From: The SANS Institute (NewsBites sans.org)
Date: Fri Sep 26 2008 - 13:43:13 CDT
Registration just opened for the largest Washington DC security training
program featuring DoD 8570 courses required for security certification
and the new penetration testing courses that have won rave reviews. In
all 16 six-day courses plus a dozen one- and two-day courses including
the new "Secure Coding in .NET" course. December 10-16, 2008
http://www.sans.org/cdi08
*************************************************************************
SANS NewsBites September 26, 2008 Vol. 10, Num. 76
*************************************************************************
TOP OF THE NEWS
ISPs Promise Not to Use Targeted Advertising Without Obtaining Explicit
Consent from Users
Judge Grants New Trial in Jammie Thomas Music Sharing Case
Researchers Find Users Often Click Through Dialog Windows Without Reading
THE REST OF THE WEEK'S NEWS
COURT CASES & LEGAL ISSUES
No Charges in Palin eMail Hacking Case
ARRESTS, CHARGES & CONVICTIONS
Another Guilty Plea in TJX Case
Man Charged in Maserati Customer Database Hack
(September 22 & 23, 2008)
SPAM, PHISHING & ONLINE SCAMS
Timberland and Partner to Pay US $7 Million to Settle SMS Spam Case
UPDATES AND PATCHES
Cisco Issues a Dozen Security Advisories
Mozilla Updates Firefox
STUDIES AND STATISTICS
Study: Most Distributed Denial-of-Service Attacks Originate in US
MISCELLANEOUS
Upstream Provider Steps in to Save Intercage
Cyber War Games - You Are Invited
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--ISPs Promise Not to Use Targeted Advertising Without Obtaining
Explicit Consent from Users
(September 25, 2008)
Representatives from three of the four largest US Internet service
providers (ISPs), Verizon, AT&T and Time Warner Cable, told the Senate
Committee on Commerce, Science and Transportation that if they ever
decide to use targeted advertising systems, they will provide details
of their plans to their customers and require their explicit permission
to participate in the programs. They also told the members of the panel
that they want a chance to develop and establish best practices for
targeted advertising systems and customer data collection before privacy
legislation is considered. Thomas J. Tauke, executive VP of public
affairs, policy and communications at Verizon added that a simple
click-to-opt-in approach does not take the issue seriously enough. Many
users are prone to clicking to agree with the measures without reading
the details. Tauke said the process should be more comprehensive,
making the details of the program clear, and also give them the option
of withdrawing themselves from the program at a later date.
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/25/AR2008092504135_pf.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115612&source=rss_topic17
[Editor's Note (Pescatore): Taking the opt-in approach is definitely the
way to go, with a few "are you sure?" clicks thrown in for good measure.
Equally important, however, is how well the carriers will protect their
storage of the customer data.]
--Judge Grants New Trial in Jammie Thomas Music Sharing Case
(September 25, 2008)
A US federal judge in Minnesota has granted a new trial for Jammie
Thomas, who was convicted last year of copyright infringement and fined
US $220,000. US District Judge Michael Davis ruled that he had erred
in his jury instructions in such a way as to have "substantially
prejudiced" Thomas's rights. In his ruling, Judge Davis also urged US
legislators to change copyright laws so people could not be fined
excessively in similar cases. The issue is whether the plaintiffs have
to prove that people downloaded the music Thomas had made available or
if merely making the files available in and of itself constitutes
copyright infringement. Davis said an earlier ruling set a precedent
for having to prove downloading actually took place; he had told the
jury that the need for proof was not necessary.
http://news.smh.com.au/technology/judge-grants-new-trial-in-music-downloading-case-20080925-4nle.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115621&source=rss_topic17
--Researchers Find Users Often Click Through Dialog Windows
Without Reading
(September 23 & 25, 2008)
An experiment conducted by psychologists at North Carolina State
University found that computer users often fail to distinguish fake
Windows dialog boxes from legitimate ones. Sixty-three percent of the
42 students participating in the experiment clicked OK whenever a pop-up
window appeared, ignoring anomalies that should have clued them in to
the potential for malicious activity. The subjects appeared to view
pop-up windows as hindering their intended activity; clicking the OK
button is the virtual equivalent of brushing away flies.
http://www.networkworld.com/news/2008/092508-computer-users-overeager-to-click.html?hpg1=bn
http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html
[Editor's Note (Schultz): This research confirms the obvious, but it is
nevertheless significant in that it provides controlled, experimental
data that shed some light on the magnitude of the problem of users
clicking OK just to get rid of security-related dialog boxes that pop
up.]
************************** Sponsored Links: ***************************
1) 2-Day Training Class Hosted by the FISMA Center FISMA 101:
Certification & Accreditation Concepts November 13-14, 2008 Columbia,
Maryland
http://www.sans.org/info/33553
2) ALERT: Forrester Webcast: How Hackers Launch Web 2.0 Browser Exploits
and Methods for Protecting your Users
http://www.sans.org/info/33563
*************************************************************************
THE REST OF THE WEEK'S NEWS
COURT CASES & LEGAL ISSUES
--No Charges in Palin eMail Hacking Case
(September 23 & 24, 2008)
A grand jury has failed to return charges against a Tennessee college
student who has been implicated in the case of hacking Governor Sarah
Palin's Yahoo! email account. It is unclear what prevented the jury
from returning charges. It is possible that certain key evidence is not
yet ready, or it could be a point of law, as the intruder looked at
email that had already been opened.
http://www.theregister.co.uk/2008/09/24/palin_hack_no_charges_yet/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9115371&taxonomyId=82&intsrc=kc_top
ARRESTS, CHARGES & CONVICTIONS
--Another Guilty Plea in TJX Case
(September 23 & 24, 2008)
A second man has pleaded guilty to charges stemming from the TJX data
security breach case. Christopher Scott has pleaded guilty to computer
hacking, access device fraud and identity theft charges. Under the terms
of his plea bargain deal, Scott could face up to 22 years in prison and
a fine of up to US $1 million. A statement from the US Attorney's
office in Boston indicates that Scott specialized in breaking into
wireless networks. Another man charged in the case, Damon Patrick Toey,
pleaded guilty to four felony counts last week. The alleged mastermind
of the scheme, Albert Gonzalez, could face life in prison if he is
convicted; he has pleaded not guilty. Eight other suspects in the case
have yet to enter their pleas.
http://www.theregister.co.uk/2008/09/23/tjx_hack_suspect_guilty_plea/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115458&source=rss_topic17
--Man Charged in Maserati Customer Database Hack
(September 22 & 23, 2008)
A California man has been arraigned on a variety of charges, including
extortion and illegally accessing a protected computer, for allegedly
breaking into a Maserati North America website earlier this year,
stealing customer data and threatening to divulge the security problems
he exploited unless he received payment. Bruce Mengler has pleaded not
guilty to the charges. Mengler allegedly used a program that guessed
customer PINs; when the program was successful, he would allegedly log
in to the site as that customer and obtain the associated information,
most often a name and address.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115385&source=rss_topic17
http://www.signonsandiego.com/news/northcounty/20080922-1725-bn22indict.html
[Editor's Note (Veltsos): In its privacy policy, Maserati North America
claims "privacy to be of utmost importance and takes its
responsibilities regarding the security of your personal information
seriously." Yet, it decided that the best way to provide this assurance
was through a weak authentication mechanism consisting solely of
customer last name and PIN.
"You are required to have a unique PIN and a valid Last Name to access
information [on] this Web site..."
http://www.maseratiamerica.com/LegalNotice.aspx]
[Editor's Note (Veltsos): This story highlights how important the
automatic lockout of an account after x number of failed attempts is.]
SPAM, PHISHING & ONLINE SCAMS
--Timberland and Partner to Pay US $7 Million to Settle SMS Spam Case
(September 21 & 23, 2008)
Timberland, the outdoor gear company, and its partner GSI Commerce Inc.
will pay US $7 million to settle a lawsuit brought on behalf of people
who received unsolicited text messages advertising Timberland products.
Unsolicited commercial text messages are illegal in the US under the
Telephone Consumer Protection Act. The money will go into a fund to
reimburse people who received the messages; in addition, US $200,000
will be given to a local charity. Timberland and GSI both maintain they
are not at fault in the situation; a third party company was responsible
for obtaining the consent of the people who received the message.
http://news.idg.no/cw/art.cfm?id=7D463458-17A4-0F78-317F29F8A7231B04
http://www.masshightech.com/stories/2008/09/22/daily19-Timberland-laces-up-7M-text-spam-settlement.html
http://www.theregister.co.uk/2008/09/23/timberland_sms_lawsuit_payout/
UPDATES AND PATCHES
--Cisco Issues a Dozen Security Advisories
(September 24 & 25, 2008)
Cisco has released a dozen security advisories to address flaws in its
IOS software and Cisco Unified Communications Manager. The flaws could
be exploited to gain access to sensitive data, gain control of
vulnerable devices, interrupt voice services, crash systems, or create
denial-of-service conditions, in most cases without the need for login
credentials.
http://www.theregister.co.uk/2008/09/25/cisco_patch_batch/print.html
http://www.heise-online.co.uk/security/Cisco-cleans-up-Numerous-DoS-vulnerabilities-in-IOS-resolved--/news/111604
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=5078
--Mozilla Updates Firefox
(September 24, 2008)
Mozilla has released Firefox updates to address a dozen security flaws.
All of the vulnerabilities affect Firefox 2.x; users are urged to
upgrade to version 2.0.017 or manually upgrade to version 3. About half
of the vulnerabilities affect Firefox 3.x; users should upgrade to
version 3.0.2. The fixes will be automatically pushed to current users
and will be apparent the next time the browser is restarted. Mozilla has
rated four of the vulnerabilities as critical; they could be exploited
to cause crashes with memory corruption, allow privilege escalation and
arbitrary code execution.
http://news.cnet.com/8301-1009_3-10049925-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Pescatore): Comment on the Cisco (the previous story)
and Mozilla vulnerabilities, along with the ones Microsoft and Apple
announced earlier this month: A lot of critical vulnerabilities exposed
this month and a lot of "malformed input" vulnerabilities starting to
show up, including ones in complex documents and audio streams. Looks
like it is time for the software vendors to ratchet up the security
focus in development life cycles to address these more complex
vulnerabilities before products ship.
(Ullrich): Firefox 3.0.2 has a known issue if you store passwords with
international characters in Firefox. If you use this feature, please
wait until version 3.0.3 is released. It should be out shortly (maybe
by the time you read this?).]
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=5081
http://isc.sans.org/diary.html?storyid=5074
STUDIES AND STATISTICS
--Study: Most Distributed Denial-of-Service Attacks Originate in US
(September 22, 23 & 24, 2008)
According to statistics gathered by SecureWorks, the United States tops
the list of the source of distributed denial-of-service attacks. The
information is culled from data about attacks on Secure Works' customers
so far this year. The figures indicate that 20.6 million attacks
originated in the US; China follows with 7.7 million attacks. A
SecureWorks researcher says the numbers demonstrate that the US and
China have large numbers of compromised PCs that are being manipulated
as part of botnets and observes that by not ensuring their PCs are
secure, people are putting others at risk as well as themselves.
http://www.gcn.com/online/vol1_no1/47200-1.html?topic=security
http://www.theregister.co.uk/2008/09/23/us_based_cyber_attacks/
http://www.securityfocus.com/brief/827
MISCELLANEOUS
--Upstream Provider Steps in to Save Intercage
(September 23 & 24, 2008)
Just days after the ISP Intercage lost its last upstream provider,
another provider has stepped in to allow the controversial network
provider to continue operations. Intercage has received considerable
press about the amount of malware hosted on its network, causing its
upstream suppliers to sever their business relationships with the
company. Provider UnitedLayer has agreed to provide service to
Intercage after the company severed ties with Esthost, a webhost
believed to be responsible for much of the malware on Intercage's
network. Intercage also plans to establish a system that allows users
to submit complaints about malicious sites on its network. Pacific
Internet Exchange (PIE), the last company that had been providing
service to Intercage, dropped the company as a customer after Spamhaus
placed blocks on 1,000 of its IP addresses.
http://www.theregister.co.uk/2008/09/24/intercage_back_online/
http://www.pcworld.com/businesscenter/article/151437/controversial_isp_intercage_now_back_online.html
[Editor's Note (Ullrich): It appears that Intercage is without upstream
again as of this morning.]
--Cyber War Games - You Are Invited
Come see this year's Integrated Cyber Exercise II (ICE II), October 1-3
at SANS Network Security 2008. ICE II will feature Paul and Larry of
pauldotcom.com in a hacker throw-down to see who is the best network
attacker and defender. Paul and Larry will each have a major network to
defend while they also attack each other. The event is open to all SANS
Las Vegas attendees. Players can pick a side, defend their own network,
attack at will or view and snipe from a distance. This year's event will
feature more hardware, including VoIP and SCADA, as well as enhanced
scoring visualization, 3D graphics and even a complete traffic generator
to hide the attackers. Come hang out in the spectator room and be eligible
for random prize drawings sponsored by ThinkGeek, AirScanner, Syngress,
CACE Technologies and Lone Pine Embroidery. Watch as phones, servers,
cameras and even our own power grid are attacked and defended across
three nights of fun, education and mayhem. Fortinet will be providing
complete IDS monitoring and reporting while Core Security and Immunity
will be demonstrating in the Red Cell room.
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/