SANS NewsBites Vol. 10 Num. 60

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Aug 01 2008 - 12:51:50 CDT



************************************************************************
SANS NewsBites August 1, 2008 Vol. 10, Num. 60
************************************************************************
TOP OF THE NEWS
  Collaborative Blacklisting Significantly Improves Results
  US Government Slow to Adopt Encryption on Mobile Devices
  Nearly 4,000 Laptops Lost or Stolen in European Airports Every Week
  IBM's Internet Security Systems X-Force Report
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    McKinnon Extradition Appeal Denied
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    IRS Employee Pleads Guilty to Accessing Celebrity Files
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    MPAA Lawsuits Target Movie Streaming Sites
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    FBI Warns of "FBI vs. Facebook" Spam Spreading Storm Worm
    Oracle Issues Out-of-Cycle Alert, Says it Will Issue Patch
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Attack May Have Compromised Univ. of Texas at Dallas Data
    DNS Attack Affects BreakingPoint Server
  MISCELLANEOUS
    Olympic Journalists May Not Have Unfettered Internet Access in
       Beijing
    PRC Offers Guide to Credit Monitoring Services

******** A Challenge/Gift for People Who have CEH Certifications *******
The new GPEN (GIAC Penetration Tester) Certification measures mastery
of tools that are so up to date and measures pen testing skills so
effectively that people who buy penetration testing have begun asking
for it in potential pen testers. As a gift to the CEH community, SANS
is offering free testing to 50 active CEH holders who want to
demonstrate that their skills cover the most up to date set of tools and
effective pen testing procedures, as well. The first 50 CEH holders who
ask will be allowed to take the exam at no cost. If you want to take the
exam, email me (apaller@sans.org).
*************************************************************************
TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 (NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 (AUDIT & COMPLIANCE)
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Collaborative Blacklisting Significantly Improves Effectiveness
(July 31, 2008)
At the USENIX Security Conference this week in San Jose, researchers
from SRI and the Internet Storm Center released the results of a test
implementation of a new service, called Highly Predictive Blacklisting.
Rather than relying on general shared lists or highly specific,
personalized ones, HPB uses a link analysis algorithm similar to
Google's PageRank to rank attackers by an estimate of how dangerous
each source is and how closely it is associated with other sites being
attacked by the same sources. Together these factors give a reasonably
good estimate of the probability that the attacker will target a user's
network in the future. Details of the new service are outlined in a
paper that won Best Paper at the USENIX Security conference.
http://www.securityfocus.com/brief/780
http://www.usenix.org/events/sec08/tech/zhang.html
[Editor's Note (Ullrich): DShield will allow you to generate these
blacklists. All submitters are able to retrieve HPBs for their
account (http://isc.sans.org/howto.html). DShield participation is a
free service of the SANS Institute.
(Paller): For more than a decade, governments have been searching for a
way to get companies to share cyber security data. The project
described in this paper may provide the first good answer to that
question, because no organization can gain the benefit of improved
blacklisting unless they share the attack data their site is
experiencing. Thousands of sites are already participating in the
collaborative data project at the Internet Storm Center resulting in
some of the best data available anywhere (see the "Top 10 Rising Ports"
and "World Map" of the sources of attacks at http://isc.sans.org), but
this new project could make Storm Center data even more useful and the
participants much better protected than those who do not participate.]
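As an added illustration of the idea described in the Highly Predictive Blacklisting item above (this is example code written for this page, not the SRI/ISC service or the exact algorithm from the paper): a toy ranker that builds a contributor graph from shared attacker reports, runs a personalized PageRank-style walk from one contributor, and scores the attackers it has not yet seen by the relevance of the contributors that did report them. The contributor names and source addresses are constructed.

```python
"""Toy HPB-style collaborative blacklist ranking (constructed example).

Contributors are linked by how many attacker sources they both reported;
a personalised PageRank walk from the target contributor yields a
relevance weight per contributor, and each unseen attacker is scored by
the summed relevance of the contributors that saw it.
"""
from collections import defaultdict
from itertools import combinations


def contributor_graph(reports):
    """Row-normalised transition map; edge weight = shared attackers."""
    weights = defaultdict(dict)
    for c1, c2 in combinations(reports, 2):
        shared = len(reports[c1] & reports[c2])
        if shared:
            weights[c1][c2] = shared
            weights[c2][c1] = shared
    trans = {}
    for c in reports:
        total = sum(weights[c].values())
        # A contributor sharing nothing with anyone becomes a dangling node.
        trans[c] = {n: w / total for n, w in weights[c].items()} if total else {}
    return trans


def relevance(reports, target, damping=0.85, tol=1e-12, max_iter=500):
    """Personalised PageRank started at, and teleporting back to, `target`."""
    trans = contributor_graph(reports)
    rank = {c: 0.0 for c in reports}
    rank[target] = 1.0
    for _ in range(max_iter):
        nxt = {c: 0.0 for c in reports}
        nxt[target] = 1.0 - damping          # teleport mass goes only to target
        for c, r in rank.items():
            for n, p in trans[c].items():
                nxt[n] += damping * r * p
        delta = sum(abs(nxt[c] - rank[c]) for c in reports)
        rank = nxt
        if delta < tol:
            break
    return rank


def predictive_blacklist(reports, target, top_n=None):
    """Attackers not yet seen by `target`, ranked by summed contributor relevance."""
    rel = relevance(reports, target)
    scores = defaultdict(float)
    for c, attackers in reports.items():
        if c == target:
            continue
        for a in attackers - reports[target]:
            scores[a] += rel[c]
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n] if top_n else ranked


# Constructed sample: attacker sources each contributor reported this week.
SAMPLE_REPORTS = {
    "site-A": {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
    "site-B": {"198.51.100.1", "198.51.100.2", "198.51.100.4", "198.51.100.8"},
    "site-C": {"198.51.100.3", "198.51.100.5", "198.51.100.8"},
    "site-D": {"198.51.100.6", "198.51.100.7"},
}

if __name__ == "__main__":
    for attacker, score in predictive_blacklist(SAMPLE_REPORTS, "site-A"):
        print(f"{attacker:15} {score:.3f}")
```

For site-A, the source reported by both of its closest peers (site-B and site-C) ranks first, site-D's sources score zero because it shares no attackers with anyone, which is the sense in which a site only benefits from the data it and its peers contribute.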

 --US Government Slow to Adopt Encryption on Mobile Devices
(July 29, 2008)
According to a report from the Government Accountability Office (GAO),
just 30 percent of mobile devices at 24 federal agencies are encrypted.
The GAO's report recommends that the Office of Management and Budget
(OMB) "clarify governmentwide encryption policy," particularly what
types of data need to be encrypted. There is no federal law that
specifically requires encryption to protect data, but OMB has
recommended that agencies use it and has required that computers and
other devices containing sensitive data be encrypted.
http://www.gcn.com/online/vol1_no1/46758-1.html?topic=security&CMP=OTC-RSS
http://www.gcn.com/newspics/GAOencrypt_06-27-2008.pdf
http://www.fcw.com/online/news/153305-1.html?topic=security
http://www.securityfocus.com/brief/784
http://www.pcworld.com/businesscenter/article/149080/most_sensitive_data_on_government_laptops_unencrypted.html

 --Nearly 4,000 Laptops Lost or Stolen in European Airports Every Week
(July 29, 30 & 31, 2008)
Research conducted by the Ponemon Institute on behalf of Dell found that
nearly 4,000 laptop computers are lost or stolen every week in major
European airports. The airports reporting the largest number of missing
laptops are London Heathrow, Amsterdam Schiphol, and Paris Charles De
Gaulle. The study gathered information about airports in the entire
EMEA (Europe, Middle East, Africa) region. Nearly 60 percent of machines
missing in the EMEA region's eight largest airports are never reclaimed.
Forty-two percent of business travelers in the EMEA region say they have
not backed up company data on their laptops, and 55 percent have not
safeguarded the data from access by unauthorized users should their
devices get lost or stolen. A similar study of business travelers in US
airports found that 12,000 laptops a week are lost or stolen in US
airports.
http://www.siliconrepublic.com/news/article/11124/cio/missing-4-000-laptops-a-week-in-european-airports
http://www.vnunet.com/vnunet/news/2223012/eu-travellers-losing-laptops-airports
http://www.finfacts.com/irishfinancenews/article_1014326.shtml
[Editor's Note (Schultz): These are truly dismal, although entirely
believable findings. At a minimum, organizations need to beef up their
information security awareness efforts to help employees become more
aware of risks associated with lost or stolen laptops and what to do to
help prevent laptops from being lost or stolen.]

 --IBM's Internet Security Systems X-Force Report
(July 29, 30 & 31, 2008)
Cyber attackers are closing the lag time between vulnerability
disclosure and active exploitation of the flaws - to less than 24 hours
in many cases. This means that fewer people will even be aware of the
vulnerability, let alone have taken action to mitigate the risk of
exploitation. Attack code was available for 94 percent of disclosed flaws
in web browsers less than 24 hours after their disclosure. The figure
for PC vulnerability exploits released within 24 hours of disclosure is
80 percent. The statistics come from IBM Corp.'s Internet Security
Systems X-Force report, which examined cyber attack events during the
first half of 2008. The report states that attackers are less often
searching for vulnerabilities on their own, and more often are using
automated tools to exploit disclosed vulnerabilities, so the work is in
essence being done for them. The report takes researchers to task for
releasing information about vulnerabilities in a way that makes it
easier for attackers to exploit them.
http://news.smh.com.au/technology/online-threats-materializing-faster-study-shows-20080729-3mhx.html
http://www.theregister.co.uk/2008/07/29/x_force_threat_report/print.html
http://www.vnunet.com/vnunet/news/2222896/security-researchers-aiding-crooks
http://www.zdnetasia.com/news/security/0,39044215,62044358,00.htm
[Editor's Note (Northcutt): The report is worth reading! The biggest eye
opener for me is the increase in medium level vulnerabilities:
http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf
(Honan): This report highlights that you can no longer depend on your
patching processes to keep you secure. You need to look at other areas
such as enhancing perimeter security, security awareness training and
ensuring you are monitoring logs for suspicious activity. It should
also serve to remind you to review your incident response plan as the
likelihood of your systems being compromised is higher given the speed
at which exploit code is being published combined with the automated
tools attackers are using.]

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --McKinnon Extradition Appeal Denied
(July 30 & 31, 2008)
The UK Law Lords have voted to allow Gary McKinnon's extradition to the
US to face hacking charges. McKinnon admits to having infiltrated
computer systems at NASA, The Pentagon and other US government agencies,
but maintains he was searching for information on UFOs; the US
government says McKinnon caused hundreds of thousands of dollars worth
of damage. McKinnon rejected initial plea deals from US authorities,
which would have had him serving most of his sentence in the UK.
McKinnon's lawyers are opposed to the extradition because they say he
could be treated like a terrorist and that he could face up to 60 years
in prison. Having lost the appeal to the Law Lords, McKinnon's attorney
says the case will be taken to the European Court of Human Rights.
http://www.guardian.co.uk/technology/2008/jul/30/gary.mckinnon?gusrc=rss&feed=networkfront
http://www.out-law.com/page-9311
http://news.bbc.co.uk/2/hi/uk_news/7532713.stm
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073000758_pf.html
http://www.heise.de/english/newsticker/news/113593
http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --IRS Employee Pleads Guilty to Accessing Celebrity Files
(July 28, 2008)
US Internal Revenue Service (IRS) employee John Snyder has pleaded
guilty to snooping into tax files of celebrities. Snyder is believed
to have accessed the accounts of nearly 200 well-known individuals since
2003. Snyder worked with business accounts and was not supposed to
access individuals' files. He faces up to one year in jail and a fine
of US $250,000 when he is sentenced on August 20.
http://www.upi.com/Top_News/2008/07/28/Man_pleads_to_snooping_in_tax_records/UPI-62491217290237/
[Editor's Note (Northcutt): The IRS is to be commended. They have
researched over 4k potential snooping events. This is going to improve
deterrence. By the way, Mr. Snyder is a well known author on baseball
and has published 17 books. Is it just me, or does he bear a resemblance
to Saddam H? Here is a related story with a photo:
http://news.cincinnati.com/apps/pbcs.dll/article?AID=/20080729/NEWS0103/807290350/0/NEWS0103]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --MPAA Lawsuits Target Movie Streaming Sites
(July 29 & 30, 2008)
The Motion Picture Association of America (MPAA) has sued two websites
for allegedly streaming movies free-of-charge, including some new
releases, such as the new Batman movie, The Dark Knight. One of the
sites, FOMDB.com, was no longer available as of Wednesday, but the
other, MovieRumor.com, was still showing pirated films. The MPAA's
lawsuits allege the sites violated movie studios' copyrights; they seek
damages and ask that the court order the sites to shut down.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209900532
http://news.cnet.com/8301-1023_3-10001721-93.html
[Editor's Note (Northcutt): As part of my research for NewsBites I went
to MovieRumor to determine whether it was still possible to download
Dark Knight. The web page says "this account has been suspended".]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --FBI Warns of "FBI vs. Facebook" Spam Spreading Storm Worm
(July 30, 2008)
The FBI and the Internet Crime Complaint Center (IC3) have both issued
warnings about a new batch of spam emails that are trying to spread the
Storm worm. The emails have "FBI vs. Facebook" in the subject line and
ask recipients to click on a link that purports to be a story about the
FBI and Facebook, but which actually downloads malware onto their
computers and makes them part of the Storm worm botnet.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111094&source=NLT_PM&nlid=8
http://news.cnet.com/8301-1009_3-10002760-83.html
http://www.stripes.com/article.asp?section=104&article=56497
http://www.fbi.gov/pressrel/pressrel08/stormworm073008.htm

 --Oracle Issues Out-of-Cycle Alert, Says it Will Issue Patch
(July 29 & 30, 2008)
Oracle has released an out-of-cycle security alert for a buffer overflow
flaw in the Apache Connector component (mod_weblogic) of the Oracle
Weblogic Server, which used to be known as BEA WebLogic server. The
vulnerability could be exploited remotely without authentication. A fix
is not yet available, but Oracle offers two workarounds users can employ
to protect vulnerable machines until a patch is available. Attack code
for the vulnerability was released just days after Oracle's scheduled
quarterly security release in mid-July.
http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209900007
http://www.theregister.co.uk/2008/07/29/oracle_unpatched_weblogic_flaw/print.html
http://www.gcn.com/online/vol1_no1/46764-1.html?topic=security&CMP=OTC-RSS

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Attack May Have Compromised Univ. of Texas at Dallas Data
(July 31, 2008)
A cyber attack on the computer network at the University of Texas at
Dallas may have compromised personally identifiable information of as
many as 9,100 people. The attack was discovered in mid-July. The
potentially compromised data include Social Security numbers (SSNs),
names, addresses and email addresses. The campus is notifying those
affected by the breach: 8,298 former students or graduates and 804
faculty and staff members.
http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/080108dnmetUTD.1f0bd372.html
[Editor's Note (Veltsos): While many universities across the US have
stopped using Social Security Numbers (SSNs) as identifiers, SSNs can
still be found in many instances of databases and spreadsheets stored
by various departments and business units. Academic institutions should
engage in broad information security assessments to locate and either
secure or destroy what non-IT staff often refer to as "shadow
databases."]

 --DNS Attack Affects BreakingPoint Server
(July 30 & 31, 2008)
A server at BreakingPoint Systems was redirecting users to phony websites
because of a DNS cache-poisoning attack on a local Internet service
provider (ISP). BreakingPoint researcher HD Moore's Metasploit Project
was the first to release an exploit for the widely publicized Kaminsky
DNS flaw. The attack caused BreakingPoint employees' machines to be
redirected from Google.com to a phony Google page running
advertisements. Moore pointed out that it was the ISP, not the company,
that suffered the attack and that no systems or data were compromised.
http://www.vnunet.com/vnunet/news/2222925/dns-exploit-comes-back
[Editor's Comment (Ullrich): This attack shows how we depend on
infrastructure we do not control.
(Northcutt): Several blogs/web articles claim that HD Moore himself was
a victim of the DNS exploit; I do not believe it. I do believe this
illustrates the danger of talking with reporters. The Infoworld URL was
still active at the time I posted this:
http://www.infoworld.com/article/08/07/30/DNS_attack_writer_a_victim_of_his_own_creation_1.html
http://valleywag.com/5031005/dns-hack-author-gets-dns-hacked
http://www.genwi.com/read/6913656]

MISCELLANEOUS
 --Olympic Journalists May Not Have Unfettered Internet Access in Beijing
(July 30 & 31, 2008)
The International Olympic Committee (IOC) has acknowledged that it
accepted a deal with Chinese officials that will have foreign
journalists unable to access certain Internet sites during the summer
games in August. Earlier, China had promised to allow journalists to
"report freely" while they are in Beijing. However, when the Olympic
Village press center opened last week, reporters have found they are
unable to access "Web sites carrying content that the Chinese propaganda
authorities deemed harmful to national security and social stability."
The Internet restrictions are similar to those imposed on Chinese
citizens. In an apparent show of good faith, the Chinese language BBC
website has been unblocked in China, although some are concerned that
it will be blocked again once the Olympic Games are over. China
unblocked the English language BBC website in March.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111159&source=rss_topic17
http://www.nytimes.com/2008/07/31/sports/olympics/31china.html?hp=&pagewanted=print
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/30/AR2008073000747_pf.html
http://news.bbc.co.uk/2/hi/asia-pacific/7535280.stm

 --PRC Offers Guide to Credit Monitoring Services
(July 28, 2008)
In response to the growing industry offering credit monitoring and
protection, the Privacy Rights Clearinghouse (PRC) has published an
online guide called "Straight Talk About Identity Theft Monitoring
Services." The various services offered on the open market "vary
tremendously," and many of the services offered by the companies can be
had at little or no cost to savvy consumers. The guide describes what
types of identity theft are and are not covered by monitoring services
and lists steps consumers can take on their own to protect their
identities and credit. It also offers a list of what to look for in a
credit monitoring service.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111019
http://www.privacyrights.org/fs/fs33-CreditMonitoring.htm

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
