SANS NewsBites Vol. 10 Num. 65

From: The SANS Institute (NewsBitessans.org)
Date: Tue Aug 19 2008 - 12:23:15 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The early registration deadline discount for SANS Network Security 2008
(the largest security conference and expo in the fall) is tomorrow
evening.
http://www.sans.org/info/29439

*************************************************************************
SANS NewsBites August 19, 2008 Vol. 10, Num. 65
*************************************************************************
TOP OF THE NEWS
  Woman Wrongly Sued by RIAA Awarded More Than US $100,000 in Legal Fees
  More Than One-Third of Vista Purchasers Downgrade to XP
  Captcha Technology Doing Double Duty
THE REST OF THE WEEK'S NEWS
  LEGAL ISSUES
    Man Pleads Guilty in LimeWire Data Theft Case
    Ruling a Boon to Creative Commons License
  SPYWARE, SPAM AND PHISHING
    New Zealand University eMail Server Used to Send Spam
  ATTACKS AND BREACHES
    Attack Hijacks Firefox Clipboard
    Irish Police Searching for Cyber Thieves
    Credit Card Data Stolen from Louisiana and Mississippi Restaurants
    Florida's Wuesthoff Health System Pre-Registration Website Breached
  MISCELLANEOUS
    Internet Giants Respond to call for Voluntary Code of Conduct

*********************** Sponsored By ArcSight, Inc. *********************

Complimentary Webinar with ArcSight: 5 Steps to Better Security with
SIEM - Security Information and Event Management (SIEM) projects are
driven by compliance requirements and real-time security threats. To be
effective, you need to address threats by correlating vast amounts of
data. Learn what advanced correlation provides, Glean high-value
security intelligence through correlation, Address the top 5 security
scenarios and gain enhanced visibility

http://www.sans.org/info/31868
*************************************************************************
TRAINING UPDATE
- NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
  expo; lots of evening sessions: http://www.sans.org/ns2008
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Woman Wrongly Sued by RIAA Awarded More Than US $100,000 in Legal Fees
(August 15 & 18, 2008)
A US Federal Court has awarded Tanya Andersen more than US $100,000 in
legal fees and interest following her successful fight against a lawsuit
brought by the Recording Industry Association of America (RIAA). The
RIAA accused Andersen and her eight-year-old daughter of illegally
downloading music onto their PC. Andersen denied the allegations and
offered her computer for the RIAA to inspect. The RIAA declined the
offer and served papers on Andersen. During the court case, her PC was
inspected by the RIAA, which found no evidence of wrongdoing. The case
was eventually dropped. Andersen has filed a separate lawsuit against
the RIAA for malicious prosecution.
http://www.vnunet.com/vnunet/news/2224122/single-mum-wins-107-951-riaa
http://yro.slashdot.org/article.pl?sid=08/08/15/1145236
http://www.theinquirer.net/gb/inquirer/news/2008/08/15/music-weasels-pay-tanya
[Editor's Note (Shpantzer): In a related note, see this link for new
research on possible abuse of DMCA takedown notices:
http://dmca.cs.washington.edu/ ]

 --More Than One-Third of Vista Purchasers Downgrade to XP
(August 18, 2008)
Statistics gathered by Devil Mountain Software indicate that nearly 35
percent of new PCs have been downgraded from Vista to Windows XP.
Microsoft's end-user licensing agreement allows users who have purchased
Vista Business and Vista Ultimate to downgrade to Windows XP
Professional; those who purchased Vista Enterprise are permitted to
downgrade to XP. Devil Mountain Software operates the
exo.performance.network.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112885&intsrc=hm_list
http://www.infoworld.com/article/08/08/18/news-vista-downgrade-stat_1.html
[Editor's Note (Pescatore): I know it is popular to bash Vista, but from
a security perspective, this is pretty silly. Delaying upgrading to
Vista is one thing; buying a new PC with the capacity to run Vista and
going backwards to XP makes no sense. At this point the applications
that don't work with Vista are all badly written applications that
should be shunned anyway.]

 --CAPTCHA Technology Doing Double Duty
(August 14, 2008)
A new version of CAPTCHA technology, which is used to verify that
certain online tasks are being performed by humans and not automated
systems, is now being used to help decipher old books and newspapers.
Instead of random combinations of characters, people are presented with
a word that has stumped computerized transcription systems. When three
users type in the same word, the system decides that it must be the
correct answer. Most digitization projects rely on optical character
recognition (OCR), which for books published prior to 1900 has an
accuracy rate of 80 percent; the new tool improves the systems' accuracy
rates to more than 99 percent. CAPTCHA stands for Completely Automated
Public Turing test to tell Computers and Humans Apart.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4531184.ece

************************** SPONSORED LINKS: *****************************
1) Protecting Your Highly-Distributed Retail Network: Why PCI
Compliance May Be No Bargain
http://www.sans.org/info/31873

2) Visit the SANS Buyers Guide for updated listings and useful
information when selecting the latest in IT security technologies.
http://www.sans.org/info/31878

3) Join your peers at the Penetration Testing and Ethical Hacking Summit
- London September 17.
http://www.sans.org/info/31883
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
 --Man Pleads Guilty in LimeWire Data Theft Case
(August 18, 2008)
Nineteen-year-old Jason M. Milmont has pleaded guilty to felony
unauthorized access to a computer to further a fraud. Milmont allegedly
infected other people's computers with bot software through the LimeWire
filesharing program. He allegedly used the compromised computers to
steal financial information. He has agreed to pay more than US $73,000
in restitution; he could face up to five years in prison and a US
$250,000 fine when he is sentenced in October.
http://www.sci-tech-today.com/news/Teen-Hacker-Pleads-Guilty-to-Fraud/story.xhtml?story_id=10200BE0O53O
http://www.casperstartribune.net/articles/2008/08/16/news/casper/2c6fb0ecfe2ddf6c872574a700057d26.txt

 --Ruling a Boon to Creative Commons License
(August 14 & 15, 2008)
In a victory for open source software, the US Court of Appeals for the
Federal Circuit has overturned a lower court decision that said open
source software owners could not take legal action for copyright
violation against others who used the software. The higher court
disagreed, finding that even free licenses place conditions on how
people may use copyrighted work and that if those conditions are
violated, the people can be sued for copyright infringement. The case
that initiated the proceedings involved the question of whether a
software developer, Matthew Katzer, failed to abide by the terms of the
open-source Artistic License when he took Robert Jacobsen's code and
used it to create commercial software to control model trains.
http://www.vnunet.com/computing/news/2224071/open-source-gets-legal
http://www.theregister.co.uk/2008/08/14/open_source_creative_commons_license_victory/print.html
http://www.heise.de/english/newsticker/news/114308
http://news.bbc.co.uk/2/hi/technology/7561943.stm
http://www.cafc.uscourts.gov/opinions/08-1001.pdf
[Editor's Note (Northcutt): On a scale of one to huge, this is a huge
decision. Where would we be without open source software? We will be
far less well off, doomed to buggy expensive software.]

SPYWARE, SPAM AND PHISHING
 --New Zealand University eMail Server Used to Send Spam
(August 15, 2008)
Four staff members at the University of Otago (New Zealand) fell prey
to a spear phishing attack that tricked them into providing their login
credentials. The attackers used the information to gain access to the
University's computer email server and used it to send about 1.55
million spam emails. The phishing emails appeared to come from the
University's IT department; the recipients were asked to provide user
names and passwords or else their access to email would be revoked.
University of Otago staff members have been warned that requests for
login information are "most likely fraudulent."
http://www.odt.co.nz/print/17905
[Editor's Note (Honan): The article states that staff members had
previously been warned not to respond to suspicious email requests. The
fact that four people fell for this phishing email demonstrates that
your security awareness program needs to be a continuous process and not
simply a series of once off exercises.]

ATTACKS AND BREACHES
 --Attack Hijacks Firefox Clipboard
(August 15 & 18, 2008)
A recently discovered attack targets the clipboard in the Firefox
browser running on both Mac and Windows computers. Users' machines
become infected when they visit seemingly innocuous websites only to
find that a malicious link has been copied to the clipboard. The link
persists even after the user copies new text; the only way to get rid
of it is to reboot. The link takes those who click on it to a site
where they are told that their computers are infected with malware and
must be cleaned immediately by what they say is an anti-malware program.
The malicious link has been detected in flash-based advertisements on a
number of websites.
http://www.siliconrepublic.com/news/article/11223/cio/firefox-and-safari-users-under-cyber-attack
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/print.html
http://news.bbc.co.uk/2/hi/technology/7567889.stm
[Editor's Note (Grefer): To eliminate the majority of
flash-based and other advertising from their Firefox browser, users
might want to take a closer look at the free Adblock Plus add-on:
https://addons.mozilla.org/en-US/firefox/addon/1865
http://adblockplus.org/
In addition, the free NoScript add-on will allow you to restrict which
sites are allowed to perform any scripted actions:
https://addons.mozilla.org/en-US/firefox/addon/722
http://noscript.net/ ]

 --Irish Police Searching for Cyber Thieves
(August 18, 2008)
Police in Ireland are looking for a group of cyber thieves who stole
details of approximately 20,000 credit and debit cards. Group members
posing as maintenance workers from banks entered a number of shops and
placed devices on point of sale terminals to capture the data. Many of
the devices have been recovered. Police also have closed circuit TV
footage that should help with their investigation. Banks have
temporarily restricted debit card withdrawals to 100 Euros daily for
those transactions outside the country.
http://www.examiner.ie/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=70122-qqqx=1.asp
Additional coverage with a nice overview of the Chip and Pin security
found in Irish ATM cards:
http://www.networkworld.com/news/2008/081808-scammers-replace-credit-card-readers.html?nladname=081908securityal&code=nlsecuritynewsal154578
[Editor's Note (Honan): This type of attack, posing as support or
maintenance personnel, is very successful and unless you have trained
your staff appropriately in how they should verify such visitors to your
facilities you could become a victim of it too. The method most likely
used in this case may have been the chip and pin relay attack as
outlined by the University of Cambridge at
http://www.lightbluetouchpaper.org/2007/02/06/chip-pin-relay-attacks/
(Veltsos): Physical security weaknesses are often overlooked and can
provide an easy way to get access to sensitive information. Readers
interested in a 360-degree view of information security should take a look
at Johnny Long's No Tech Hacking book; a sample chapter is available
online at: http://www.notechhacking.com/]

 --Credit Card Data Stolen from Louisiana and Mississippi Restaurants
(August 18, 2008)
US Federal law enforcement authorities are searching for the culprits
behind a rash of credit card data thefts from restaurants in Louisiana
and Mississippi. The thieves apparently sought out businesses using
unsecured wireless networks to steal the information that has been used
to commit fraud totaling more than US $1 million. The group tried to
sell the information on the Internet. US Attorney David Dugas said the
case is likely to involve individuals overseas, as have other cases
recently in the news. US Secret Service agents and representatives
from Visa were scheduled to conduct a meeting for area restaurant owners
to explain how they can protect customer data.
http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html
[Editor's Note (Honan): The fact that these credit card numbers were
stolen via unsecured wireless networks highlights not only the failure
of technology to secure the data in this case, but also the failure of
management to realise their ethical responsibilities and their
obligations with regards to the PCI DSS standard. Unfortunately this
failure is a symptom I regularly see amongst many small to medium
businesses. ]

 --Florida's Wuesthoff Health System Pre-Registration Website Breached
(August 15, 2008)
Wuesthoff Health System in Florida is notifying approximately 500
patients that their personal information may have been compromised when
unknown individuals gained access to its pre-registration website. The
site, which has been taken down, allowed patients to provide
registration information ahead of time for surgery, lab work and other
procedures. Wuesthoff intends to track the intruders, but subpoenas
necessary to gain the information will not be immediately available.
Encryption is normally used to protect patient data on Wuesthoff
systems, but the company recently installed Google Analytics, which may
have opened a path for the intruders.
http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080815/BUSINESS/808150326/1006/NEWS01

MISCELLANEOUS
 --Internet Giants Respond to call for Voluntary Code of Conduct
(August 4 & 18, 2008)
Google, Microsoft and Yahoo have responded to a request from US Senator
Richard Durbin (D-Ill.) for suggestions for a voluntary code of conduct
for corporations. Specifically, the three companies submitted reports
describing how human rights apply to the Internet and how Internet
companies can ensure that human rights laws are observed. Yahoo is
especially aware of the issue, having been heavily criticized for
providing Chinese authorities with information that led to the arrest
of dissidents who had expressed their opinions on the Internet.
http://www.vnunet.com/vnunet/news/2224128/tech-giants-pitch-human-rights
http://durbin.senate.gov/showRelease.cfm?releaseId=301020
http://latimesblogs.latimes.com/technology/2008/08/major-internet.html

*************************************************************************
Request for Canadian Specific Security Content
If anyone has a pointer to legal issues related to information security,
we would like to create a reference guide to be available when we run
shows in Canada. Also, if you have a favorite reference that is
distinctly Canadian and related to infosec and are willing to share that
would be awesome. Please send to Stephensans.edu. Thank you
*************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkiq8ogACgkQ+LUG5KFpTkbgnACeIZSV1aLfugrzS0Gtiitx4ucK
zAwAn0SDsv5QXZj5XWdLiiJ1HNUitQAM
=1yaC
-----END PGP SIGNATURE-----