SANS NewsBites Vol. 10 Num. 48

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jun 17 2008 - 13:25:14 CDT


*************************************************************************
SANS NewsBites June 17, 2008 Vol. 10, Num. 48
*************************************************************************
TOP OF THE NEWS
  Verizon Study Says Most Data Breaches are External
  Estonian Undersecretary of Defense Talks About Last Year's Cyber
     Attacks
  Man Exonerated After Examination Determines Malware Downloaded Pornography
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Canada Unveils Digital Copyright Reform Act
    Casino Workers Indicted for Allegedly Stealing Customer List
    Law Lords Hear McKinnon Extradition Appeal
    MySpace Awarded US $6 Million in Spam Case
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Presidential Directive Requires Biometric Database Interoperability
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Cisco Warns of Authentication Vulnerabilities in SNMP
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Indiana Credit Unions Investigating Unauthorized Overseas Withdrawals
  STATISTICS, STUDIES & SURVEYS
    Blogger Arrests on the Rise
    22 Percent of European PC Users Say They Were Hit by Cyber Crime
  MISCELLANEOUS
    Kaspersky Publishes Recovery Information for Files Encrypted
       by Gpcode Trojan
LIST OF UPCOMING FREE SANS WEBCASTS

********************** Sponsored By IBM (Watchfire) *********************

You wouldn't lock your front door and leave the windows wide open, so
why invest in network security if you have no plans for your Web
applications?
IBM(r) Rational(r) AppScan is an application scanner that monitors,
identifies and helps remediate security vulnerabilities. Download
AppScan and try it free today to see how it can help protect against
intrusion.
http://www.sans.org/info/29764

*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Verizon Study Says Most Data Breaches are External
(June 16, 2008)
A four-year study from Verizon of 500 data security breaches found that
73 percent of data loss incidents come from external sources.
Thirty-nine percent of the data breaches involved some level of business
partner responsibility, although it was not always deliberate. For
instance, attackers gained access to company systems by compromising
remote vendors' credentials. Insider data breaches, while less
prevalent than expected, were often more serious than their external
counterparts; the number of records compromised in internal breaches on
average exceeded the number compromised in external breaches by a factor
of 10.
http://www.out-law.com/page-9179
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/06/16/Insider_threat_exaggerated_says_study_1.html
http://www.heise-online.co.uk/security/Startling-findings-in-Verizon-Data-Breach-Report--/news/110936
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
[Editor's Note (Skoudis): This is a fascinating read, and kudos to
Verizon for releasing it. There are lots of gems here that I also see
in many of the breach cases I investigate, including: "Ninety percent
of known vulnerabilities exploited by these attacks had patches
available for at least six months prior to the breach," and, "...the
most common of which was data that was not known to be on the
compromised system." I encourage you to read the study to learn from
the mistakes of others.
(Kreitner): The learning that results from this kind of forensic
analysis of actual security failures is invaluable if it is used as
feedback to inform our security investments. It also is useful to guide
the selection of security outcome metrics we should be tracking on a
continuing basis to determine how well or poorly our security
investments are working. Cybersecurity begs for more application of
causality oriented feedback learning. The lack of this type of analysis
and feedback is a great weakness in so-called risk management.]

 --Estonian Undersecretary of Defense Talks About Last Year's Cyber Attacks
(June 16, 2008)
In an interview, Estonian undersecretary of Defense Lauri Almann
describes how his department responded to the barrage of cyber attacks
on government networks last spring. A team was assembled from a variety
of departments and organizations including Estonian CERT. They quickly
put out an alert to other CERTs worldwide to get international help.
Almann described two phases of attacks, the second more sophisticated
than the first. Although it is not possible to say with absolute
certainty who was responsible for the attacks, Almann says the attack
patterns make it clear that it was an organized effort.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=46457
[Editor's Note (Northcutt): This is an important article. Estonia
clearly realizes the next war they are involved in will have a
significant cyber warfare dimension. Another good article is a
reflection on the attack a year after the event:
http://news.zdnet.co.uk/security/0,1000000189,39408158,00.htm ]
(Veltsos): Botnets have changed the rules for network-based attacks. As
Mr. Almann points out, "There is no such thing as a personal computer.
Everyone's computer can be used to attack another country." Every
government entity needs to review its own readiness and response
procedures when faced with this type of unconventional attack. Botnets
are like a multi-headed hydra; striking down one host or IP address
results in new hosts on new IP addresses.
(Honan): One interesting point to come out of this interview is the
recommendation that incident response teams should constantly review
their response processes and tactics to prepare for new threats. If you
have not done so, I recommend you review your own IR processes to see
if they are up to date and suitable to the latest threat landscape
affecting your organisation.]

 --Man Exonerated After Examination Determines Malware Downloaded
Pornography
(June 16, 2008)
Prosecutors in Massachusetts have dropped charges against Michael Fiola,
who was accused of downloading child pornography onto his work computer.
Fiola was employed as an investigator at the Massachusetts Department
of Industrial Accidents (DIA). He was issued a laptop in November 2006
that was determined to have been misconfigured; an examination of the
computer turned up evidence that malware had surreptitiously downloaded
the images onto the computer. There is no evidence that the downloaded
images had ever been viewed on the computer. The content was discovered
during an investigation prompted by a broadband bill that was several
times those of his co-workers. Fiola was fired when the offending files
were found.
http://www.pcworld.com/businesscenter/article/147151/state_workers_child_porn_charges_dropped_virus_blamed.html
http://www.theregister.co.uk/2008/06/16/forensics_clear_child_abuse_suspect/print.html
[Editor's Note (Skoudis): I expect this case to be referenced a lot in
so-called "Trojan defenses", essentially blaming backdoors/bots on a
computer for malfeasance conducted by that machine. While it sounds
like that defense was legitimately applied in this case, the case will
likely be cited in other cases that aren't so clear.
(Northcutt): I wasn't there, haven't examined the computer, but it only
takes a page of Google results for "malware pornography" to come to the
conclusion that getting infected by malware when visiting porn sites is
much more likely than malware visiting porn sites to download pictures.]

********************** SPONSORED LINK *********************************
1) SANS WhatWorks: Easing the Pains of PCI Compliance at AirTran Airways
Read More
http://www.sans.org/info/29769

2) Expert Webcast: The Path to a Secure Application. A security
checklist to eliminate errors and design flaws that put you at risk.
http://www.sans.org/info/29774
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Canada Unveils Digital Copyright Reform Act
Canada has unveiled its own copyright protection and reform legislation.
Influenced by similar legislation in the USA and other countries, it is
a bill that " ...balances the interests of Canadians who use digital
technology and those who create content," according to Government
sources. A previous version of the bill had been denounced by consumer
advocates and retracted. The impact will likely be far reaching, with
heavy penalties for uploading content and circumvention of digital
'locks'. Worrisome are limitations making backup copies of CDs or DVDs
illegal. Canadian law will likely now be more concerned with policing
and restricting digital content use than privacy or consumer protection.
(Thanks to Adrien de Beaupre, SANS Internet Storm Center Handler, for
this report.)
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3570473&file=4
Some commentary here: http://www.michaelgeist.ca/tags/canadian+dmca

 --Casino Workers Indicted for Allegedly Stealing Customer List
(June 16 & 17, 2008)
Three casino workers have been indicted on charges related to the theft
of a list of more than 20,000 "top level players" from the Tropicana
Casino and Resort in Atlantic City, NJ. The three were once employed
at the Tropicana, but have since left for jobs at other casinos. The
data on the list include names, addresses, and gambling data. John
Conklin, Justin Litterelle and James DiMarco were all charged with theft
by unlawful taking, computer theft and conspiracy. Conklin also faces
a charge of witness tampering for allegedly having a lawyer make
Litterelle sign a false affidavit saying that Conklin had not asked him
to download the information.
http://cbs3.com/newjerseywire/22.0.html?type=local&state=NJ&category=n&filename=NJ--Tropicana-PlayerL.xml
http://www.nj.com/southjersey/index.ssf/2008/06/three_charged_with_stealing_tr.html
http://www.newsday.com/news/local/wire/newjersey/ny-bc-nj--tropicana-playerl0616jun16,0,289889.story

 --Law Lords Hear McKinnon Extradition Appeal
(June 16 & 17, 2008)
Gary McKinnon's extradition appeal is now before the House of Lords.
McKinnon is accused of breaking into US government computers from his
home in London. He has been fighting extradition to the US because he
fears a lengthy sentence and being treated like a terrorist. The Law
Lords will examine alleged threats made by US authorities. McKinnon has
admitted to accessing the computer systems in question but maintains
that he was merely curious and that the networks had lax security.
McKinnon's legal team said that if this effort proved unsuccessful, they
would take his case to the European Court of Human Rights.
http://news.bbc.co.uk/2/hi/uk_news/7456216.stm
http://www.theregister.co.uk/2008/06/16/mckinnon_law_lords/print.html
http://news.scotsman.com/uk/Scot-fights-US-hacking-move.4190558.jp

 --MySpace Awarded US $6 Million in Spam Case
(June 16, 2008)
A court-appointed arbitrator has ruled that Scott Richter and his
company Media Breakaway must pay MySpace US $6 million in damages and
legal fees for inundating MySpace members with spam. Some of the spam
was allegedly sent from hijacked accounts; Media Breakaway maintained
that independent contractors sending messages for the company are to
blame for the problem.
http://www.usatoday.com/tech/news/computersecurity/2008-06-16-myspace-win_N.htm?csp=34
http://news.cnet.com/8301-10784_3-9969899-7.html
http://www.cio.com/article/397663/Former_spam_King_Must_Pay_MySpace_Million
[Editor's Note (Shpantzer): Outsourcing to contractors is like
delegating to your employees. They will do the work, correctly or
incorrectly, but the responsibility is still yours.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Presidential Directive Requires Biometric Database Interoperability
(June 5 & 16, 2008)
A presidential directive released earlier this month "establishes a
framework to ensure that Federal executive departments and agencies use
mutually compatible methods and procedures in the collection, storage,
use, analysis, and sharing of biometric ... information" so they can
easily share the information. Agencies will also be required to make
sure they comply with privacy and information security laws, policies
and procedures.
http://www.fcw.com/print/22_17/policy/152825-1.html?type=pf
http://www.fas.org/irp/offdocs/nspd/nspd-59.html
[Editor's Comment (Northcutt): Yeah, and what controls will be in place
to ensure the system designed to protect us against "KST"s (Known and
Suspected Terrorists) will not be abused? Anyway, it is a fascinating
technical and database problem, how do you compare a fingerprint to an
iris scan. Here are the standards; they were announced in February of
this year: http://engineers.ihs.com/news/standards/biometrics.htm ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Cisco Warns of Authentication Vulnerabilities in SNMP
(June 13, 2008)
Cisco has issued an advisory warning of two security flaws in version 3
of the Simple Network Management Protocol (SNMP). The authentication
vulnerabilities could be exploited to gain access to system data or
change network equipment configurations. The vulnerabilities affect a
number of Cisco products, although Cisco products ship with SNMP turned
off by default. Patches for the flaws are available.
http://www.gcn.com/online/vol1_no1/46464-1.html?topic=security&CMP=OTC-RSS
http://www.cisco.com/en/US/products/products_security_advisory09186a00809ac83b.shtml
[Editor's Note (Skoudis): This is an interesting one, given that one of
the reasons to move to SNMPv3 is its improved security over earlier
versions. Please test and deploy these patches quickly if you used
SNMPv3 in your Cisco environment. Because SNMP messages occur over UDP,
they can be easily spoofed. One can imagine tools that spray spoofed
UDP messages into a target environment that take advantage of this
flaw.]
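The advisory's practical question for an operator is where SNMP, and SNMPv3 in particular, is actually enabled, since that is where the patch matters first. The script below is an added example, not code from Cisco, SANS or the advisory: it inventories SNMP settings from Cisco IOS running-config text and ranks the findings. The three device configurations are constructed for illustration; the `snmp-server community`, `snmp-server group ... v3 {noauth|auth|priv}` and `snmp-server user ... v3` line shapes are standard IOS syntax, but the script assumes group lines precede the user lines that reference them, and real running-configs do not normally show v3 user lines at all (those come from `show snmp user`), so treat the parsing as a starting point rather than a complete audit.

```python
"""Inventory SNMP exposure from Cisco IOS running-config text.

Added example (not from the advisory, Cisco or SANS).  The configs below
are constructed.  Goal: find which devices have SNMP enabled at all, and
which have SNMPv3 groups/users configured, so the SNMPv3 patches can be
prioritised and weak settings (v1/v2c communities, noauth v3) surfaced.
"""
import re

# Constructed sample configs (hypothetical hostnames, not real devices).
CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha ******** priv aes 128 ********
snmp-server host 192.0.2.10 version 3 priv monitor
""",
    "core-sw-2": """\
hostname core-sw-2
snmp-server group OPS v3 noauth
snmp-server user ops OPS v3
""",
    "lab-rtr-3": """\
hostname lab-rtr-3
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
""",
}

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?")


def audit_snmp(config: str) -> dict:
    """Return a summary of the SNMP settings found in one running-config."""
    summary = {
        "enabled": False,
        "communities": [],   # (name, mode) for v1/v2c community strings
        "v3_groups": {},     # group name -> security level
        "v3_users": [],      # (user, group, level inherited from group)
    }
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no snmp-server":
            # The IOS command that disables the agent entirely.
            summary["enabled"] = False
            continue
        if not line.startswith("snmp-server"):
            continue
        summary["enabled"] = True  # any snmp-server line means the agent runs
        m = COMMUNITY_RE.match(line)
        if m:
            summary["communities"].append((m.group(1), m.group(2) or "RO"))
            continue
        m = GROUP_RE.match(line)
        if m:
            summary["v3_groups"][m.group(1)] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            user, group = m.groups()
            # Assumes the group line was seen first; otherwise "unknown".
            level = summary["v3_groups"].get(group, "unknown")
            summary["v3_users"].append((user, group, level))
    return summary


def findings(name: str, s: dict) -> list:
    """Turn a summary into prioritised, human-readable findings."""
    out = []
    if not s["enabled"]:
        return out
    if s["v3_users"] or s["v3_groups"]:
        out.append(f"{name}: SNMPv3 configured; apply the SNMPv3 fix first")
    for user, group, level in s["v3_users"]:
        if level == "noauth":
            out.append(f"{name}: v3 user {user!r} in group {group!r} is noauth "
                       "(no HMAC, no privacy)")
    for comm, mode in s["communities"]:
        out.append(f"{name}: v1/v2c community {comm!r} ({mode}) still present")
    return out


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        for f in findings(name, audit_snmp(cfg)):
            print(f)
```

Run against a directory of `show running-config` captures, the device list this produces is the patch queue: SNMPv3 devices first, then anything still answering to a community string, which the SNMPv3 fix does not help at all.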

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Indiana Credit Unions Investigating Unauthorized Overseas Withdrawals
(June 16, 2008)
Teachers Credit Union in South Bend, Indiana, is investigating reports
from about 100 members that funds had been withdrawn from their accounts
via ATMs in Russia, the Ukraine, and other overseas locations. Ten
members of Notre Dame Federal Credit Union reported unauthorized
withdrawals as well.
http://www.chicagotribune.com/news/chi-ap-in-creditunions-brea,0,5481329,print.story
http://www.wsbt.com/news/local/19979729.html
[Editor's Note (Veltsos): Credit card companies employ theft prevention
systems requiring travelers to provide advance notice of which countries
would be visited. Banks, credit unions, and payment networks might do
well to consider implementing a similar deny-all, allow-only-permitted
approach.]
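The "deny-all, allow-only-permitted" approach suggested in the note above, as an added example that is not code from the credit unions, the article or the editor: withdrawals are approved only in the member's home country or in a country covered by an active travel notice, and a second, independent check refuses two different countries within a window a traveller could not plausibly cover. The member record, travel notice, transactions and the six-hour threshold are all constructed for illustration.

```python
"""Default-deny country check for ATM/card withdrawals.

Added example, not from any credit union or payment network.  Everything
below (member, travel notice, transactions, the 6-hour window) is
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed threshold: two different countries closer together than this
# are treated as implausible for one traveller.  Tune per network.
MIN_COUNTRY_GAP = timedelta(hours=6)


@dataclass
class TravelNotice:
    country: str          # ISO 3166-1 alpha-2, e.g. "FR"
    start: datetime
    end: datetime


@dataclass
class Member:
    member_id: str
    home_country: str
    notices: list = field(default_factory=list)


@dataclass
class Withdrawal:
    member_id: str
    country: str
    amount: float
    when: datetime


def permitted_countries(member: Member, when: datetime) -> set:
    """Countries allowed at `when`: home plus any travel notice active then."""
    allowed = {member.home_country}
    for n in member.notices:
        if n.start <= when <= n.end:
            allowed.add(n.country)
    return allowed


def authorize(member: Member, txn: Withdrawal, history: list) -> tuple:
    """Return (approved, reason).  Anything not explicitly permitted is denied.

    `history` holds the member's recent approved withdrawals and feeds the
    second check: a different country within MIN_COUNTRY_GAP of an approved
    withdrawal is refused even if that country is on the allow list.
    """
    if txn.country not in permitted_countries(member, txn.when):
        return False, f"country {txn.country} not permitted for {member.member_id}"
    for prior in history:
        gap = abs(txn.when - prior.when)
        if prior.country != txn.country and gap < MIN_COUNTRY_GAP:
            return False, f"{prior.country} then {txn.country} within {gap}"
    return True, "ok"


def demo() -> list:
    """Run constructed transactions through the check; returns (country, ok, reason)."""
    now = datetime(2008, 6, 14, 9, 0)
    member = Member(
        "TCU-0001", "US",
        notices=[TravelNotice("FR", now - timedelta(days=1), now + timedelta(days=10))],
    )
    txns = [
        Withdrawal("TCU-0001", "US", 200, now),                              # home
        Withdrawal("TCU-0001", "RU", 500, now + timedelta(hours=1)),         # no notice
        Withdrawal("TCU-0001", "FR", 100, now + timedelta(days=2)),          # notice active
        Withdrawal("TCU-0001", "UA", 300, now + timedelta(days=2, hours=1)), # no notice
        Withdrawal("TCU-0001", "US", 50, now + timedelta(days=2, hours=2)),  # home, but FR 2h ago
    ]
    approved, results = [], []
    for t in txns:
        ok, why = authorize(member, t, approved)
        results.append((t.country, ok, why))
        if ok:
            approved.append(t)
    return results


if __name__ == "__main__":
    for country, ok, why in demo():
        print(f"{country}: {'APPROVED' if ok else 'DENIED'} ({why})")
```

The allow list is evaluated at the transaction's own timestamp, so an expired travel notice stops working on its own; the velocity check is deliberately separate so that a stolen card used abroad during a genuine trip is still caught if the member's own transactions place them somewhere else.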

STATISTICS, STUDIES & SURVEYS
 --Blogger Arrests on the Rise
(June 16, 2008)
The most recent World Information Access (WIA) report, an annual report
from the University of Washington, found that 64 people have been
arrested since 2003 for blogging about their personal opinions about
their governments or human rights abuses. There were 36 arrests for
blogging on political issues in 2007; three times higher than the
previous year's figure. More than half of the 64 arrests were made in
just three countries -- China, Egypt, and Iran -- although bloggers have
also been arrested in the US, the UK, France and Canada. The average
prison sentence for those arrested was 15 months.
http://news.bbc.co.uk/2/hi/technology/7456357.stm
http://www.wiareport.org/index.php/2008-briefing-booklet/

 --22 Percent of European PC Users Say They Were Hit by Cyber Crime
(June 9, 2008)
A study of 7,000 European PC users found that 22 percent have
experienced some type of cyber crime. When asked if they believed they
would ever be victims of certain types of crimes, 34 percent of
respondents said they believed they would experience cyber crime, while
22 percent said they would likely be hit by burglary. Among specific
countries, 32 percent of Italian people had experienced cyber crime,
while 31 percent of UK respondents said the same thing. The survey was
conducted by Ipsos on behalf of AVG Technologies.
http://www.vnunet.com/vnunet/news/2218582/national-economies-threatened

MISCELLANEOUS
 --Kaspersky Publishes Recovery Information for Files Encrypted
by Gpcode Trojan
(June 16, 2008)
Kaspersky Lab, which earlier this month called for a group effort to
crack a 1,024-bit encryption key used in a new variant of ransomware,
has published information about how to recover files that the Gpcode.ak
Trojan horse program has encrypted. Kaspersky's call for a group effort
to crack the encryption key used by Gpcode.ak met with resistance from
some researchers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9098338&source=rss_topic17

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast Series: Security Insights with Dr. Eric Cole
This month's topic: Information Security Priorities for the SMB
WHEN: Wednesday, June 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
http://www.sans.org/info/28734

SMBs need IT security solutions that are easy to adopt and maintain.
How are small and medium-size businesses (SMBs) adopting, using, and
managing IT security technologies, including security information
management (SIM), network security, intrusion prevention, application
security, content filtering, and network access control (NAC)? Leading
areas of focus for SMB security programs are data security and business
continuity, followed by application security and access control to
support partners and channels as their business grows. While these
issues are not unlike those facing larger enterprises, SMBs must
prioritize their security program most carefully to avoid costly
pitfalls. Undiscovered security threats that slow down the large
enterprise can cause the SMB to close its doors if they are not prepared
for risk avoidance.

SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace http://www.coretrace.com/

Join SANS President Stephen Northcutt as he reviews the key features in
endpoint security that really matter, how to shop for the best products,
and why implementing defense in depth on your organization's endpoint
is a best practice.

SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Tanya Baccam
https://www.sans.org/webcasts/show.php?webcastid=91968

This keynote is an introduction to some of the Oracle Database risks that
exist, and highlights the "Top 10" critical areas that should be
checked when conducting an Oracle database audit.

Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach
Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
http://www.sans.org/info/28754
Sponsored By: Mu Security http://www.mudynamics.com/

This webcast will discuss some of the most egregious mistakes made by
enterprises and network operators who have suffered costly and/or
embarrassing security breaches.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com. He authors the critical vulnerabilities section of the
SANS Institute's weekly @RISK newsletter and is the project manager for
the SANS Top 20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Christophe Veltsos is president of the Mankato Chapter of the ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
