SANS NewsBites Vol. 10 Num. 56

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jul 18 2008 - 12:52:48 CDT



Fascinating news stories in this issue. Plus...
+For everyone, registration is now open for the annual Network Security
Conference in Las Vegas. http://www.sans.org/info/29439
+And for DC area folks, there's a briefing next Thursday on the inside
data of how the Chinese attacks work.
See http://www.sans.org/washington_troy/
                                    Alan

*************************************************************************
SANS NewsBites July 18, 2008 Vol. 10, Num. 56
*************************************************************************
TOP OF THE NEWS
  Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours)
  Romanian Police Arrest 24 Cybercrime Suspects
  More Privacy Offices Proposed Under New Bill
  European Court to Hear Case on Swedish Surveillance Law
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Spammer Gets 30 Months for Inundating AOL
    Charges Against New Zealand Botmaster Dropped
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Information Assurance Certification Guidelines Issued by The DoD
  POLICY & LEGISLATION
    EU Commission Wants UK Government To Probe Targeted Advertising
    U.K.'s ICO Fears Communications Database is "A Step Too Far"
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    PDF Vulnerability in Blackberry Enterprise Server
    Mozilla Patches Two Critical Firefox Flaws
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Rogue Employee Locks San Francisco's Network
    Facebook Bug Exposes Members' Data
  STATISTICS, STUDIES & SURVEYS
    Structure of Cybercrime Gangs Revealed
    Researchers Find Partially Encrypted Disks Leak Data

*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours)
(July 14, 2008)
Researchers at the Internet Storm Center estimate that an unpatched
Windows PC is compromised about four minutes after it connects to the
Internet. This "survival time" has dropped steadily over the past few
years as the number of worms and viruses has grown and attackers have
adopted increasingly automated attack tools. However, a researcher with
the German Honeypot Project claims the survival time is much higher than
four minutes and in fact is nearer 16 hours. Either way, both
researchers agree that systems that are not securely configured, fully
patched, and appropriately protected should not be connected to the
Internet.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9109938&source=rss_topic17
http://www.theregister.co.uk/2008/07/15/unpatched_pc_survival_drops/
[Editor's Note (Paller): Compromised PCs enable malicious access through
VPNs to critical systems. This is why the secure configurations under
the Federal Desktop Core Configuration are so valuable. Companies
around the world are beginning to use them, because they make computers
far harder to compromise and because it saves money and keeps you more
secure through Microsoft testing patches for you. The patches can be
installed immediately on all conforming systems without wasted patch
testing time and cost.]

 --Romanian Police Arrest 24 Cybercrime Suspects
(July 16, 2008)
In a joint operation between the FBI and Romanian law enforcement,
Romanian police conducted a number of raids in the cities of Bucharest,
Ramnicu Valcea, Sibiu, Alexandria, Dragasani, and Hunedoara and arrested
24 people suspected of belonging to a cybercrime gang. The gang is
believed to be involved in a number of online scams such as identity
theft, credit card and auction fraud scams that netted approximately
EUR 400,000 (US $634,000). It is believed the gang targeted its
victims on websites such as eBay, craigslist.com and Equine.com. The
alleged leader of the gang, Romeo Chita, was arrested in a property
owned by Romanian politician Dumitru Puzdrea, who denies all knowledge
of the criminal activity.
http://www.pcworld.com/businesscenter/article/148519/romainian_authorities_arrest_cybercrime_suspects.html?tk=rl_noinform
http://www.theregister.co.uk/2008/07/17/romania_cybercrime_arrests/
http://www.mediafax.ro/engleza/alleged-internet-fraud-network-leader-found-in-romanian-lawmaker-s-home.html?6966;2782723

 --More Privacy Offices Proposed Under New Bill
(July 15, 2008)
Privacy officers for each of the Homeland Security Department's
components will be a requirement under a bill, H.R. 5170, which is
currently under consideration in the House of Representatives. "The
presence of a full-time Component Privacy Officer would ensure that
privacy considerations are integrated into the decision-making process
at all of the DHS Components," the measure's authors wrote. Of the nine
components within the DHS, four of them have full-time privacy officers.
http://www.fcw.com/online/news/153141-1.html?topic=privacy

 --European Court to Hear Case on Swedish Surveillance Law
(July 15, 2008)
The Swedish government will have to defend its introduction of a recent
telecommunications surveillance law. An independent group, the Centrum
for Rattvisa (CFR) or Justice Center, claims the bill violates Articles
8 and 13 of the European Convention on Human Rights. Article 8
guarantees European citizens the right to privacy, while Article 13
gives them the right to hold authorities accountable for violations of
the human rights convention. The controversial law was narrowly voted
in last month and allows Swedish security services to eavesdrop on all
international calls into and out of Sweden. In response to the new law
TeliaSonera, the Finnish-Swedish telecoms operator, has moved its
servers from Sweden to Finland and Google is also considering a similar
course of action.
http://www.thelocal.se/13052/20080715/
http://www.theregister.co.uk/2008/07/17/echr_swedish_wiretap_law_review/

*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Spammer Gets 30 Months for Inundating AOL
(July 16, 2008)
A 27-year-old New Yorker, Adam Vitale, has been sentenced to 30 months
imprisonment after being convicted of sending spam to 1.2 million AOL
members. Vitale was also ordered to pay compensation of $180,000 to
AOL. Vitale and his accomplice, Todd Moeller, used open relay proxies
and falsified email headers to bypass the AOL spam filters. Vitale and
Moeller were arrested after they tried to sell their spam distribution
list to a government informant.
http://www.cio.com/article/437918/Spammer_Gets_Months_for_Inundating_AOL
http://www.theregister.co.uk/2008/07/16/aol_spam_sentencing/

 --Charges Against New Zealand Botmaster Dropped
(July 15, 2008)
A judge in New Zealand dismissed charges against an 18-year-old man,
Owen Thor Walker, who had pleaded guilty to his part in an
international cyber-crime network that stole over $20.4m from private
bank accounts. Walker, who went by the online moniker of "Akill," was
accused of writing a sophisticated Trojan which employed encryption
techniques enabling it to bypass anti-virus software. New Zealand
investigators claimed it was one of the "most advanced" programs they
had seen. After both the prosecution and defense counsels pleaded for
leniency so that Walker could work with the police in the future, Judge
Judith Potter dismissed the charges against Walker. She did so as she
believed a conviction could jeopardise a bright career and that Walker
was a man with a potentially outstanding future in law enforcement.
http://www.theregister.co.uk/2008/07/15/nz_botmaster_escapes_conviction/
http://www.vnunet.com/vnunet/news/2221717/kiwi-hacker-walks-free-court
http://news.bbc.co.uk/2/hi/asia-pacific/7509052.stm
[Editor's Note (Skoudis): I'm deeply troubled by the logic of this
decision. I personally think it opens the doors for more of this kind
of crime. If we want to curb cyber attacks, we have to go in the
opposite direction -- to make people realize that there are serious
penalties for engaging in this behavior. Love letters from judges and
prosecutors extolling the advanced technical skills and promising future
of someone who abetted cyber crime don't help at all.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Information Assurance Certification Guidelines Issued by The DoD
(July 17, 2008)
The U.S. Department of Defense's "Information Assurance Workforce
Improvement Program" details the industry-standard certifications that
technical and management personnel must attain if they are responsible
for running a government organization's Information Assurance program.
Some people feel that this is an important development, as these
requirements will also become de facto standards for the private sector.
http://www.networkworld.com/newsletters/sec/2008/071408sec2.html?nladname=071708securitystrategiesal&code=nlsecstrat149147
http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
[Editor's Note (Pescatore): While these requirements will definitely
spill over to those who contract with the DoD, the way the DoD does
Information Assurance is very different from, and not always better
than, the way private industry firms do Information Security.]

POLICY & LEGISLATION
 --EU Commission Wants UK Government To Probe Targeted Advertising
(July 16, 2008)
Viviane Reding, the European Union commissioner for information society
and media, has warned the UK government that it needs to take actions
to safeguard consumer privacy in relation to behavioral ad targeting
technology such as that provided by Phorm. Phorm's technology can be
used by Internet Service Providers to track end user activity on the
Internet and place advertisements based on their online activity. Phorm
already has agreements in place with some of the U.K.'s top ISPs such
as the BT Group PLC (BT), Carphone Warehouse's (CPW.LN) Talk Talk and
Virgin Media. In a letter to the U.K. government, Ms Reding said, "It is
very clear in E.U. directives that unless someone specifically gives
authorization (to track consumer activity on the Web) then you don't
have the right to do that." She went on to say that if the U.K.
government didn't resolve the issue, the commission could take it to the
European Court of Justice.
http://www.easybourse.com/bourse-actualite/marches/eu-commission-wants-uk-government-to-probe-targeted-488767
http://www.theregister.co.uk/2008/07/16/eu_warns_uk_over_phorm/

 --U.K.'s ICO Fears Communications Database is "A Step Too Far"
(July 15, 2008)
When the U.K.'s Information Commissioner Richard Thomas published his
office's annual report, he raised concerns that a central database
holding records of all phone and internet communications of U.K.
citizens would be "a step too far for the British way of life".
Currently under EU Data Retention legislation each ISP and
telecommunications company in the U.K. holds their own individual
database. Police and other security agencies have to apply for separate
search warrants to access each database. It is thought a centralized
database would provide better efficiencies in the fight against serious
crime and terrorism. Mr. Thomas said the proposals to implement such a
database under the upcoming Communications Data Bill should not proceed
without proper public and parliamentary debate.
http://news.bbc.co.uk/2/hi/uk_news/politics/7507627.stm
http://www.vnunet.com/computing/news/2221699/communcations-database-step-far
http://www.heise.de/english/newsticker/news/112905

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --PDF Vulnerability in Blackberry Enterprise Server
(July 16, 2008)
RIM, the maker of the Blackberry handheld devices, has issued an
advisory warning of a critical vulnerability in the PDF Distiller
component of the attachment service for Blackberry Enterprise Server.
This service is used to prepare PDF email attachments for display on
Blackberry handhelds. The vulnerability can be used to inject and
execute code on the server and affects BlackBerry Enterprise Server
versions 4.1 Service Pack 3 (4.1.3) to 4.1 Service Pack 5 (4.1.5) and
BlackBerry Unite! prior to 1.0 Service Pack 1 (1.0.1) Bundle 36. Until
a patch is released, RIM is advising users of the Blackberry Enterprise
Server to disable PDF processing in the Attachment Service.
http://news.zdnet.co.uk/security/0,1000000189,39448050,00.htm
http://www.heise.de/english/newsticker/news/112904
http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=KB15766
[Editor's Note (Skoudis): This flaw indicates a very promising attack
vector for the bad guys -- exploiting servers that render documents on
behalf of clients. It's an interesting twist -- using an exploit that
is very similar to the multitude of client-side exploits today, but
targeting a server's document-rendering code. Look for more of these
kinds of flaws in the future, and not just in RIM's products. The hunt
is on for more of this kind of issue, to be sure.
(Pescatore): There was a similar BES Attachment Services vulnerability
with PNG files several years ago. While there do not seem to be active
exploits out yet, since you can allow attachment viewing in general
while disabling PDF viewing in particular, that is the prudent path
until they patch. I hope RIM is thoroughly testing Attachment Services
for other malformed file vulnerabilities and not just reacting to each
new one reported.]

 --Mozilla Patches Two Critical Firefox Flaws
(July 17, 2008)
Mozilla has released patches to address two critical flaws in the
Firefox browser. Firefox 2.0.0.16 and Firefox 3.0.1 address the "carpet
bomb" threat to Windows users who have both Apple Safari and Firefox
installed on the same system. The other vulnerability addressed is in
Firefox's CSSValue array data structure, which could be exploited to
force a crash and to run malicious code. Mozilla also reminded users of
Firefox 2.0 that support for that version of the browser will end in
December of this year, in line with its policy of supporting older
versions of software for only six months after a major release.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110199&source=NLT_AM&nlid=1
http://www.heise.de/english/newsticker/news/112947

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Rogue Employee Locks San Francisco's Network
(July 15, 2008)
San Francisco city officials are unable to access the city's computer
network after a disgruntled computer engineer, 43-year-old Terry Childs,
reset all network administrator passwords. The network affected is the
city's Fibre WAN, which carries about 60% of all network traffic for
city officials. It is believed Childs took the action after a security
assessment discovered evidence of tampering with the network, which led
to a police investigation. Police have arrested Childs, and he has been
charged with four counts of computer tampering on the network. Childs
was previously convicted of aggravated burglary in 1982 and served five
years' probation.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110176&source=NLT_SEC&nlid=38
http://www.vnunet.com/vnunet/news/2221855/san-francisco-government-locked
http://news.zdnet.co.uk/security/0,1000000189,39448038,00.htm
[Editor's Note (Veltsos): Security staff should be closely scrutinized
before, during, and after employment. A strong password policy would
have required that network device passwords be changed after the firing
of any staff member with those access credentials.
(Schultz): This incident serves as yet another ugly reminder of the
damage and disruption that one strategically placed individual can do
in the world of computing. Too often system and network administrators,
both of whom "own the keys to the shop" in IT environments, can do
virtually anything without sufficient scrutiny.]

 --Facebook Bug Exposes Members' Data
(July 16, 2008)
A beta version of the Facebook website enabled the birth date of members
to be viewed even if they had requested the information to be kept
confidential. The problem was discovered over the weekend and Facebook
has now fixed the problem. In a statement the company said "For a brief
period of time, a small number of users were able to access a private
beta of Facebook's new site design meant only for developers. During
that time, some of those users had their birthdays revealed due to a
bug."
http://www.vnunet.com/vnunet/news/2221777/facebook-exposes-members
http://www.metro.co.uk/news/article.html?in_article_id=221076&in_page_id=34
http://www.heise-online.co.uk/security/Facebook-fixes-data-leak--/news/111117

STATISTICS, STUDIES & SURVEYS
 --Structure of Cybercrime Gangs Revealed
In its recent Malicious Code Research Center (MCRC) report, Finjan Inc.
provided details on how the world of cybercrime is changing. According
to the report the days of individual groups of hackers dealing in stolen
credit card details are over and are now being replaced by an
organizational structure similar to that found in the business world.
The report also highlights a sharp drop in the price for compromised
financial details due to an overabundance of supply. Prices for bank
account details with PIN numbers have dropped from $100 each to $10 or
$20. The report notes that criminals are now moving to other types of
stolen data such as medical records, business information and personnel
files, which may prove to be more lucrative.
http://www.networkworld.com/news/2008/071508-researchers-trace-structure-of-cybercrime.html?page=1
http://www.scmagazineuk.com/Business-booms-for-organised-cybercriminals/article/112499/
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209100133

 --Researchers Find Partially Encrypted Disks Leak Data
(July 15, 2008)
A joint research team consisting of members from the University of
Washington and British Telecom, and which included Bruce Schneier, has
discovered that applications such as Microsoft Word and Google Desktop
can leave data exposed even when it is stored on a partially encrypted
drive. Users employing full disk encryption do not face the same issue.
The problem appears to lie in the way certain applications temporarily
store files in non-encrypted parts of the disk, making that data
available for recovery with forensic tools. The problems were
discovered when examining TrueCrypt's implementation of the 'Deniable
File System' (DFS). The data leakage was found in version 5.1a of
TrueCrypt and appears to be addressed in TrueCrypt 6.0.
http://www.cio.com/article/print/437919
http://news.zdnet.co.uk/security/0,1000000189,39448526,00.htm
http://www.heise-online.co.uk/security/Vista-Word-and-Google-Desktop-circumvent-TrueCrypt-function--/news/111118

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
