SANS NewsBites Vol. 10 Num. 80

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Oct 10 2008 - 13:23:03 CDT


* Update on The Coolest Jobs in Cyber Security. Even if you reviewed
the jobs list earlier this week and offered commentary, please take 2
minutes to add your ratings of which jobs you think are coolest.
     http://www.surveymethods.com/EndUser.aspx?98BCD0CF99DECFC2
* Valuable new web page. The job that is coming out on top in the
"coolest jobs" competition is forensics. Rob Lee and the other top guns
in forensics have put together a wonderful new web page for people
interested in the leading edge of forensics at
http://forensics.sans.org/
Those leaders will also be discussing the lessons they have been
learning from the nation-state attacks and more at next week's Forensics
summit http://www.sans.org/info/34088
* Research question. Has anyone done a comparison showing what IPSonar
does that cannot be done with nmap? Email apaller@sans.org if you have.
Thanks in advance.
                                        Alan
*************************************************************************
SANS NewsBites October 10, 2008 Vol. 10, Num. 80
*************************************************************************
TOP OF THE NEWS
  US Army Program Seeks Out Unauthorized Applications
  Clickjacking Proof-of-Concept Demos Posted
  Quantum Encryption-Protected Network Debuted at Conference
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
     Man Admits Role in Phishing Scheme
     Alleged Palin eMail Hacker Indicted
  SPAM, PHISHING & ONLINE SCAMS
     Temporary Drop in Spam Volume Linked to Atrivo Going Offline
     Spammers Ordered to Pay US $236 Million
  ACTIVE EXPLOITS, WORMS & VIRUSES
     Asus Acknowledges That Malware Shipped on Eee Box Computers
  UPDATES AND PATCHES
     Microsoft to Issue Eleven Security Bulletins On October 14
  DATA LOSS & EXPOSURE
     Contractor Allegedly Accessed Shell Oil Employee Database
  MISCELLANEOUS
     Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information

*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington: 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 -- US Army Program Seeks Out Unauthorized Applications
(October 7, 2008)
The US Army Information Management Support Center has put software on
11,000 desktop computers that will detect unauthorized applications. Any
that are discovered are reported to the Configuration Control Board,
which also notifies the user of what has occurred. In some cases, users
have the opportunity to explain why the application is on the computer.
If the application is deemed unnecessary, it can be removed remotely.
http://www.networkworld.com/news/2008/100708-army-desktop-software.html?fsrc=netflash-rss
[Editor's Note (Ullrich): This is a great attempt to finally make
"whitelists" work. I hope the US Army staff will share the lessons they
learn. In my opinion, we should all focus more on lists of software we
want to see on our systems, vs. the classic anti-malware approach of
using incomplete lists of software we do not want.
(Pescatore): This can be a very effective approach to providing balance
between strict security (lockdown) and letting users install whatever
they want (chaos) but a responsive process to deal with discovered
applications rapidly requires a high level of staffing. Backing it up
with an "uber-whitelist" of applications that are known to be safe (not
just known to be owned by the enterprise) and don't require rapid
removal is key, but in today's world the "grey list" of unknown
applications that users install is growing larger and larger.
(Weatherford): If the Army Information Management Support Center can
determine what "unauthorized" software is, they've obviously already
identified the "authorized" software category. So why let users install
"unauthorized" software at all? I envision a weekly Configuration
Control Board "Captain's Mast" where users are hauled before a panel of
judges in funny wigs and given "the opportunity to explain why the
software is on their desktop." Wouldn't it be easier to just not allow
users to install software in the first place, with a process for gaining
official permission?]

 -- Clickjacking Proof-of-Concept Demos Posted
(October 7, 8 & 9, 2008)
More information about clickjacking vulnerabilities has been released.
Two researchers had planned to talk about the attack technique several
weeks ago, but decided to postpone the greater part of their talk to
allow vendors time to address the flaws in their products. This week,
proof-of-concept demonstrations of the attack technique were posted to
the Internet. The most recent version of NoScript, the Firefox add-on,
protects users from being tricked by clickjacking attacks.
http://blogs.zdnet.com/security/?p=2005&tag=nl.e539
http://news.zdnet.co.uk/security/0,1000000189,39500483,00.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116638&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116800
http://www.vnunet.com/vnunet/news/2227827/adobe-warns-clickjacking
[Editor's Note (Northcutt): I love NoScript, the plugin for Firefox that
allows you to choose whether to run scripts from a given web site, but
am not sure that it protects fully against clickjacking. Some web sites
simply require that you run scripts. If you want the information or
services from those websites, you have to allow scripts, and at that
point I expect you are vulnerable.
(Honan): More details of this problem can be found at Jeremiah
Grossman's blog
http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html.
As Jeremiah points out in his post, this vulnerability can be used to
eavesdrop on people's conversations using their PC microphones, which
could have ramifications for industrial espionage and national security.
Kudos to Adobe, Jeremiah and R-Snake on how they handled this issue.]

 -- Quantum Encryption-Protected Network Debuted at Conference
(October 9, 2008)
Scientists at the SECOQC conference in Vienna, Austria demonstrated the
first computer network protected by quantum key distribution. The
network's six nodes are connected by fiber optic cables. Quantum key
distribution relies on the Heisenberg Uncertainty Principle, which says
that quantum information cannot be measured without disturbing it;
therefore, if someone were to eavesdrop on communication protected by
quantum encryption, the key would be altered, alerting the recipient
that the communication had been intercepted.
http://news.bbc.co.uk/2/hi/science/nature/7661311.stm
[Editor's Note (Northcutt): I think they are talking about quantum key
distribution, which has been around for a while. NIST has a neat writeup:
http://www.nist.gov/public_affairs/releases/quantumkeys_background.htm
Here is the description from the conference:
http://www.secoqc.net/html/conference/
And here is a paper from 2007:
http://w3.antd.nist.gov/pubs/892-papers/Quantum%20Key%20Distribution%20Network.pdf ]
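To illustrate the eavesdropper-detection property the item describes, here is an added BB84-style simulation (example code written for this page, not part of the SANS newsletter or of the SECOQC demonstration). It assumes the idealised model in which measuring a qubit in the wrong basis returns a random bit, models an intercept-and-resend eavesdropper, and uses an 11% error-rate abort threshold, which is the commonly cited BB84 bound and is an assumption here.

```python
import random

# Added example (not from the SANS article): an idealised BB84-style
# simulation of why an eavesdropper on a quantum key distribution link
# is detectable. A qubit is modelled as a (bit, basis) pair; measuring
# in the preparation basis returns the bit, measuring in the other basis
# returns a random bit. That is the "disturbance" the article describes.

RECT, DIAG = 0, 1  # the two conjugate measurement bases


def measure(qubit, basis, rng):
    """Measure a (bit, prep_basis) qubit in `basis`."""
    bit, prep_basis = qubit
    return bit if basis == prep_basis else rng.randrange(2)


def bb84_exchange(n_qubits, eavesdrop, seed=2008):
    """Run one exchange; return (observed error rate, sifted key length)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    channel = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-and-resend: Eve guesses a basis, measures, and forwards
        # a fresh qubit prepared in her basis with her result. Half her
        # guesses are wrong, and half of those corrupt Bob's sifted bits,
        # so she introduces roughly 25% errors into the sifted key.
        eve_bases = [rng.randrange(2) for _ in range(n_qubits)]
        channel = [(measure(q, b, rng), b) for q, b in zip(channel, eve_bases)]

    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng) for q, b in zip(channel, bob_bases)]

    # Sifting: Alice and Bob publicly compare bases (never bits) and keep
    # only the positions where their bases matched.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: a real protocol sacrifices a random sample of the
    # sifted key for public comparison; here the whole sifted key is
    # compared so the simulated error rate is exact.
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return qber, len(sifted)


def key_accepted(qber, threshold=0.11):
    """Keep the key only below the abort threshold (11% assumed here)."""
    return qber < threshold


if __name__ == "__main__":
    for eve in (False, True):
        qber, n = bb84_exchange(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: {n} sifted bits, error rate {qber:.3f}, "
              f"accepted={key_accepted(qber)}")
```

Without Eve the sifted bits agree exactly; with Eve the error rate lands near 25%, far above the abort threshold, which is how Alice and Bob learn the link was intercepted.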

************************* SPONSORED LINK ******************************
1) Attend the Forensics and Incident Response Summit October 13-14 in
Las Vegas to learn about the latest tools and techniques.
http://www.sans.org/info/34088
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 -- Man Admits Role in Phishing Scheme
(October 7 & 9, 2008)
Sergiu Daniel Popa of Romania has admitted that he was part of a
phishing scheme that stole US $700,000 over a three-year period. He
pleaded guilty to possession of unauthorized access devices and
aggravated identity theft. Popa lived in the US for nearly seven years;
he was extradited from Spain in June to face the charges. Popa faces
up to 10 years in prison and a US $500,000 fine. According to his plea
agreement, Popa stole identities of more than 7,000 people.
http://www.theregister.co.uk/2008/10/09/romanian_phishing_guilty_plea/
http://www.startribune.com/local/30566739.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aU7EaDiaMDCiUT

 -- Alleged Palin eMail Hacker Indicted
(October 8 & 9, 2008)
A federal grand jury has indicted Tennessee college student David
Kernell on one count of accessing a computer without authorization for
allegedly breaking into Alaska Governor Sarah Palin's Yahoo! email
account. Kernell has pleaded not guilty; if he is convicted, he could
face up to five years in prison and a US $250,000 fine. The attacker
used the password reset feature to gain access to Governor Palin's
account and posted several of the email messages online. Information
from a proxy service used by the attacker linked the suspicious activity
to Kernell through an IP address.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116606&source=rss_topic17
http://news.bbc.co.uk/2/hi/americas/7661117.stm
http://knoxville.fbi.gov/dojpressrel/2008/kxhacking100808.htm
[Editor's Note (Veltsos): As hacker feats go, this was no rocket
science. Most web-based email providers use the same weak authentication
mechanisms when processing a password reset request: they ask for
account details that are easily obtainable for anyone with a public
persona (in Palin's case, birthday, zip code, where she met her
spouse). Anyone using a web-based email account is vulnerable to the
same kind of account hijacking.]

SPAM, PHISHING & ONLINE SCAMS
 -- Temporary Drop in Spam Volume Linked to Atrivo Going Offline
(October 9, 2008)
According to a report from Message Labs, when upstream providers cut off
service to California-based Internet service provider (ISP) Atrivo, the
amount of detected spam and botnet activity dropped significantly for
several days. Atrivo was notorious for providing service to numerous
scammers and cyber criminals. The decline will likely be short-lived
as the scammers find alternate providers, but the temporary dip
indicates that the charges leveled at Atrivo were on the mark.
http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html?nav=rss_blog
[Editor's Note (Honan): The Atrivo case demonstrates how the community
can act together to make the Internet a safer place for all. In the
real world, businesses with bad reputations or unethical business
practices are ostracised; we should apply the same standards to
businesses on the Internet. ]

 -- Spammers Ordered to Pay US $236 Million
(October 8, 2008)
A US District Judge in Iowa has ordered Henry Perez and Suzanne Bartok
of Arizona to pay US $236 million for sending millions of unsolicited
commercial emails. Robert Kramer, the owner of Iowa-based CIS Internet
Services, sued Perez and Bartok, who ran a company called AMP Dollar
Savings, for inundating his network with spam. Perez and Bartok used a
program called "Bulk Mailing 4 Dummies" to send out messages that
advertised home mortgage refinancing.
http://www.theregister.co.uk/2008/10/08/mom_and_pop_spammer_judgement/

ACTIVE EXPLOITS, WORMS & VIRUSES
 -- Asus Acknowledges That Malware Shipped on Eee Box Computers
(October 9, 2008)
Asus is warning its customers in Japan of malware on recently shipped
Eee Box desktop computers running Windows. The virus resides on the D
drive in a file called recycled.exe. When the D drive is opened, the
virus starts copying itself onto the C drive and all connected USB
media. Asus has not said how the malware came to be on the drive. The
malware is old enough that it should be detected by most anti-virus
programs.
http://www.heise-online.co.uk/security/Asus-warns-of-a-virus-infection-in-shipping-Eee-Boxes--/news/111691
http://blogs.zdnet.com/security/?p=2016
http://www.vnunet.com/vnunet/news/2227855/asus-warns-infected-eee-box-pcs

UPDATES AND PATCHES
 -- Microsoft to Issue Eleven Security Bulletins On October 14
(October 9, 2008)
Microsoft plans to release 11 security bulletins on Tuesday, October 14.
The updates will address vulnerabilities in Windows, Active Directory,
Internet Explorer, Office and Host Integration Server. Four of the
bulletins have maximum severity ratings of critical, six are rated
important and one is rated moderate. The vulnerabilities include remote
code execution, elevation of privileges and information disclosure.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116818&source=rss_topic17
http://www.microsoft.com/technet/security/Bulletin/MS08-oct.mspx

DATA LOSS & EXPOSURE
 -- Contractor Allegedly Accessed Shell Oil Employee Database
(October 6, 7 & 8, 2008)
Shell Oil has warned its employees that their personal information may
have been compromised. An employee of a third-party contractor working
on-site for Shell was escorted off the premises after it emerged that
the individual had allegedly accessed a database containing personally
identifiable information of most current and former Shell employees.
Shell has noted that in four instances, employees' Social Security
numbers (SSNs) were used to file phony unemployment claims. Shell has
terminated its contract with the third-party company.
http://www.theregister.co.uk/2008/10/07/shell_oil_database_breach/
http://news.zdnet.co.uk/security/0,1000000189,39499984,00.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9116421&taxonomyId=82&intsrc=kc_top
[Editor's Note (Schultz): Although no organization savors the thought
of an incident of this nature occurring, it appears that to its credit,
Shell Oil at least had sufficient monitoring procedures to be able to
detect such incidents.
(Pescatore): This appears to be an authorized user (it has no real
bearing that it was a contractor) with legitimate access rights doing
unauthorized things with some of the sensitive data. This is where
access controls don't help and when such small quantities of data are
being retrieved, database activity monitoring and data loss prevention
alerts may not have been effective, either. The most likely approach to
reducing this type of thing (elimination is not realistic) is having
employee agreements and vendor contracts that have financial liability
clauses that go beyond termination of employment or contract.]

MISCELLANEOUS
 -- Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information
(October 11, 2008)
The UK's Ministry Of Defense has admitted to losing a portable hard
drive containing up to 1.5 million pieces of personal information,
including details of over 100,000 active service personnel and 600,000
recruits. The missing disk was not encrypted. Of particular concern,
the missing data include details on personnel who served in Northern
Ireland and may be terrorist targets. The lost information includes
details such as individuals' passport numbers, addresses, dates of
birth and in some cases banking details. The portable disk was being
held by the main IT contractor for the MOD, EDS. EDS reported the drive
missing after a priority report was carried out on October 8. Over the
past four years over 658 laptops have gone missing from the MOD, with
26 memory sticks containing sensitive information missing since January
2008.
http://news.bbc.co.uk/2/hi/uk_news/7662604.stm
http://www.theregister.co.uk/2008/10/10/mod_data_loss/

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
