SANS NewsBites Vol. 10 Num. 58

From: The SANS Institute (NewsBitessans.org)
Date: Fri Jul 25 2008 - 13:18:01 CDT



*************************************************************************
SANS NewsBites July 25, 2008 Vol. 10, Num. 58
*************************************************************************
TOP OF THE NEWS
  DNS Exploits Released
  Six ISPs Sign Piracy-Fighting Memorandum
  Study: Banks Use Unsecure Practices on Websites
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Four-Year Sentence for Selling Counterfeit Software
    Appeals Court Says Credit Union May Seek Damages From Credit Card
       Processor
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    NIST Publishes Revised Performance Measurement Guide for
       Information Security
  SPYWARE, SPAM & PHISHING
    Prolific Spammer Sentenced to Prison
    Accused Phisher Pleads Guilty
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Mozilla Updates Thunderbird
    UK Computers Infected with Asprox
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Airline Check-in Kiosks Suspected in Card Fraud
  MISCELLANEOUS
    Rogue SF Network Admin Gives Up Passwords
    Spam King Kills His Wife and Child

*************************************************************************
TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 (NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 (AUDIT & COMPLIANCE)
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --DNS Exploits Released
(July 24, 2008)
Two exploits for the recently disclosed DNS security flaw have surfaced
this week. Initially, details of the flaw were going to be kept under
wraps until the Black Hat conference in Las Vegas next month, but
earlier this week a researcher made some educated guesses as to the
nature of the flaw and his speculations were confirmed. The discussion
was inadvertently posted to a blog that has since been taken down. The
flaw was discovered several months ago and vendors were alerted so they
could prepare patches before the vulnerability became public knowledge.
http://www.heise-online.co.uk/security/DNS-vulnerability-exploits-released--/news/111168
http://www.eweek.com/c/a/Security/DNS-Flaw-Details-Leaked-Accidentally/?kc=rss
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110622&intsrc=hm_list
[Editor's Note (Ullrich): This vulnerability is already being exploited
and easy-to-use exploit tools have been released.]

 --Six ISPs Sign Piracy-Fighting Memorandum
(July 24 & 25, 2008)
A half dozen UK Internet service providers (ISPs) have signed a
Memorandum of Understanding (MOU), agreeing to work with the BPI
(British Phonographic Industry) to help stop illegal music file sharing.
The ISPs will send warning letters to customers suspected of using their
Internet connections to share pirated music files. The MOU covers users
who upload and who download the files. It also commits the ISPs to
developing legitimate music services. The Motion Picture Association
of America (MPAA) has also signed the agreement. Virgin and BT have
already sent letters to some of their users identified by BPI as
persistent file sharers. BPI is pushing for a three-strikes system that
would cut off the Internet connections of those who persist in illegal
file sharing, but ISPs are reluctant to adopt the practice.
http://news.bbc.co.uk/2/hi/technology/7522334.stm
http://news.smh.com.au/technology/british-internet-service-providers-agree-to-work-together-against-illegal-downloading-20080724-3kfq.html
http://news.zdnet.co.uk/communications/0,1000000085,39452072,00.htm

 --Study: Banks Use Unsecure Practices on Websites
(July 22, 23 & 24, 2008)
Researchers at the University of Michigan found, in a 2006 study, that
76 percent of US banking websites have design flaws that could put
customers at risk for data theft and fraud. The research did not
discover vulnerabilities in the websites, but instead focused on the
practices banks use that inure customers to potential online dangers by
reinforcing bad security habits. The problems lie in the fact that many
banks are "condition[ing] customers to ignore potential clues about
whether the banking site they're visiting is real" or phony. For
example, many banks redirect online customers to third-party sites
without informing the customers, place secure login boxes on unsecure
pages, or use email addresses or Social Security numbers (SSNs) as
default user names. Researchers plan to present their findings at a
conference on Friday, July 25. The research was conducted on the online
websites of 214 US banks of all sizes.
http://www.msnbc.msn.com/id/25819973/
http://www.zdnetasia.com/news/security/0,39044215,62044110,00.htm
http://www.ns.umich.edu/htdocs/releases/story.php?id=6652
http://www.eecs.umich.edu/~laura/webusability/websites.html
http://cups.cs.cmu.edu/soups/2008/program.html
http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
[Editor's Note (Schultz): The proof is in the pudding, so to speak.
Whether or not banks use secure Web site practices should thus be
determined by the Web sites' resistance to attacks, not by design flaws
found by outsiders.]
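The study's "bad habit" findings (a login box on a non-HTTPS page, credentials silently posted to a third-party host, SSNs or e-mail addresses as user names) can be checked mechanically. The following auditor is an added example, not code from the study or from SANS; it uses only the Python standard library, and the bank and third-party hostnames in its sample input are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collects every <form> on a page together with its <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms: {"action": str, "inputs": [attr dicts]}
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings for the login forms on a page; [] means clean.

    The checks mirror the practices the Michigan study criticised: the page
    carrying the login box must itself be HTTPS, credentials must be posted
    over HTTPS to the same host, and the user-name field must not be an SSN
    or an e-mail address.
    """
    collector = LoginFormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        inputs = form["inputs"]
        if not any(i.get("type", "").lower() == "password" for i in inputs):
            continue  # no password field, so not a login form
        if page.scheme != "https":
            findings.append("login form served on a non-HTTPS page")
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        if target.scheme != "https":
            findings.append("credentials posted over plain HTTP to %s" % target.netloc)
        if target.hostname != page.hostname:
            findings.append("credentials posted to third-party host %s" % target.hostname)
        for i in inputs:
            if i.get("type", "").lower() == "password":
                continue
            label = ((i.get("name") or "") + " " + (i.get("id") or "")).lower()
            if "ssn" in label or "social" in label or i.get("type", "").lower() == "email":
                findings.append("user-name field %r suggests SSN or e-mail as user name"
                                % i.get("name"))
    return findings
```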

*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Four-Year Sentence for Selling Counterfeit Software
(July 23 & 24, 2008)
Jeremiah Joseph Mondello has been sentenced to four years in prison for
selling counterfeit software on eBay. Mondello was found guilty of
aggravated identity theft, criminal copyright infringement and mail
fraud. He was also ordered to forfeit US $225,000 in profits and to
serve 450 hours of community service upon completion of his prison
sentence. Mondello used information obtained through a keystroke logger
to set up the eBay and PayPal accounts he used to sell the counterfeit
software, which included pirated copies of Symantec, Adobe and Intuit
software.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110621&source=rss_topic17
http://www.theregister.co.uk/2008/07/24/ebay_auction_fraudster/print.html

 --Appeals Court Says Credit Union May Seek Damages From Credit Card Processor
(July 21, 2008)
A US Court of Appeals has reinstated a damages claim dismissed two years
ago by a US District Court judge. The claim concerns credit card
processor Fifth Third Bancorp's obligation to pay a portion of the damages
incurred by a Pennsylvania credit union as a result of the 2004 BJ's
Wholesale Club data security breach. The original complaint was brought
by the Pennsylvania State Employees Credit Union, which spent US
$100,000 to cancel and reissue cards for its customers whose data were
compromised in the breach. The case now goes back to district court.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209400073

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --NIST Publishes Revised Performance Measurement Guide for Information Security
(July 22, 2008)
The National Institute of Standards and Technology (NIST) has issued
Special Publication 800-55, Revision 1, "Performance Measurement Guide
for Information Security." The document is designed to provide
practical guidance for government agencies on how to conduct required
security evaluations of IT systems specified in several laws, including
the Clinger-Cohen Act and the Federal Information Security Management
Act (FISMA). The document replaces the original version, which was
published five years ago.
http://www.gcn.com/online/vol1_no1/46698-1.html
http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
[Editor's Note (Honan): Industry-standard-based ISMSs (Information
Security Management Systems), such as ISO 27001, require you to measure
how effective your ISMS is so that areas for improvement can be
identified. This publication provides a number of useful guidelines to
help you meet that requirement.
(Veltsos): Revision 1 provides quantifiable information security metrics
to gauge and analyze the implementation, the efficiency, and the
effectiveness of security controls and their value to the organization.
In particular, Appendix A contains nineteen sample measures that every
CISO should be aware of.]

SPYWARE, SPAM & PHISHING
 --Prolific Spammer Sentenced to Prison
(July 23, 2008)
Robert Alan Soloway has been sentenced to nearly four years in federal
prison for sending millions of spam emails. Soloway was also ordered
to forfeit more than US $700,000 he made from his scheme. He has
previously been sued in civil court for spamming, and owes civil
penalties totaling more than US $17 million. Soloway used a program
called Dark Mailer to send out the spam that promoted his business
selling spamming software.
http://www.theregister.co.uk/2008/07/23/soloway_sentenced/print.html

 --Accused Phisher Pleads Guilty
(July 23, 2008)
Ovidiu-Ionut Nicola-Roman has pleaded guilty to one count of conspiracy
to commit fraud. Nicola-Roman, who is Romanian, was located in Bulgaria
and extradited to the US in September 2007. He is allegedly part of a
phishing ring. In one case, the group sent emails to a certain bank's
customers, telling them their accounts were inaccessible because
administrators were upgrading the system and asking them to verify their
account details at a "secure online database." The group hit the banking
site with a distributed denial of service (DDoS) attack at the same time
to lend their claim legitimacy.
http://www.theregister.co.uk/2008/07/23/romanian_phisher_guilty_plea/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Mozilla Updates Thunderbird
(July 24, 2008)
Mozilla has issued Thunderbird version 2.0.0.16 to address nine security
flaws. All of the flaws have already been patched in Firefox - eight
in the browser's most recent update (version 2.0.0.15) and one that was
patched last week. None of the vulnerabilities fixed was deemed
critical; Mozilla has assigned all nine flaws severity ratings of
moderate or low.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110643&intsrc=hm_list

 --UK Computers Infected with Asprox
(July 23, 2008)
Numerous UK government and commercial websites have recently become
infected with malware called Asprox. The malware infects visitors'
computers without their knowledge and collects their personal
information. Users became aware of the malware only after discovering
that their personal data had been used to commit fraud, including
unauthorized account withdrawals.
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece
[Editor's Note (Veltsos): Asprox is only the latest in a series of
rapidly growing attacks on legitimate web sites. The latest Sophos
Security Threat Report reported 90% of infected web pages are hosted on
legitimate sites; a new infected web site was detected every five
seconds. In addition to US and UK government sites, other major web
sites such as Google's Blogspot.com, and Sony Playstation were found to
be hosting malware as well, much of it due to SQL injection attacks.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Airline Check-in Kiosks Suspected in Card Fraud
(July 24, 2008)
WestJet Airlines Ltd. has placed a temporary ban on the use of credit
cards to identify fliers at self-service check-in kiosks at all airports
in Canada. The move comes amid surfacing reports of investigations into
instances of credit card fraud that have a strong correlation with air
travel at one airport in particular, believed to be Toronto's Pearson
International Airport. Visa and MasterCard have both issued statements
indicating that they are investigating reported fraud. Passengers may
check in at the self-service kiosks with passports, reservation numbers,
frequent flier cards, or by entering their last names.
http://www.theglobeandmail.com/servlet/story/LAC.20080724.RCREDITCARDS24/TPStory/National
[Editor's Note (Schultz): If this turns out to be true, this will not
be the last case where this happens. While many of us find the
airlines' kiosks of great value, they are often placed in locations where
they are not in plain view and are able to be tampered with. The same thing
applies to many of the card readers at gas stations that are out of
sight.]

MISCELLANEOUS
 --Rogue SF Network Admin Gives Up Passwords
(July 23 & 24, 2008)
Terry Childs, the network administrator accused of hijacking the city
of San Francisco's computer network, has surrendered the access
passwords he created that locked users out of the system. Childs had
refused to give up the passwords, but a visit from San Francisco Mayor
Gavin Newsom convinced him to reveal them. In addition to allegations
of hijacking, Childs has been accused of installing software to allow
remote access to the system and planting a program to delete files
during scheduled system maintenance. The judge denied a request to
lower Childs's bail.
http://www.theregister.co.uk/2008/07/23/sf_admin_gives_passwords/print.html
http://www.theregister.co.uk/2008/07/23/sf_admin_stays_jailed/print.html
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209600496
[Editor's Note (Honan): You should never rely on only one person having
complete administrative access to your systems or networks as not all
DR plans can rely on the local mayor to recover the passwords. So ask
yourself whether your network is owned by the business or 0wned by IT
and react accordingly.]

 --Spam King Kills His Wife and Child
(July 25, 2008)
"Spam King" Edward "Eddie" Davidson, a convicted spammer, fatally shot
his wife and young daughter in an apparent murder-suicide Thursday while
being sought after escaping prison last weekend, authorities said.
http://www.usatoday.com/tech/2008-07-25-spam-king-slaying_N.htm?csp=34

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a postgraduate-level IT
security college, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
