From: The SANS Institute (NewsBites sans.org)
Date: Tue Jun 24 2008 - 13:27:07 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tomorrow (Wednesday) is the late registration deadline for savings for
SANSFIRE 08 in Washington, DC (http://www.sans.org/sansfire08).
Alan
*************************************************************************
SANS NewsBites June 24, 2008 Vol. 10, Num. 50
*************************************************************************
TOP OF THE NEWS
House Approves FISA Amendments Act, Telecoms Get Retroactive Immunity
PCI Standard Section 6.6 Addresses Web Application Security
Microsoft Tool Ousts Password Stealing Malware from 2 Million PCs
Dutch Researchers Break Mifare RFID Technology
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Alleged Earthquake Warning Hacker Arrested
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mac OS X Trojans Detected
Apple's Safari Update Addresses Blended Threat
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Disk Holds Scottish Ambulance Service Call Data
Stolen Computer Holds Outsourced Human Resources Data
Florida Bank Notifies Customers of Debit Card Data Breach
STATISTICS, STUDIES & SURVEYS
One-third of IT Professionals Have Snooped on Co-Workers
MISCELLANEOUS
California Wants ISPs to Join Fight Against Child Pornography
LIST OF UPCOMING FREE SANS WEBCASTS
******************** Sponsored By Palo Alto Networks ********************
A Firewall Won Interop 2008 Grand Prize? How can that be? Firewalls
haven't changed much in 15 years. Until now! Get to know next
generation firewall solutions from Palo Alto Networks, and you'll
discover why we won the Interop 2008 Best of Show Grand Prize. Start
by learning about patent-pending App-ID technology, our secret sauce!
http://www.sans.org/info/30279
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFire 2008) http://www.sans.org/sansfire08
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--House Approves FISA Amendments Act, Telecoms Get Retroactive Immunity
(June 20, 2008)
The US House of Representatives has approved the Foreign Intelligence
Surveillance Act (FISA) Amendments Act, which extends the National
Security Agency's blanket permission to conduct surveillance on phone
and email traffic going in and out of the US. It also provides
retroactive immunity for telecommunications companies that complied with
US government orders to allow surveillance between September 11, 2001
and January 17, 2007.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101538&intsrc=hm_list
http://online.wsj.com/article/SB121391360949290049.html?mod=googlenews_wsj
--PCI Standard Section 6.6 Addresses Web Application Security
(June 23, 2008)
Section 6.6 of the Payment Card Industry (PCI) Data Security Standard
will come into effect on June 30. Section 6.6 requires that companies
with stored credit card or other consumer financial data install
application firewalls around all Internet-facing applications or have
all the applications' code reviewed for security flaws.
http://www.vnunet.com/vnunet/news/2219820/pci-standard-lacking-secerno
https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf
--Microsoft Tool Ousts Password Stealing Malware from 2 Million PCs
(June 20, 2008)
The updated version of Microsoft's Malicious Software Removal Tool,
released on June 10, has already removed password-stealing malware from
more than 2 million PCs. The malicious software targets gaming
passwords; on the first day alone, a piece of malware called Taterf was
removed from 700,000 machines. The malware often gets onto the PCs
through undisclosed flaws.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101878&intsrc=hm_list
[Editor's Note (Pescatore): The malware often gets onto PCs because
users download and install it. There is no need for "undisclosed" flaws;
it is simple social engineering. The answer to the current wave of
threats is not patching; it is better in-bound malware blocking and
application control for what does get on PCs.
(Skoudis): Those are huge numbers. And, given that the malware steals
passwords, those users whose machines have been cleansed of the
infection have to assume that their OS and web application passwords
were compromised, possibly for banking, e-commerce, and even some
enterprise system administrator passwords. I encourage anyone who was
infected with these nasties to change their passwords on all of their
accounts accessed via the infected machine.]
--Dutch Researchers Break Mifare RFID Technology
(June 21 & 23, 2008)
Researchers at a Dutch university have broken the security of the Mifare
RFID chip, which is used in the Oyster card, a prepaid smartcard used
for travel on UK public transportation. Mifare RFID technology is also
used in the UK to access government departments, hospitals and schools.
The research was presented to the Dutch Parliament, which earlier this
year postponed implementation of a prepaid transportation smartcard
based on the same technology. The Dutch government is also replacing
Mifare cards used to access government buildings.
http://www.zdnet.co.uk/misc/print/0,1000000169,39437719-39001093c,00.htm
http://www.vnunet.com/vnunet/news/2219828/london-oyster-cracked
http://www.telegraph.co.uk/news/newstopics/politics/2168791/Oyster-card-fears-over-Mifare-security.html
http://www.theregister.co.uk/2008/06/23/dutch_clone_oyster_card/print.html
[Editor's Note (Schultz): Over the past few years we've seen repeated
claims concerning security weaknesses in the RFID chip. It was only a
matter of time before there was a proof of concept of how these
weaknesses can be exploited in real life settings.]
***********************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Alleged Earthquake Warning Hacker Arrested
(June 15, 17 & 23, 2008)
Chinese authorities have arrested a 19-year-old man for allegedly
hacking into the website of the Guangxi Seismological Bureau in late May
and altering the site to display a phony earthquake warning. The man,
identified only as Chen, has allegedly admitted to the attack, saying
he wanted to demonstrate his skill. The phony message, which warned of
an earthquake of magnitude nine or greater, came just weeks after severe
earthquakes in Sichuan province killed thousands of people.
http://www.thestandard.com/news/2008/06/23/global-dispatches-chinese-quake-site-hacker-arrested
http://news.xinhuanet.com/english/2008-06/15/content_8373570.htm
http://www.vnunet.com/vnunet/news/2219251/chinese-quake-hacker-caught
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Mac OS X Trojans Detected
(June 20, 21 & 23, 2008)
A recently detected Mac OS X Trojan horse program exploits a flaw in
Apple Remote Desktop Agent (ARDAgent) to load itself as root and take
control of vulnerable machines. The malware has numerous capabilities,
including keystroke logging, opening ports in the firewall to evade
detection, taking pictures with the built-in camera and turning on file
sharing. Users can protect their systems by removing ARDAgent from its
normal location and archiving it. A second Trojan affecting Macs
pretends to be a poker application and tries to gain secure shell access
to vulnerable machines.
http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list
http://www.theregister.co.uk/2008/06/23/mac_trojan/print.html
[Editor's Note (Pescatore): Since Apple's market share at enterprises
will double in 2008, this item and the Safari patches point out that
Apple needs to make progress in its secure development life cycle, and
enterprises must factor the cost of patching Apple PCs into the
acquisition costs or in the costs of letting users use their own Macs
for company business.
(Skoudis): The underlying vulnerability here is an old-fashioned SUID
root program called ARDAgent that attackers can trick into running code
on their behalf as root in a local privilege escalation attack. SUID
root programs aren't inherently evil -- a normal system needs several
of them for day-to-day operation. But if SUID programs aren't carefully
designed and implemented, they could lead to this kind of attack. To
get an inventory of all SUID root programs on a Mac or Linux system, you
could run: "find / -user 0 -perm -4000". I'm sure attackers are
searching for other Mac programs with similar flaws.]
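The note above gives a one-off `find` command for listing SUID-root programs. The following is an added example written for this archive page, not code from the newsletter or from any of its editors: it wraps that inventory in a POSIX shell function and adds a second function that compares a fresh inventory against a saved baseline, so that a newly appeared SUID binary (the kind of thing a privilege-escalation Trojan would leave behind) shows up in a diff instead of being lost in a long listing. The function names `suid_inventory` and `suid_new`, the `-xdev` and `-type f` restrictions, and the baseline-file workflow are my choices and are not described on the page.

```shell
#!/bin/sh
# Added example (not from SANS NewsBites): SUID-root inventory plus baseline diff.
#
# suid_inventory ROOT_DIR OWNER_UID
#   Lists regular files under ROOT_DIR owned by OWNER_UID with the setuid bit
#   set, one per line, sorted. Defaults are "/" and UID 0, matching the
#   "find / -user 0 -perm -4000" command quoted in the newsletter.
suid_inventory() {
    root="${1:-/}"
    owner="${2:-0}"
    # -perm -4000 matches when the setuid bit is set, whatever the other bits.
    # -xdev keeps the scan on one filesystem (skip /proc, network mounts, etc.).
    # Unreadable directories are reported on stderr; we silence them so the
    # output stays a clean, sortable list.
    find "$root" -xdev -type f -user "$owner" -perm -4000 2>/dev/null | sort
}

# suid_new BASELINE_FILE CURRENT_FILE
#   Prints paths present in CURRENT_FILE but absent from BASELINE_FILE.
#   Both files must be sorted; suid_inventory output already is.
suid_new() {
    baseline="$1"
    current="$2"
    # comm -13 suppresses lines unique to the baseline (column 1) and lines
    # common to both (column 3), leaving only entries new in the current scan.
    comm -13 "$baseline" "$current"
}

# Typical use (assumed workflow, not the newsletter's):
#   suid_inventory / 0 > /var/lib/suid-baseline.txt     # once, on a known-good host
#   suid_inventory / 0 > /tmp/suid-now.txt              # later, during a check
#   suid_new /var/lib/suid-baseline.txt /tmp/suid-now.txt
# Any path printed by the last command was not SUID-root at baseline time and
# deserves a look.
```

Run the two `suid_inventory` commands as root if you want every directory scanned; as an unprivileged user the listing silently omits directories you cannot read, so a clean diff from an unprivileged run is weaker evidence than one from a root run.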
--Apple's Safari Update Addresses Blended Threat
(June 19 & 20, 2008)
Apple has released an updated version of Safari for Windows. The update
addresses four vulnerabilities, including one involved in a blended
threat that could allow attackers to place malware on the Windows
desktop because of a weakness in the way Safari interacts with certain
Windows components. The change made involves prompting users before
saving downloaded files and changing the default download location in
Windows. Apple had previously said it did not consider the flaw to be a
security issue.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101239&intsrc=hm_list
http://www.securityfocus.com/brief/760
[Editor's Note (Pescatore): See comment on the previous story.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Lost Disk Holds Scottish Ambulance Service Call Data
(June 23, 2008)
The Scottish Health Secretary has acknowledged that a Scottish Ambulance
Service disk containing details of hundreds of thousands of emergency
calls was lost earlier this month. The Scottish government learned of
the loss on June 19; the disk was in the possession of a courier company
at the time. The compromised data include information about more than
890,000 calls made to the Scottish Ambulance Service's Paisley center
since February 2006. The encrypted and password-protected disk was sent
on June 9, but it never arrived at its destination.
http://www.timesonline.co.uk/tol/news/uk/scotland/article4201288.ece
[Editor's Note (Honan): Too often we read of data being compromised due
to it not being encrypted on laptops or other media, so kudos to the
Scottish Ambulance Service for taking the steps to encrypt this data.]
--Stolen Computer Holds Outsourced Human Resources Data
(June 23, 2008)
Computer equipment stolen from the Walnut Creek, California offices of
Colt Express Outsourcing Services contains human resources data of
several of the company's clients, including CNET Networks. The
compromised data for CNET include names, birth dates, Social Security
numbers (SSNs) and employment information of CNET health insurance
beneficiaries. Local police are investigating.
http://www.pcworld.com/businesscenter/article/147460/cnet_employees_notified_after_data_breach.html
--Florida Bank Notifies Customers of Debit Card Data Breach
(June 23, 2008)
Bank Atlantic in Tampa, Florida has acknowledged that a security breach
at an unnamed local merchant compromised some of the bank's customers'
MasterCard debit cards. Customers are urged to keep a close watch on
their account activity and to apply for a new card. One customer
reported being notified of the breach by a phone call.
http://www.myfoxtampabay.com/myfox/pages/News/Detail?contentId=6830565&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
STATISTICS, STUDIES & SURVEYS
--One-third of IT Professionals Have Snooped on Co-Workers
(June 19, 2008)
According to a survey of 300 IT professionals, nearly one-third have
abused administrative passwords to look at confidential information
about their co-workers. Close to half of the respondents also said they
had accessed information that was not related to their positions. Just
30 percent of administrative passwords get changed every quarter, while
nine percent are never changed, meaning that even people no longer
employed by the company can gain privileged access to the system.
http://news.zdnet.com/2424-1009_22-207179.html
Direct link to survey press release (not full results):
http://www.cyber-ark.com/news-events/pr_20080619.asp
MISCELLANEOUS
--California Wants ISPs to Join Fight Against Child Pornography
(June 20, 2008)
California Governor Arnold Schwarzenegger and state Attorney General
Edmund G. Brown Jr. have called for Internet service providers (ISPs)
to take an active role in stopping the spread of child pornography.
Schwarzenegger and Brown sent a letter to the California Internet
Provider Association, which has more than 100 members, asking them to
follow the lead set by Verizon, Time Warner Cable, and Sprint. Those
three ISPs have struck a deal with New York State Attorney General
Andrew Cuomo to remove child pornography cached on their servers and to
block channels that are known to distribute the offensive content.
Some civil liberties proponents have expressed concern with the methods
that would be used to block the user groups because such a broad action
could stifle legitimate discussions.
http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=208700989
http://news.cnet.com/8301-10784_3-9973966-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://gov.ca.gov/press-release/9933/
[Editor's Note (Pescatore): If scoped and overseen correctly, having
ISPs take active roles in filtering or blocking illegal content
(including malware) is a very needed thing. However, just as the FISA
Amendment Act had to include clauses giving telcos some liability
relief, the same thing will have to happen for ISPs. Privacy advocacy
groups have valid concerns, but there can be a middle ground to make a
dent in the bad stuff without causing open season for frivolous lawsuits
against ISPs.
(Guest Editor Donald Smith): The "deal they struck" was a bargain to
prevent them from being charged with "fraud and deceptive business
practices". I am not saying those ISPs are the "bad guys" but it
shouldn't be spun to make them into the "good guys" either. Quoting the
story posted at:
http://www.dslreports.com/shownews/Verizon-Sprint-TWC-To-Block-Child-Porn-95154
"The agreements resulted from an eight-month investigation and sting
operation in which undercover agents from Mr. Cuomo's office, posing as
subscribers, complained to Internet providers that they were allowing
child pornography to proliferate online, despite customer service
agreements that discouraged such activity. Verizon, for example, warns
its users that they risk losing their service if they transmit or
disseminate sexually exploitative images of children. After the ISPs
failed to react to the undercover agents' complaints, NY AG Andrew Cuomo
threatened them with charges of "fraud and deceptive business
practices."]
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
http://www.sans.org/info/30044
Sponsored By: CoreTrace http://www.coretrace.com/
The continuous and rapid changes in malware and antivirus solutions are
a reflection of the creativity and passion today's hackers and
cyber-criminals have for damaging and disrupting an individual or
organizational IT environment. As malware improves, better endpoint
security solutions must follow. Currently it is unlikely an endpoint
system outside of a corporate network could survive a determined
attacker's efforts. Classic personal firewall and antivirus solutions
are not proving to be enough in the fight against malware and products
in these markets are being replaced with endpoint protection often using
whitelisting techniques to help enterprises with performance gains and
reduction in security related costs. This webcast will discuss the
current trends in endpoint solutions and offer guidance on both
commercial and free tools to seek the functionality they need, even if
it comes from multiple solutions. Join SANS President Stephen Northcutt
as he reviews the key features in endpoint security that really matter,
how to shop for the best products, and why implementing defense in depth
on your organization's endpoint is a best practice.
SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam
https://www.sans.org/webcasts/show.php?webcastid=91968
This keynote is an introduction to some of the Oracle Database risks
that exist, and highlights the "Top 10" critical areas that should be
checked when conducting an Oracle database audit.
Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach
Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
http://www.sans.org/info/28754
Sponsored By: Mu Security http://www.mudynamics.com/
This webcast will discuss some of the most egregious mistakes made by
enterprises and network operators who have suffered costly and/or
embarrassing security breaches.
SANS Special Webcast: A 2008 Perspective on Malicious Software
WHEN: Tuesday, July 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/29803
In this webcast, Lenny Zeltser surveys the characteristics of today's
malware, exemplified by recently-seen bots, downloaders, keyloggers, and
malicious scripts. He discusses samples that employed self-defense,
social engineering, fast-flux DNS, man-in-the-middle attacks, extortion
demands, and so on. Tune in to better understand what we're up against.
This talk will expand your perspective of the modern malware landscape,
empowering you to adjust your defenses and risk mitigation strategies.
Internet Storm Center: Threat Update
WHEN: Wednesday, July 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich and Michael Yaffe
http://www.sans.org/info/29808
Sponsored By: Core Security http://www.coresecurity.com/
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkhhMGIACgkQ+LUG5KFpTkaWdQCglyy75coQBsJTkbR9TL/MhoBS
W40AoJtvaAU1zGhevTKB8m/PBq0Dl9DH
=X98X
-----END PGP SIGNATURE-----