SANS NewsBites Vol. 10 Num. 62

From: The SANS Institute (NewsBitessans.org)
Date: Fri Aug 08 2008 - 13:01:20 CDT


*************************************************************************
SANS NewsBites August 8, 2008 Vol. 10, Num. 62
*************************************************************************
TOP OF THE NEWS
  Appeals Court to Re-Examine Definition of Interception in Valence Media
     email Case
  Consumer Reports Publishes State of the Net 2008
  Groups Offer Tools for Olympic Games Travelers to Circumvent Chinese
     Internet Censoring
THE REST OF THE WEEK'S NEWS
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    UK Passport Chips Easily Cloned
    TSA Vendor Laptop Reported Stolen, Then Found
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Malware Pretends to be Flash Player Update
    Microsoft to Issue a Dozen Security Bulletins on Tuesday
    Kaminsky Speaks About DNS Flaw
    Oracle Issues Patch for WebLogic Vulnerability
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Breach Forces Irish Banks to Reissue Credit Cards
    Eleven Charged in Connection with Multiple Data Heists
    Cypriot Jailed for Hacking Webcams, Attempting Extortion; Florida Man
       Arrested in Webcam Voyeur Case
  MISCELLANEOUS
    Cybercrime Gang Used Coreflood to Gather Huge Amounts of Financial
       Data
    Snooping on Medical Files of the Famous Continues to be a Problem

************************ Sponsored By PacketMotion **********************

The NEW ComputerWorld Report on Security Blind Spots is Available!
We all know blind spots are bad for drivers but are you aware of how
potentially disastrous they can be for IT security professionals? Click
here to download this complimentary report, which includes the
perspective from government and industry thought leaders.

http://www.sans.org/info/31553
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Appeals Court to Re-Examine Definition of Interception in
Valence Media email Case
(August 6, 2008)
A federal appeals court in California will decide whether to overturn a
lower court decision that determined Rob Anderson did not violate the
Wiretap Act; Anderson configured his former business associate's server
to forward copies of corporate emails to his Google mail account. He
then passed the information gathered from filesharing company Valence
Media on to the Motion Picture Association of America (MPAA), which
paid him US $15,000. At issue is the judicial definition
of interception regarding electronic communication. Judge
Florence-Marie Cooper wrote in her August 2007 decision that "Anderson's
actions did not halt the transmission of the messages to their intended
recipients. As such, under well-settled case law, as well as a reading
of the statute and the ordinary meaning of the word 'intercept,'
Anderson's acquisitions of the emails did not violate the Wiretap Act."
The Electronic Frontier Foundation (EFF) and the Electronic Privacy
Information Center (EPIC) have filed amicus briefs on behalf of the
defendant in the case.
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080503421_pf.html
[Editor's Note (Schultz): Judge Florence-Marie Cooper's
interpretation of "interception" in this case is incredibly different
from how most information security professionals would interpret this
concept. It will thus be quite interesting to see how the appeals court
will rule in this matter.
(Northcutt): Here is a more sensational version of the story including
the MPAA saying "we don't care how you get it" and Anderson having "a
change of heart":
http://news.cnet.com/Torrentspy-names-alleged-MPAA-hacker---page-2/2100-1030_3-6087146-2.html ]

 --Consumer Reports Publishes State of the Net 2008
(September 2008)
According to Consumer Reports' State of the Net 2008 report, the odds
of becoming a victim of cybercrime have dropped over the last year from
one in four to one in six. Of the 2,071 online households polled for
the study, 19 percent do not have antivirus software on their computers,
36 percent do not have antispyware software on their computers, and 75
percent do not use anti-phishing toolbars. While the incidence of spam,
spyware and serious viruses has declined, phishing is on the rise, and
threats overall are becoming more insidious. Consumer Reports has also
compiled a list of the top security blunders Internet users make,
including accessing accounts through email links, downloading free
software, and assuming security software is protecting the computer, but
letting antivirus and antispyware subscriptions expire.
http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/protect-yourself-online/state-of-the-net-2008/protect-yourself-online-state-of-the-net.htm
http://www.consumerreports.org/cro/cu-press-room/pressroom/archive/2008/09/0809-eng0809olb.htm

 --Groups Offer Tools for Olympic Games Travelers to Circumvent Chinese Internet Censoring
(August 5 & 7, 2008)
The Chaos Computer Club is making available USB sticks with technology
that will allow visitors to China for the Olympics to circumvent
Chinese Internet censorship measures. The sticks contain copies of the
Tor Browser and the Tor Project's software and will be available only for
the duration of the Olympic Games. Chaos has also set up a website where
people can download the software. Another group, FoeBuD, is selling
similar devices. TOR is a network of servers around the world that
allows anonymization of data sent over the Internet. The Global
Internet Freedom Consortium is also offering a package of tools to help
Beijing Olympic visitors evade Chinese censorship.
http://www.theregister.co.uk/2008/08/07/torbrowser_olympics/print.html
http://www.guardian.co.uk/technology/2008/aug/07/censorship.hacking
http://www.vnunet.com/vnunet/news/2223248/chinese-offered-tools-crack-firewall
[Editor's Note (Grefer): The website of The TOR Project is
http://www.torproject.org/]

*************************************************************************

THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --UK Passport Chips Easily Cloned
(August 6, 2008)
Tests conducted for The Times found that the UK's new microchipped
passports can be cloned in just minutes. The forged passports were not
detected as such by Golden Reader, the software recommended for use in
international airports. The microchips were designed with the intent
of protecting the country from terrorism and organized crime. The
findings also raise concerns about 3,000 blank passports that were
stolen last week; officials said they posed no danger because passports
could not be forged. The tests were conducted by a security researcher
at the University of Amsterdam.
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
[Editor's Note (Pescatore): There is an old adage of the rope swing
designed by committee ending up with the swingee slamming into the trunk
of the tree. The designs of both the new passports and electronic voting
machines have definitely followed that same sorry path. Both efforts
seemed to have focused more on technology for technology's sake than for
any increase in security, or even in maintaining prior levels of
security.]

 --TSA Vendor Laptop Reported Stolen, Then Found
(August 5, 2008)
Earlier this week, the Transportation Security Administration (TSA)
reported that a laptop containing unencrypted personally identifiable
information of more than 33,000 people enrolled in the registered
traveler program was missing. When it learned the laptop was missing,
the TSA suspended registration in the program. The laptop was thought
to be stolen from an office at San Francisco International Airport; the
computer was later found in that same office. The laptop belongs to
Verified Identity Pass Inc., a vendor for the program. The TSA says
that Verified Identity Pass was not in compliance with TSA encryption
requirements. Verified Identity Pass has been told to notify all
affected individuals and to stop using unencrypted computers. The
company is investigating whether the computer was stolen or just
misplaced, but some have observed that the underlying problem is that
the data on the machines were not encrypted.
http://www.fcw.com/online/news/153393-1.html
http://www.theregister.co.uk/2008/08/05/missing_laptop/print.html
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1
[Editor's Note (Pescatore): Lost or found: 33,000 times $80/year is
about $2.6M per year in revenue and an 8% profit margin is about
$211,000. Looks like there was probably room to put a $50 encryption
program on the laptops.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Malware Pretends to be Flash Player Update
(August 6 & 8, 2008)
Malware masquerading as a Flash Player update has been spreading in
several guises recently. There are reports that spam messages claim to
offer a link to CNN Top 10 news stories, and MySpace and FaceBook
messages purporting to offer links to interesting video clips tell users
that to view the content, they must download a new version of Flash.
However, instead of Flash, users' computers become infected with
malware.
http://blogs.pcmag.com/securitywatch/2008/08/facebook_worm_spreads_rapidly.php
http://securecomputing.net.au/News/119041,faked-cnn-spam-blitz-pushes-fake-flash.aspx
[Editor's Note (Northcutt): All in all a fairly decent fake; this
should be part of your organization's next awareness briefing.]

 --Microsoft to Issue a Dozen Security Bulletins on Tuesday
(August 7, 2008)
Microsoft will issue twelve security bulletins next week, according to
the advance notification website. The updates will address critical
flaws in Windows, Office, Internet Explorer and the media player that
comes bundled with Vista. Seven of the bulletins in the scheduled
monthly release have been given severity ratings of critical, while the
remaining five have severity ratings of important. Each of the seven
critical flaws could be exploited remotely; at least one of the flaws
has already been exploited.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111965&intsrc=hm_list
http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx

 --Kaminsky Speaks About DNS Flaw
(August 6 & 7, 2008)
Earlier this week, Dan Kaminsky spoke publicly about his discovery of a
DNS vulnerability that has garnered much attention in the last few
weeks. Speaking at the Black Hat conference in Las Vegas on August 6,
Kaminsky said that while patches have been available for some time, only
half of the DNS servers worldwide had applied patches. The flaw
Kaminsky discovered allows attackers to redirect Internet communications
(web, email, ftp, spam filter, updates, etc.) to any server they wish by
changing the critical mapping between domain names and IP addresses. A
majority of vendors have released patches to fix this DNS vulnerability
and companies worldwide should move quickly to patch their DNS servers.
"Everything breaks when DNS breaks," said Kaminsky.
http://news.bbc.co.uk/2/hi/technology/7546557.stm
http://voices.washingtonpost.com/securityfix/2008/08/kaminsky_details_dns_flaw_at_b.html?nav=rss_blog
http://news.smh.com.au/technology/major-internet-security-flaw-also-affects-email-20080806-3qsx.html
http://www.theregister.co.uk/2008/08/06/kaminsky_black_hat/print.html

 --Oracle Issues Patch for WebLogic Vulnerability
(August 7, 2008)
Oracle has issued an out-of-cycle patch for a vulnerability in WebLogic
Server and WebLogic Express. The buffer overflow flaw could be
exploited to crash or even inject code into vulnerable systems. Oracle
normally issues security updates quarterly; news of this flaw emerged
shortly after Oracle's scheduled July release. Users should apply the
patch as soon as possible as active exploits have been detected.
http://www.theregister.co.uk/2008/08/07/oracle_weblogic_patch/print.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
[Editor's Note (Veltsos): The idea of patch cycles is as outdated as the
idea that firewalls alone will keep you safe. As the security community
has previously reported, hackers are using the time between patches to
attack with new and as-yet-undiscovered (therefore unpatched) exploits.
A quarterly patch cycle gives attackers an 89-day window to develop and
deploy exploits.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Breach Forces Irish Banks to Reissue Credit Cards
(August 8, 2008)
Major banks in Ireland were forced to cancel hundreds of credit cards
following a data security breach at a leading retailer. The breach was
discovered when the thieves began testing the stolen account numbers by
making small purchases. Irish Payment Service Organisation (IPSO) head
of card services Una Dillon says the breach likely occurred at an
Internet-based retailer.
http://www.irishexaminer.com/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=69351-qqqx=1.asp

 --Eleven Charged in Connection with Multiple Data Heists
(August 5 & 6, 2008)
Eleven people have been indicted in connection with the massive data
theft from numerous retailers, including TJX, BJ's Wholesale Club,
Barnes & Noble, DSW, Sports Authority, OfficeMax, Forever 21, Dave &
Buster's and Boston Market. According to US Attorney General Michael
Mukasey, the group allegedly found vulnerable computer networks with
scanners, broke into the networks and installed sniffers to harvest the
information, then sold it and in some cases used it themselves to commit
fraud. The alleged ringleader, a US citizen named Albert Gonzalez, was
working as an informant for the Secret Service while the scheme was
unfolding; he had been arrested in 2003 for access device fraud. Three
of the people charged are US citizens; the other eight are foreign
nationals living abroad.
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080501859_pf.html
http://www.nytimes.com/2008/08/06/business/06theft.html?_r=1&hp=&adxnnl=1&adxnnlx&oref=slogin
http://www.securityfocus.com/news/11530?ref=rss
http://www.theregister.co.uk/2008/08/06/retail_hacking_ring_analysis/print.html
http://www.usdoj.gov/opa/pr/2008/August/08-ag-689.html

 --Cypriot Jailed for Hacking Webcams, Attempting Extortion;
Florida Man Arrested in Webcam Voyeur Case
(August 5, 2008)
In Cyprus, a 47-year-old man has been given a four-year jail sentence
for breaking into webcams to spy on teenage girls. The computers became
infected with a Trojan horse program when users opened infected
attachments. The man used the Trojan to obtain control of the webcams,
and in at least one instance, took a picture of one of his victims. The
man tried to blackmail the girl with the picture; the girl contacted
police instead. He was arrested in 2005. In a separate story, a
Florida man has been arrested for allegedly placing a program called
Webcam Spy Hacker on a woman's computer; she had brought the machine to
him to fix. Craig Feigin allegedly used the webcam in her computer to
take pictures of her and then sent them to a web server. Feigin also
allegedly installed the same program on the computers of seven or eight
other women.
http://www.theregister.co.uk/2008/08/05/webcam_hacker_jailed/print.html
http://www.groundreport.com/Media_and_Tech/Marisel-Garcia-Caught-in-Webcam-Spy-Hacker-Craig-F
[Editor's Note (Northcutt): May be a bigger problem than a lot of people
realize. Look at the GHDB online device page:
http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=18
And it has been going on for a long time:
http://media.barometer.orst.edu/media/storage/paper854/news/2002/11/26/News/Student.Punished.For.Webcam.Misuse-2294791.shtml ]

MISCELLANEOUS
 --Cybercrime Gang Used Coreflood to Gather Huge Amounts of Financial Data
(August 5, 6 & 7, 2008)
According to information gathered by SecureWorks director of malware
research Joe Stewart, Russian cybercriminals using the Coreflood Trojan
managed to amass more than 500 GB of sensitive data, including financial
account numbers, user names and passwords. The attackers took advantage
of Microsoft's PsExec to spread Coreflood from one infected PC to all
Windows systems on the same network. Coreflood has been operating in
one form or another since 2002; the server from which Stewart obtained
the information had been in operation since 2005. The server was shut
down earlier this year.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111960&source=rss_topic17
http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html?nav=rss_blog
http://www.gcn.com/online/vol1_no1/46837-1.html
http://www.nytimes.com/2008/08/06/technology/06hack.html?_r=2&oref=slogin&pagewanted=print
[Editor's Comment (Northcutt): For Microsoft's introduction to PsExec, a
tool designed to execute processes on remote systems, see:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx ]
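The PsExec spread described above leaves a footprint a defender can look for: PsExec registers its PSEXESVC service on every target it touches, and the target's Windows System log records that as Event ID 7045 ("A service was installed in the system"). The following Python is an added example, not code from the article or from SecureWorks; the line format, host names and account names are constructed for the example, and the 5-minute / 3-host fan-out threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real export format) modelled on Windows
# System log Event ID 7045. PsExec produces this event on each target because
# it copies PSEXESVC.exe to the target's ADMIN$ share and registers a service.
SAMPLE_LOG = r"""
2008-08-05T09:12:01 host=WS-014 event_id=7045 user=CORP\jdoe service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
2008-08-05T09:12:04 host=WS-021 event_id=7045 user=CORP\jdoe service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
2008-08-05T09:12:09 host=WS-033 event_id=7045 user=CORP\jdoe service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
2008-08-05T09:12:15 host=WS-040 event_id=7045 user=CORP\jdoe service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
2008-08-05T10:30:00 host=SRV-DB1 event_id=7045 user=CORP\backupsvc service=BackupAgent image=C:\Program Files\Backup\agent.exe
2008-08-05T11:00:00 host=WS-002 event_id=7036 user=SYSTEM service=Spooler image=
2008-08-05T14:05:00 host=WS-050 event_id=7045 user=CORP\helpdesk service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<host>\S+) event_id=(?P<event_id>\d+) "
    r"user=(?P<user>\S+) service=(?P<service>\S+) image=(?P<image>.*)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.fromisoformat(ev["time"])
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def is_psexec_install(ev):
    """True for a service install carrying PsExec's default service name or
    binary. A renamed copy evades this, so the fan-out check below ignores names."""
    if ev["event_id"] != 7045:
        return False
    binary = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ev["service"].upper() == "PSEXESVC" or binary == "psexesvc.exe"


def lateral_movement_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag accounts that installed a service on at least min_hosts distinct
    hosts inside any window-long interval: one account fanning out across the
    network is the pattern of PsExec-driven spread. Returns {user: [hosts]}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 7045:
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in alerts.items()}
```

Run over the sample, only the account that installed services on four workstations within a quarter of a minute is flagged; the single helpdesk PsExec use and the backup agent install stay below the threshold.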

 --Snooping on Medical Files of the Famous Continues to be a Problem
(August 5 & 6, 2008)
An unspecified number of Sparrow Hospital employees were disciplined or
fired for attempting to view the computerized medical files of Michigan
Governor Jennifer Granholm. Gov. Granholm was admitted to the hospital
for surgery in late April. The breach was detected during a routine
audit; Gov. Granholm has been notified of the incident. In a separate
story, the number of UCLA Medical Center employees who improperly
accessed patient files of celebrities was higher than the initial
estimate. Between January 2004 and June 2006, the number of employees
believed to have accessed celebrity files is 127, nearly double the
prior figure. State regulators have chastised the hospital for not
taking adequate measures to protect patient privacy. Proposed state
legislation to penalize those who improperly access patient files would
impose fines of US $1,000 to US $250,000 for individual healthcare
workers and US $25,000 to US $250,000 for healthcare facilities for
violations.
http://www.freep.com/apps/pbcs.dll/article?AID=/20080806/NEWS06/308060008/1008
http://www.latimes.com/features/health/medicine/la-me-health5-2008aug05,0,7987606,print.story

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
