From: The SANS Institute (NewsBites at sans.org)
Date: Fri Apr 04 2008 - 11:51:35 CDT
*************************************************************************
SANS NewsBites April 4, 2008 Vol. 10, Num. 27
*************************************************************************
TOP OF THE NEWS
Software Engineer Indicted for Theft of Trade Secrets
British ISP Says it Won't Adopt BPI's Anti-Piracy Suggestions
TJX Reaches Tentative Settlement with MasterCard
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Davidson Companies Faces Lawsuit Over Data Compromise
New Zealand Teen Pleads Guilty in Botnet Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Patches QuickTime for Windows and Mac
Microsoft Will Release Eight Security Bulletins next Week
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Vt. Ski Area Data Breach Resembles Hannaford Breach
MISCELLANEOUS
US Legislator's Data is on Missing NIH Computer
Laptop Hacked in Contest Makes Brief Appearance on eBay
SEOs Meet Hackers: Part One
Bruce Schneier: Seeing the World from the Attacker's Perspective
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By PacketMotion ***********************
Are your internal controls and acceptable use policies for consultants,
temporary, and high-risk users working? What information assets are in
jeopardy? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions. Download
the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of High-risk
User Activity in the Network" now.
http://www.sans.org/info/27048
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Software Engineer Indicted for Theft of Trade Secrets
(April 3, 2008)
Hanjuan Jin, a former software engineer for a Chicago-based telecommunications
company, has been indicted for allegedly stealing trade secrets from a
telecommunications company and attempting to take the data to China.
When her luggage was searched at O'Hare International Airport in
Chicago, authorities discovered confidential technical documents and
computer memory devices holding documents that belong to an unnamed
company. Customs agents retained the documents and equipment. The
intellectual property in the case is estimated to be worth US $600
million.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207001607
http://www.chicagotribune.com/news/local/chi-trade-secrets-both-03apr03,1,7663316.story
[Editor's Note (Honan): Kudos to the affected company for having a data
classification scheme in place for printed material which alerted the
customs officials that something was amiss. ]
--British ISP Says it Won't Adopt BPI's Anti-Piracy Suggestions
(April 4, 2008)
Carphone Warehouse-owned Internet service provider (ISP) TalkTalk has
vehemently rejected the British Phonographic Industry's (BPI) suggestion
that ISPs monitor customers' downloading habits and impose a "three
strikes and you're out" policy for repeat offenders. According to
Carphone Warehouse chief executive Charles Dunstone, "The music industry
has consistently failed to adapt to changes in technology and now seeks
to foist their problems on someone else."
http://www.guardian.co.uk/technology/2008/apr/04/internet.technology
http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/04/04/cncarphone10.xml
[Editor's Note (Schultz): What Dunstone has said is very true. The real
solution to the problem of music and movie piracy is for these
industries to develop technology that thwarts piracy rather than forcing
ISPs to monitor for and stop piracy by its customers when it occurs. ]
--TJX Reaches Tentative Settlement with MasterCard
(April 2, 2008)
Under the terms of a settlement reached with MasterCard Inc., TJX Cos.
will pay up to US $24 million to financial institutions for losses they
incurred as a result of the data breach that exposed payment card
information of millions of TJX customers. The settlement will be valid
only if 90 percent of the banks that issued the cards involved in fraud
claims decide to accept it. TJX reached a settlement with Visa in
November of last year under which they will pay up to US $40.9 million.
http://www.boston.com/business/ticker/2008/04/tjx_settles_wit_1.html
http://www.informationweek.com/news/security/showArticle.jhtml;jsessionid=BHVOKI12BIYXYQSNDLPSKH0CJUNN2JVN?articleID=207001404&_requestid=621884
************************** Sponsored Links: ***************************
1) SANS-LogLogic Third Annual Log Management Survey What are the
challenges in log management? Have perceptions changed since last year?
Help us find out! Take the survey at http://www.sans.org/info/27053
2) Free Biometric Security White Paper. Implement strong, compliant
security policies and make users' lives easier.
http://www.sans.org/info/27058
3) Come to the Application Security Summit and Penetration Testing &
Ethical Hacking Summit - Las Vegas June 2-3.
http://www.sans.org/info/27063 http://www.sans.org/info/27068
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Davidson Companies Faces Lawsuit Over Data Compromise
(April 2, 2008)
A Montana law firm has filed a class-action suit against the Davidson
Companies, alleging the company's negligence led to a breach of its
computer system that exposed the names and Social Security numbers
(SSNs) of 226,000 of the financial services company's clients. The
lawsuit alleges that "the Davidson Companies failed to comply with the
industry standards designed to protect such confidential and personal
information from theft" and failed to provide "adequate safeguards in
its storage and handling of its clients' confidential personal and
financial information." There have been no reported instances of
identity fraud related to the data compromise.
http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080402/NEWS01/804020303
--New Zealand Teen Pleads Guilty in Botnet Case
(April 1, 2008)
New Zealand teen Owen Thor Walker has pleaded guilty to a variety of
charges, including accessing a computer for dishonest purposes,
interfering with computer systems, possessing software for committing
crime, and accessing computer systems without authorization. Walker is
believed to be the ringleader of a group that surreptitiously recruited
more than a million computers into a botnet. Walker could face a prison
sentence of up to five years, but the judge in the case indicated he was
considering a sentence that does not involve custody.
http://news.bbc.co.uk/2/hi/asia-pacific/7323733.stm
http://www.breitbart.com/article.php?id=080401110723.35qiroer&show_article=1
[Editor's Note (Honan): Walker's botnet skimmed at least £20 million (US
$31 million); anything less than a custodial sentence will send the
wrong message to online criminals.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple Patches QuickTime for Windows and Mac
(April 3, 2008)
Apple has released a fix for QuickTime for both Mac OS X and Windows.
The fix addresses 11 vulnerabilities in the multimedia player. The
flaws include a privilege escalation vulnerability in the way QuickTime
handles Java and arbitrary code execution and information disclosure
vulnerabilities that can be exploited through maliciously crafted
QuickTime movies. The patch updates QuickTime to version 7.4.5.
http://www.securityfocus.com/brief/715
http://www.heise-online.co.uk/security/Apple-closes-11-security-holes-in-QuickTime--/news/110463
http://www.us-cert.gov/cas/techalerts/TA08-094A.html
http://support.apple.com/kb/HT1241
--Microsoft Will Release Eight Security Bulletins next Week
(April 3, 2008)
On Tuesday, April 8, Microsoft plans to release eight security bulletins
to address vulnerabilities in Windows Vista, XP, 2000, Server 2003, and
Server 2008 as well as Explorer. Five of the bulletins have severity
ratings of critical; all five address remote code execution flaws. The
remaining three bulletins, all of which have severity ratings of
important, include a remote code execution flaw, an elevation of
privilege flaw, and a flaw that can allow spoofing. The updates will
all require restarts.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml;jsessionid=BHVOKI12BIYXYQSNDLPSKH0CJUNN2JVN?articleID=207001596&_requestid=619656
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9074740&intsrc=hm_list
http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Vt. Ski Area Data Breach Resembles Hannaford Breach
(March 31 & April 2, 2008)
The Okemo Mountain Resort Ski Area in Vermont has issued an advisory
saying that an intrusion may have resulted in more than 46,000 payment
card transactions being compromised over several weeks in February.
Some Okemo data appear to have been stolen during the transaction
authorization process, as were the data in the Hannaford Bros. breach.
The intrusion may also have compromised information on more than 18,000
credit cards used in transactions during the first several months of
2006. A forensic review concluded that systems at two other resorts
owned by the same company did not experience intrusions.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9074339&source=rss_topic17
http://www.okemo.com/okemowinter/security_update.asps
[Editor's Note (Pescatore): These types of incidents, and the MSNBC/USA
Today/Miami Dolphins compromised web server incidents, are showing
that there are a lot of compromised servers that are starting to be put
to active cyber crime use. Good time to do some spring cleaning (I guess
"fall pruning" if you are in the southern hemisphere) to make sure
critical systems don't have rootkit or bot client issues: Compare the
installed images against known good baselines, make sure all custom apps
have been tested for the web vulnerabilities that are commonly
exploited, etc.]
MISCELLANEOUS
--US Legislator's Data is on Missing NIH Computer
(April 3, 2008)
A US legislator whose personal information is on a laptop computer
stolen from a National Institutes of Health (NIH) researcher's car wants
the inspector general at the Department of Health and Human Services to
conduct an investigation. Among the questions Representative Joe Barton
(R-Tex.) wants answered is whether or not NIH has an effective means of
contacting individuals affected by such a breach; at least one person
did not learn his information was on the computer until he contacted NIH
himself. It is also unclear whether or not the laptop was encrypted and
why the initial estimate of affected individuals fell short by 500.
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/02/AR2008040203371_pf.html
--Laptop Hacked in Contest Makes Brief Appearance on eBay
(April 1, 2008)
The man who won a laptop computer he hacked in a contest at the
CanSecWest conference last week made a short-lived attempt to sell the
machine on eBay. Shane Macaulay had offered the Fujitsu U810 Windows
Vista-equipped laptop, saying that it was possible his exploit code
could be derived from the machine. eBay removed the listing because
they do not allow the sale of "anything that would do harm." Macaulay
also received a US $5,000 cash prize for his successful hack of the
computer. Macaulay's attack exploited a flaw in Adobe Flash Player.
Adobe researchers say they knew of the flaw before Macaulay's attack and
that they plan to patch it later this month.
http://www.nytimes.com/idg/IDG_002570DE00740E180025741E005FFB74.html?ref=technology&pagewanted=print
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9074719&source=rss_topic17
--SEOs Meet Hackers: Part One
(March 31, 2008)
In the first article of a two-part series, Scott Berinato provides an
overview of search engine optimizer (SEO) practices. While black hat
hackers clearly inhabit shady territory, black hat (or gray hat, as they
are sometimes called) SEOs often violate search engine terms of service
agreements, but not laws. Initially, SEOs were employed by companies to
help them get top rankings in search engine results. As the arena
became more competitive, SEOs' skills were being noticed by people hired
to carry out more nefarious schemes.
http://www.csoonline.com/article/print/221689
--Bruce Schneier: Seeing the World from the Attacker's Perspective
(March 20, 2008)
"Security professionals -- at least the good ones -- see the world
differently," says Bruce Schneier. "The security mindset involves
thinking about how things can be made to fail." Schneier notes that the
world would be a safer place if more people were trained in the art of
the security mindset. Professor Tadayoshi Kohno is teaching a class at
the University of Washington to try and instill the security mindset in
his students. According to Schneier, "the security mindset is a
valuable skill that everyone can benefit from, regardless of career
path."
http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
[Editor's Note (Grefer): While this approach helps, from
personal experience I can say that all the best suggestions, warnings
and cautions are not of much use if the decision makers don't buy into
them. It would not hurt to get them sensitized to the issues by
suggesting they attend "SANS Security Leadership Essentials for
Managers" http://www.sans.org/training/description.php?mid=62 and
preferably also "Hacking for Managers"
http://www.sans.org/training/description.php?mid=159 ]
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Eric Cole - Proving Web Vulnerabilities Redux with
Knowledge Compression (TM)
WHEN: Available NOW on YouTube
FEATURING: Dr. Eric Cole
To find it on YouTube click here: https://www.sans.org/webcasts/special.php
Sponsored By: Core Security http://www.coresecurity.com/
This webcast is an eight minute information packed remix of an earlier
webcast. Grab the slides, click on the YouTube link and you are good to
go. The goal is to get you the information you need as quickly as
possible. Learn the core reasons for web vulnerabilities and how you can
test for them. We would love to hear your thoughts about this
experiment; drop us a note with your comments to stephen at sans.edu. The
video of the webcast redux is live on youtube.com.
***
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/25514
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
***
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
http://www.sans.org/info/24659
Sponsored By: LogLogic
A need to meet the vague requirements of FISMA compliance prompted
Lockheed to look for a new log management product to replace a recently
acquired tool with one more suited to its manpower and skill level
requirements. The company found a solution that had lower total cost of
ownership, could process all logs and had correlation capabilities to
show attack indicators.
***
SANS Special Webcast: Eric Cole's "Find and Fix Security Exposures
before You're in a Heap of Trouble"
WHEN: Tuesday, April 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
http://www.sans.org/info/25519
Sponsored By: Core Security http://www.coresecurity.com/
Please join Eric Cole for a discussion of how to keep your information
systems in check as the vulnerability landscape rolls out around you
with this free webcast: "Find and Fix Security Exposures before You're
in a Heap of Trouble"
During the webcast, Eric will examine the technologies available for
assessing both the security of your network systems and the
effectiveness of the defenses meant to protect them.
***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure
This webinar will discuss the challenges associated with NAC deployments
and provide organizations with a blueprint on how to cost-effectively
take advantage of this critical technology. Learn first hand how your
organization can benefit from this ground-breaking technology.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/