28/massive_credit_card_breach_explained/print.html
http://www.boston.com/news/local/articles/2008/03/28/advanced_tactic_targeted_grocer/?page=full
[Editor's Note (Pescatore): This type of incident really isn't all
*that* unusual, as compromised servers have long been used to capture
what is flowing through them. Many incidents at retailers, universities
and businesses have resulted in the discovery of servers that were
compromised for long periods of time.]
--Computers Used in RCMP Investigation Infected with Malware
(March 29, 2008)
Computers used in a Royal Canadian Mounted Police (RCMP) investigation
were infected with malware, according to a letter written by a senior
Kamloops (British Columbia) Crown prosecutor. The computers held more
than 250,000 pieces of evidence in a multi-million dollar case known as
Project Eau. An officer connected the computers to the Internet and
used them to view pornography, visit chat sites, and download music and
video files. The officer also downloaded a variety of software,
including LimeWire and an Internet chat program. The machines were
connected to the Internet for more than a year-and-a-half and were
disconnected only after the RCMP learned they had been made part of a
zombie network and were being used for sending spam.
http://www.canada.com/vancouversun/news/story.html?id=20ae6f79-876e-4bec-9a1f-e6b6ca111893
[Editor's Note (Skoudis): There are some incredibly vital lessons in
this story for all of us who perform investigations. Make sure you are
using trusted machines dedicated to the analysis tasks for your work,
and not the system you use for e-mail, web surfing, and practice
analysis.]
--Study: Microsoft Manages Patches Better than Apple
(March 31, 2008)
A study from researchers at the Computer and Engineering Networks
Laboratory at the Swiss Federal Institute of Technology found that
Microsoft's lag time in getting patches out is improving, while Apple's
is getting worse. Overall, Apple has more vulnerabilities, takes longer
to address them with fixes, and has more attacks on unpatched flaws.
http://www.theregister.co.uk/2008/03/31/apple_security_response_pants/print.html
http://www.heise.de/english/newsticker/news/105717
http://www.informationweek.com/software/showArticle.jhtml?articleID=207000806&subSection=Operating+Systems
[Editor's Note (Schultz and Paller): Microsoft deserves considerable
credit for doing increasingly better over the years when it comes to
dealing with security issues such as addressing vulnerabilities. No
vendor is perfect, but Microsoft in many ways is now setting a very
positive example for the rest of the software industry to follow.
(Skoudis): In my opinion, Apple operates in this way because it can get
away with it, while Microsoft couldn't. That is, malware authors and
computer attackers are far more aggressive against Microsoft because of
the market share of its products, making it a juicy target for organized
crime. As Apple's market share inches upwards, they will likely have
to radically improve the way they are handling the release of important
security patches.]
*************************** Sponsored Link: ***************************
1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/26748
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Swatter Draws Three-Year Sentence
(March 28, 2008)
A Washington state man has been sentenced to three years in prison for
swatting. Randal T. Ellis pleaded guilty to five felony counts
including computer access and fraud. Swatting involves calling
emergency services with a spoofed phone number and reporting an incident
serious enough to cause authorities to send out a SWAT team to manage the
situation. Ellis was also ordered to pay nearly US $15,000 in
restitution, most of which will go to the Orange County (California)
Sheriff Department where the incident took place.
http://www.smh.com.au/news/security/hacker-jailed-for-swat-team-prank/2008/03/28/1206207349894.html
http://www.ocregister.com/articles/ellis-call-caller-2006151-calls-team
POLICY & LEGISLATION
--Washington State RFID Data Theft Bill Gets Gov.'s Signature
(March 27, 28 & 31, 2008)
Washington state governor Chris Gregoire has signed into law a bill that
makes data theft with the use of RFID technology punishable by a prison
sentence of up to 10 years. The legislation was prompted by the
increased use of RFID tags in driver's licenses and other identification
cards. The bill will take effect on July 1, 2008.
http://www.theregister.co.uk/2008/03/28/us_rfid_bill/print.html
http://seattletimes.nwsource.com/html/businesstechnology/2004316711_rfidside31.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Exploit Code for Microsoft Office Flaw Released
(March 31, 2008)
Exploit code for a known vulnerability in Microsoft Office has been made
public. The attack targets one flaw that was patched on March 11 in
Microsoft's security bulletin MS08-016. The attack uses a PowerPoint
file to exploit the Microsoft Office File Memory Corruption
Vulnerability, which was given a severity rating of critical for users
running Office 2000. Other versions of Microsoft Office may also be
affected.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9073399&source=rss_topic17
--Storm Worm Stepping Up Recruitment Efforts
(March 31, 2008)
The Storm worm appears to be using April Fool's Day to attempt to round
up more computers. The email contains a brief message followed by a
link to a numeric Internet address. Clicking on the link can infect
vulnerable machines with malware that will make them part of the Storm
worm botnet.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=4222
http://www.news.com/8301-10789_3-9906880-57.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.net-security.org/malware_news.php?id=929
[Editor's Note (Skoudis): I received a ton of these e-mail messages
yesterday and today, and you probably did too. From a malware research
perspective, it's never been easier to get samples for analysis. Just
check your e-mail filters.]
--iFrame Attack Continues Spreading
(March 28 & 31, 2008)
The iFrame attacks that have made news in recent weeks are spreading to
more prominent websites. Among the sites infected are USA Today,
Target, and Wal-Mart. The most recent attack targets search engine
results; the results are manipulated so that users are likely to visit
sites that have been infected with malware.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9073098&source=rss_topic17
http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
http://www.news.com/8301-10784_3-9905951-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
[Editor's Note (Northcutt): Reading at least one of the
stories and Danchev's blog is recommended. I have not validated
Danchev's work, but it certainly appears that you can make the world a
better place by blocking four IP addresses:
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85 ]
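The Storm item above describes lures built from a short message and a link to a numeric Internet address, and Northcutt's note lists four addresses worth blocking. The following is an added example, not part of the newsletter, showing how a mail or proxy filter could pull literal-IP hosts out of message text and check them against that blocklist; the sample messages are constructed, and the 198.51.100.0/24 address is documentation space, not a real indicator.

```python
import re
import ipaddress
from typing import Dict, List, Set

# The four addresses quoted in Northcutt's editor's note (taken from the page).
IFRAME_BLOCKLIST: Set[str] = {
    "72.232.39.252",
    "195.225.178.21",
    "89.149.243.201",
    "89.149.220.85",
}

# Captures the host of an http(s) URL: either a bracketed IPv6 literal or
# anything up to the next '/', ':' (port) or whitespace.
URL_RE = re.compile(r"https?://(\[[^\]\s]+\]|[^\s/:]+)(?::\d+)?(?:/\S*)?",
                    re.IGNORECASE)


def literal_ip_hosts(text: str) -> List[str]:
    """Return every URL host in `text` that is a bare IP literal.

    Storm's April Fool's lure paired a brief message with a link to a
    numeric address, so a literal-IP host is the indicator extracted here.
    Hostnames are ignored; malformed IP-looking strings are ignored too.
    """
    hosts: List[str] = []
    for match in URL_RE.finditer(text):
        host = match.group(1).strip("[]")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # an ordinary hostname, not an IP literal
        hosts.append(host)
    return hosts


def classify_message(text: str,
                     blocklist: Set[str] = IFRAME_BLOCKLIST) -> Dict[str, object]:
    """Verdict: 'block' if a blocklisted IP is linked, 'review' if any
    literal-IP link is present, otherwise 'pass'."""
    ips = literal_ip_hosts(text)
    blocked = sorted(set(ips) & blocklist)
    if blocked:
        verdict = "block"
    elif ips:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "ip_hosts": ips, "blocklisted": blocked}


# Constructed sample messages; none of these are real captures.
SAMPLES = [
    "All Fools! http://198.51.100.23/",
    "Meeting notes attached, see https://intranet.example.com/notes",
    "Redirect from search result: http://72.232.39.252/index.html",
]


def scan_samples(samples: List[str] = SAMPLES) -> List[Dict[str, object]]:
    return [classify_message(s) for s in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, scan_samples()):
        print(f"{result['verdict']:6s} {result['ip_hosts']} <- {sample!r}")
```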
--Two Flaws in Safari 3.1 For Windows
(March 27 & 31, 2008)
After meeting with criticism for the way it was launched, Apple's Safari
3.1 for Windows is facing reports of two highly critical
vulnerabilities. One is a remote code execution flaw and the other
allows attackers to display their own content in browser pages without
changing what's in the address bar. Last week, Apple included Safari
3.1 as part of an update to iTunes and QuickTime, prompting some to call
its release a stealth update that makes it possible for users to
download the browser even when "they didn't ask for [it]."
http://www.informationweek.com/news/showArticle.jhtml?articleID=207000123
http://www.scmagazineus.com/Two-vulnerabilities-found-in-Safari-browser-for-Windows/article/108450/
[Editor's Note (Grefer): Apparently Steve Jobs mentioned his intention
to push a browser down users' throats at last year's World Wide
Developers Conference:
http://tech-buzz.net/2008/03/21/apple-duped-itunes-users-to-install-safari/]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Job Applicant Data Stolen from Irish Employment Site
(March 31, 2008)
A cyber thief has stolen personal information submitted to Irish online
recruitment firm Jobs.ie. A web address outside of Ireland was used to
download client information. The attacker used login credentials
supplied to employers registered with the agency; the credentials were
illegally obtained. Jobs.ie has notified the individuals affected by
the data theft.
http://www.siliconrepublic.com/news/news.nv?storyid=single10628
http://www.ireland.com/newspaper/frontpage/2008/0331/1206752249000.html
[Editor's Note (Honan): In the absence of mandatory breach disclosure
laws in Ireland Jobs.ie should be commended for notifying affected
clients within 24 hours of detecting the breach.]
--Antioch University Data Breach Affects 70,000
(March 28, 2008)
Antioch University has acknowledged that the personal information of
approximately 70,000 individuals was accessed on their computer system
three separate times in 2007. The breaches affect current and former
students, applicants to the school and employees dating back to 1996.
When the university learned of the problem, it took the affected server
offline.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/28/AR2008032802398_pf.html
MISCELLANEOUS
--Ten Themes in Digital Defense
(March 19, 2008)
Richard Bejtlich has compiled a list of "ten themes to describe the
state of affairs and some general strategies for digital defense" he
observed while attending a variety of conferences. The items include
"we cannot stop intruders, only raise their costs;" "less vulnerability
management, more system integrity analysis;" and "less blacklisting,
more whitelisting."
http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html
[Editor's Note (Skoudis): This is an awesome list, and kudos to Richard
Bejtlich for releasing it. Some of its conclusions are debatable, but
every one of them is thought-provoking and worthwhile in pondering how
to apply its wisdom to your own organization's defenses. Very nice.]
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Eric Cole - Proving Web Vulnerabilities redux with
Knowledge Compression (TM).
WHEN: Available NOW on YouTube.com
Featuring: Dr. Eric Cole
If you don't find it on YouTube - it is here http://www.sans.org/info/26743
Sponsored By: Core Security
An eight minute, information-packed remix of an earlier webcast. Grab
the slides, click on the YouTube link and you are good to go. The goal
is to get you the information you need as quickly as possible. Learn the
core reasons for web vulnerabilities and how you can test for them. We
would love to hear your thoughts about this YouTube experiment; drop us
a note with your comments, stephen@sans.edu
***
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability
Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
http://www.sans.org/info/24668
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater",
practices like confiscating nail files in airport security or running
vulnerability scans and taking no action or pretending a SIEM "partial
implementation" actually helps create effective security. If we want to
get better and actually implement security well one of the atomic keys
is to configure the system correctly and maintain that configuration.
Stephen will discuss the three views, the inside view, outside view and
user view that give us the information we need to assess the
configuration of our system. We can use tools like the Center for
Internet Security toolsets to create the inside view, vulnerability
scanners and exploitation tools like CORE for the outside view and to
get the user view we need to run a number of tests to determine the
level of awareness and practice. The data from all three views gives us
the ability to accurately assess our exposure to threat.
***
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software
Data leakage occurs everywhere computing is conducted - whether it be
hand-helds, USB tokens or even protected internal computers where cut,
copy and paste functions are difficult to control. Organizations need a
map of these leakage points so they can plug them and protect themselves
against regulatory violations. This Webcast discusses where and how data
leaks, what types of privacy violations these leakage points present,
and what to do about them.
***
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/25514
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
***
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
http://www.sans.org/info/24659
Sponsored By: LogLogic
A need to meet the vague requirements of FISMA compliance prompted
Lockheed to look for a new log management product to replace a recently
acquired tool with one more suited to its manpower and skill level
requirements. The company found a solution that had lower total cost of
ownership, could process all logs and had correlation capabilities to
show attack indicators.
***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments
and provide organizations with a blueprint on how to cost-effectively
take advantage of this critical technology. Learn first hand how your
organization can benefit from this ground-breaking technology.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/