SANS NewsBites Vol. 10 Num. 84

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Oct 24 2008 - 14:40:31 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FLASH: Microsoft's out-of-band announcement requires immediate
attention. As you will read in the first story, at least one NewsBites
editor believes the worms (one has already been released in the wild)
that exploit the newly announced Microsoft vulnerability may have
Blaster-worm-level impact.

Also, unless you use Safari, when you get a chance, uninstall it. The
editors point out the risks in the long editorial note after the story
about Google Chrome (in UPDATES and PATCHES section)

Five more days to the cost-saving deadline for the big security training
program in Washington DC: http://www.sans.org/cdi08
                                             Alan
*************************************************************************
SANS NewsBites October 24, 2008 Vol. 10, Num. 84
*************************************************************************
TOP OF THE NEWS
  Microsoft Issues Out-of-Cycle Patch
  Dutch Judge Orders Google to Reveal IP Addresses Associated with
    Suspect Gmail Account
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Virtual Crime = Real Punishment I: Trouble in Maple Story
    Virtual Crime = Real Punishment II: RuneScape Thefts
    UPenn Student Sentenced for Role in DDoS Attack
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Microsoft Australia Goes After Resellers Offering Pirated Software
  DATA PROTECTION & PRIVACY
    Continuing Coverage of Rumored UK Mobile Phone Registry Database
  UPDATES AND PATCHES
    Opera Update Fixes Three Flaws
    Google Takes Another Step Toward Fixing Carpet-Bombing Flaw in
      Chrome Browser
  DATA LOSS & EXPOSURE
    Computer Stolen From Risk Management Firm Holds Fresno, CA City
      Employee Data
  MISCELLANEOUS
    Russian Hacker Takes Credit for Attacks on Georgia Parliament
    Chinese Users Unhappy With Windows Genuine Advantage Tactics
    Researchers Read Electromagnetic Emanations From Wired Keyboards

************************ Sponsored By IBM (ISS) *************************

An important upcoming webcast - The Intelligent Network: Protecting the
Evolving Network and Securing Virtual Environments featuring Stephen
Northcutt.

Sponsored by IBM/ISS, this webcast will cover the evolution of network
components into intelligent convergence equipment, able to deliver
Unified Threat Management from a single, consolidated device. Learn how
these trends can impact your organization's IT security resources.
http://www.sans.org/info/34534
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Microsoft Issues Out-of-Cycle Patch
(October 22 & 23, 2008)
Microsoft has released an out-of-cycle patch (MS08-067) for a critical
remote code execution vulnerability on October 23, 2008. The flaw could
be exploited to allow a worm to spread without any user interaction. The
flaw affects Windows 2000, XP, Server 2003, Server 2008 and Vista. The
"privately reported" vulnerability in the Server service "could allow
remote code execution if an affected system received a specially crafted
RPC [remote procedure call] request."
http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html?nav=rss_blog
http://www.securityfocus.com/brief/844
http://www.theregister.co.uk/2008/10/23/windows_emergency_update/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117878&source=rss_topic17
http://news.cnet.com/8301-1009_3-10074072-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.us-cert.gov/cas/techalerts/TA08-297A.html
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
[Editor's Note (Skoudis): This is big, guys... really big. Enterprise
folks should get the patch, test it quickly to make sure it doesn't blow
up your environment, and then push it to their production systems.
Kudos to Microsoft for having the guts to go out of cycle when it's
really important to do so. Thankfully, they don't have to do this very
often. But, now is the time. Patch early and patch often.
(Honan): The first worm to exploit this vulnerability, GIMMIV.A, has
already been discovered in the wild,
http://www.sophos.com/security/analyses/viruses-and-spyware/trojgimmiva.html?_log_from=rss.
This vulnerability affects the RPC service which could lead to a worm
similar to MSBlaster. US-CERT have issued guidelines on how to mitigate
the risk until you test and rollout the patch
http://www.us-cert.gov/cas/techalerts/TA08-297A.html.
(Schultz): The fact that Microsoft has alerted special customers of this
vulnerability indicates that this vulnerability is extremely serious.
The potential urgency will, however, present Microsoft customers with a
tough dilemma--whether to install the patch without the opportunity to
sufficiently test it, or to "bite the bullet" and install the patch
anyway.]
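A worm exploiting a Server service RPC flaw has to reach each new victim over SMB (TCP 445, or TCP 139 on older stacks), which is why Microsoft's published workarounds for MS08-067 include blocking those ports at the firewall until the patch is deployed. What follows is an added example, not code from SANS, Microsoft or US-CERT: it runs over a constructed, simplified connection log and flags any source that opens SMB connections to an unusually large number of distinct destinations inside a short window, the fan-out pattern of a self-propagating worm rather than of a normal file-server client. The log format, the addresses and the 10-destination/60-second threshold are all assumptions to be tuned for a real network.

```python
"""Flag hosts fanning out SMB connections the way an MS08-067-style worm
would.

Added example.  The log format below is a constructed, simplified
firewall/netflow export (timestamp src dst dport action), not the output
of any particular product.  Records are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime

SMB_PORTS = {139, 445}

# Constructed sample: 10.0.0.23 sweeps part of 10.0.1.0/24 on 445 within a
# few seconds; 10.0.0.5 makes a couple of ordinary file-server connections.
SAMPLE_LOG = """\
2008-10-23T14:02:01 10.0.0.5 10.0.0.200 445 ALLOW
2008-10-23T14:02:03 10.0.0.5 10.0.0.201 445 ALLOW
2008-10-23T14:02:05 10.0.0.23 10.0.1.1 445 ALLOW
2008-10-23T14:02:05 10.0.0.23 10.0.1.2 445 ALLOW
2008-10-23T14:02:05 10.0.0.23 10.0.1.3 445 DENY
2008-10-23T14:02:06 10.0.0.23 10.0.1.4 445 ALLOW
2008-10-23T14:02:06 10.0.0.23 10.0.1.5 445 ALLOW
2008-10-23T14:02:06 10.0.0.23 10.0.1.6 445 ALLOW
2008-10-23T14:02:07 10.0.0.23 10.0.1.7 139 ALLOW
2008-10-23T14:02:07 10.0.0.23 10.0.1.8 445 ALLOW
2008-10-23T14:02:07 10.0.0.23 10.0.1.9 445 ALLOW
2008-10-23T14:02:08 10.0.0.23 10.0.1.10 445 ALLOW
2008-10-23T14:02:08 10.0.0.23 10.0.1.11 445 ALLOW
2008-10-23T14:02:09 10.0.0.23 10.0.1.12 445 ALLOW
2008-10-23T14:02:09 10.0.0.23 10.0.1.12 445 ALLOW
2008-10-23T14:10:00 10.0.0.5 10.0.0.200 80 ALLOW
"""


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_scanners(log_text, threshold=10, window_seconds=60):
    """Return {src: peak distinct SMB destinations} for every source that
    reached at least `threshold` distinct hosts on 139/445 within any
    `window_seconds` window.

    DENY records count too: a worm probing hosts that are filtered or
    absent still reveals itself by the fan-out, not by success.
    """
    windows = defaultdict(deque)   # src -> deque of (timestamp, dst)
    peak = defaultdict(int)        # src -> largest distinct-dst count seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport not in SMB_PORTS:
            continue
        window = windows[src]
        window.append((ts, dst))
        # Drop records that have fallen out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({d for _, d in window})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(find_smb_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct SMB destinations in one window")
```

On the sample, only 10.0.0.23 is reported (12 distinct hosts within four seconds); the two connections from 10.0.0.5 are well under the threshold. On a real export, feed records in time order, set the threshold above what legitimate clients such as backup agents or domain controllers produce, and treat a hit as a host to isolate and check for the patch rather than as proof of infection on its own.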

 --Dutch Judge Orders Google to Reveal IP Addresses Associated with Suspect Gmail Account
(October 20, 2008)
A judge in the Netherlands has ordered Google to turn over IP addresses
associated with a Gmail account that was used in a case of alleged
industrial espionage. Google had refused to comply with the initial
request from the company, iMerge, because "disclosing the user's
identity violated rulings on the balance between freedom of expression
and a person's right to his reputation." The suspect had been chief
technology officer at iMerge. He allegedly installed a backdoor server
in the hosting center configured to forward messages from a corporate
director's mailbox to the Gmail account in question.
http://www.theregister.co.uk/2008/10/20/dutch_court_orders_google_to_reveal_gmail_user/
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=211201988

************************* SPONSORED LINK ******************************
1) Please sign up for SANS' Analyst Webcast and Whitepaper- Log
Management in the Cloud: A Comparison of Do-it-yourself Versus Cloud
Services sponsored by AlertLogic Thursday, October 30, 2008 at 1 PM EDT
http://www.sans.org/info/34539
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Virtual Crime = Real Punishment I: Trouble in Maple Story
(October 23, 2008)
A Japanese woman has been jailed for allegedly killing the virtual
persona of her online husband in the Maple Story interactive online
game. The woman apparently became angry when the online character that
her online character was married to in the virtual world divorced her
suddenly. She allegedly used the person's password and ID to access his
account and "kill" the character. The woman has not yet been formally
charged, but it is likely she will face charges of illegally accessing
a computer and manipulating electronic data. She could receive a prison
sentence of up to five years and a fine of US $5,000.
http://www.usatoday.com/tech/news/2008-10-23-avatar-murder_N.htm?loc=interstitialskip
http://technology.timesonline.co.uk/tol/news/tech_and_web/article5002721.ece

 --Virtual Crime = Real Punishment II: RuneScape Thefts
(October 22, 2008)
Two Dutch teens have been sentenced to community service for coercing
another teen into transferring virtual items from his RuneScape account
into theirs. The two allegedly physically threatened the victim, but
the court focused on whether or not the theft of virtual items
constituted actual theft. The court determined that "these virtual
goods are goods, so this is theft."
http://www.nzherald.co.nz/games/news/article.cfm?c_id=38&objectid=10538822
http://www.theregister.co.uk/2008/10/22/teens_sentenced_for_runescape_item_theft/
http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/10/22/dltheft122.xml
http://www.radionetherlands.nl/currentaffairs/region/netherlands/081022-virtual-theft-is-real
[Editor's Note (Skoudis): The application of real-world laws in virtual
worlds is going to be a fascinating trend over the next few years,
providing lots of opportunities for savvy lawyers. Also, the
jurisdictional issues are going to get mighty complicated, given the
cross-border nature of these virtual worlds.]

 --UPenn Student Sentenced for Role in DDoS Attack
(October 22 & 23, 2008)
University of Pennsylvania student Ryan Goldstein has been sentenced to
three months in prison, three months in a halfway house, three months
of home confinement and five years on probation, for his role in a
distributed denial-of-service (DDoS) attack that targeted a University
of Pennsylvania server. Goldstein was arrested as part of Operation Bot
Roast II, an FBI initiative. He will also pay a US $30,000 fine and US
$6,100 in restitution. Goldstein could have faced much harsher
penalties because child pornography was found on his computer, but he
was not charged with those offenses in return for his cooperation with
authorities. Goldstein had convinced New Zealand teenager Owen Walker
to launch the attack. Walker was charged in New Zealand; he pleaded
guilty and was fined, but received no prison time.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117811&source=rss_topic17
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539102
http://www.philly.com/inquirer/local/pa/20081022_Penn_student_jailed_90_days_in_hacking_case.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Microsoft Australia Goes After Resellers Offering Pirated Software
(October 21, 2008)
Microsoft's director of intellectual property in Australia, Vanessa
Hutley, said that the company will never be able to prevent all
instances of piracy; if people are intent on getting unlicensed copies
of software, they will find a way to do it. Instead, Microsoft will
focus its energies on resellers who offer pirated copies of the
company's software that appear to customers to be legitimate. Similar
efforts are taking place in 49 countries around the world. According
to statistics from the Business Software Alliance, 28 percent of
software used in Australia is pirated. Brick-and-mortar enterprises
have already been targeted; Microsoft is now seeking out resellers who
operate over the Internet.
http://www.smh.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2008/10/21/1224351224128.html

DATA PROTECTION & PRIVACY
 --Continuing Coverage of Rumored UK Mobile Phone Registry Database
(October 20, 2008)
There are reports that GBP 1 billion has been earmarked to establish a
program wherein people purchasing mobile phones in the UK will be
required to provide positive identification in the form of a passport
or other government-issued ID. That information will reportedly be
entered into a national database in an effort to identify the estimated
40 million people who purchase pay-as-you-go plans, which previously
required no identification. The government has neither confirmed nor
denied the rumors. A spokesperson for the Information Commissioner's
office said that "With regards to the database that could contain
details of all mobile users, ... we would expect that this information
would be included in the database proposed in the draft Communications
Data bill." Vodafone has denied that buyers would be required to
provide identification.
http://www.money.co.uk/article/1001726-latest-big-brother-proposal-no-new-mobile-phone-without-a-passport.htm
http://www.computeractive.co.uk/computeractive/news/2228645/vodafone-denies-plans-ask-pay

UPDATES AND PATCHES
 --Opera Update Fixes Three Flaws
(October 22, 2008)
Opera has released an updated version of its eponymous browser to
address a trio of security vulnerabilities. The first flaw could be
exploited to gain access to users' browsing histories. The second flaw
is a cross-site scripting vulnerability in fast forward, and the third
involves a problem with news feed subscriptions. Users are urged to
upgrade to Opera version 9.61.
http://www.heise-online.co.uk/news/Security-update-for-Opera--/111769
http://www.opera.com/docs/changelogs/windows/961/

 --Google Takes Another Step Toward Fixing Carpet-Bombing Flaw in Chrome Browser
(October 22, 2008)
Google has released a partial security fix for its Chrome browser to
address the carpet-bombing vulnerability that affects an array of other
browsers. The blended threat was disclosed earlier this year; the
problem arises when Apple's Safari browser is installed on computers
along with other browsers. The Chrome fix is not being pushed out as
an automatic update; instead, it is available only through the developer
version of the browser.
http://www.theregister.co.uk/2008/10/22/chrome_carpet_bombing/
[Editor's Note (Northcutt, with Skoudis): This is a bit complicated.
There is increasing evidence that having more than one browser on a
system increases risk:
http://www.theregister.co.uk/2008/04/17/alt_browser_updates/
One browser that has had some security problems in 2008 is Safari. They
have all had vulnerabilities, of course, but apparently Safari
downloaded resources from a web server if the server told the browser
to do so, and did not prompt the user. Also the default location to
download to is the Desktop. It turns out some browsers, like Internet
Explorer, can be directed to take action by files on the desktop, and
this is called carpet bombing:
http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/
http://www.theregister.co.uk/2008/06/10/apple_safari_carpet_bombing_demo/
Back in May, Apple added Safari to the updater software for iTunes. This
caused the number of Windows systems with Safari to be tripled virtually
overnight, increasing the number of systems at risk because they have
multiple browsers installed:
http://www.theregister.co.uk/2008/05/02/safari_share_triples/
In addition, people who got Safari through iTunes probably still have
the June 2008 patch. Apple released a fix for Safari in June 2008, but
once again, if there are multiple browsers installed on a system, the
fix might fix Safari, but not protect the user who has multiple browsers
installed:
http://www.channelregister.co.uk/2008/06/23/safari_security/
For this latest Chrome bug, Google used Apple WebKit in coding Chrome,
and the code in Chrome still has the older, non-patched carpet bomb
vulnerability:
http://www.theregister.co.uk/2008/09/03/google_chrome_vuln/
I think I am going to uninstall Safari. I have been waiting to install
Chrome and think I will keep waiting, perhaps a very long time. I
primarily use Firefox and hope and pray NoScript will save me somehow
from this dangerous web world: http://noscript.net/ ]

DATA LOSS & EXPOSURE
 --Computer Stolen From Risk Management Firm Holds Fresno, CA City Employee Data
(October 22 & 23, 2008)
On October 13, 2008, thieves stole more than two dozen computers from
the Fresno, California office of KRM Risk Management. One of the
computers contains personally identifiable information of more than
5,000 Fresno city employees who had filed worker's comp claims as far
back as 1973. KRM was hired by the city to manage its compensation
claims. Police are offering a US $5,000 reward for information leading
to the arrest of those responsible for the theft. Law enforcement
agents are analyzing video from a neighboring business for clues.
http://abclocal.go.com/kfsn/story?section=news/local&id=6462368
http://abclocal.go.com/kfsn/story?section=news/local&id=6465115
http://www.cbs47.tv/news/local/story.aspx?content_id=853f41c4-1055-44a8-b78c-05df4a7c80af

MISCELLANEOUS
 --Russian Hacker Takes Credit for Attacks on Georgia Parliament
(October 23, 2008)
Leonid "R0id" Stroikov claims he is responsible for attacks on the
Georgia parliament. Reported in the latest edition of Xakep ("Hacker")
magazine, Stroikov describes his attack and why he decided to do it.
http://blog.wired.com/defense/2008/10/government-and.html
[Editor's Note (Paller): Stroikov may be falsely boasting after the
fact, but that's not likely. His thought process is interesting
nonetheless.]

 --Chinese Users Unhappy With Windows Genuine Advantage Tactics
(October 22, 2008)
Chinese computer users are expressing their displeasure with Microsoft's
Windows Genuine Advantage (WGA) program. WGA checks to make sure that
users have valid licenses for the Microsoft software on their computers;
if pirated software is detected, the computer's screen turns black.
There is some concern that Microsoft's actions could "cause serious
functional damage to users' computers."
http://www.msnbc.msn.com/id/27321572/

 --Researchers Read Electromagnetic Emanations From Wired Keyboards
(October 20 & 22, 2008)
Swiss researchers have demonstrated that keystrokes from wired keyboards
can be read remotely from distances of up to 20 meters, because the
keyboards emit electromagnetic waves as keys are pressed. The researchers,
at the Security and Cryptography Laboratory of the Ecole Polytechnique
Federale de Lausanne, have described four different methods of
eavesdropping on keystrokes on wired keyboards.
http://news.cnet.com/8301-1009_3-10072967-83.html?tag=mncol;title
http://www.theregister.co.uk/2008/10/20/keyboard_sniffing_attack/

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkkCD60ACgkQ+LUG5KFpTkZ08wCfatqOkFl7RkXbbuV+RAfDQcCS
wQwAnRLX84zU+lxW7wvyh2DZwndOjMF8
=ZTr0
-----END PGP SIGNATURE-----