SANS NewsBites Vol. 10 Num. 51

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jun 27 2008 - 12:49:33 CDT



Three interesting events - each for a special subset of the security
community:
+ European critical infrastructure owners (utilities and oil & gas
mainly) and government experts will share what works in protecting
control systems and SCADA in Amsterdam September 8-9
  http://www.sans.org/euscada08_summit/agenda.php
+ The smartest people in virtual security will share what doesn't work
(and what does) at a gathering in Washington DC August 7-8
  http://www.sans.org/virtualization08_summit/
+ Nearly all the people who know how to find the Chinese infections -
like the ones that hit DoD and the one that got into Congress recently -
plus how to respond when the FBI or Secret Service tell your bosses a
lot of your systems have been compromised, are getting together in Las
Vegas in October to share the most useful tools and techniques in
forensics.
  http://www.sans.org/forensics08_summit/
                                      Alan
*************************************************************************
SANS NewsBites June 27, 2008 Vol. 10, Num. 51
*************************************************************************
TOP OF THE NEWS
  UK Information Commissioner Will Serve Enforcement Notices on HMRC and
     MoD
  Senate Subcommittee Hearing Focuses on CBP Seizure of Electronic
     Devices
  Privacy Officers and Marketing Depts Have Different Ideas About Data
     Security
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Former Employee Allegedly Deleted Organ Bank Data
  SPYWARE, SPAM & PHISHING
    Charter Communications Suspends NebuAd Pilot
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Two IE Flaws Discovered
    Adobe Fixes JavaScript Flaw in Acrobat and Reader
    Microsoft Issues List of Tools to Help Protect Sites from SQL Attacks
    Ruby Patches Five Flaws
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Marshall Islands Cut Off From Incoming eMail by DDoS Attack
  STATISTICS, STUDIES & SURVEYS
    Ten Networks Account for Nearly Half of All Malicious Sites
  MISCELLANEOUS
    Dutch Government Wants to Halt Publication of Mifare Flaw Paper

*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --UK Information Commissioner Will Serve Enforcement Notices on
HMRC and MoD
(June 25, 2008)
Following the release of a verdict from the Independent Police
Complaints Commission, a report from Pricewaterhouse Coopers chairman
Kieran Poynter regarding the HMRC data loss incident, and a report from
Sir Edward Burton regarding the incidents at MoD, UK Information
Commissioner Richard Thomas says his office will serve enforcement
notices on HM Revenue & Customs (HMRC) and the Ministry of Defence (MoD)
for "deplorable failures" at both departments that led to violations of
the Data Protection Act. Last year, HMRC acknowledged the loss of
computer disks containing personally identifiable information of 25
million families; MoD acknowledged that it lost a number of laptops, one
of which contained sensitive data of 600,000 recruits. Compliance with
the enforcement notices will include implementing all recommendations
made. The departments will be required to submit annual progress reports
for the next three years.
http://news.zdnet.co.uk/security/0,1000000189,39439030,00.htm
http://www.vnunet.com/computing/news/2220012/hmrc-mod-guilty-deplorable
http://www.heise-online.co.uk/security/Information-Commissioner-to-sanction-HMRC-and-MOD-for-data-loss--/news/111004
http://www.scmagazineuk.com/Poynter-Review-IPCC-severely-criticise-HMRC-over-data-breach/article/111698/
http://www.theregister.co.uk/2008/06/25/hmrc_data_loss_reports/print.html
[Editor's Note (Honan): The Poynter report is available at
http://www.hm-treasury.gov.uk/media/0/1/poynter_review250608.pdf It is
a very good read including nearly 20 pages of recommendations and I
would recommend you read it to see if any of them could be applicable
to your organisation.]

 --Senate Subcommittee Hearing Focuses on CBP Seizure of Electronic Devices
(June 24 & 25, 2008)
The US Senate Judiciary Committee's Subcommittee of the Constitution,
Civil Rights and Property Rights heard testimony regarding the US
Customs and Border Protection (CBP) search policies that have allowed
the search and seizure of personal and work laptops and other electronic
devices at US borders. While some maintain that laptops are no
different from luggage, others contend that the practice is unlawful,
as the devices have been seized without probable cause. Earlier this
year, the 9th Circuit Court of Appeals ruled that CBP does not need
reasonable suspicion to conduct the searches. Electronic Frontier
Foundation senior staff attorney Lee Tien said his organization "does
not dispute that the Fourth Amendment works differently at the border,
but 'differently' does not mean 'not at all.'"
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=15&articleId=9103338&intsrc=hm_topic
http://www.nextgov.com/nextgov/ng_20080624_3037.php
[Editor's Note (Northcutt): So much for the land of the free. Let's take
a look at some real people's stories and remember, this could be you; it
just takes one customs agent who wants to jerk you around and you are
jerked:
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html
http://blogs.ittoolbox.com/security/dmorrill/archives/search-and-seizure-of-your-laptop-at-the-border-approved-23927
http://www.usnews.com/articles/news/national/2008/06/24/seizing-laptops-and-cameras-without-cause.html
http://www.freep.com/apps/pbcs.dll/article?AID=/20080626/NEWS07/806260435/1009
http://www.truthout.org/article/us-border-agents-copying-contents-travelers-laptops
(Honan): An interesting side effect of the CBP search policies is that
many companies are now rethinking how best to protect sensitive data for
mobile users. It is ironic though that it is the threat of a US
government agency accessing a company's sensitive data that is driving
this corporate rethink and not the threat of criminals getting their
hands on the same information.]

 --Privacy Officers and Marketing Depts Have Different Ideas
About Data Security
(June 23, 2008)
A study from the Ponemon Institute reveals a disconnect between what
privacy and security officers believe about the level of protection
afforded customer data and what the marketing department is actually
doing with the data. Eighty percent of respondents from marketing
departments said their companies share customer email addresses with
third parties, while just 47 percent of security and privacy officers
said they shared email addresses. Twenty-nine percent of marketing
respondents said they believe their companies share Social Security
numbers, while just seven percent of privacy professionals said their
companies shared that information. There is no reason to believe that
conflicting responses came from within the same company, but the general
trend is worrisome. The study was funded by Strongmail.
http://www.forbes.com/2008/06/21/privacy-security-marketing-tech-security-cx_ag_0623privacy_print.html
[Editor's Note (Schultz): The results of this study are fascinating. It
is easy to be lulled into believing that data protection is far better
than it actually is. The solution is systematic and thorough compliance
enforcement, something that is for the most part missing or deficient
in many organizations.]

*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Former Employee Allegedly Deleted Organ Bank Data
(June 26, 2008)
Danielle Duann has been indicted for allegedly breaking into the
computer system at an organ bank and deleting patient data. Duann
allegedly accessed the LifeGift Organ Donation Center database shortly
after she was fired from her position as technology director at the
Houston, TX organ bank, despite the fact that her administrative rights
and passwords were revoked upon her termination. She then allegedly
deleted database records and accounting invoice files. The lost data
were restored from backups. If she is convicted, Duann could face up
to 10 years in prison and a US $250,000 fine.
http://news.cnet.com/8301-10789_3-9978151-57.html?part=rss&subj=news&tag=2547-1_3-0-20
http://houston.fbi.gov/dojpressrel/pressrel08/ho06242008.htm
More detail: http://www.chron.com/disp/story.mpl/headline/metro/5854484.html
[Editor's Note (Northcutt): Revoking administrative rights only works
if the administrator can't create another login with administrative
rights without being detected. While not perfect, this is a good read
for the problem of terminating someone that had insider access. I would
love to hear your insights on what organizations should do
(stephen@sans.edu):
http://searchsecurity.techtarget.com.au/contents/17984-How-to-create-and-enforce-employee-termination-procedures ]

SPYWARE, SPAM & PHISHING
 --Charter Communications Suspends NebuAd Pilot
(June 25 & 26, 2008)
Charter Communications says it has suspended its planned pilot of the
NebuAd online behavioral advertising system. NebuAd has come under
increased scrutiny and criticism for unauthorized deep packet
modification and other questionable means of tracking consumer behavior.
Charter said that if it uses NebuAd in the future "it should be on the
basis that NebuAd will not intercept customers' data and plant false
code in it."
http://www.heise-online.co.uk/security/US-ISP-backs-off-from-NebuAd--/news/110997
http://www.internetnews.com/ec-news/article.php/3755631/NebuAd+The+Third+Rail+for+ISPs.htm
[Editor's Comment (Northcutt): We wrote a short course once at SANS,
titled Staying Invisible on the Internet. No one ever signed up for it.
People even asked, "Why would I take the course unless I had something
to hide?" For the life of me, I do not understand why people tolerate
total invasion of personal privacy, but they do. That means NebuAd did
not succeed with this one ISP, but mark my words, unless we educate
people and explain why privacy is a good thing, they will. The Wikipedia
article has a list of ISPs using or considering deploying NebuAd in case
you think Charter is the only one: http://en.wikipedia.org/wiki/NebuAd
http://www.nebuad.com/company/press_releases/press_01_28_08.php ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Two IE Flaws Discovered
(June 26, 2008)
Two flaws in Internet Explorer (IE) have been discovered. The first is
a cross-site scripting flaw in IE6 in the form of a validation error
when the browser handles the "location" or "location.href" property of
a window object. Until a fix is available, users should disable
scripting in IE6 or upgrade to IE7. The other flaw affects IE7 and is
a spoofing vulnerability.
http://www.eweek.com/c/a/Security/Researchers-Reveal-Security-Holes-in-Internet-Explorer/

 --Adobe Fixes JavaScript Flaw in Acrobat and Reader
(June 25, 2008)
Adobe has released updated versions of its Acrobat and Adobe Reader to
address a critical JavaScript input validation vulnerability that could
be exploited to allow remote code execution. The flaw is being actively
exploited. It affects versions 8.1.2 and earlier of both products.
Users are urged to update to the newest versions of Reader and Acrobat
as soon as possible.
http://www.scmagazineuk.com/Vulnerability-in-Adobe-Acrobat-leads-to-public-exploit/article/111674/
http://www.heise-online.co.uk/security/New-danger-from-PDF-files--/news/110996
http://www.adobe.com/support/security/bulletins/apsb08-15.html

 --Microsoft Issues List of Tools to Help Protect Sites from SQL Attacks
(June 24 & 26, 2008)
Microsoft has issued a security advisory regarding the recent escalation
of SQL injection attacks. The "attacks do not exploit a specific
software vulnerability, but instead target web sites that do not follow
secure coding practices for accessing and manipulating data stored in a
relational database." The advisory includes a list of suggested tools
to help administrators protect their sites.
http://www.eweek.com/c/a/Security/Microsoft-Responds-To-The-SQL-Injection-Problem/
http://www.heise-online.co.uk/security/Microsoft-warns-of-SQL-injection-attacks--/news/110998
http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/print.html
http://www.microsoft.com/technet/security/advisory/954462.mspx

 --Ruby Patches Five Flaws
(June 23 & 24, 2008)
The Ruby Project has fixed five serious security flaws in versions 1.8
and 1.9 of the open-source programming language. The flaws, which would
be trivial to exploit, could allow remote code execution or a
denial-of-service attack. Users are urged to upgrade to the newest
versions, available on the Ruby website.
http://www.theregister.co.uk/2008/06/23/group_patches_ruby/print.html
http://www.techworld.com/security/news/index.cfm?newsID=101993
http://www.securityfocus.com/brief/761

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Marshall Islands Cut Off From Incoming eMail by DDoS Attack
(June 25 & 26, 2008)
A distributed denial-of-service (DDoS) attack on the Marshall Islands'
only Internet service provider (ISP) left the tiny country without the
capability to receive incoming email. While messages can be sent
between National Telecommunications Authority (NTA) customers, mail from
other ISPs is still not making its way to NTA customers. NTA general
manager Anthony Muller said servers would be added to help prevent a
recurrence. The attack began on Tuesday and it could be days before the
system is back to normal.
http://www.smh.com.au/news/security/marshall-islands-hit-by-zombie-attack/2008/06/25/1214073315525.html
http://www.scmagazineuk.com/Pacific-island-knocked-off-internet-by-DDoS-attack/article/111744/
http://www.theregister.co.uk/2008/06/25/email_ddos/

STATISTICS, STUDIES & SURVEYS
 --Ten Networks Account for Nearly Half of All Malicious Sites
(June 25, 2008)
Analysis of more than 213,000 sites hosting malware found that more than
half are running under Chinese IP addresses. The analysis was conducted
by Stopbadware.org, which acknowledged that it couldn't say how many of
the sites are deliberately serving malware and how many are legitimate
sites that were infected. The total number of malware-infected sites
detected is up 300 percent over last year. Stopbadware.org manager Maxim
Weinstein says that the increase could be attributed in part to
increased efforts to find malicious sites, but that other statistics
cited by other groups recently indicate the likelihood that malware
infection is on the rise, likely because of SQL attacks. The US network
spreading the most malware is Google, which is a Stopbadware.org sponsor
and the source of the analyzed data. In addition, just 10 networks
hosted nearly half of the sites. They acknowledge that Google bots
searching for malware are concentrating on Chinese servers, which could
also explain the results.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9103378&source=rss_topic17
http://www.theregister.co.uk/2008/06/24/stopbadware_report/print.html
[Editor's Note (Ranum): According to Chinese Government announcements,
the internet population of China is about the same as that of the US,
or higher. And, because unlicensed copies of Windows are prevalent, and
patches are not available, we predict that the number of vulnerable
systems and websites in China is probably the highest in the world.
Thus, simple demographics argues that a majority of jump-off points for
mal-hosting and attacks will originate in China. What is less clear is
whether the people behind the systems and sites are in China, or not.
(Cole): The key lesson is that if you block a small subset of sites
that your organization does not need, you can go a long way to block
malicious content from coming into your site. You should also check
Incident Storm Center (incidents.org) on a regular basis to update your
IP block list.]

MISCELLANEOUS
 --Dutch Government Wants to Halt Publication of Mifare Flaw Paper
(June 25, 2008)
Dutch government officials have called on researchers at Radboud
University to not publish a paper detailing security flaws in the Mifare
RFID chip used in the UK's Oyster prepaid public transportation
smartcard. The chip was also being used in a Dutch travel system card;
that project has been postponed. One of the researchers said that the
content of the paper is not attack code, but acknowledged that other
groups may have begun developing exploit code. "Killing the messenger
does not solve the problem," said researcher Bart Jacobs. "This paper
serves the interest of our society."
http://www.theregister.co.uk/2008/06/25/publication_chip_flaws_under_threat/print.html

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
