From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 08 2008 - 16:33:19 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Free briefing on how the Chinese attacks work: "Is Troy Burning?"
Thursday, July 24, at SANSFIRE 2008 in Washington DC. See item after
the third story.
Folks involved in IT and process control in utilities, pipelines and
other critical infrastructures should plan for a trip to Amsterdam in
early September for the SCADA Security Summit. Most major European
nations helped plan the program; it is really good. Registration just
opened: http://www.sans.org/euscada08_summit/
Early registration savings (up to $350) for SANS Virginia Beach ends at
midnight (EDT) on Wednesday night July 9.
http://www.sans.org/vabeach08/
*************************************************************************
SANS NewsBites July 8, 2008 Vol. 10, Num. 53
*************************************************************************
TOP OF THE NEWS
New Bavarian Law Allows Police to Physically Install Spyware
Texas Law Requires Computer Technicians to Have PI Licenses
Viacom Seeks YouTube Viewing Database
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Stolen Backup Tapes Recovered, Three People Arrested
Lawyer Gets Two Year Suspension for Breaking Into eMail Accounts
ACLU and EFF Sue US Justice Dept. for Cellphone Tracking Information
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Virgin Media Filesharing Warning Letters are Part of Education Campaign
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft to Issue Four Security Bulletins in July
Mozilla Updates Firefox 2.0, Announces End of Support for 2.x in December
Coreflood Trojan Exploits Admin Tool to Spread
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Targeted Citibank ATMs in 7-Eleven Stores
Freedom Credit Union Issues New Debit Cards After Breach
NHS Manager Suspended After Laptop Stolen From Car
STATISTICS, STUDIES & SURVEYS
McAfee Releases Results of Global SPAM Experiment
MISCELLANEOUS
Google Caches Retain Stolen Data
************ Sponsored By the Virtualization Security Summit ************
What are the economic and flexibility payoffs from going virtual? How
can they be quantified? Which of the four leading virtual platforms
provides the most security today? Attend the Virtualization Security
Summit August 7-8 and learn the answers to these and other key
Virtualization security questions.
http://www.sans.org/info/30618
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFire 2008) http://www.sans.org/sansfire08
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--New Bavarian Law Allows Police to Physically Install Spyware
(July 7, 2008)
Legislators in the German state of Bavaria have approved a law that
would allow police to place spyware on the computers of individuals
suspected of being terrorists or posing other serious criminal threats.
The measure goes beyond federal laws, which allow authorities to place
spyware on suspects' computers remotely. The Bavarian law allows
authorities to enter suspects' homes and physically place the spyware
on the computer if remote installations do not work. Judicial warrants
would not be required. Authorities would also be permitted to conduct
searches of the homes. Opponents of the measure say it is
unconstitutional.
http://www.theregister.co.uk/2008/07/07/bavaria_police_spyware_plan/print.html
[Editor's Note (Pescatore): Every society has to achieve a balance
between privacy and law enforcement. In many modern societies, the need
to obtain a court-ordered warrant has been the mechanism to assure that
in each individual case law enforcement needs outweigh privacy rights.
While this approach is certainly not perfect, serious abuses have
occurred almost without exception every time the warrant requirement has
been removed from the process. Worse, when such abuses are detected they
often lead to over-reaching privacy legislation that hampers law
enforcement and intelligence abilities for years to come. Maintaining
that balance is good for both sides.
(Veltsos): Allowing law enforcement to install spyware without a warrant
is a slippery slope from both privacy and legal standpoints. Imagine
that spyware is installed at the home of an American businessman living
in Bavaria. How would his employer respond? How would the US government
respond?]
--Texas Law Requires Computer Technicians to Have PI Licenses
(June 26, 2008)
The Institute for Justice has filed a lawsuit against the Texas Private
Security Board because of a 2007 law that requires computer repair
technicians to obtain government-issued private investigators' (PI)
licenses. Technicians could face both civil and criminal penalties if
they take "any action that the government deems to be an
'investigation.'" The definition of investigation is broad and includes
many commonly performed repairs. To obtain a license, computer repair
shop owners would have to obtain a criminal justice degree or complete
a three-year apprenticeship with a licensed PI. Consumers who knowingly
use an unlicensed operation to conduct an "investigation" would also be
subject to penalties.
http://www.ij.org/first_amendment/tx_computer_repair/6_26_08pr.html
[Editor's Note (Guest Editor, Rob Lee): Part of this suit began when
Best Buy's Geek Squad was served a cease and desist letter for stating
to customers that they can perform "computer forensics" to aid clients
in discovering how they were compromised. Does this PI license
requirement make sense to anyone?]
(Northcutt): The State of Texas is putting the Geek Squad tag line to
test, "There's nothing we haven't seen. Go ahead. Use us." This
legislation goes beyond dumb. The Geek Squad's "forensics" would be to
help the end users understand the errors they made that caused their
systems to become compromised. One would think this is something
government would want to support. I would be surprised if Best Buy
doesn't hand Texas its hat.
(Schultz): Hopefully, reason will prevail, and this nonsensical law will
be repealed. Requiring a PI license to perform a computer repair just
does not make sense.]
--Viacom Seeks YouTube Viewing Database
(July 3 & 4, 2008)
YouTube has been ordered to turn over its logging database of users'
viewing habits. The order stems from a lawsuit brought by Viacom
against Google, which owns YouTube. The lawsuit alleges that YouTube
users are encouraged to upload pirated content from Viacom-owned
networks, including MTV, VH1 and Nickelodeon. The suit aims to
demonstrate that the pirated clips are viewed more frequently than are
clips of amateur content uploaded to YouTube. The database includes
viewers' usernames and IP addresses. YouTube has asked permission to
remove the usernames and IP addresses before submitting the information.
Viacom General Counsel Michael Fricklas says the company is not pursuing
individual viewers, but instead wants the information to prove its
contention that the pirated content is more popular than non-pirated
content. Privacy advocates are concerned that even with user names and
IP addresses removed, other data could be used to identify individual
users. The judge did refuse to grant Viacom's request for access to the
Google search engine source code.
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/03/AR2008070302359_pf.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9106518&intsrc=hm_list
http://www.cnn.com/2008/TECH/biztech/07/03/youtubelawsuit.ap/index.html
http://www.msnbc.msn.com/id/25522070/
http://www.latimes.com/business/la-fi-youtube4-2008jul04,0,7881532.story
************ How The Chinese Attacks Work: "Is Troy Burning?" ***********
Free briefing on how the Chinese attacks work: "Is Troy Burning?"
Thursday July 24, at SANSFire 2008 in Washington DC. Limited to SANS
alumni, their bosses, and DoD employees. If you have been wondering
exactly how the Chinese attacks are executed, you and/or your bosses may
attend a private briefing at SANSFire by Internet Storm Center handler
Maarten Van Horenbeeck. (You do not need to be registered for SANSFire
to attend; but you must be on the invited list - see below)
Maarten led investigations of the targeted attacks since 2002. He forged
relationships with various NGOs (non-governmental organizations) who
shared information about these targeted attacks with him. He has been
able to connect these attacks against various NGOs to a small number of
attackers, and determined that the attacks originate from PRC nationals.
During his research, he found that the same groups attack US government
contractors and US government agencies. The talk will cover the methods
used to launch the malware and infect targets, how the malware is
controlled and how certain waves of attacks relate to current political
events (e.g. Falun Gong, Tibet) and more. You'll need to be on the
invited list. Email info@sans.org with subject "Is Troy Burning?" with
the name(s) and title(s) and organization of proposed attendees. If you
are accepted, we'll send the exact time and place by return mail.
SANSFire attendees will have a second, separate briefing by Maarten.
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Stolen Backup Tapes Recovered, Three People Arrested
(June 3, 2008)
Three people have been arrested in connection with the theft of tapes
containing personal information of 1.5 million University of Utah
Hospital patients. More than 950,000 of the records include Social
Security numbers (SSNs). The tapes have been recovered. The FBI is
conducting an investigation to see if they can determine whether or not
the data were accessed; both local law enforcement and hospital
representatives believe it is unlikely. Nonetheless, many patients have
expressed concern that their medical information could be disclosed or
their driver's license numbers misused and have joined two potential
class-action lawsuits. The tapes were stolen from the car of a courier
for Perpetual Storage, a company hired by the hospital. The courier
violated company policy by leaving the tapes in his car.
http://www.sltrib.com/news/ci_9765160
[Editor's Note (Ullrich): Interesting to see proof that backup tapes are
actually targeted for theft, and don't just get lost in the mail. The
reaction of the hospital is the by-now-predictable "oh... it's not that
bad" dance.]
--Lawyer Gets Two Year Suspension for Breaking Into eMail Accounts
(July 3, 2008)
Charleston, West Virginia attorney Michael P. Markins has been suspended
from the state bar for two years for breaking into the email accounts
of nine attorneys at another law firm. Markins, whose wife worked at
the other firm, suspected she was having an affair with one of her
clients. He accessed other attorneys' accounts out of curiosity. When
he resumes his practice, Markins must be supervised for one year. He
must also complete 12 hours of legal ethics education, and pay court
costs of more than US $1,500.
http://sundaygazettemail.com/News/200807020721
[Editor's Note (Ullrich): Is it just me, or does the punishment sound
like a weak "slap on the wrist"?
(Northcutt): It is worth noting that Offutt, Fisher and Nord
systematically used the attorneys' last names as their passwords.
According to this story Mrs. Markins got pregnant during this period and
had twins, so I hope they can get their marriage back on track:
http://www.herald-dispatch.com/homepage/x1985634761 ]
--ACLU and EFF Sue US Justice Dept. for Cellphone Tracking Information
(July 2, 2008)
The American Civil Liberties Union (ACLU) and the Electronic Frontier
Foundation (EFF) have filed a lawsuit against the US Department of
Justice under the Freedom of Information Act (FOIA) seeking records
about the US government's use of cellphones as tracking devices. The
ACLU and the EFF want to find out how frequently cellphones were used
to track people's locations without first establishing probable cause.
The ACLU filed a FOIA request with the Department of Justice in November
2007 seeking the information, but received an incomplete response. The
ACLU's original request was prompted by a Washington Post article that
revealed that federal agents were "asking courts to order cellphone
companies to furnish real-time tracking data on individuals and that
courts sometimes have ordered the data released without first requiring
a showing of probable cause."
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/01/AR2008070102884_pf.html
http://www.eweek.com/c/a/Security/DOJ-Sued-Over-Cell-Phone-Tracking-Practices/
http://www.aclu.org/images/asset_upload_file864_35873.pdf
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Virgin Media Filesharing Warning Letters are Part of Education Campaign
(July 3, 2008)
Virgin Media has sent letters to approximately 800 customers warning
them against illegal content downloading. The letters are part of a
cooperative campaign between Virgin and the BPI (British Phonographic
Industry), the body that represents the British recorded music business.
The BPI is pushing all UK ISPs to implement a three-strikes policy
regarding illegal downloads. Users would receive two warnings and then
have their Internet service disconnected if they continue to download
pirated content. Virgin is the only ISP to respond positively to the
suggestion and is adamant that the letters are part of an education
campaign and do not constitute implementation of a three-strikes policy.
Other ISPs have pointedly refused to cooperate. The BPI is considering
taking ISPs that do not cooperate to court. Presently, the BPI monitors
filesharing networks and identifies downloaders by their IP addresses.
The BPI then notifies ISPs of the suspected illegal activity. There is
no distinction made between individuals who download one file and those
who download thousands.
http://news.bbc.co.uk/2/hi/technology/7486743.stm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Microsoft to Issue Four Security Bulletins in July
(July 3 & 4, 2008)
According to its Advance Notification website, Microsoft will release
four security bulletins on Tuesday, July 8; all four have been given
severity ratings of important. Two of the flaws could allow elevation
of privilege, one could allow remote code execution, and the fourth
could allow spoofing. Affected products include Microsoft Windows,
Microsoft SQL Server and Microsoft Exchange Server. One of the updates
affects Windows Vista. Some of the updates will require restarts.
http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
http://www.vnunet.com/vnunet/news/2220734/low-key-patch-tuesday-planned
http://www.channelregister.co.uk/2008/07/04/ms_july_patch_tuesday_pre_alert/print.html
http://www.pcpro.co.uk/news/210534/nothing-on-the-critical-list-for-patch-tuesday.html
[Editor's Note (Ullrich): Microsoft released an important bulletin
yesterday (Monday 7-7). While not a patch, it is yet another ActiveX
control users should enable via a killbit.
http://www.microsoft.com/TechNet/security/advisory/955179.mspx
http://isc1.sans.org/diary.html?storyid=4672]
--Mozilla Updates Firefox 2.0, Announces End of Support for 2.x in December
(July 2, 2008)
Mozilla has issued an update for Firefox 2.0 to address 13 security
flaws. Five of the vulnerabilities fixed in Firefox 2.0.0.15 are rated
critical. Of those, three can be exploited to execute malicious code;
the other two could allow "crashes with evidence of memory corruption"
and could lead to remote code execution exploits. Mozilla also noted
that it will discontinue support for Firefox 2.x in mid-December 2008.
Users are encouraged to upgrade to Firefox 3.0.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9106278&source=NLT_PM&nlid=8
--Coreflood Trojan Exploits Admin Tool to Spread
(July 2 & June 30, 2008)
The Coreflood Trojan horse program uses Microsoft's PsExec
administration tool to spread through computer networks. The malware
has infected hundreds of thousands of computers. Coreflood, also known
as AFcore, steals sensitive information, including banking and brokerage
accounts usernames and passwords; it has amassed a 50GB database of
stolen information. This marks a change for Coreflood; previous
versions were used to launch denial-of-service attacks.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/02/Trojan_lurks_waiting_to_steal_admin_passwords_1.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Cyber Thieves Targeted Citibank ATMs in 7-Eleven Stores
(July 3, 2008)
According to court documents from a banking computer system security
breach case, attackers focused on the computers that approve ATM
withdrawals to steal PIN numbers. The ATM machines in question are
Citibank-branded and in 7-Eleven convenience stores, but belong to a
company called Cardtronics, which also operates some of them; a company
called Fiserv operates the others. While industry standards require
that PINs and other sensitive financial information be protected with
strong encryption, not all ATM operators have implemented that measure.
The attacks targeted data in real-time transactions. There are
approximately 5,700 Citibank-branded ATMs in 7-Eleven stores. Three
people have been arrested in the case and have been charged with
conspiracy and fraud. The attackers allegedly stole more than US $2
million.
http://www.foxnews.com/story/0,2933,375484,00.html
http://business.timesonline.co.uk/tol/business/money/consumer_affairs/article4259009.ece
--Freedom Credit Union Issues New Debit Cards After Breach
(July 2, 2008)
Freedom Credit Union in Springfield, Massachusetts has issued new debit
cards and PINs to its customers following a data security breach. The
card information may have been captured and used to commit fraud. The
number of affected customers has not been disclosed.
http://www.masslive.com/news/index.ssf/2008/07/freedom_credit_union_warns_cus.html?category=Business+category=Chicopee+category=Crime+category=Franklin%20County+category=Northampton+category=Springfield
--NHS Manager Suspended After Laptop Stolen From Car
(June 30, 2008)
A National Health Service hospital manager has been suspended following
the theft of a work laptop computer from his car on June 18 in
Edinburgh, Scotland. The computer holds unencrypted data belonging to
more than 20,000 patients and includes names and medical information.
The manager faces disciplinary action. Affected patients have been
notified. An investigation is underway but no arrests have been made.
http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php
[Editor's Note (Pescatore): There are a lot of things wrong here. It
sounds good to say "Leaving unprotected personal information on laptop
computers is against NHS guidelines." and it is easy to say "you
shouldn't leave your laptop in a car." However, why give out laptops if
people are not going to carry them around to get work done? If you do
give employees laptops, you *know* they *are* going to download
sensitive information and the laptops *are* going to be lost or stolen.
If you pretend that is not true, please change the policy to say "We
have provided you with laptops but leave them at work and don't use
them."
(Veltsos): While NHS had a policy against storing unencrypted
information on laptops, it obviously had not deployed encryption on all
of its laptops.]
STATISTICS, STUDIES & SURVEYS
--McAfee Releases Results of Global SPAM Experiment
(July 1 & 2, 2008)
McAfee has released findings from its Global SPAM Experiment (SPAM
stands for Spammed Persistently All Month). The 50 participants from
10 different countries were each given a PC and an email account and
expected to surf the web unprotected for one month to see what effect
the activity would have on the level of spam each received. The
volunteers were expected to respond to every spam email and click on all
pop-ups. Volunteers received an average of 70 spam messages every day.
US participants received the most spam - 23,233 messages in one month.
The next highest rate was found in Brazil, where volunteers received a
total of 15,856 messages in one month. Volunteers from France and
Germany received fewer than 3,000 messages during the month.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=management&articleId=9106258&taxonomyId=14&intsrc=kc_feat
http://news.bbc.co.uk/2/hi/technology/7482991.stm
http://www.mcafee.com/us/about/press/corporate/2008/20080701_181015_c.html
MISCELLANEOUS
--Google Caches Retain Stolen Data
(July 7, 2008)
Stolen sensitive personal data, including financial account information,
have been found to linger in Google caches for months even after the
server holding the stolen information has been disabled. Cyber
criminals collect information through keystroke loggers and store the
data on servers. When the servers are discovered, they are taken down,
but the Google pages are not unless specific requests are made. A
Google spokesperson said that in general, the company does not remove
cached information, but that it eventually disappears on its own after
the original source is no longer accessible.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/07/BUHR11CK6Q.DTL&type=printable
[Editor's Note (Pescatore): Google does provide a lot of tools (assuming
you have a Googlemail account) to remove content from their site, but
the real issue is that the sensitive information was somewhere it
shouldn't be - Google just found it. Google could surely do more
proactive things like voluntarily "redacting" certain formatted
information (like a Social Security Number or Tax ID number or credit
card number) but that's a very slippery slope. Probably Google's best
move would be to facilitate a process by which responsible parties (law
enforcement, government, card companies) can facilitate getting the
content flushed before a Googlebot would normally get back and see an
error 404.]
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkhz2E8ACgkQ+LUG5KFpTkb+0ACfX4uSbu2lQUbl3EROsPreVxVV
wgAAn2/MoIFchYR1fXAo2ejkZUYMl144
=SXh3
-----END PGP SIGNATURE-----