SANS NewsBites Vol. 10 Num. 49

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jun 20 2008 - 13:12:55 CDT



A surprising result appeared in the first large test of the secure
coding assessment exams in Java and C: they found that programmers are
exceptionally well versed in the types of vulnerabilities that may crop
up, but shockingly unable to find and fix those vulnerabilities.
Apparently security awareness classes do not solve the problem, but give
false confidence. Another large scale test - on line and live (in DC) -
is coming next month. If you have at least 100 programmers and can
persuade ten or so to test the assessment and give feedback, please
email spa@sans.org. They will get a lot of value from it.
                                Alan

*************************************************************************
SANS NewsBites June 20, 2008 Vol. 10, Num. 49
*************************************************************************
TOP OF THE NEWS
  Appeals Court Grants 4th Amendment Protection to Electronic Messages
  Software Engineer First to be Sentenced Under Economic Espionage Act
  Swedish Parliament Passes Eavesdropping Law
  US Congress to Consider Eavesdropping Law
  Voting Machine Trade Group Wants to Help Draft Certification Standards
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    High School Seniors Face Prison for Hacking
  SPYWARE, SPAM & PHISHING
    NebuAd Comes Under Fire for Allegedly Violating User Privacy and
     Security
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Critical Flaw Affects Firefox Versions 3.0 and 2.x
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Indiana Bank Server Breach Leads to Unauthorized ATM Withdrawals
    Citibank Server Breach Likely Source of Compromised ATM Cards
    Photobucket Blames DNS Problem for Attack
  STANDARDS & BEST PRACTICES
    Brokerage Fined for Lax Customer Data Security Safeguards
  MISCELLANEOUS
    Java Jive
    Smuggling Ring's Computers Held Nuclear Weapon Blueprints
LIST OF UPCOMING FREE SANS WEBCASTS

*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Appeals Court Grants 4th Amendment Protection to Electronic Messages
(June 19, 2008)
The 9th US Circuit Court of Appeal has ruled that employers may not
access employees' text and email messages if the company has contracted
with an outside organization to transmit those messages. According to
the ruling, employers may only access employees' email if the messages
are stored on an internal server. The original case was brought by
Ontario, California police officers who sued after a wireless provider
gave the police department records of text messages they had received.
This is the first federal appellate decision to provide 4th Amendment
protection to electronic messages.
http://www.usatoday.com/tech/news/techpolicy/2008-06-19-privacy-work-communications_N.htm?csp=34
http://www.latimes.com/business/la-me-text19-2008jun19,0,933444.story
[Editor's Note (Schultz): The Fourth Amendment protects individuals from
unreasonable search and seizure. As such, a strong case can be made for
employees who contest the right of employers to intercept and read
employees' email. The fact that this ruling basically allows companies
access to employees' messages if a company's mail servers are involved,
but not when mail services are outsourced is a fascinating twist to this
controversial legal issue.
(Skoudis): If this decision holds, it has some pretty important
implications on outsourcing of messaging services. On numerous
occasions, I've had CIOs tell me that they were thinking about dumping
their costly and difficult-to-maintain internal mail infrastructure and
going to something like a private branded Gmail. A ruling like this
would certainly complicate such plans, especially for enterprise
incident handlers.
(Veltsos): While the city had notified employees of its email and text
message monitoring policy, it had not consistently applied such policy
across its workforce and chose instead to focus on a few individuals.
Employers must take notice and review their outsourced communications
service contracts to ensure a balance of right-to-monitor, employee
privacy expectations, and consistent policy enforcement. ]

 --Software Engineer First to be Sentenced Under Economic Espionage Act
(June 18 & 19, 2008)
Software engineer Xiaodong Sheldon Meng has been sentenced to two years
in prison for economic espionage. Meng will also serve three years of
supervised release following the completion of his prison sentence, pay
a US $10,000 fine, and forfeit computer equipment seized in his case.
The sentence is the first handed down under the Economic Espionage Act
of 1996. Meng stole proprietary information from his former employer,
Quantum3D Inc., and used it in presentations to make sales to foreign
government representatives.
http://www.cybercrime.gov/mengSent.pdf
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/06/19/BARD11B9U7.DTL
[Editor's Note (Skoudis): This is the first sentence under that 12 year
old act. I expect this to be the first of many in coming years, given
the evolving nature of espionage.]

 --Swedish Parliament Passes Eavesdropping Law
(June 19, 2008)
New legislation in Sweden will allow the country's intelligence bureau
to snoop on international phone calls, email and faxes. The
surveillance can be conducted without first obtaining a court order.
Critics of the new law say it tramples people's individual rights.
Proponents counter that the law is a necessary move to protect national
security.
http://news.bbc.co.uk/2/hi/europe/7463333.stm
[Editor's Comment (Northcutt): there was blog talk about protesting in
the streets and the like before the vote, but after the law was passed
as near as I can tell from Internet searches, no such thing happened.
The law passed by 143 to 138 and with some maneuvering, it takes
effect in January. This is genuine big brother stuff, so Europe's
traditional stand for privacy seems to be softening. You will recall
France has passed a law to stop Internet piracy that is also fairly
invasive. The really interesting thing is that the Scandinavian
telephone system is tightly intertwined so this will affect neighboring
countries as well:
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4150152.ece
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4173030.ece]

 --US Congress to Consider Eavesdropping Law
(June 19, 2008)
New FISA legislation in the US will allow the country's intelligence
bureaus to snoop on international phone calls, email and faxes. The
surveillance can be conducted without first obtaining a court order.
Critics of the new law say it tramples people's individual rights.
Proponents counter that the law is a necessary move to protect national
security.
http://www.cnn.com/2008/POLITICS/06/19/congress.wiretaps/index.html
http://www.eff.org/files/filenode/att/FISAINTRO_001_xml.pdf
[Editor's Comment (Northcutt): I've got the deja vu feeling all over again.]

 --Voting Machine Trade Group Wants to Help Draft Certification Standards
(June 19, 2008)
The Election Technology Council (ETC), an industry trade group that
represents voting system providers, has issued a report calling for a
voice in developing voting system certification requirements. The
report says that the process, currently overseen by the Election
Assistance Commission (EAC), is "a broken system that treats the
regulated industry more as an adversary and less as a key stakeholder."
Voting system manufacturers are not technically a regulated industry,
despite ETC's claim, because EAC is not a regulatory agency and the
certification process is voluntary. However, 80 percent of US states
require some level of certification for voting systems to be used in
elections.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=46489
http://www.electiontech.org/documents/ETC-BROKEN.pdf

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --High School Seniors Face Prison for Hacking
(June 18 & 19, 2008)
Two California high school students are facing charges for a variety of
offenses related to unauthorized access to the school's computers.
Tesoro High School senior Omar Khan allegedly stole teachers' login
credentials with spyware and used the information to change his grades
and those of others. He also allegedly broke into the school building
after hours to conduct the attacks. Administrators were alerted to the
situation when they noted a change in the normally mediocre student's
grades, and they notified authorities. Khan faces a variety of charges
including unauthorized computer access, burglary, identity theft and
receiving stolen property; if convicted on all counts, he could face up
to 38 years in prison. His alleged co-conspirator Tanvir Singh, also a
senior, faces charges of hacking, burglary and conspiracy, which could
bring him a maximum sentence of three years. Khan and Singh also
allegedly broke into the school in an attempt to steal a test.
http://www.theregister.co.uk/2008/06/19/teen_school_hack_charges/print.html
http://www.ocregister.com/ocregister/homepage/abox/article_2071946.php

SPYWARE, SPAM & PHISHING
 --NebuAd Comes Under Fire for Allegedly Violating User Privacy and Security
(June 19, 2008)
NebuAd, a targeted behavioral advertising company, has come under fire
from advocacy groups for "wiretapping, forgery and browser hijacking."
NebuAd is being used by US Internet service providers (ISPs) to provide
a service much like that offered by Phorm in the UK. According to a
technical report, NebuAd's activity is comparable to a malicious
intrusion - it hijacks browsers, conducts man-in-the-middle attacks and
performs a number of other objectionable actions.
http://www.heise-online.co.uk/security/Report-slams-US-advert-server-for-wiretapping-forgery-and-browser-hijacking--/news/110957
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9100378&source=rss_topic17
http://www.freepress.net/files/NebuAd_Report.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Critical Flaw Affects Firefox Versions 3.0 and 2.x
(June 19, 2008)
Just hours after Mozilla released Firefox version 3.0, researchers have
notified the company of a security flaw that could be exploited to
execute arbitrary code. The flaw also requires some user action to be
exploited. The flaw affects Firefox versions 3.0 and 2.x, which means
it was not introduced in the new version of the browser. No details of
the flaw will be released until Mozilla has made a fix available.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=open_source&articleId=9100878&taxonomyId=88&intsrc=kc_top
http://www.gcn.com/online/vol1_no1/46494-1.html?topic=security&CMP=OTC-RSS
http://www.securityfocus.com/brief/759
[Editor's Note (Skoudis): Perhaps this could be a new olympic sport --
speed vulnerability finding. Actually, it sounds like the people who
discovered the flaw knew about it before the much-hyped Firefox 3.0
release, and timed their sale of the vulnerability information to
TippingPoint to coincide with the 3.0 release. It's just a theory, but
I'll bet that the vuln info was much more valuable given the new version
hype.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Indiana Bank Server Breach Leads to Unauthorized ATM Withdrawals
(June 19, 2008)
A server breach at 1st Source Bank in South Bend, Indiana on May 12 is
the likely source of information used in a rash of fraudulent ATM
transactions in Russia, Ukraine, Turkey and the Czech Republic. The
fraud affects bank customers and credit union members of at least six
institutions in the area. The breached server held ATM transaction data
for 1st Source and other institutions that used 1st Source ATMs. 1st
Source shut down all its compromised cards and issued new ones to its
members; it also informed the other institutions that the information
had been compromised.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101158&source=rss_topic17

 --Citibank Server Breach Likely Source of Compromised ATM Cards
(June 18, 2008)
According to court documents, federal prosecutors say that cyber
attackers breached the security of a Citibank server that processes ATM
withdrawals, possibly harvesting the account details and PINs in
real-time during legitimate transactions. Two men have been charged in
connection with fraudulent use of the compromised accounts; the pair
allegedly withdrew hundreds of thousands of dollars. The men are not
believed to be responsible for the server breach, but did obtain the
stolen information and used it to manufacture phony ATM cards. The
alleged intrusion and subsequent crime spree may also be an explanation
for Citibank's decision to reduce the maximum amount for ATM withdrawals
late last year. According to a sworn affidavit, Citibank notified the
FBI that "a Citibank server that processes ATM withdrawals at 7-Eleven
convenience stores had been breached." The two men charged in the case,
Yuriy Ryabinin and Ivan Biltse, also allegedly stole significant sums
of money through fraudulent use of iWire prepaid MasterCard accounts.
http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html

 --Photobucket Blames DNS Problem for Attack
(June 18, 2008)
The Photobucket photo sharing website came under DNS attack earlier this
week. Instead of seeing pictures, site visitors were treated to a
message in Turkish from the attacker. Photobucket says the problem
was related to "an error in [its] DNS hosting services," and that no
personal information was compromised. The problem was fixed within an
hour of its discovery. Some researchers say the explanation does not
ring true and want Photobucket to clarify the situation.
http://www.theregister.co.uk/2008/06/18/photobucket_dns_hack/print.html

STANDARDS & BEST PRACTICES
 --Brokerage Fined for Lax Customer Data Security Safeguards
(June 19, 2008)
The UK's Financial Services Authority (FSA) has fined Merchant
Securities Group Limited GBP 77,000 (US $152,000) for providing
inadequate protection for its customers' personal data. Among the
problems cited are the use of instant messaging and web-based email and
failing to verify the identities of customers who phoned the company.
In addition, unencrypted backup tapes of customer data were stored at a
staff member's home. There is no evidence that any customer information
was compromised.
http://www.theregister.co.uk/2008/06/19/fsa_fines_msgl/print.html
http://www.heise-online.co.uk/security/UK-stockbrokers-fined-Lb77-000-for-lax-security--/news/110966
[Editor's Note (Honan): Having staff take backup tapes home is a common
"cost effective" tape offsite solution. However, as this story points
out, that practice exposes data to considerable risk. Given the
availability and competitiveness of many Internet based backup solutions
these companies should look more closely at this option.]

MISCELLANEOUS
 --Java Jive
(June 17, 2008)
Risk Advisory Services manager Craig Wright notes that his Internet
connected Jura Impressa F90 coffee maker has a number of software flaws
that could be exploited to change the brewing strength of the coffee,
change the amount of water used for each cup, possibly causing puddles,
and engineer incompatible settings that break the machine. Attackers
could also "gain access to the Windows XP system it is running on at the
level of the user."
http://www.securityfocus.com/archive/1/493387
http://it.slashdot.org/article.pl?no_d2=1&sid=08/06/17/1941200
[Editor's Note (Honan): On numerous occasions when working with clients
I have discovered issues with these types of devices that have undermined
the security of their network. Default passwords, misconfigurations and
unpatched operating systems can allow these devices to be a point of attack
onto your network. So make sure you include them in your risk
assessment, vulnerability management process and protect them
accordingly.
(Veltsos): This past year many security researchers have been raising
the alarm about the vulnerabilities hiding in embedded devices. Many
such devices run trimmed-down operating systems (often Linux-derived),
come bundled with outdated or exploitable programs, and offer little or
no patching capability. As more devices become internet-capable, the
threat landscape expands into unconventional and often overlooked
devices, from coffee makers to fridges, from digital picture frames to
internet webcams.
(Kreitner): Finally, cyber security will get some attention when people
realize it could mess with their coffee. That's serious. Call in the
risk managers. Get on this right away.]

 --Smuggling Ring's Computers Held Nuclear Weapon Blueprints
(June 15 & 16, 2008)
According to a draft report from former UN arms inspector David
Albright, an international smuggling ring somehow obtained blueprints
for an advanced nuclear warhead. The information was found in 2006 on
computers belonging to the group. There is no way of knowing if the
information was shared with other countries or groups before the
computers were seized.
http://www.msnbc.msn.com/id/25169704
http://www.guardian.co.uk/world/2008/jun/16/nuclear.pakistan

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast: Endpoint Security: Point-Solution or Protection
Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
http://www.sans.org/info/30044
Sponsored By: CoreTrace http://www.coretrace.com/

The continuous and rapid changes in malware and antivirus solutions are
a reflection of the creativity and passion today's hackers and
cyber-criminals have for damaging and disrupting an individual or
organizational IT environment. As malware improves, better endpoint
security solutions must follow. Currently it is unlikely an endpoint
system outside of a corporate network could survive a determined
attacker's efforts. Classic personal firewall and antivirus solutions
are not proving to be enough in the fight against malware, and products
in these markets are being replaced with endpoint protection often using
whitelisting techniques to help enterprises with performance gains and
reduction in security related costs. This webcast will discuss the
current trends in endpoint solutions and offer guidance on finding the
functionality you need in both commercial and free tools, even if it
comes from multiple solutions. Join SANS President Stephen Northcutt
as he reviews the key features in endpoint security that really matter,
how to shop for the best products, and why implementing defense in depth
on your organization's endpoints is a best practice.

SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam
https://www.sans.org/webcasts/show.php?webcastid=91968

This keynote is an introduction to some of the Oracle Database risks
that exist, and highlights the "Top 10" critical areas that should be
checked when conducting an Oracle database audit.

Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach
Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
http://www.sans.org/info/28754
Sponsored By: Mu Security http://www.mudynamics.com/

This webcast will discuss some of the most egregious mistakes made by
enterprises and network operators who have suffered costly and/or
embarrassing security breaches.

SANS Special Webcast: A 2008 Perspective on Malicious Software
WHEN: Tuesday, July 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/29803

In this webcast, Lenny Zeltser surveys the characteristics of today's
malware, exemplified by recently-seen bots, downloaders, keyloggers, and
malicious scripts. He discusses samples that employed self-defense,
social engineering, fast-flux DNS, man-in-the-middle attacks, extortion
demands, and so on. Tune in to better understand what we're up against.
This talk will expand your perspective of the modern malware landscape,
empowering you to adjust your defenses and risk mitigation strategies.

Internet Storm Center: Threat Update
WHEN: Wednesday, July 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich and Michael Yaffe
http://www.sans.org/info/29808
Sponsored By: Core Security http://www.coresecurity.com/

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Christophe Veltsos is president of the Mankato Chapter of the ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
