SANS NewsBites Vol. 10 Num. 82

From: The SANS Institute (NewsBitessans.org)
Date: Fri Oct 17 2008 - 13:06:05 CDT



*************************************************************************
SANS NewsBites October 17, 2008 Vol. 10, Num. 82
*************************************************************************
TOP OF THE NEWS
  FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup
  DHS Criticized Again Over Lack of Cyber Attack Preparedness
  State Data Encryption Laws Starting to Take Effect
  Common Cause Report Says Some US States Need to Do More to
     Ensure Voting Accuracy
  Fortify Report Examines Reliability of Voting Systems
THE REST OF THE WEEK'S NEWS
  CYBER AND FINANCIAL SYSTEMS
    U.S. Intelligence Officials Increasingly Worried That Hackers Could
       Wreak Havoc On The Financial System
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million
       People
  SPAM, PHISHING & ONLINE SCAMS
    FTC Takes Action Against Prolific Spammers
  UPDATES AND PATCHES
    Adobe Update Addresses Clickjacking Flaw
    Microsoft Issues 11 Security Bulletins
  STUDIES AND STATISTICS
    Security Suite Vendors Question Secunia Study
  MISCELLANEOUS
    Police Buy Computer Tracking Service Licenses for Students and Other
       Residents

****************** Sponsored By ArcSight, Inc. **************************

Complimentary Whitepaper: Mitigating Fraud with the ArcSight SIEM Platform, 2008
Detecting, investigating and responding to fraudulent transactions
from within and outside an organization is an essential function of
business operations. Unfortunately, most organizations have inadequate
solutions in place to deter fraudsters and lack the support tools
for fraud investigators to quickly identify fraud and respond to the
threats effectively.
This whitepaper will outline the requirements for
an effective fraud mitigation solution. http://www.sans.org/info/34249

*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup (October 14 & 16, 2008)
Documents obtained by a German public radio station show that the
DarkMarket carder forum was actually a US FBI sting operation.
The site was used as a haven to buy and sell card information,
other financial account data and devices used to make cloned cards.
The site operated for nearly two years and helped gather intelligence
that led to at least 56 arrests and prevented the loss of millions
of dollars to fraud. The FBI ran the sting operation in cooperation
with the UK's Serious Organized Crime Agency (SOCA) and authorities
in Turkey and Germany.
http://www.theregister.co.uk/2008/10/14/darkmarket_sting/
http://news.bbc.co.uk/2/hi/uk_news/7675191.stm
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9117361&taxonomyId=17&intsrc=kc_top
[Editor's Note (Paller): Another great example of how good the FBI
cyber crime program really is. They make cyber criminals work a
lot harder and take a lot more risk. What can be more important?
There are three key differences between the FBI and other agencies
responsible for cyber security: Priorities (they focus on the most
important attacks); Proactive (they use innovative investigative
techniques to infiltrate groups during their activity, rather than
merely reacting after the fact); and partnerships (where the partners
in the private sector and in foreign law enforcement are people who
can actually get things done.)]

 --DHS Criticized Again Over Lack of Cyber Attack Preparedness
(October 13, 2008)
Chairman of the US House Homeland Security Committee Rep. Bennie
Thompson (D-Miss.) says the US Department of Homeland Security (DHS)
has not taken necessary steps to prepare for major cyber attacks.
DHS was to have completed eight planning scenarios and accompanying
documents regarding preparation for different vectors of attack,
including cyber attacks as the foundation of the National Response
Framework. Rep. Thompson has asked DHS to submit a schedule for
completion of the scenarios and associated documents by October
23. Just weeks ago, the DHS was criticized by the Commission of Cyber
Security for the 44th Presidency regarding its lack of preparedness
for fighting cyber attacks; the Commission recommended placing the
locus of national cyber security somewhere else. DHS has refuted the
Commission's allegations, saying that "a reorganization of roles and
responsibilities is the worst thing that could be done to improve
our nation's security posture against very real and increasingly
sophisticated cyberthreats."
http://www.fcw.com/online/news/154055-1.html
http://news.cnet.com/8301-10787_3-10048033-60.html
[Editor's Note (Pescatore): There is a lot of political
maneuvering going on, pretty much standard operating procedure for
an administration change. The major problem is that information
security is a very big business and there are major competing
interests in government to control budgets - but also in private
industry to influence potential spending. The real bottom line is *no*
government agency is going to ever actually drive protection of the
thousands of businesses connected to the Internet any more than any
government agency can protect the wired or wireless telephone system
- or the economy. Thinking there can be a centralized solution to
a totally distributed problem is like sending battleships after
terrorists. However, there are proven mechanisms for how government
and industry can cooperate for the good of the whole. Ten years ago
Presidential Decision Directive 63 laid out what is still the best
roadmap for the role government can play in all this - but since it
didn't try to create new empires or new pork barrel opportunities it
has largely been ignored.
(Northcutt): Timing is everything and this comes just after the
Air Force is having second thoughts about their Cyber Command. The
US has not prioritized security and this will probably bite us:
http://blog.wired.com/defense/2008/08/air-force-suspe.html ]

 --State Data Encryption Laws Starting to Take Effect
(October 16, 2008)
A law that took effect this month in Nevada requires that all
businesses encrypt electronically transmitted customer data. While
Nevada's encryption law is the first to take effect, other states
are starting to enact similar laws. A Massachusetts law that will
take effect in January 2009 will require businesses that collect
information about Massachusetts residents to encrypt sensitive
data stored on laptops and other portable electronic devices.
Businesses are subject to the state laws if they have customers or
otherwise conduct business operations within those states.
http://online.wsj.com/article/SB122411532152538495.html
[Editor's Note (Schultz): I predict that Nevada's law requiring
encryption of transmitted customer information will (like California
SB1386) serve as a huge impetus for passing similar legislation in
other states.]

 --Common Cause Report Says Some US States Need to Do More to Ensure Voting Accuracy
(October 16, 2008)
A study released by Common Cause warns that "On November 4, 2008,
voting machines will fail somewhere in the United States in one or
more jurisdictions in the country. Unfortunately, we don't know
where. For this reason, it is imperative that every state prepare
for system failure. [States are urged to] take steps necessary to
insure that inevitable voting machine problems do not undermine
either the individual right to vote or our ability to count each
vote cast." The report examined laws, regulations and procedures
regarding voting systems in four areas: provisions for machine
repairs and availability of paper ballots; requirements for ballot
accounting and vote reconciliation; use of a voter verifiable paper
record; and post election audits of those verifiable paper records.
Six states received high ratings in all categories; 10 states received
low ratings in three of four categories.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117347&source=rss_topic17
http://www.brennancenter.org/content/resource/is_america_ready_to_vote

 --Fortify Report Examines Reliability of Voting Systems
(October 15, 2008)
A report from Fortify looks at the reliability of the various voting
systems used in the US. Three of the six voting technologies -
hand-counted ballots, optical scan ballots and absentee ballots -
are fairly reliable; they are expected to be used for approximately 60
percent of ballots in the upcoming US general election. Two others -
punch cards and lever machines - present some serious problems, but
they are not widely used. Direct Recording Electronic voting systems,
which are expected to be used for approximately 33 percent of ballots,
are notoriously unreliable: they do not provide an easy way to verify
individual votes, and they are easy to manipulate.
http://blogs.usatoday.com/technologylive/2008/10/50-of-voting-sy.html?loc=interstitialskip
http://www.betanews.com/newswire/pr/Fortify_Software_Releases_Voting_Guide_in_Time_for_November_Elections/145273

************************* SPONSORED LINK ******************************
1) Sign up for SANS Webcast: Enterprise Log Management for Incident Handlers
October 23, 2008 at 1:00 PM ET sponsored by Q1 Labs
http://www.sans.org/info/34254

*************************************************************************

THE REST OF THE WEEK'S NEWS
CYBER AND FINANCIAL SYSTEMS
 --U.S. Intelligence Officials Increasingly Worried That Hackers Could Wreak Havoc On The Financial System
(October 17, 2008)
In today's National Journal, Shane Harris has a timely article
illuminating examples of cyber security events that have caused
significant problems for financial institutions, and the worries US
intelligence officials are expressing. In closing, he quotes
Tom Kellerman, one of the first to shine a light on this problem,
saying, "The reality is, we've been building our vaults out of wood
in cyberspace for too long."
http://www.shaneharris.net/2008/10/toxic-information.html

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million People
(October 14, 2008)
The UK Ministry of Defence (MoD) has revised its estimate of the number
of individuals affected by the loss of a hard drive from 100,000 to
1.7 million. Those who had made an initial inquiry about serving in
the armed forces would have just their names and phone numbers on
the drive, but those who had applied had provided information that
includes next of kin and passport and national insurance numbers,
driver's license information and banking data. The drive is believed
to be unencrypted.
http://www.theregister.co.uk/2008/10/14/mod_bigger_loss/
http://www.vnunet.com/vnunet/news/2228142/mod-loss-total-hit-million

SPAM, PHISHING & ONLINE SCAMS
 --FTC Takes Action Against Prolific Spammers
(October 14 & 15, 2008)
The US Federal Trade Commission (FTC) has taken action against two men
described by Spamhaus.org's CIO as "probably the most prolific spammers
at the moment." The FTC has obtained a court order that shuts down six
companies operated by Lance Atkinson and Jody Smith by prohibiting the
pair from sending unsolicited commercial email messages and freezes
assets associated with their companies. The FTC logged more than
three million complaints about spam associated with Atkinson's and
Smith's companies. The FTC is working with authorities in New Zealand,
where Atkinson is a native, although he currently lives in Australia.
http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117227&source=rss_topic17
http://www.cnn.com/2008/TECH/ptech/10/15/spam.ring.shutdown.ap/index.html?eref=rss_tech
http://www.nytimes.com/2008/10/15/technology/internet/15spam.html?_r=2&adxnnl=1&oref=slogin&partner=rssnyt&emc=rss&adxnnlx=1224075611-bJVZsnBCB/SL580PciC+EQ&oref=slogin
http://www.ftc.gov/opa/2008/10/herbalkings.shtm

UPDATES AND PATCHES
 --Adobe Update Addresses Clickjacking Flaw
(October 15 & 16, 2008)
Adobe has issued an update for its Flash Player software to address
the clickjacking vulnerability. Clickjacking is a term coined to
describe a series of flaws that allow attackers to trick users into
clicking on potentially malicious links. The update also addresses
an interoperability problem between Flash Player and Firefox and the
clipboard vulnerability. Users are encouraged to update Flash Player
to version 10.
http://www.theregister.co.uk/2008/10/16/adobe_update_thwarts_clickjacking/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117268&source=rss_topic17
http://www.adobe.com/support/security/bulletins/apsb08-18.html

 --Microsoft Issues 11 Security Bulletins
(October 14, 15 & 16, 2008)
On Tuesday, October 14, Microsoft released 11 security bulletins to
address vulnerabilities in Microsoft Windows, Internet Explorer,
Microsoft Host Integration Server and Microsoft Office. The
vulnerabilities could be exploited to allow information disclosure,
remote code execution and privilege elevation. Four of the bulletins
are rated critical, six are rated important and one is rated moderate.
http://www.theregister.co.uk/2008/10/15/microsoft_october_patch_tuesday/
http://www.microsoft.com/technet/security/bulletin/ms08-Oct.mspx
http://isc.sans.org/diary.html?storyid=5180&rss

STUDIES AND STATISTICS
 --Security Suite Vendors Question Secunia Study
(October 15, 2008)
Makers of antivirus products and security suites are calling into
question the validity of a recent study from Secunia. The study
tested a dozen security suites against "300 exploits targeting
vulnerabilities in various high-end, high-profile programs" and
found the highest scoring suite caught just 64 of the 300 exploits.
Some of the companies whose products were tested say that just one
aspect of their products was examined. Others whose products were
not included called the study a publicity stunt.
http://www.darkreading.com/document.asp?doc_id=166027&f_src=drdaily
http://www.theregister.co.uk/2008/10/15/secunia_tests_backlash/
[Editor's Note (Skoudis): Designing a thorough and fair test regimen
is quite difficult, and running the suite of tests against increasingly
complex products is very time consuming and expensive. Matt Carpenter
and I did this in 2007 for seven endpoint security products, and it
consumed two months of our time. Whenever you see a test report of
security products, make sure you look carefully at the description
of the test methodology and testbed to determine what they measured
and how. No test suite is perfect, but some better reflect operational
environments than others.]

MISCELLANEOUS
 --Police Buy Computer Tracking Service Licenses for Students and Other Residents
(October 15, 2008)
Police in Nottinghamshire, UK are paying for licenses for computer
tracking and recovery software for people who live in high-crime
areas. Last year, at least 665 laptop computers were stolen in
Nottingham city. The software connects to a monitoring center once
a day; the frequency changes to every 15 minutes if the machine is
reported stolen.
http://news.zdnet.co.uk/security/0,1000000189,39517297,00.htm
http://www.scmagazineuk.com/ComputraceOne-used-by-Nottingham-police-to-reduce-laptop-theft/article/119491/

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as
Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/
