From: The SANS Institute (NewsBites sans.org)
Date: Fri Nov 14 2008 - 12:58:53 CST
If you are thinking of coming to this winter's big national security
training program (SANS Security West, Jan 24-Feb 1, Las Vegas,
http://www.sans.org/securitywest09), a few of the following may prove
useful. They'll help your bosses know that SANS training is worth far
more to your organization than any other training, because SANS provides
up-to-the-minute defensive information you can put to work immediately
upon returning to the office:
"I have taken dozens of training courses, and this is the best training
I have ever received." (William Okula, Suffolk County Police Department)
"If you have any managerial responsibilities in the field of cyber
security, you must take this course to be effective and successful."
(William J. Riegger, IRS)
"SANS courses bring the best of the best to one place to share cutting
edge information." (Jeremy Baca, Sandia National Labs)
"SANS provides the best education you will ever find." (Mike Gauthier,
Heartland Business Systems)
"SANS training is like a catalyst. It not only boosts your knowledge but
also inspires you to learn more." (Tan Koon Yaw, IDA)
"I have attended courses by several of SANS rivals, and SANS blew them
away." (Alton Thompson, US Marines)
"SANS has the highest quality instructors and the most relevant, current
information of any training I have attended." (Melodee McHone, Hallmark)
"Never before has so much useful information been compiled into a single
source that is both accessible and understandable." (Wayne Slocum, PEO
C4I PMW 160)
"This is the only training I've ever attended at which I learned
techniques and found tools I could apply immediately." (Dwight Leo, DLA)
Several thousand students have provided similar written comments. More
information on SANS Security West at http://www.sans.org/securitywest09
Alan
*************************************************************************
SANS NewsBites November 14, 2008 Vol. 10, Num. 90
*************************************************************************
TOP OF THE NEWS
Spam Levels Drop After Hosting Company Disconnected
Report Finds ISPs Devoting More Resources to DDoS Defense
Group Published Guidelines for Anti-Malware Testing
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
NebuAd Sued for Invasion of Privacy
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Student Charged with eMail Hacking
Former Network Admin Pleads Guilty to Multiple Offenses
NASA, DOE Hacker Gets Suspended Sentence in Romania, May Face Extradition
UPDATES AND PATCHES
Mozilla Releases Firefox 3.0.4
Microsoft Patch Tuesday Includes Fix for Seven-Year-Old Flaw
ATTACKS
Express Scripts Offers Reward in Cyber Extortion Case
Computer Security Breach at U of Florida College of Dentistry Affects
More Than 300,000
MISCELLANEOUS
ICANN Will Revoke EstDomains Registrar Credentials
******************** Sponsored By Norwich University ********************
Norwich University
The Master of Science in Information Assurance program provides you with
the skills to manage and lead an organization-wide information security
program. Graduates will be prepared to assume professional management
responsibilities such as those of CSO's, CISO's and Enterprise Risk
Managers. The NSA and Department of Homeland Security have designated
Norwich University as a Center of Academic Excellence in Information
Assurance.
http://www.sans.org/info/35304
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Spam Levels Drop After Hosting Company Disconnected
(November 12, 2008)
The amount of spam being sent worldwide dropped noticeably after McColo,
a northern California-based hosting provider identified as hosting
spamming organizations, was cut off by its Internet providers. It is
estimated that McColo hosted the machines responsible for 75 percent of
spam sent worldwide. McColo's upstream service was severed on Tuesday,
November 11; that same afternoon, organizations tracking spam noted a
sharp decrease in the volume being sent. The relief is likely to be
temporary, as operations that send the unsolicited commercial email seek
out other avenues to help them spread their wares.
http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html?nav=rss_technology
http://www.theregister.co.uk/2008/11/12/mccolo_goes_silent/
http://news.bbc.co.uk/2/hi/technology/7725492.stm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119963&source=rss_topic17
http://hostexploit.com/downloads/Hostexploit%20Cyber%20Crime%20USA%20v%202.0%201108.pdf
Internet Storm Center: http://isc.sans.org/diary.html?storyid=5333
[Editor's Note (Ullrich): This story, as well as the story about
EstDomains below, is showing a trend of increased self-policing of
network service providers. Due to the impact these bad players have on
their business, and the attention paid to them by the media, it has
become harder to hide. Compare this to residents of an area shining
bright lights at drug dealers and prostitutes to drive them away.]
--Report Finds ISPs Devoting More Resources to DDoS Defense
(November 11 & 12, 2008)
The 2008 Worldwide Infrastructure Security Report from Arbor Networks
covers a 12-month period from August 2007 through July 2008. Among the
report's most significant findings are that Internet service providers
(ISPs) spend the majority of their security resources defending their
systems against distributed denial-of-service (DDoS) attacks and that
the largest DDoS attacks now exceed 40 gigabits per second. ISPs also
noted that application-level attacks have resulted in prolonged outages
of Internet services. In addition, more than half of the responding
ISPs are concerned about the possibility of new security threats
accompanying IPv6.
http://asert.arbornetworks.com/2008/11/2008-worldwide-infrastructure-security-report/
http://news.zdnet.co.uk/security/0,1000000189,39549409,00.htm
http://www.vnunet.com/vnunet/news/2230250/isps-fear-ipv6-security-threats
[Editor's Note (Schultz): One study after another has shown that denial
of service attacks have been the most frequent type of attack over the
years. Because the state of the art in defending against denial of
service attacks is currently not all that advanced, this trend is likely
to continue well into the future.]
--Group Published Guidelines for Anti-Malware Testing
(November 11, 2008)
The Anti-Malware Testing Standard Organization (AMTSO) has published a
pair of documents aimed at standardizing the way antivirus scanners and
malware defense tools are tested. The "Fundamental Principles of
Testing" include "testing must not endanger the public; testing should
be reasonably open and transparent; and testing methodology must be
consistent with the testing purpose." "Best Practices for Dynamic
Testing" addresses issues such as reproducibility, product and sample
selection, testing environment, and logging and auditing. AMTSO was
founded amid rising concern about "inconsistent test regimes" and the
questionable ethics of certain testing schemata.
http://www.securityfocus.com/brief/852
http://www.amtso.org/documents/cat_view/13-amtso-principles-and-guidelines.html
[Editor's Note (Ullrich): I like the focus of the "Dynamic Testing"
document on fresh and relevant malware. Current anti-malware has
significant issues with current relevant threats. The "Fundamental
Principles of Testing" document, while it doesn't say anything wrong,
misses this focus. We have to move away from testing anti-malware using
stale (older than 24 hrs) and static malware zoos.]
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--NebuAd Sued for Invasion of Privacy
(November 13, 2008)
More than a dozen Internet service subscribers have filed a lawsuit
against NebuAd and six Internet service providers (ISPs) claiming that
NebuAd's web surfing habit tracking technology and the companies that
used it without customers' knowledge violated anti-wiretapping statutes.
The plaintiffs are asking for more than US $5 million in damages and are
seeking class action status for the lawsuit. All of the ISPs named in
the lawsuit stopped using NebuAd technology after just a few months.
NebuAd has paid the ISPs to allow it to install monitoring equipment on
their networks, which examined user habits and delivered targeted
advertising based on their perceived interests.
http://www.mercurynews.com/portal/breakingnews/ci_10976851?_loopback=1
http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
[Editor's Note (Northcutt): A copy of the suit is shown below, I would
say this looks bad for NebuAd:
http://www.docstoc.com/docs/document-preview.aspx?doc_id=2497992
There are several of these companies including Phorm and FrontPorch:
http://www.phorm.com/
http://www.frontporch.com/html/index.html
You may recall there was a hullabaloo in the UK in 2006 when it was
announced that Phorm and BT were secretly tracking BT customers:
http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/
There is an interesting paper referenced in the suit by Professor Paul
Ohm where he asserts, "Nothing in society poses as grave a threat to
privacy as the Internet Service Provider (ISP)." He goes on to say ISPs
have the means and the motive to snoop on their customers:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1261344# ]
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Former Student Charged with eMail Hacking
(November 13, 2008)
Former University of Maine student James Wieland has been charged with
aggravated criminal invasion of privacy, a felony offense, for allegedly
breaking into hundreds of university email accounts. Wieland allegedly
installed keystroke logging programs on the victims' computers;
authorities do not know his motives. Wieland's surreptitious activity
began to unravel after a student received an email message from a friend
while that friend did not have computer access.
http://www.wcsh6.com/news/breaking/story.aspx?storyid=95880&catid=112
http://www.bangornews.com/detail/93201.html
--Former Network Admin Pleads Guilty to Multiple Offenses
(November 10 & 12, 2008)
Andrew Madrid has pleaded guilty to charges of hacking, identity theft,
burglary and drug possession in Santa Clara County (California) Superior
Court. Madrid destroyed data on a former employer's computer system
hoping that they would hire him back to fix the problem he had created.
He also placed spyware on computer systems to steal passwords. Madrid
used a neighbor's wireless network to disguise his digital tracks.
Dressed as a security guard, Madrid strolled through various companies
stealing computer equipment. He faces up to 12 years in prison when he
is sentenced.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119940&source=rss_topic17
http://www.mercurynews.com/business/ci_10949785
http://www.sccgov.org/portal/site/da/agencyarticle?path=%252Fv7%252FDistrict%2520Attorney%252C%2520Office%2520of%2520the%2520%2528DEP%2529&contentId=ae306383d969d110VgnVCM10000048dc4a92____&cpsextcurrchannel=1
--NASA, DOE Hacker Gets Suspended Sentence in Romania, May Face Extradition
(November 11, 2008)
A Romanian man received a 16-month suspended prison sentence in his home
country for breaking into computer systems at the US Navy, NASA and
Department of Energy, but still could face extradition to the US. In
2006, Victor Faur was indicted in the US on nine counts of computer
intrusion and one count of conspiracy. Faur's defense included
arguments that his actions were intended to help the US by demonstrating
vulnerabilities in its government and military computer systems. He was
also fined the equivalent of US $238,000.
http://www.theregister.co.uk/2008/11/11/us_navy_hack_sentencing/
http://ap.google.com/article/ALeqM5hfpRlmAltvPNjKBY6nCLqoRg-26AD94C54SG1
http://oig.nasa.gov/press/pr2007-C.pdf
UPDATES AND PATCHES
--Mozilla Releases Firefox 3.0.4
(November 13, 2008)
Mozilla has released Firefox version 3.0.4 to address a dozen security
flaws, several of which could be exploited to execute code on vulnerable
machines. Six of the flaws have been rated critical; one of these
involved privilege escalation following a session restore. Others could
be exploited to crash vulnerable computers.
http://www.heise-online.co.uk/security/Firefox-3-0-4-closes-nine-security-holes--/news/111952
http://news.cnet.com/8301-17939_109-10096399-2.html
Apple also released Safari 3.2 addressing 11 vulnerabilities in the browser.
http://news.zdnet.co.uk/security/0,1000000189,39551914,00.htm
--Microsoft Patch Tuesday Includes Fix for Seven-Year-Old Flaw
(November 12 & 13, 2008)
Microsoft has issued two security bulletins to address vulnerabilities
in Windows 2000, XP, Server 2003, Vista, Server 2008 and Office 2003 and
later versions. MS08-069, which has a critical rating, addresses remote
code execution issues in Windows XML Core Services versions 3.0, 4.0 and
6.0. MS08-068 has been given a rating of important by Microsoft; it
involves a vulnerability in Microsoft Server Message Block that could
be exploited to allow remote code execution as well. This particular
flaw has been known since March 2001. A security program manager in the
Microsoft Security Response Center wrote in a blog post that the issue
has not been addressed until now because it would have "render[ed] many
... customers' network-based applications then inoperable."
http://www.heise-online.co.uk/security/Microsoft-closes-critical-hole-in-Windows--/news/111941
http://www.gcn.com/online/vol1_no1/47547-1.html?topic=security
http://www.theregister.co.uk/2008/11/12/ms_patch_tuesday_november/
http://news.cnet.com/8301-1009_3-10096611-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
https://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx
http://isc.sans.org/diary.html?storyid=5330
There is some concern that the patch does not fully address the issue:
http://news.zdnet.co.uk/security/0,1000000189,39550710,00.htm
ATTACKS
--Express Scripts Offers Reward in Cyber Extortion Case
(November 13, 2008)
Express Scripts, the prescription benefits provider that was targeted
by data extortionists, has offered a US $1 million reward fund for
information leading to the capture and prosecution of those responsible
for a series of attacks and extortion threats. In October, Express
Scripts received a letter saying that the senders had breached the
company's computer system and stolen customer information; the letter
included personal details of 75 customers and a demand for money or they
would expose millions of additional records. When the company did not
respond to their demands, the extortionists sent threatening letters to
some of Express Scripts' clients, prompting the announcement of the
reward fund. Express Scripts is cooperating with the FBI's
investigation.
http://www.securityfocus.com/brief/854
http://www.theregister.co.uk/2008/11/13/express_scripts_extortion/
http://phx.corporate-ir.net/phoenix.zhtml?c=69641&p=irol-newsArticle&ID=1225263&highlight=
[Editor's Note (Honan): Express Scripts should be applauded for the way
they are handling this incident and we could all do well to learn from
them on how to proactively deal with an extortion type breach.]
--Computer Security Breach at U of Florida College of Dentistry Affects More Than 300,000
(November 12 & 13, 2008)
More than 300,000 current and former patients at the University of
Florida College of Dentistry have been notified that their personal
information may have been compromised. IT department staff members
found evidence of a breach on October 3, 2008; at that time, they
discovered remotely installed software and cut off the infected server
so the attackers could no longer access it. It has since been put back
online with stronger protection. The patients affected by the data
breach were notified within the 45-day time frame required by Florida
law.
http://www.networkworld.com/news/2008/111208-ufla.html?hpg1=bn
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120188&source=rss_topic17
MISCELLANEOUS
--ICANN Will Revoke EstDomains Registrar Credentials
(November 13, 2008)
The Internet Corporation for Assigned Names and Numbers (ICANN) has
decided to revoke the registrar credentials of Estonia-based EstDomains,
which has been the home to domain names associated with malicious
activity. ICANN had intended to revoke the credentials earlier this
month, but allowed for a stay in its decision pending review of appeal
information made by the company. ICANN based its decision in part on
the conviction of EstDomains President Vladimir Tsastsin on charges of
credit card fraud, money laundering and document forgery. After
reviewing the material, ICANN issued a notice that the credentials will
be revoked as of November 24, 2008.
http://www.theregister.co.uk/2008/11/13/estdomains_loses_icann_appeal/
The overview at ICANN:
http://www.icann.org/en/announcements/announcement-12nov08-en.htm
The ICANN letter to EstDomains:
http://www.icann.org/correspondence/burnette-to-poltev-07nov08-en.pdf
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/