SANS NewsBites Vol. 10 Num. 43

From: The SANS Institute (NewsBites@sans.org)
Date: Fri May 30 2008 - 12:47:41 CDT



A big week for cyber security news stories. Newsbites editor Ed Skoudis
put it in perspective, "Consider this NewsBites in its totality (nation
state espionage, power grid vulnerabilities, nuclear facilities,
radiation dispersal rumors, congressman discussing threats, and more),
and you can see we're in the midst of a sea change in the willingness
to discuss the threats we now face. It's not just petty cyber crime any
more. Increasingly, there are national security implications and
massive safety issues associated with information security
vulnerabilities in our critical infrastructure. Lives are at stake."

Speaking of Ed (he's the top penetration testing expert in the US), he
and Eric Cole and Mike Poor had a wonderful (argumentative) webcast
yesterday on the most critical new developments and trends in security.
Listening to it is like being a fly on the wall at a SANS speaker lunch.
It's free: https://www.sans.org/webcasts/show.php?webcastid=91898
                                 Alan

*************************************************************************
SANS NewsBites May 30, 2008 Vol. 10, Num. 43
*************************************************************************
TOP OF THE NEWS
  Growing Evidence Suggests China Poses Significant Cyber Threat
  Q&A With US Rep. Jim Langevin on Power Grid Security Concerns
  Commerce Dept. Laptop May Have Been Breached During Dec. Trip to China
  Societe Generale Releases Breach Investigation Findings
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Man Arrested and Charged in Online Brokerage Account Fraud Scheme
    French Authorities Detain 22 in Website Attacks
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Attackers Take Down Nuclear Plant Websites to Coincide with Rumors
    Israeli AG Says Employer May Not Read Employee eMail Without Consent
  SPYWARE, SPAM & PHISHING
    ICANN Directs Registrars to Take Steps to Authenticate WHOIS Data
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Adobe Flash Vulnerability
    Apple Releases OS X Updates
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Comcast Domain Hijacked For Several Hours
    BPO Owner Allegedly Stole and Sold Former Customer's Data
    Conn. Atty. General Pushing BNY Mellon for More Specific Breach Information
LIST OF UPCOMING FREE SANS WEBCASTS

********************** Sponsored By Symantec ****************************

Where Is Your Confidential Data and How Do You Protect It? A Real Life
Customer Success. Join Rich Mogull, founder of Securosis L.L.C. and
former Gartner analyst, and Starla Rivers, Technical Security Architect
at Sharp, as they address how to easily deploy DLP and quickly realize
the solution benefits.
http://www.sans.org/info/29309
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
      with many bonus sessions and a big exhibition of security products:
      http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
      http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Growing Evidence Suggests China Poses Significant Cyber Threat
(May 31, 2008)
US government officials and cyber security experts say there is mounting
evidence that China may have gained access to both government and
private sector computer networks, and that Chinese hackers may have been
responsible for two major US power blackouts in the last few years.
Although there has never been a direct accusation that China was behind
the attacks, neither has the government explicitly said that China was
not involved. There is also growing evidence that Chinese hackers are
gaining access to US computer systems to gather proprietary information.
In one case, a businessman traveling to China discovered once he got
there that the people he was meeting with already knew the bottom line
of every negotiating point.
http://www.nationaljournal.com/njmagazine/print_friendly.php?ID=cs_20080531_6948
[Editor's Note (Veltsos): The scenario described is eerily similar to
one described in the book "The Spy's Guide: Office Espionage" by Melton,
Piligian, & Swierczynski (ISBN-13: 978-1931686600).]

 --Q&A With US Rep. Jim Langevin on Power Grid Security Concerns
(May 27, 2008)
US Representative Jim Langevin (D-RI), who chairs the House Subcommittee
on Emerging Threats, Cybersecurity and Science and Technology, is
"bothered by the fact that the [Aurora] vulnerability is still not fully
mitigated." In March 2007, the US Department of Homeland Security (DHS)
conducted the "Aurora Generator Test," which demonstrated that attackers
could destroy generators by gaining remote access to power plants'
control systems. Langevin discussed possible action that could help
improve security, including giving the Federal Energy Regulatory
Commission (FERC) the "legal authority to require the industry to comply
with closing vulnerabilities," and "regulation on systems used by the
electric grid and other entities" to encourage control systems vendors
to create more secure products.
http://www.investors.com/Tech/TechExecQA.asp?artid=296765228592148
[Editor's Note (Schultz): If FERC is not given more power and authority,
power/utilities companies will continue to leave vulnerabilities in
critical power plant systems unpatched.]

 --Commerce Dept. Laptop May Have Been Breached During Dec. Trip to China
(May 29, 2008)
Anonymous sources say that an investigation is underway into whether the
contents of a government laptop were copied during Commerce Secretary
Carlos M. Gutierrez's December trip to China. The information may have
been used to gain access to Commerce computers; following Gutierrez's
return, US CERT was called to the Department of Commerce three times to
manage serious intrusion attempts.
http://www.themonitor.com/articles/department_12470___article.html/china_commerce.html
[Editor's Note (Veltsos): When traveling overseas, corporate and
government officials must ensure that the data entrusted to them is
appropriately protected from unauthorized access, disclosure, or
modification. Full-disk encryption and two-factor authentication
mechanisms should be present on laptops containing sensitive data. Some
security professionals further recommend that travel laptops should be
devoid of sensitive data; instead the data should be accessed once
on-site by retrieving it from a secure, online, source.]

 --Societe Generale Releases Breach Investigation Findings
(May 28, 2008)
Societe Generale has released the findings of an investigation it
conducted along with PricewaterhouseCoopers regarding the US $7 billion
loss incurred as a result of surreptitious transactions conducted by
trader Jerome Kerviel. According to the report, Kerviel's skill at
evading "the system of checks and balances ... designed to prevent such
overtrading" combined with his supervisor's lack of understanding of the
system allowed the situation to go on for as long as it did.
http://www.darkreading.com/document.asp?doc_id=155024&f_src=darkreading_informationweek
[Editor's Note (Honan): I recommend that you read the report,
http://www.efinancialnews.com/downloadfiles/2008/05/2350755836.pdf. It
highlights how a combination of insufficient technical, procedural and
personnel controls can combine to create opportunities for
exploitation.]

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Man Arrested and Charged in Online Brokerage Account Fraud Scheme
(May 29, 2008)
Michael Largent has been indicted on charges of computer fraud, wire
fraud and mail fraud for allegedly exploiting a common practice at
online brokerages of sending tiny deposits to new accounts to verify
their authenticity. Largent allegedly collected nearly US $50,000 by
setting up thousands of online brokerage accounts under phony names as
well as his own, one of a series of missteps that led authorities to
discover his identity. Largent also allegedly used a small range of IP
addresses through which he created the phony accounts, another clue that
helped point to his identity.
http://www.heise-online.co.uk/security/Cunning-micro-deposit-fraudster-not-quite-smart-enough--/news/110817
[Editor's Note (Skoudis): Thank goodness for dumb mistakes by the bad
guys! That's how we often get them. Look for their errors. Even the
skilled ones sometimes get complacent or cocky, and then we've got a
chance to detect them.]
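The two clues the article credits with exposing the scheme, thousands of
new accounts and a small range of source IP addresses, are exactly the
signals a brokerage can check before it sends a single verification
deposit. The following is an added example, not code from the newsletter
or from any brokerage's real controls. It assumes a hypothetical
account-opening log with one pipe-separated record per new account
(timestamp, account id, applicant name, external bank account that
receives the micro-deposits, signup source IP); every sample record is
constructed. It clusters signups by /24 network inside a time window and
by shared external funding account, and holds accounts that trip both
checks.

```python
"""Detect bulk account openings that look like micro-deposit harvesting.

Added example, not from the newsletter or any brokerage's real controls.
It assumes a hypothetical account-opening log with one pipe-separated
record per new account: timestamp, account id, applicant name, external
bank account that receives the verification deposits, signup source IP.
All sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Signup:
    ts: datetime
    account_id: str
    name: str
    funding_account: str  # external account the micro-deposits are sent to
    src_ip: str


def parse_log(text: str) -> list:
    signups = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, name, funding, ip = [f.strip() for f in line.split("|")]
        signups.append(Signup(datetime.fromisoformat(ts), acct, name, funding, ip))
    return signups


# Constructed sample: 12 signups within 12 minutes, all from 198.51.100.0/24,
# each under a different name but paying into the same external account,
# mixed with three ordinary signups (one of them from the same /24 a day later,
# which falls outside the window and is not counted).
BURST = "\n".join(
    f"2008-05-01T09:{i:02d}:00|A2{i:03d}|Phony Name {i}|BK-9001|198.51.100.{10 + i}"
    for i in range(12)
)
SAMPLE_LOG = BURST + """
2008-05-01T08:30:00|A1001|Alice Example|BK-1001|203.0.113.5
2008-05-01T11:15:00|A1002|Bob Example|BK-1002|192.0.2.77
2008-05-02T09:05:00|A1003|Carol Example|BK-1003|198.51.100.200
"""


def bursty_networks(signups, prefix=24, window=timedelta(hours=24), min_accounts=10):
    """Networks from which >= min_accounts accounts were opened within `window`.

    A corporate NAT or a campus can trip this too, so treat it as a triage
    signal to pair with the funding-account check, not as proof of fraud.
    """
    by_net = defaultdict(list)
    for s in signups:
        by_net[ip_network(f"{s.src_ip}/{prefix}", strict=False)].append(s)
    findings = {}
    for net, group in by_net.items():
        group.sort(key=lambda s: s.ts)
        lo, best = 0, 0
        for hi, s in enumerate(group):  # sliding window over sorted timestamps
            while s.ts - group[lo].ts > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_accounts:
            findings[str(net)] = best
    return findings


def shared_funding_accounts(signups, min_names=3):
    """External accounts linked to >= min_names distinct applicant names."""
    names = defaultdict(set)
    for s in signups:
        names[s.funding_account].add(s.name)
    return {acct: sorted(n) for acct, n in names.items() if len(n) >= min_names}


def accounts_to_hold(signups):
    """Account ids to hold before any verification deposit is sent."""
    flagged_nets = bursty_networks(signups)
    flagged_funding = shared_funding_accounts(signups)
    hold = set()
    for s in signups:
        net = str(ip_network(f"{s.src_ip}/24", strict=False))
        if net in flagged_nets and s.funding_account in flagged_funding:
            hold.add(s.account_id)
    return sorted(hold)


if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    print("bursty networks:", bursty_networks(data))
    print("shared funding accounts:", list(shared_funding_accounts(data)))
    print("hold:", accounts_to_hold(data))
```

Requiring both signals keeps the legitimate signup from the same /24
(A1003, with its own funding account) out of the hold list; the
thresholds are illustrative and would be tuned against a real
brokerage's signup volume.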

 --French Authorities Detain 22 in Website Attacks
(May 29, 2008)
Police in France have detained 22 people between the ages of 14 and 25
who are believed to have been involved with attacks on websites based
in France, Russia and Iceland. If those apprehended are convicted, they
could face up to two years in prison and a fine of 30,000 euro (US
$46,502). The penalties could be more stringent if they are found
guilty of more serious crimes. French authorities point out that small
businesses need to pay closer attention to computer security.
http://www.channelregister.co.uk/2008/05/29/dijon_police_arrest_22_alleged_hacker_youths/print.html
[Editor's Note (Schultz): Not too many years ago a number of small
businesses succumbed to a variety of attacks that severely disrupted
their business operations. At that time security experts pointed out
that businesses of this size can be disproportionately affected by
security-related incidents, thus dictating the need for strong risk
management efforts. As has happened so much in the information security
arena, however, the warnings went unheeded, and now new warnings of the
same nature have been issued after small businesses have once again been
adversely affected by another rash of attacks.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Attackers Take Down Nuclear Plant Websites to Coincide with Rumors
(May 23, 2008)
Websites that allow users to check real-time radiation levels for
Russian nuclear power plants were attacked and rendered unavailable for
a time after false rumors appeared on a number of Internet forums about
a nuclear accident in the northwestern part of the country. The phony
reports said there were radioactive emissions from a plant near St.
Petersburg. The Automatic Radiation Environment Control System (ASKRO)
is designed to allow users to have access to radiation security
information; the system has been restored.
http://en.rian.ru/russia/20080523/108202288.html

 --Israeli AG Says Employer May Not Read Employee eMail Without Consent
(May 29, 2008)
The Israeli Attorney General has ruled that employers may not read their
employees' email without their free and informed consent. Attorney
general Menachem Mazuz submitted the opinion to the National Labor Court
which was hearing an appeal filed by an employee whose employer had been
granted access to email from her personal computer.
http://www.globes.co.il/serveen/globes/docview.asp?did=1000347043&fid=942

SPYWARE, SPAM & PHISHING
 --ICANN Directs Registrars to Take Steps to Authenticate WHOIS Data
(May 27, 2008)
The Internet Corporation for Assigned Names and Numbers (ICANN) has sent
enforcement notices to domain registrars that are believed to have
registered the majority of websites that benefit from spam traffic. One
study showed that just 20 of the 800 ICANN accredited registrars are
responsible for 90 percent of the questionable sites. The enforcement
notices ask the registrars to provide information about what steps they
have taken to identify and address inaccuracies in the WHOIS data
associated with the domains. If the registrars do not address the
information problems within a specified amount of time, they could lose
their ICANN accreditation.
http://www.gcn.com/online/vol1_no1/46351-1.html?topic=security&CMP=OTC-RSS
http://www.metimes.com/Security/2008/05/29/analysis_crackdown_on_domain_name_crooks/7755/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Adobe Flash Vulnerability
(May 27 & 28, 2008)
A new round of SQL injection attacks against legitimate websites is being
used to serve malicious Flash content that exploits a flaw in Adobe Flash
Player. Stand-alone versions of the current Flash Player release are
apparently vulnerable to the attacks, but updated browser plug-ins are
not. At this time, the goal of these attacks appears to be to steal
online gamers' login credentials; however, more serious attacks using
this same vector are likely.
http://www.theregister.co.uk/2008/05/27/new_adobe_flash_vuln/print.html
http://www.darkreading.com/document.asp?doc_id=155020&WT.svl=news1_2

 --Apple Releases OS X Updates
(May 28, 2008)
Apple has released Mac OS X 10.5.3 and security update 2008-003. The
updates comprise dozens of fixes, including one for a remote code
execution flaw in the Flash Player Plug-in and another for a flaw in
iCal that could be exploited to execute arbitrary code or cause
unexpected application termination. Two other flaws in iCal remain
unaddressed.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9090738&source=rss_topic17
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=208400745
http://www.scmagazineuk.com/Apple-releases-latest-Leopard-OS-update/article/110643/
http://www.eweek.com/c/a/Security/Apple-Cures-iCal-Ills/
http://support.apple.com/kb/HT1897

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Comcast Domain Hijacked For Several Hours
(May 29, 2008)
Comcast Internet subscribers were unable to access their email, news,
and technical support for several hours late Wednesday, May 28 and into
the following day. Attackers hijacked the Comcast domain name for about
five hours, but there is no evidence that email or other private data
were accessed. Law enforcement authorities have been informed of the
incident.
http://www.nytimes.com/aponline/business/AP-TEC-Comcast-Web-Hack.html?_r=1&partner=rssnyt&emc=rss&oref=slogin
http://www.theregister.co.uk/2008/05/29/comcast_domain_hijacked/

 --BPO Owner Allegedly Stole and Sold Former Customer's Data
(May 29, 2008)
The owner of a business process outsourcing (BPO) company in
Ahmedabad, India is accused of stealing data from a Florida company and
selling the information to that company's rivals within the US. The data
are valued at Rs 1 crore (US $233,809). Noble Ventures Inc, the Florida
company, cancelled its contract with Maulik Dave's company more than
three months ago. After the contract was cancelled, Dave allegedly
broke into Noble Ventures' database, stole 8.5 million records and sold
them.
http://timesofindia.indiatimes.com/Ahmedabad/City_BPO_accused_of_data_theft/articleshow/3081539.cms
[Editor's Note (Honan): Remember the insider threat also applies to
those you outsource to. Ensure that your termination process, be that
hostile or amicable, of contracts with outsourced providers includes
mechanisms to revoke any access to your systems they may have had.]
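The failure in this story is the gap between a contract ending and the
provider's access actually being removed. One way to close that gap is a
periodic reconciliation of contract end dates against every credential
recorded for the vendor. The following is an added example, not code from
the newsletter, from Noble Ventures, or from any real company's offboarding
process. It assumes two hypothetical inventories your contract and IAM
systems could export (contracts with an end date; credentials with owner,
system, identifier, active flag and last use); the sample data and vendor
names are constructed placeholders.

```python
"""Reconcile a terminated outsourcer's access against what is still live.

Added example, not from the newsletter or any real company's offboarding
process. It assumes two hypothetical inventories your IAM and contract
systems could export: contracts (vendor, end date) and credentials
(vendor, system, identifier, still active, last use). Sample data below
is constructed; the vendor names are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Contract:
    vendor: str
    ends: Optional[date]  # None means the engagement is still running


@dataclass(frozen=True)
class Credential:
    vendor: Optional[str]  # None: nobody recorded who this belongs to
    system: str            # e.g. "vpn", "db-replica", "sftp", "api-key"
    ident: str
    active: bool
    last_used: Optional[date]


@dataclass(frozen=True)
class Finding:
    vendor: Optional[str]
    system: str
    ident: str
    reason: str


# Constructed sample: one vendor whose contract ended three months ago but
# whose read-only database login is still active and was used after the
# end date, one vendor still under contract, and one credential with no
# recorded owner at all.
CONTRACTS = [
    Contract("bpo-example-a", date(2008, 2, 15)),
    Contract("bpo-example-b", None),
]
CREDENTIALS = [
    Credential("bpo-example-a", "vpn", "vpn-bpoa-01", active=False, last_used=date(2008, 2, 10)),
    Credential("bpo-example-a", "db-replica", "ro_bpoa", active=True, last_used=date(2008, 5, 20)),
    Credential("bpo-example-a", "sftp", "bpoa-drop", active=True, last_used=None),
    Credential("bpo-example-b", "vpn", "vpn-bpob-01", active=True, last_used=date(2008, 5, 28)),
    Credential(None, "api-key", "ak_3f9c", active=True, last_used=date(2008, 5, 1)),
]


def stale_access(contracts, credentials, today):
    """Active credentials that should have been revoked, worst first."""
    ended = {c.vendor: c.ends for c in contracts if c.ends is not None and c.ends <= today}
    findings = []
    for cred in credentials:
        if not cred.active:
            continue
        if cred.vendor is None:
            findings.append(Finding(None, cred.system, cred.ident, "no owner on record"))
        elif cred.vendor in ended:
            end = ended[cred.vendor]
            if cred.last_used is not None and cred.last_used > end:
                # Post-termination use is an incident to investigate, not cleanup.
                reason = f"used after contract end {end}"
            else:
                reason = f"still active after contract end {end}"
            findings.append(Finding(cred.vendor, cred.system, cred.ident, reason))
    # Post-termination use outranks dormant-but-live credentials in the queue.
    findings.sort(key=lambda f: (not f.reason.startswith("used after"), f.ident))
    return findings


if __name__ == "__main__":
    for f in stale_access(CONTRACTS, CREDENTIALS, today=date(2008, 5, 29)):
        print(f"{f.system:11} {f.ident:12} vendor={f.vendor} {f.reason}")
```

The check only works if every credential handed to a provider is recorded
with its owner in the first place; the "no owner on record" finding is
there because, in practice, the orphaned key is the one that survives
every offboarding.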

 --Conn. Atty. General Pushing BNY Mellon for More Specific
Breach Information
(May 28 & 29, 2008)
Connecticut Attorney General Richard Blumenthal says he will keep
pressing Bank of New York (BNY) Mellon for a complete accounting of all
individuals and organizations affected by its recently disclosed data
security breach. In February, backup tapes belonging to BNY Mellon
disappeared from the back of a van. "The delay in notification is
inexplicable and totally unacceptable," according to Blumenthal. The
breach is believed to affect as many as 4.5 million individuals.
http://media-newswire.com/release_1067289.html
http://www.wallstreetandtech.com/advancedtrading/showArticle.jhtml?articleID=208400880&cid=RSSfeed_TechWeb
[Editor's Note (Northcutt): This is quickly turning into a textbook case
of how not to handle a data breach. The 90 day delay in notification
followed by the fact they cannot demonstrate what is on the tape could
really impact them. Blumenthal may be grandstanding a bit, but his
efforts to get other states such as New Jersey heavily involved could
be bad for BNY Mellon. One of the things I have been watching for
major breaches is the stock price of the company. They went down less
than most similar banks on the day of the announcement and are up 1.5%
today. It seems that until and unless some of these class action suits
really hurt a company, breaches are going to be a yawner issue and
companies will not encrypt their backups.]

UPCOMING SANS WEBCAST SCHEDULE:

Tool Talk Webcast: Log Management: No Longer Optional - How to Choose the
Right Tool for the Job
WHEN: Tuesday, June 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Andrew Hay
http://www.sans.org/info/28704
Sponsored By: Q1 Labs http://www.q1labs.com/

Both network and security professionals agree - a log management
solution is no longer optional. It's now a required tool in their
arsenal. Unfortunately, many of their log management projects have
failed because the solution they chose was unable to support the size
and scope of the deployment and/or effectively deliver useful results.
During this webcast Andrew Hay will discuss important considerations
when selecting and deploying a log management solution for your
organization and how to avoid some of the pitfalls.

SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
http://www.sans.org/info/28709
Sponsored By: LogLogic http://www.loglogic.com/

The fourth annual Log Management Survey will compare and contrast how
respondents use their log data, their challenges, and what they hope to
derive out of their log data in the future.

SANS Special Webcast: Testing; vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
http://www.sans.org/info/28714
Sponsored By: Core Security http://www.coresecurity.com/

This webinar will arm you with all the necessary plans for using
penetration testing to investigate your organization's vulnerabilities,
defenses and configurations - including lab testing your processes - to
help you understand what the finished product should look like.

Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/28719

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
