From: The SANS Institute (NewsBites at sans.org)
Date: Tue Jun 10 2008 - 13:02:14 CDT
Tomorrow is the last day for early registration discounts for SANSFIRE
2008 (July 22-31 in Washington, DC).
Alan
*************************************************************************
SANS NewsBites June 10, 2008 Vol. 10, Num. 45
*************************************************************************
TOP OF THE NEWS
The Changing Landscape of Cyber Threats
Study Says Hong Kong and China Host Greatest Proportion of Malicious Sites
Trend Micro Won't Seek VB100 Certification
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Home Affairs Committee Report Says UK Not a Surveillance Society
UK Home Office Web Page Used in Phishing Scheme
US Presidential Candidates on Internet and Technology Issues
UK Government Depts Report Disciplinary Action for Data Breaches
MALWARE, VULNERABILITIES AND PATCHES
Kaspersky Wants Help Cracking Ransomware Encryption Key
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Dubai Development Company Investigating Data for Sale on eBay
MISCELLANEOUS
Australia Launches Threat Alert Service for SMBs
ISP's Plan to Use Targeted Ad Program Spurs Call for Investigation
Why Security is a Hard Sell
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--The Changing Landscape of Cyber Threats
(June 4, 2008)
Speaking at the Government Forum of Incident Response and Security Teams
(GFIRST) conference, Jeanie Larson, program manager of the Incident
Management Division at the US Department of Energy, said, "The old
perimeter model [of cyber security incident response] is ineffective."
If the absolute number of cyber attacks declines, it doesn't mean that
the cyber threat has declined. Instead, people responsible for
responding to cyber security incidents need to be on the lookout for
targeted attacks. Even one compromised workstation could be a more
serious threat than a large number of infections, depending on that
workstation's user. One hindrance to addressing emerging cyber threats
effectively is the difficulty many government agencies have with sharing
information with each other and even within their own organizations.
http://www.federalnewsradio.com/?nid=169&sid=1415201
[Editor's Note (Ranum): People keep saying stuff like "The old perimeter
model [of cyber security incident response] is ineffective" but I don't
see anyone offering a viable alternative. Isn't that a bit unsettling?
I've been in this industry long enough to watch some organizations
flip-flop back and forth repeatedly between perimeter and host security
approaches. They invariably find that neither, unless it is executed
with incredible discipline, works by itself. You can tell a security
n00b when they say the perimeter model doesn't work - just ask them
"what do you intend to do about DNS and ARP?" If they don't have a good
answer (they never do) take away their internet car-keys until they
sober up.
(Schultz): The lack of information sharing within U.S. government
agencies has been a problem over many years. Despite numerous attempts
to promote better information sharing, individuals within the government
tend to persist in viewing possession of security-related information,
especially information about security-related threats and incidents, as
power. Accordingly, they withhold information from others. ]
--Study Says Hong Kong and China Host Greatest Proportion of Malicious Sites
(June 4 & 6, 2008)
A report from McAfee says that the country domain hosting the highest
proportion of malicious websites is Hong Kong (.hk), with 19.2 percent
of tested websites hosting some type of malware. Following Hong Kong
are China (.cn) with 11.8 percent, and the Philippines (.ph) and Romania
(.ro). The likelihood of downloading malicious software while web
surfing increased 41 percent over last year, according to the report.
Among the safest country domains were Finland (.fi), Japan (.jp) and
Australia (.au); the .gov domain also had a very low incidence of
malicious sites. Of generic top-level domains, .info is still the
riskiest - 11.7 percent of .info sites potentially contain malware.
http://www.securityfocus.com/brief/749
http://www.gcn.com/online/vol1_no1/46417-1.html?topic=security&CMP=OTC-RSS
http://www.msnbc.msn.com/id/24966835/
--Trend Micro Won't Seek VB100 Certification
(June 8 & 9, 2008)
Trend Micro says it will no longer seek VB100 certification for its
products. The VB100 certification tests antivirus products against the
WildList, a small set of known malware samples, to see if they can
detect every sample without producing any false positives.
Trend Micro maintains that the most significant Internet threats are no
longer viruses, but Trojans and bot software, for which VB100 does not
test. Panda has not submitted its products for VB100 certification
since 2002. Standards and methods for testing antivirus products have
been hot topics for some time; earlier this year, companies that make
security software and the laboratories that conduct the testing agreed
to create the Anti-Malware Testing and Standards Organization (AMTSO)
to develop best practices and standards for testing the products. Virus
Bulletin, the company that conducts the VB100 testing, says that a
string of passed certifications indicates a well-maintained product.
The company says the WildList will evolve to include Trojans.
http://www.securityfocus.com/news/11522
http://www.pcworld.com/businesscenter/article/146833/antivirus_vendors_gripe_that_test_isnt_current.html
********************** SPONSORED LINKS *********************************
1) PCI Compliance: You Can't Be the Big Cheese if Your Network is Full of Holes
http://www.sans.org/info/29499
2) Expert Webcast: The Path to a Secure Application. A security
checklist to eliminate errors and design flaws that put you at risk.
http://www.sans.org/info/29504
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Home Affairs Committee Report Says UK Not a Surveillance Society
(June 9, 2008)
The UK House of Commons Home Affairs Committee has published a report
titled "A Surveillance Society," which expresses the committee's opinion
that the UK is not presently a surveillance society but could become one
if policies regarding data collection and retention are not clearly
established. The report recommends that "in the design of its policies
and systems for collecting data, the Government should adopt a principle
of data minimization: it should collect only what is essential, to be
stored only for as long as is necessary."
http://www.publications.parliament.uk/pa/cm200708/cmselect/cmhaff/58/58i.pdf
http://www.theregister.co.uk/2008/06/08/home_affairs_report_surveillance/print.html
http://www.heise-online.co.uk/security/UK-Parliament-rejects-surveillance-society-concept--/news/110875
[Editor's Note (Weatherford): This is an interesting subject for a
report by a government with over 4M CCTV cameras installed throughout
the country, one for every 14 people and where each person is monitored
on camera an average of 300 times a day. When you add in the electronic
footprint of cell phone calls, email, and credit card transactions, I'd
say they are getting pretty close to being what the report says they are
not.
(Honan): Interestingly, the 2007 annual report from Privacy International
shows the UK to have one of the most extensive surveillance societies
in the world and to be the country with the most surveillance within the
European Union:
http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597 ]
--UK Home Office Web Page Used in Phishing Scheme
(June 8, 2008)
Phishers managed to establish a phony web page on the UK's Home Office
crime reduction website. The attackers then sent out email messages
asking customers of a certain Italian bank to visit the fraudulently
established page and confirm their login credentials. The breach was
detected and resolved within a day.
http://www.telegraph.co.uk/news/uknews/2091958/Fraudsters-hack-into-Home-Office-website.html?service=print
--US Presidential Candidates on Internet and Technology Issues
(June 5, 2008)
This article lays out the major US presidential candidates' positions
on important technology issues, including net neutrality, broadband
availability, H1B visas, privacy and intellectual property. One analyst
observes that the current candidates "see the social Internet as another
form of broadcast media," but future candidates will need to harness the
power of social applications to get in touch with what voters are
thinking.
http://www.pcmag.com/print_article2/0,1217,a%253D228276,00.asp
--UK Government Depts Report Disciplinary Action for Data Breaches
(June 4, 2008)
The UK Department for Work and Pensions says it disciplined 20 employees
for data security infringements between April 2007 and March 2008. The
infringements included "breaches of data-protection requirements" and
"inappropriate use of personal or sensitive data." It does not appear
that any staff members were dismissed over the incidents. Over the same
period of time, HM Revenue & Customs (HMRC) disciplined 192 employees.
The two organizations employ roughly the same number of people.
http://www.zdnet.co.uk/misc/print/0,1000000169,39429132-39001093c,00.htm
MALWARE, VULNERABILITIES AND PATCHES
--Kaspersky Wants Help Cracking Ransomware Encryption Key
(June 6 & 8, 2008)
Kaspersky is asking for help in cracking a 1024-bit RSA key used in a
Trojan horse variant. The Gpcode Trojan horse program has been used in
ransomware attacks over the last two years and encrypts files on
infected computers; the attackers demand payment to unlock the files.
The key is generated with the Microsoft Enhanced Cryptographic Provider.
Researchers estimate that cracking the key would require millions of
computers working for about a year, so they are calling on others to
help.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818&source=rss_topic17
http://www.theregister.co.uk/2008/06/06/ransomeware_call_to_arms/print.html
[Editor's Note (Veltsos and Honan): While up to date anti-virus software
will provide protection against this type of attack, timely and up to
date backups provide the ultimate defence. A well tested daily backup
strategy would go a long way in preventing the need to crack 1024-bit
encryption in the first place by having a suitable Recovery Point
Objective (amount of tolerable data loss). The backups should be
encrypted, of course, but this time, you hold the key to your data.
(Northcutt): Well, it is interesting, I will spot you that. They have
published two RSA public keys and are asking folks to brainstorm ways
to factor the key. http://www.viruslist.com/en/weblog ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Dubai Development Company Investigating Data for Sale on eBay
(June 5, 2008)
Dubai-based Damac Properties is investigating how a database containing
personally identifiable information of more than 8,000 of its customers
turned up for sale on eBay. The offering has since been removed. The
compromised data include email addresses and phone numbers of investors
in the development company.
http://www.itp.net/news/521308-damac-clients-information-offered-on-ebay
[Editor's Comment (Northcutt): This has happened a couple of times. UC
Berkeley had a stolen laptop with about the same number of records turn
up for sale on eBay, as well:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/06/07/BAR9115907.DTL ]
MISCELLANEOUS
--Australia Launches Threat Alert Service for SMBs
(June 9, 2008)
The Australian government has launched an online Internet threat alert
service aimed at small and midsize businesses. The service is free and
offers advice on security threats and how to mitigate them. Other alert
services are tailored more to large companies with professional security
resources and expertise, but small businesses lack that sort of support.
The service will also alert customers to Australia-focused threats, such
as specific phishing schemes. Some believe that ISPs should still do
more to protect users from Internet threats.
http://www.zdnetasia.com/news/security/0,39044215,62042374,00.htm
--ISP's Plan to Use Targeted Ad Program Spurs Call for Investigation
(June 6, 2008)
Privacy and consumer advocacy groups in the US and Canada are calling
on US legislators to conduct an investigation into a cable television
and Internet provider's plan to launch a targeted advertising program.
St. Louis, Missouri-based Charter Communications plans to share
customers' web search information with NebuAd, a plan Charter maintains
will enhance its customers' online experience. There are reports that
other ISPs are considering similar schemes.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094498&source=rss_topic17
--Why Security is a Hard Sell
(May 26, 2008)
Bruce Schneier makes a strong argument for building security into
products rather than pursuing the arduous job of selling security
products as add-ons. Schneier says that the reason security products
are such a hard sell is exemplified in Prospect Theory, the foundation
of modern behavioral economics. In essence, the theory states that
people will choose a for-sure smaller gain over a possible larger gain,
but will opt for a possible big loss over a certain small loss. Simply
put in terms of security products, people are reluctant to make a small
investment to protect themselves from a security breach; instead, they
are willing to take the chance that they will not be the target of a
cyber security incident. Baking security into all products from the
start makes selling security a non-issue.
http://www.cio.com/article/print/367913
[Editor's Note (Weatherford): Once again, Bruce nails it with a
thought-provoking example that will help people re-evaluate and
repackage their approach to selling security.]
UPCOMING SANS WEBCAST SCHEDULE
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/28719
This monthly webcast discusses recent threats observed by the Internet Storm
Center, and discusses new software vulnerabilities or system exposures that
were disclosed over the past month. The general format is about 30 minutes
of presentation by senior ISC staff, followed by a question and answer
period.
Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent
Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
http://www.sans.org/info/28729
Sponsored By: ArcSight http://www.arcsight.com/
Today's business is digital across the board, relying on digital processes,
communications, assets, and commerce. This has spawned a massive increase in
fraud. We read about it nearly every week, and in almost every case, the
problem seems obvious in hindsight. Societe Generale, with $7 billion in
trading fraud, is the current poster child. Too often, fraud could have been
detected and stopped if only someone noticed the connection between several
activities, each of which was fine in isolation. Taken together, however,
they paint a picture of fraud.
SANS Special Webcast Series: Security Insights with Dr. Eric Cole
This month's topic: Information Security Priorities for the SMB
WHEN: Wednesday, June 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
http://www.sans.org/info/28734
SMBs need IT security solutions that are easy to adopt and maintain. How
are small and medium-size businesses (SMBs) adopting, using, and managing IT
security technologies, including security information management (SIM),
network security, intrusion prevention, application security, content
filtering, and network access control (NAC)? Leading areas of focus for SMB
security programs are data security and business continuity, followed by
application security and access control to support partners and channels as
their business grows. While these issues are not unlike those facing larger
enterprises, SMBs must prioritize their security program most carefully to
avoid costly pitfalls. Undiscovered security threats that slow down the
large enterprise can cause the SMB to close its doors if they are not
prepared for risk avoidance.
SANS Special Webcast: Endpoint Security: Point Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace http://www.coretrace.com/
Join SANS President Stephen Northcutt as he reviews the key features in
endpoint security that really matter, how to shop for the best products, and
why implementing defense in depth on your organization's endpoint is a best
practice.
Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach
Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
http://www.sans.org/info/28754
Sponsored By: Mu Security http://www.mudynamics.com/
This webcast will discuss some of the most egregious mistakes made by
enterprises and network operators who have suffered costly and/or
embarrassing security breaches.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/