From: The SANS Institute (NewsBites at sans.org)
Date: Tue Nov 25 2008 - 13:42:50 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you have ever been frustrated by security auditors who focused on
unimportant flaws while ignoring important problems, or bothered that
two security assessors reached totally different conclusions, you'll
find the first story this week refreshing.
Separately, the top software security experts around the world have
gotten together to work toward consensus on selecting the 25 most
dangerous programming errors. Their goal is to help CIOs measure the
security of the software they are buying and building and help schools
ensure they are teaching secure coding effectively. For more on the top
25, see http://www.sans.org/resources/top25/
Alan
*************************************************************************
SANS NewsBites November 25, 2008 Vol. 10, Num. 93
*************************************************************************
TOP OF THE NEWS
Security Audit Guidelines Will Call on Agencies to Focus Attention on
Frequently Exploited Flaws
NASA Internal Memo Addresses Removable Media Security Policy
NASA is Target of Ongoing Cyber Espionage
Symantec Report on Underground Economy
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case
DATA PROTECTION & PRIVACY
Verizon Fires Employees Who Accessed Obama's Phone Records
Without Authorization
SPAM, PHISHING & ONLINE SCAMS
Facebook Wins Record Judgment in Spam Case
VULNERABILITIES
Buffer Overflow Flaw in Windows Vista TCP/IP Stack
MALWARE
Microsoft Reports Tool Cleared Phony Security Software
from 1 Million PCs
UPDATES AND PATCHES
Apple Issues Update for iPhone, iPod Touch
ATTACKS
London Hospital Computer Systems on Road to Recovery
************************* Sponsored By CA *******************************
Server Resource Protection: A Critical Element of IT Security Protecting
server resources from internal and external access abuse and attacks is
critical to maintaining a strong security posture. Incessant threats and
attacks on enterprise security continue to challenge IT. A recent $7
billion French banking fraud case clearly illustrates the problem at
hand. This IDC whitepaper analyzes common vulnerabilities in protecting
server resources. Learn more
http://www.sans.org/info/35873
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Security Audit Guidelines Will Call on Agencies to Focus Attention
on Frequently Exploited Flaws
(November 21, 2008)
The Consensus Audit Guidelines (CAG) will enable federal agencies to
focus their security expenditures on fixing the vulnerabilities that are
most frequently exploited, before addressing those that are more
hypothetical, and to enable agency inspectors general to verify that the
most important problems are fixed first. Concentrating resources on
known security flaws will improve the value of the current certification
and accreditation process mandated by the Federal Information Security
Management Act (FISMA) by ensuring the right things are being measured.
The group developing the CAG, led by John Gilligan, who served as CIO
of both the Department of Energy and of the US Air Force, is composed
of experts from the key federal agencies involved in computer network
attack and cyber intrusion investigations as well as their counterparts
in the commercial world who do penetration testing and incident response
for banks and other victims. The idea behind the initiative - one that
also led to the Federal Desktop Core Configuration - is that "defense
should be informed by offense."
http://www.nextgov.com/nextgov/ng_20081121_8289.php
[Editor's Note (Skoudis): Focusing defenses on the most widely used
attack vectors is a good idea, one that can allow organizations with
resource constraints to focus their energies on the most salient attack
vectors. Of course, eventually the bad guys will innovate and use other
vectors, but such guidelines can be updated as the attacks evolve.
(Paller): As Tom Donahue, the CIA's top cyber security threat analyst,
is fond of saying "you have to manage the known bads." This is the
first time government experts have worked together, across agency lines,
with the private sector, to define those "known bads," so they *can* be
managed. The federal CIOs who know about this initiative expressed
confidence that the CAG would allow them to more rationally allocate
their security expenditures. One of them said it clearest, "It's just
common sense."]
--NASA Internal Memo Addresses Removable Media Security Policy
(November 21 & 24, 2008)
NASA Chief Information Officer Jonathan Pettus last week issued a memo
clarifying agency policy on the use of removable media. The memo
instructs employees not to use personally owned USB drives or other
removable media on government computer systems; not to use
government-owned removable media devices on personal machines or
machines that do not belong to the agency, department or organization;
not to put unknown devices into any systems; and to ensure that systems
are fully patched and anti-virus software is updated. The directive is
not as sweeping as that imposed by the US Defense Department, which
temporarily forbids the use of USB drives and other removable media
devices of all types. The DoD instruction was issued to mitigate the
spread of detected malware.
http://www.nextgov.com/nextgov/ng_20081124_5509.php
http://www.spaceref.com/news/viewsr.html?pid=29884
[Editor's Note (Skoudis): I'm surprised it has taken this long for some
organizations to act on this attack vector. Windows ships with autorun
for CDs enabled, and USBs with U3 technology look just like a CD to a
Windows box, making compromise trivial. Enterprises should address this
threat with clear policy and instructions for employees, shored up with
technical implementations that turn off autorun via Group Policy.
Microsoft describes how to do the latter here:
http://support.microsoft.com/kb/953252]
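Turning autorun off through Group Policy comes down to a handful of REG_DWORD values under the Explorer policy key, and the point of KB953252 is that older systems did not honour those values until the update was installed. The PowerShell below is an added example, not code from SANS, Microsoft or the KB article: it audits the local equivalent of the "Turn off Autoplay" policy and enforces it when it is missing. It assumes an elevated prompt on a Vista-or-later host that already has the KB953252 update, and it assumes the value names HonorAutorunSetting and NoAutorun as Microsoft documents them for that update. In a domain the same values should go out through a GPO; the script is then only the check that the GPO actually landed.

```powershell
# Added example (not from the SANS newsletter or from Microsoft): audit and
# enforce the registry values behind the "Turn off Autoplay" Group Policy.
# Run from an elevated PowerShell prompt on a Vista-or-later host.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Values Windows reads (all REG_DWORD under the key above):
#   NoDriveTypeAutoRun  0xFF - disable Autorun on every drive type
#   HonorAutorunSetting 1    - written by the KB953252 update so that
#                              NoDriveTypeAutoRun is consulted before any
#                              autorun.inf is processed
#   NoAutorun           1    - ignore autorun.inf entirely (assumption: the
#                              host has the update that added this value)
$Desired = @{
    NoDriveTypeAutoRun  = 0xFF
    HonorAutorunSetting = 1
    NoAutorun           = 1
}

function Get-AutorunPolicy {
    # Current state of each value; $null means the value is not set at all
    $state = @{}
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $ExplorerPolicy -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($item) { $item.$name } else { $null }
    }
    return $state
}

function Test-AutorunPolicy {
    # True only when every value is present and matches the desired setting;
    # a missing value is treated as non-compliant, not as "probably fine"
    $state = Get-AutorunPolicy
    foreach ($name in $Desired.Keys) {
        if ($state[$name] -ne $Desired[$name]) { return $false }
    }
    return $true
}

function Set-AutorunPolicy {
    # Create the policy key if a GPO has never touched this machine
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $ExplorerPolicy -Name $name -Value $Desired[$name] -Type DWord
    }
}

# Audit first, enforce only when something is off, then audit again
'Before:'
(Get-AutorunPolicy).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if (-not (Test-AutorunPolicy)) {
    Set-AutorunPolicy
    'After enforcement:'
    (Get-AutorunPolicy).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}
'Autorun policy compliant: ' + (Test-AutorunPolicy)
```

Test-AutorunPolicy deliberately fails on an absent value rather than on a wrong one only: a machine that never received the policy looks exactly like a machine where someone deleted it, and both should show up as non-compliant in an audit. Explorer picks the new settings up on the next logon; a running session may still process a freshly inserted U3 device until then.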
--NASA is Target of Ongoing Cyber Espionage
(November 20, 2008)
An in-depth look at cyber attacks directed at NASA finds that the agency
has been the target of computer network intrusions for at least a
decade. Some of the problems can be attributed to the fact that NASA
systems are designed to be accessible to outside researchers and
contractors. A year ago, NASA Inspector General Robert W. Cobb issued
a report that noted, "Our criminal investigative efforts over the last
five years confirm that the threats to NASA's information are broad in
scope, sophisticated, and sustained."
http://www.businessweek.com/print/magazine/content/08_48/b4110072404167.htm
--Symantec Report on Underground Economy
(November 24, 2008)
Symantec's "Report on Underground Economy" says that some cyber
criminals are breaking into companies' computer systems for one very
specific reason: to check if stolen credit card information is valid.
The intruders in these cases apparently do not steal any company data;
they just want access to the companies' credit card payment processing
systems. These services charge as much as US $10 per card to confirm
validity for buyers who are not sure that the card data being sold in the
Internet underground is actually usable. Of course, there are still
cyber criminals plundering companies' databases for information as well.
http://www.msnbc.msn.com/id/27888970/
************************* SPONSORED LINK ******************************
1) Hear what major government labs have implemented for Control Systems
security at the SCADA & Process Control Security Summit February 2-3.
http://www.sans.org/info/35878
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case
(November 21 & 24, 2008)
The case against Connecticut substitute teacher Julie Amero has finally
come to a close. Prosecutors dropped the felony charges against her,
but the agreement called for a guilty plea to a misdemeanor charge of
disorderly conduct and surrender of her state teaching credential.
Amero had previously been convicted of endangering minors and faced 40
years in prison. Prosecutors alleged that in 2004 she had surfed to
dubious websites that displayed pornographic pop-ups on a computer in
the classroom; when security specialists caught wind of the case, they
pushed to examine the computer in question and found that the school
district had inadequate anti-malware protection on that computer and the
pop-ups were not Amero's fault.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121218&source=rss_topic17
http://www.securityfocus.com/brief/860
http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
[Editor's Note (Schultz): I feel terrible that this teacher pleaded
guilty to even a lesser charge. We are truly in the dark ages when it
comes to understanding what constitutes computer crime.]
DATA PROTECTION & PRIVACY
--Verizon Fires Employees Who Accessed Obama's Phone Records
Without Authorization
(November 22 & 24, 2008)
Verizon Wireless has fired an unspecified number of employees for
looking at President-elect Barack Obama's cell phone records. The
breaches occurred earlier this year. The employees would not have been
able to access the contents of text or voice messages. The account they
accessed was inactive. As soon as the problem was detected, all
employees who looked at the records, even those who had the
authorization to do so, were put on paid leave.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121346&source=rss_topic17
[Editor's Note (Skoudis): I'm happy to see some high-profile firing
associated with these cases. In many organizations, IT employees are
trusted to be stewards of very sensitive information, including call
records, tax information, e-mail, etc. If they abuse this trust,
whether for celebrities, high-profile politicians, or even just random
members of the public, they should be canned.]
SPAM, PHISHING & ONLINE SCAMS
--Facebook Wins Record Judgment in Spam Case
(November 24, 2008)
Last week, the US District Court for the Northern District of California
ruled in favor of Facebook in a spam case, finding that Adam Guerbuez and
his company Atlantic Blue Capital had violated the CAN-SPAM Act.
Guerbuez phished for Facebook log-in credentials and then
used compromised accounts to send more than four million spam messages
to friends associated with the accounts. The court also ruled that the
defendants must pay Facebook damages of US $873 million; Guerbuez and
his co-defendants are forbidden from accessing Facebook data in the
future.
http://news.cnet.com/8301-1009_3-10106932-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
VULNERABILITIES
--Buffer Overflow Flaw in Windows Vista TCP/IP Stack
(November 21 & 24, 2008)
A buffer overflow flaw in the Windows Vista TCP/IP Stack could be
exploited to hide rootkits on vulnerable computers or cause
denial-of-service conditions. The researcher who found the
vulnerability notified Microsoft in October; he was told that it would
be fixed in the next Vista service pack.
http://news.zdnet.co.uk/security/0,1000000189,39559185,00.htm?r=1
http://www.heise-online.co.uk/security/Buffer-overflow-in-Vista-s-TCP-IP-stack--/news/112040
MALWARE
--Microsoft Reports Tool Cleared Phony Security Software from 1
Million PCs
(November 21, 2008)
Microsoft said that the November version of its Malicious Software
Removal Tool cleaned phony security software from almost one million
computers in just nine days. The malicious software gets onto PCs
either by stealth, or by users who are duped through misleading pop-ups
into downloading the rogue products.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121161&source=rss_topic17
http://www.washingtonpost.com/wp-dyn/content/article/2008/11/21/AR2008112103500_pf.html
UPDATES AND PATCHES
--Apple Issues Update for iPhone, iPod Touch
(November 22, 2008)
Apple has released an update for the iPhone and the iPod touch. In
addition to new features, the update incorporates security patches for
a dozen vulnerabilities, including two iPhone data exposure problems.
The first of these was noted in August and allows someone with physical
access to a passcode-locked device to launch applications without
needing to know the passcode. The second is a vulnerability that
exposes incoming SMS messages if the iPhone is set to emergency call
mode. Other vulnerabilities addressed in the update include remote code
execution flaws in the way the device handles image files and web pages.
http://www.vnunet.com/vnunet/news/2231088/apple-releases-iphone-update
http://news.cnet.com/8301-1009_3-10105450-83.html
ATTACKS
--London Hospital Computer Systems on Road to Recovery
(November 21, 2008)
IT staff are beginning to restore access to computer systems at three
London hospitals that were hit with a malware attack last week. The
problem was detected on Monday, November 17; by Friday, November 21,
Internet and email access were available "across key areas." Medical
services were largely unaffected apart from a temporary return to
handwritten medical charts and a short period of time during which
ambulances were diverted.
http://www.theregister.co.uk/2008/11/21/barts_mytob_recovery/
[Editor's Note (Honan): An interesting lesson observed from this
incident is to ensure that your information security incident response
plan is tied into your business continuity plan and under what
circumstances it can be invoked.]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkksSUcACgkQ+LUG5KFpTkaEkwCeIPWh/17g4Ocz+m7Z1KkuMWGQ
B2kAn3kmgphZpc5TuMmTiEpRpkvLR7iq
=Nslh
-----END PGP SIGNATURE-----