From: The SANS Institute (NewsBites sans.org)
Date: Tue Oct 14 2008 - 12:32:49 CDT
If you use *any* tools to help with compliance with PCI, FISMA, SOX,
FDCC or other laws/regulations, check out the last story of this issue
about "What Works in Compliance Tools."
Early results from the new 2008 security professional salary survey seem
to be illuminating the coming changes in valuation of various cyber
security jobs. The only way to get access to the information is to
participate in the survey. This is not your typical salary survey. In
addition to measuring and comparing salaries, we are taking a deeper
look at the value of education and certification as well as geographic
location, industry, and years of experience. Try to complete it today
(takes 15 minutes or less) at http://survey.sans.org/survey
Alan
*************************************************************************
SANS NewsBites October 14, 2008 Vol. 10, Num. 81
*************************************************************************
TOP OF THE NEWS
New Anti-Piracy Law Imposes Stronger Penalties
World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year
Bugged Chip-and-Pin Machines Stealing Payment Card Data
Allegations of Wiretapping Improprieties at NSA Facility
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Man Behind CastleCops DDoS Attack Draws Two-Year Sentence
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
TIGTA Report Finds Lack of Management Control on Some Computer Systems
SPAM, PHISHING & ONLINE SCAMS
Malware-Laden Spam Pretends to be Windows Security Update
ACTIVE EXPLOITS, WORMS & VIRUSES
Proof-of-Concept Code Released for Windows Privilege Elevation Flaw
DATA LOSS & EXPOSURE
Stolen Laptop Holds Pension Data
STUDIES AND STATISTICS
Consumer Reports Online Security Guide
NRI Secure Technologies (Japan) Web Application Security Assessment Trend Analysis Report
MISCELLANEOUS
Microsoft to Introduce Two Security Enhancements on October 14
What Works In Security Compliance Tools?
************************* Sponsored By CA *******************************
How can your organization utilize identity management technologies to
cost-effectively manage and control user identities and demonstrate
security compliance? Information provided in this IDC whitepaper can be
used to guide your efforts on how to optimize and improve identity
management deployments to make them more efficient. Learn more at
http://www.sans.org/info/34203
*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington: 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney, Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--New Anti-Piracy Law Imposes Stronger Penalties
(October 13, 2008)
US President George W. Bush has signed into law the Prioritizing
Resources and Organization for Intellectual Property Act (PRO-IP), which
imposes more stringent penalties on people convicted of music and movie
piracy. The bill creates an executive-level position, Intellectual
Property Enforcement Coordinator, who will advise the White House on
protecting both domestic and international IP. The law has the backing
of the Recording Industry Association of America (RIAA) and the Motion
Picture Association of America (MPAA) as well as of the US Chamber of
Commerce. The US Justice Department opposed the creation of the IP
czar, saying such a position would undermine its authority.
http://uk.reuters.com/article/technologyNews/idUKTRE49C7EI20081013
http://news.cnet.com/8301-13578_3-10064527-38.html
http://www.pcmag.com/article2/0,2817,2332432,00.asp
--World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year
(October 10 & 12, 2008)
The World Bank Group's computer network has reportedly come under attack
at least half a dozen times since the middle of 2007. At least 18
servers were compromised. A World Bank spokesperson said that "at no
point in time was any sensitive information accessed." However, it is
nearly impossible to determine whether data were stolen, and attackers
are known to install malware that collects sensitive information and
seeks out other vulnerable computers on the network.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=5161
http://www.foxnews.com/story/0,2933,435681,00.html
http://news.cnet.com/8301-1009_3-10063522-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116933&source=rss_topic17
http://www.usatoday.com/money/industries/banking/2008-10-12-world-bank-hackers_N.htm?csp=34
The World Bank says the problem is not as great as press reports imply:
http://www.theregister.co.uk/2008/10/13/world_bank_hack_attack/
http://www.vnunet.com/vnunet/news/2228040/hackers-aim-world-bank
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=211100222
--Allegations of Wiretapping Improprieties at NSA Facility
(October 10, 2008)
Three former workers at the National Security Agency (NSA)'s wiretapping
facility at Fort Gordon, Georgia between 2001 and 2007 have alleged that
US spies listened to personal conversations of Americans living abroad
and on occasion, shared the conversations they heard with each other.
The employees say there was scant supervision and conflicting
instructions regarding expectations. Senator John D. Rockefeller IV
(D-W.Va.) of the Senate Intelligence Committee says his staff is
gathering more information about the allegations and may hold hearings.
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/09/AR2008100902953_pf.html
http://blog.wired.com/27bstroke6/2008/10/kinne.html
[Editor's Note (Pescatore): This type of thing always goes in cycles.
The abuses of the McCarthy and Nixon eras in the US led to privacy laws
and clear limitation of the intelligence agencies' domestic charter in
the 1970s. As a 21-year-old new hire at NSA in 1978, I got called on the
carpet and reprimanded for tuning a lab receiver across domestic mobile
phone frequencies to test a piece of gear - there was strong supervision
and very clear instructions. The pressure swung too far in that
direction and led to intelligence failures that enabled events like the
terrorist attacks of 2001. Now things have swung too far the other way
and it is time to correct again.]
--Bugged Chip-and-Pin Machines Stealing Payment Card Data
(October 10 & 11, 2008)
Crime syndicates with members in China and Pakistan have managed to
place devices in chip-and-pin machines that steal payment card data. The
devices were planted in the machines before they were sent from China
to stores in England, Ireland, Denmark, Belgium and the Netherlands.
The stolen information was sent over mobile phone networks to people in
Pakistan who then used the cards to make fraudulent purchases and
withdrawals. The simplest way of determining whether a given machine has
data-stealing capabilities is to weigh it; the devices add several
ounces to each of the machines. The attack has been going on for nine
months; losses are estimated to be between US $50 million and US $100
million, but could ultimately be higher.
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
http://online.wsj.com/article/SB122366999999723871.html
[Editor's Note (Veltsos): The FBI has also been investigating instances
of counterfeit networking and computer gear having been sold to the
Department of Defense. The threat posed by outsourced electronic parts
is real.
http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm
http://www.businessweek.com/magazine/content/08_41/b4103038201037.htm ]
************************* SPONSORED LINK ******************************
1) Cisco IT Security Forum
Learn about data leakage, PCI compliance, identity theft, botnets,
crimeware, security trends, and more. Register Today
http://www.sans.org/info/34208
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Man Behind CastleCops DDoS Attack Draws Two-Year Sentence
(October 8 & 13, 2008)
Gregory King has been sentenced to two years in prison and ordered to
pay more than US $69,000 in restitution for launching distributed
denial-of-service (DDoS) attacks against the CastleCops and KillaNet
technologies websites. The attacks took place in early 2007 and caused
an estimated US $70,000 in damage. King admitted to the attacks in
June. He had faced a maximum sentence of 20 years in prison and a fine
of half-a-million dollars, but prosecutors agreed to a reduced sentence
in exchange for guilty pleas to two felony counts of transmitting code
to cause damage to protected computers.
http://www.theregister.co.uk/2008/10/13/castlecops_attacker_sentenced/
http://www.centralvalleybusinesstimes.com/stories/001/?ID=10031
[Editor's Note (Northcutt): Curiously, I was trying to access
http://www.castlecops.com/CLSID.html several times today and timed out
each time; I wonder if there is any correlation between the two events.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--TIGTA Report Finds Lack of Management Control on Some Computer Systems
(October 9, 2008)
According to a report from the Treasury Inspector General for Tax
Administration (TIGTA), three computer systems at the US Internal
Revenue Service (IRS) Office of Research, Analysis and Statistics lack
adequate access management controls. The IRS's security policies were
found to be adequate, but enforcement needs improvement. The report
found there to be insufficient guidance and compliance oversight of IRS
security policies; in addition, no vulnerability scanning software had
been deployed. Eleven percent of employees on the systems reviewed were
permitted access without required authorization from managers; systems
were not configured to disable inactive accounts.
http://www.nextgov.com/nextgov/ng_20081009_3974.php
http://www.treas.gov/tigta/auditreports/2008reports/200820176fr.pdf
SPAM, PHISHING & ONLINE SCAMS
--Malware-Laden Spam Pretends to be Windows Security Update
(October 11, 2008)
New spam messages are spreading, purporting to contain "an experimental
private version of an update for all Microsoft Windows OS users." While
there is nothing new about malware spreading in the guise of security
updates, the fact that these messages are arriving just as Microsoft is
scheduled to release its October update makes it more likely that the
attackers will have a greater level of success. The executable file
attached to the message infects users' computers with malware. The spam
offers several clues that it is not legitimate: the grammar is dodgy, and
the message claims that the update addresses versions of Windows that
are no longer supported and for which patches would therefore not be
issued. Microsoft never sends security updates as email attachments.
http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch
[Editor's Note (Ullrich): An interesting feature of this e-mail is the
use of a fake PGP signature. The signature block is actually just random
data, but it is supposed to provide the e-mail with more credibility.
(Skoudis): It's also interesting that the bad guys continue to have
massive grammar problems in their phishing schemes. Some of their prose
is almost comical. Perhaps someday we'll see organized cyber crime
rings employing in-house grammarians to clean up their wording before
they foist it on unsuspecting users.
(Pescatore): This is another data point for why "private patches" (patches
that come from anyone other than the software vendor) are a very bad idea.]
ACTIVE EXPLOITS, WORMS & VIRUSES
--Proof-of-Concept Code Released for Windows Privilege Elevation Flaw
(October 10, 2008)
Proof-of-concept exploit code for a privilege elevation vulnerability
in Windows XP, Vista, Server 2003 and Server 2008 has been published.
The person who disclosed the flaw earlier this year has now published
the exploit code because he feels that six months is long enough to have
had time to create a fix for the problem. The flaw was first noted back
in March, when Microsoft initially dismissed it as a "design flaw."
The company later agreed that it was a bona fide security problem. It
is not known if the flaw will be addressed in this month's Microsoft
security update, which is scheduled to be released on Tuesday, October
14.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116924&source=rss_topic17
http://www.microsoft.com/technet/security/advisory/951306.mspx
DATA LOSS & EXPOSURE
--Stolen Laptop Holds Pension Data
(October 10 & 13, 2008)
Deloitte has acknowledged that a laptop stolen from an employee's bag
contains personally identifiable information of more than 150,000
pension holders. The data include names, National Insurance numbers and
salaries, but not bank data or addresses. A notice from Deloitte says
that the security measures implemented on the laptop include encryption.
http://www.theregister.co.uk/2008/10/13/deloitte_data_loss_vodafone/
http://news.bbc.co.uk/2/hi/uk_news/7664274.stm
STUDIES AND STATISTICS
--NRI Secure Technologies (Japan) Web Application Security Assessment Trend Analysis Report
A security assessment survey of 169 websites conducted by Japan's
leading cyber security consulting organization, NRI Secure Technologies,
Ltd., during the 2007 fiscal year found that 41 percent of the sites had
critical security flaws that could allow access to sensitive
information. An additional 30 percent of the sites were found to have
vulnerabilities that could lead to information leaks. The majority of
vulnerabilities in websites were found to be due to "incomplete
measures," in which security measures have been applied to some extent,
but not broadly enough to prevent access to sensitive data.
http://www.nri-secure.co.jp/news/2008/1010_report.html
[Editor's Note (Skoudis): This report offers great insights into the
problems we face with web security. In particular, it makes it clear
that, from a defensive perspective, we aren't getting any better. And,
as the bad guys ramp up their attack skills and techniques, we are in
fact falling behind, relatively speaking (i.e., with a constant level
of vulnerabilities and steadily increasing threat, our relative risk
rises). The remaining prevalence of XSS attacks is particularly
disheartening, as this vector offers attackers major opportunities for
controlling victims' browsers to undermine applications.
(Pescatore): This is a fairly optimistic view, probably because the
survey was skewed towards financial companies and overall security in
Japan tends to be higher in general. Most similar studies show more like
75% of sites have critical security flaws. One factoid they did state,
which mirrors what I see a lot, is that web sites that have never had a
vulnerability assessment are four times more likely to have a critical
flaw than those that had assessments. Seems simple but I'm always
surprised to find how many businesses do not regularly check their web
sites for vulnerabilities - even if you are sure you locked the doors,
rattling the door knobs to be sure is a very good idea.]
--Consumer Reports Online Security Guide
This consumer education guide to making online experiences safe includes
information about auction scams, spam, viruses, spyware, phishing, ID
theft and a special section regarding keeping children safe online.
There are also ratings for security suites and antiphishing toolbars,
an interactive phishing quiz, and videos about cell phone spam, phishing
and methods CR uses to test the security suites.
http://www.consumerreports.org/cro/electronics-computers/resource-center/cyber-insecurity/cyber-insecurity-hub.htm
[Editors' Note (Veltsos and Paller): Year after year, Consumer Reports
is one of the best all-in-one resources for home users and end users;
it provides clear and simple advice and remains vendor neutral.]
MISCELLANEOUS
--Microsoft to Introduce Two Security Enhancements on October 14
(October 9 & 13, 2008)
Along with its anticipated 11 security bulletins, Microsoft will
introduce a new feature and a new program on Tuesday, October 14. The
"Exploitability Index" is a three-step scale that will accompany each
flaw addressed; the added information is intended to help users and
administrators prioritize the patches. The scale's levels are
Consistent Exploit Code Likely; Inconsistent Exploit Code Likely; and
Functioning Exploit Code Unlikely. Microsoft will also launch the
Microsoft Active Protections Program (MAPP) which will allow vendors
advance knowledge of flaws that will be patched each month.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117018&source=rss_topic17
http://www.networkworld.com/news/2008/100908-11-microsoft-security-updates-due.html?hpg1=bn
http://blogs.technet.com/msrc/archive/2008/10/09/october-2008-advanced-notification.aspx
[Editor's Note (Skoudis): This additional information from Microsoft
looks very promising. Sure, bad guys may use it to determine where to
focus their efforts in creating exploits. However, the bad guys can
figure that out on their own pretty well now anyway. On balance, I
believe this information will be more useful to organizations in
prioritizing fixes than it will be to bad guys in prioritizing their
exploit writing.]
--What Works In Security Compliance Tools?
(October 14, 2008)
Twenty-five leading software vendors jointly developed a list of which
laws, regulations, and standards are driving the sales of their products.
In order from most to least important, they are: (1) PCI-DSS, (2 tie)
FISMA and SOX, (4 tie) HIPAA and GLBA, (6) NERC, (7 tie) ISO 17799 and
FDCC (OMB06-16). The next big step is to ask readers to look at this
from the user side: If you have ever bought a tool to help with
compliance, please take a moment and answer three quick questions:
1. Which of the laws/regulations/standards drove the purchase of the tool?
2. Which tool did you buy (and rate it from 1 great to 3 poor in its
effectiveness in helping you make compliance easier)?
3. In what way did the tool improve your organization's actual security
(beyond compliance)? Remember John Pescatore's sage guidance: "First
secure your systems, then worry about compliance." Send answers to
apaller sans.org with subject "compliance tools"
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/