SANS NewsBites Vol. 10 Num. 54

From: The SANS Institute (NewsBitessans.org)
Date: Fri Jul 11 2008 - 14:35:07 CDT



*************************************************************************
SANS NewsBites July 11, 2008 Vol. 10, Num. 54
*************************************************************************
TOP OF THE NEWS
  Critical DNS Flaw - Have You Fixed It?
  Dutch University Sued by RFID Chip Manufacturer
  U.S. Senators Pass New Wiretapping Measure
  UK House of Lords Call for Data Breach Disclosure Law
THE REST OF THE WEEK'S NEWS
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    NHS Trusts to Have Third Party Audits
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Trojan Exploits Zero Day Bug in Microsoft Word
    Quiet Patch Tuesday for July
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Man Convicted for Attempted US$142m Electronic Fraud
    Data Breach Exposes Personal Details of US Supreme Court Justice
    Data Center Shut Down by Thieves
  STATISTICS, STUDIES & SURVEYS
    IRS Claims Tax-related Identity Theft Rose 644%
  
********* The Forensics, eDiscovery, and Incident Response Summit ******
Las Vegas, October 13-14
You have been looking for the best practices in forensics - especially
in responding to credit card theft and large scale nation state attacks,
and for how to respond to ediscovery demands and major incidents. This
Summit brings together people like Bryan Sartin (Cybertrust, Verizon)
talking about effective techniques for responding to the latest Payment
Card Industry Threats, and Kevin Johnson and Tom Liston (Intelguardians)
showing you how to investigate intruders who know your network better
than you. Plus a dozen more of the best and brightest in the industry.
That's why we call it the Summit. If you do forensics or incident
response, this is an important meeting for your career.
http://www.sans.org/forensics08_summit/
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Critical DNS Flaw - Have You Fixed It?
(9th July 2008)
A major flaw discovered in the Domain Name System (DNS) has been
worked on in secret for the past few months by computer and software
manufacturers, and a fix for the problem was announced on Tuesday. Dan
Kaminsky of IOActive discovered the flaw while doing research unrelated
to security and contacted each of the main vendors. In a coordinated
effort, each of the vendors kept the details of the issue secret while
developing the fix. Details of the problem will remain secret until
Kaminsky releases them at Black Hat 2008 in August.
http://news.cnet.com/8301-10789_3-9985815-57.html
http://news.bbc.co.uk/2/hi/technology/7496735.stm
http://www.theregister.co.uk/2008/07/09/dns_fix_alliance/
http://www.siliconrepublic.com/news/article/10991/cio/security-experts-join-to-fix-major-flaw-in-webs-backbone
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4301557.ece
[Editor's Note (Honan): According to an article in The Register
(http://www.theregister.co.uk/2008/07/09/dns_bug_student_discovery/) the
flaw was originally discovered 3 years ago by a student, Ian Green,
studying for his GIAC Security Essentials Certification (GSEC). Ian's
paper is available at
http://www.sans.org/reading_room/whitepapers/dns/1567.php
(Northcutt): This problem may be old news; but it is time to get it fixed.]

 --Dutch University Sued by RFID Chip Manufacturer
(8th July 2008)
NXP Semiconductors is suing Radboud University in a bid to prevent the
university from presenting a paper on cracking the Oyster smartcard,
used widely on the London public transport network. Researchers at the
university plan to reveal how they hacked and cloned the
NXP-manufactured MIFARE RFID chip used in the Oyster card at an upcoming
security conference to be held in October in Spain. NXP Semiconductors
wishes to stop the paper from being published for "safety reasons."
http://www.vnunet.com/computing/news/2221160/chip-maker-sues-oyster-hackers
http://news.zdnet.co.uk/security/0,1000000189,39444421,00.htm?r=2
[Editor's Note (Schultz): Who is NXP trying to fool? Almost certainly
numerous other individuals and/or organizations currently know how to
crack the Oyster smartcard, or if not, they will very soon. Suppressing
the dissemination of vulnerability-related information has over time
proven at best to be a very temporary fix.
(Northcutt): Great opportunity to see how common the EURO zone really is.
(Pescatore): I dunno, details on a hack for the Dutch version of this
came out 6 months ago and the details on this one came out in March.
While I certainly hope the presentation will attempt to minimize how
much easier they make it for the bad guys, this horse is way out of the
barn.]

 --U.S. Senators Pass New Wiretapping Measure
(9th July 2008)
The U.S. Senate has approved a bill providing legal protection to
telecommunication companies that took part in an electronic surveillance
program targeting terrorism. The bill, the Foreign Intelligence
Surveillance Act (FISA) Amendments Act, was passed by 69 votes to 28 and
will now go to President Bush to sign. Critics of the bill claim it
allows for warrantless surveillance and eavesdropping on the
telecommunications of American citizens and does not have adequate
safeguards.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208808232
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108258&source=NLT_SEC&nlid=38
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/09/AR2008070901780.html

 --UK House of Lords Call for Data Breach Disclosure Law
(8th July 2008)
The Science and Technology Committee in the United Kingdom's House of
Lords has published a follow-up report on personal internet security in
which it calls for the introduction of data breach disclosure laws.
The report also calls for a reversal in the rules whereby victims of
cybercrime are supposed to report the crime to their banks rather than
the police. In addition, the House of Lords wants legislation to be
introduced to ensure banks are held responsible for losses resulting
from electronic fraud. The committee published a report in 2007 with a
number of recommendations which the UK government subsequently did not
implement. The recent spate of data breaches, such as the 25 million
personal records lost by the HMRC (Her Majesty's Revenue and Customs),
has put internet security firmly in the spotlight. The report is
available from
http://www.publications.parliament.uk/pa/ld200708/ldselect/ldsctech/131/131.pdf
http://www.theregister.co.uk/2008/07/08/peers_cybercrime_shakeup/
http://news.zdnet.co.uk/security/0,1000000189,39444410,00.htm?r=2
[Editor's Note (Pescatore): Definitely needed. I was one of those who
thought the "orgies of disclosure" in the US would lead to
desensitization and lead to disclosure "mea culpas" being seen as less
expensive than preventing the problem. I was dead wrong - CEOs and
boards of directors don't seem to get desensitized to bad press, even
though consumers have proven they do. Having one of your competitors or
peers go through a disclosure event is one of the best ways to win
budget battles.
(Honan): The BBC have a comedy sketch that highlights the issue of who
is responsible for losses incurred resulting from identity theft, the
banks or the customer http://www.youtube.com/watch?v=CS9ptA3Ya9E]

THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --NHS Trusts to Have Third Party Audits
(8th July 2008)
National Health Service Trusts in the United Kingdom are being urged to
engage independent auditors to ensure appropriate data-handling
practices are being employed by staff. Currently each trust is
required to carry out its own "information governance assurance"
self-assessments. NHS Trusts are currently rolling out encryption to all
computers containing patients' personal data, but acknowledge that they
will not have completed the project on time. Marlene Winfield, national
patient lead for NHS IT body Connecting for Health, acknowledged the
delay in the roll-out of encryption and said "We realize there is going
to be a delay before everything is encrypted but we are relying on
alternative measures and many more safeguards." She further added that
the health trusts have implemented new training and disciplinary
measures for staff and that bulk transfer of unencrypted data has been
suspended.
http://news.zdnet.co.uk/security/0,1000000189,39443788,00.htm?r=2

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Trojan Exploits Zero Day Bug in Microsoft Word
(10th July 2008)
Microsoft has warned that attackers are actively exploiting a previously
unknown vulnerability in Microsoft Word. The vulnerability has been
confirmed in Microsoft Word version 2002 with Service Pack 3.
Researchers at Symantec are investigating whether other versions are
affected. In a post to the Microsoft Security Response Blog, Microsoft
states "we are aware of limited, targeted attacks attempting to use the
reported vulnerability, but we will continue to track this issue."
http://www.scmagazineuk.com/Attackers-target-zero-day-Microsoft-Word-bug/article/112272/
http://www.theregister.co.uk/2008/07/09/zero_day_word_flaw/
http://blogs.technet.com/msrc/archive/2008/07/08/vulnerability-in-microsoft-word-could-allow-remote-code-execution.aspx

 --Quiet Patch Tuesday for July
For the first time since March 2007 Microsoft's monthly security update
does not contain bulletins with a rating higher than important. July's
security update contains four bulletins addressing nine vulnerabilities
in Microsoft Windows, Exchange Server and Outlook.
http://www.vnunet.com/vnunet/news/2221097/microsoft-issues-monthly
http://www.informationweek.com/news/security/app_security/showArticle.jhtml?articleID=208803255

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Man Convicted for Attempted US$142m Electronic Fraud
(7th July 2008)
A bank clerk working at HSBC bank has been sentenced to nine years'
imprisonment for his part in an attempted electronic fraud of GBP 72
million (US $142 million). Jagmeet Channa was sentenced to 90 months
for conspiracy to defraud and nine years for money laundering. Channa
is believed to have been the inside man in the attempted fraud. He used
stolen login credentials belonging to co-workers to transfer funds from
HSBC accounts to accounts held at third-party banks in Morocco and in
Manchester, England. HSBC was quickly alerted to the transfers when
Channa left one of the accounts he raided with a negative balance. CCTV
images were used to rule out as suspects the workers whose login
credentials Channa had abused.
http://www.theregister.co.uk/2008/07/07/hsbc_electronic_heist_sentencing/
http://news.bbc.co.uk/2/hi/uk_news/england/london/7493443.stm

 --Data Breach Exposes Personal Details of US Supreme Court Justice
(10th July 2008)
An employee at the Wagner Resource Group, an investment firm in McLean,
VA, exposed the personal details of 2,000 of the company's clients
after installing the peer-to-peer software LimeWire on his computer.
The victims include a number of lawyers and Supreme Court Justice
Stephen Breyer. The breach went undiscovered for six months, until a
reader of The Washington Post's Security Fix blog found the
information on LimeWire and notified the Post.
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997_pf.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208808240
http://blog.washingtonpost.com/securityfix/2008/07/us_supreme_court_judge_data_ex_1.html?nav=rss_blog

 --Data Center Shut Down by Thieves
(10th July 2008)
A number of websites hosted by Cable & Wireless went offline after
thieves stole vital networking equipment from the company's Watford
network site. The theft resulted in some prominent websites, such as The
Financial Times and Sainsbury's, being unavailable. Cable & Wireless
stated it has "experienced unforeseen network issues that have
regrettably had an effect on a number of our customers." UK police have
highlighted that the theft of metal, such as copper wire found in
telecommunications links, is the fastest growing area of crime they
currently deal with.
http://www.theregister.co.uk/2008/07/10/cable_wireless_robbery/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108838&source=NLT_SEC&nlid=38
[Editor's Note (Pescatore): Information security people really are *not*
good at physical security, and for good reason there has been way less
convergence of the two than the hype would have suggested - the two are
very different disciplines. However, integration and cooperation between
the two is very important. In that vein, everyone go nudge their
physical security people to make sure our companies haven't gotten lax
on mail room security. We haven't seen Anthrax or mail bombs in a while
but that doesn't mean we won't see them again - and theft of computers
or sensitive tapes and the like from mailrooms can lead to having to go
through a disclosure event. Check out the US Postal Service publication
166 at http://www.usps.com/cpim/ftp/pubs/pub166/welcome.htm for good
guidelines.]

STATISTICS, STUDIES & SURVEYS
 --IRS Claims Tax-related Identity Theft Rose 644%
(8th July 2008)
A report released by the U.S. Internal Revenue Service (IRS) states that
tax-related identity theft increased sevenfold over a four-year period
ending September 2007. The report also highlights that efforts by the
IRS to deal with the victims of the crime can often exacerbate the
problem. The number of cases where criminals use the Social Security
numbers of their victims to make fraudulent claims or seek employment
has risen 644% since 2004. The IRS's attempts to deal with the problem
often result in delayed or frozen refunds for the victims, or in the
victims facing collection actions such as liens and levies. Nina Olson,
the National Taxpayer Advocate, says "While the IRS is reforming some
aspects of its approach to identity theft, its procedures for dealing
with victims have been a significant part of the problem."
http://www.nydailynews.com/money/2008/07/08/2008-07-08_taxrelated_identity_theft_rose_644_irs_o.html
[Editor's Note (Pescatore): Well, since in the US we still do online tax
filing with nothing more than a reusable PIN, hard to be surprised that
tax related identity theft is growing. The IRS has done nothing to raise
the bar in security here.
(Schultz): Given all the IRS data security problems that have been
identified over the years, these statistics are by no means surprising.
At the same time, however, the IRS deserves credit for addressing many
of these problems.]

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
