SANS NewsBites Vol. 10 Num. 94

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Dec 02 2008 - 12:12:12 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SANS 2009 Annual Conference and Training Program will be held in Orlando
in early March. It includes the largest selection of SANS courses ever
held, and all taught by our top rated teachers. SANS 2009 also includes
the largest security tools expo and extensive networking programs
through evening sessions, lunch & learns, and more. This is the one
program for which you need to register early because courses fill up
quicker than for any other training conference.
http://www.sans.org/sans2009
                                           Alan
*************************************************************************
SANS NewsBites December 2, 2008 Vol. 10, Num. 94
*************************************************************************
TOP OF THE NEWS
  Classified US Systems Breached: Attacks on US War Zone Computers
     Prompts Security Crackdown
  UK Government Will Not Establish Breach Notification Law for Private
     Sector
  MySpace Suicide Case Verdict: Three Misdemeanor Convictions
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Arrests and Charges in Home Equity Line of Credit Thefts
  POLICY AND LEGISLATION
    EU Council's Five-Year Plan to Tackle Cyber Crime Includes Remote
       Searches
  MALWARE
    London Hospitals' Computer Systems Almost Back to Normal
    Srizbi Bots Seek Alternate Command-and-Control Servers
  ACTIVE EXPLOITS, WORMS & VIRUSES
    Worm Actively Exploiting Vulnerability Addressed in MS08-067
  ATTACKS
    Cyber Thieves Hit Massachusetts Town's Bank Accounts
  MISCELLANEOUS
    Group Raises Privacy Concerns About RFID Chips in Identification Docs
       at Borders
    World Bank CIO Duties Change Hands in Wake of Attacks
    Iran Executes IT Specialist for Spying for Israel

************************** Sponsored By CA ******************************

Server Resource Protection: A Critical Element of IT Security.

Protecting server resources from internal and external access abuse and
attacks is critical to maintaining a strong security posture. Incessant
threats and attacks on enterprise security continue to challenge IT. A
recent $7 billion French banking fraud case clearly illustrates the
problem at hand. This IDC whitepaper analyzes common vulnerabilities in
protecting server resources. Learn more
http://www.sans.org/info/36058

*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Classified US Systems Breached: Attacks on US War Zone Computers
 Prompts Security Crackdown
(November 28, 2008)
The Los Angeles Times is reporting that the US Department of Defense's
decision to ban the use of USB drives and other removable data storage
devices was prompted by a significant attack on combat zone computers
and the US Central Command that oversees Iraq and Afghanistan. The
attack is believed to have originated in Russia. While no specific
details about the attack were provided, it is known that at least one
highly protected classified network was affected.
http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

 --UK Government Will Not Establish Breach Notification Law for Private Sector
(November 26 & December 1, 2008)
Last week, the UK government announced in a report that it will allow
the Information Commissioner's Office (ICO) to impose increased fines
for "deliberate or reckless loss of data," but stopped short of calling
for a law, instead allowing the ICO to establish rules for breach
disclosure. The "Response to the Data Sharing Review Report" says that
private sector organizations should disclose data breaches "as a matter
of good practice," and that the Information Commissioner's office (ICO)
should consider whether or not such organizations did disclose breaches
when taking enforcement action against the company. Public sector
organizations are already subject to requirements that they report any
data security incidents to the ICO.
http://news.zdnet.co.uk/itmanagement/0,1000000308,39563446,00.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=330437&source=rss_topic17
[Editor's Note (Pescatore): This report makes some erroneous conclusions
based on another study done by a policy group in a law firm that says
breach notifications don't have an impact on security. I think being
forced to tell customers "we have screwed you" with all the attendant
press coverage has had a major impact on boards of directors paying
attention to security - orders of magnitude more than reporting regimes
like GLB and Sarbanes-Oxley.
(Honan): This is a disappointing development and one I hope will be
rectified sooner rather than later. The UK may have no choice but to
introduce breach disclosure laws if the EU decide to issue such a
directive, as has been recommended by ENISA
http://www.csoonline.com/article/376817/Security_Agency_Calls_For_EU_Laws_on_Breach_Disclosure]

 --MySpace Suicide Case Verdict: Three Misdemeanor Convictions
(November 26 & 28, 2008)
Lori Drew, the Missouri woman who perpetrated an Internet hoax that
prompted a 13-year-old neighbor to kill herself, was convicted of three
misdemeanor offenses of accessing computers without authorization; a
federal jury acquitted Drew of three felony counts of accessing
computers without authorization to inflict emotional harm. The
misdemeanor offenses are each punishable by up to one year in prison and
a fine of US $100,000. If she had been convicted of the additional
charges, Drew could have faced 20 years in prison. Drew was tried under
the US Computer Fraud and Abuse Act for violating the MySpace terms of
agreement by establishing a phony identity and harassing another MySpace
member. The case was tried in Los Angeles because that is where MySpace
servers are housed; there was no applicable Missouri law that could be
used to prosecute Drew.
http://www.msnbc.msn.com/id/27928608/
http://www.securityfocus.com/brief/863
http://www.washingtonpost.com/wp-dyn/content/article/2008/11/26/AR2008112600629_pf.html
[Editor's Note (Schultz): This is an extremely important ruling. I was
disappointed that Drew evaded more serious charges. At the same time,
however, the fact that she was tried and convicted on the basis that she
accessed computers without authorization because she used a false
MySpace identity sets a precedent for extending the scope of the
Computer Fraud and Abuse Act well beyond cases in which individuals have
simply broken into systems.]

************************* SPONSORED LINK ******************************
1) "USB Security Software -> Auditing, Encryption, and Control -> Download Now"
http://www.sans.org/info/36063
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Arrests and Charges in Home Equity Line of Credit Thefts
(November 28, 2008)
Four people have been arrested and an additional three have pleaded
guilty to charges stemming from the activities of an identity theft ring. The
group stole more than US $12 million by illegally accessing untapped
home equity lines of credit. The thieves used documents available
online for a fee to find the necessary information, then contacted the
financial institutions and asked them to wire large chunks of the
available credit to banks in Canada and Asia. In some cases, they
changed the victims' home phone numbers to lines they controlled so they
could answer the calls verifying the transfer requests.
http://www.washingtonpost.com/wp-dyn/content/article/2008/11/27/AR2008112702027_pf.html
http://www.cybercrime.gov/polkCharge.pdf
http://www.cybercrime.gov/matthewsPlea.pdf

POLICY AND LEGISLATION
 --EU Council's Five-Year Plan to Tackle Cyber Crime Includes
Remote Searches
(December 1, 2008)
The EU Council of Ministers has approved a five year plan to tackle
cyber crime. Among the tactics proposed are remote searches of
computers suspected of being used in criminal activity; the
investigations will be coordinated by Europol. The plan also aims to
improve information sharing among European law enforcement agencies of
member nations and private companies to help prosecute criminals.
Europol has been granted 300,000 Euros (US $379,000) to develop a system
to consolidate crime reports and issue warnings about emergent threats.
http://www.theregister.co.uk/2008/12/01/eu_cybercrime_strategy/
http://news.bbc.co.uk/2/hi/technology/7758127.stm
[Editor's Note (Schultz): Given the complexity of the problem with which
Europol is faced, 300,000 Euros worth of funding seems like a pittance.
(Honan): Given that the EU Council of Ministers has only granted
€300,000 to Interpol to develop this system, one wonders how seriously they
are actually taking the issue of cyber crime.]

MALWARE
 --London Hospitals' Computer Systems Almost Back to Normal
(December 1, 2008)
Two weeks after the Mytob worm caused computer networks at three London
hospitals to be shut down, things are nearly back to normal. St.
Bartholomew's, the Royal London Hospital in Whitechapel and the London
Chest Hospital in Bethnal Green together make up the Barts and the
London NHS Trust, which said in a statement last week that 97 percent
of the computers have been scanned and are malware-free. The infection
prompted a disaster recovery plan that quarantined the Trust's PCs. The
source of the infection is still unknown.
http://www.theregister.co.uk/2008/12/01/barts_malware_infection_clean_up/

 --Srizbi Bots Seek Alternate Command-and-Control Servers
(November 26 & 27, 2008)
The Srizbi botnet, which was disabled by the shutdown of web hosting
company McColo several weeks ago, appeared to be back online early last
week. Srizbi includes an algorithm that attempts to establish new
domain names that the malware could contact for instructions should the
initial connection be severed. The botnet suffered another setback when
the Estonian Internet service provider (ISP) that had hosted its command
and control servers for a short period of time also cut off service to
those servers. Srizbi is estimated to comprise more than 450,000 PCs,
and it is believed that half of all spam generated worldwide comes
through the Srizbi botnet. The reason Srizbi was kept at bay for
several weeks was that researchers reverse engineered the Srizbi code
and figured out what domains the bots would be searching for, then
created and seized them so the bot masters could not regain control of
the army of infected machines.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121758&source=rss_topic17
http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/
[Editor's Note (Pescatore): The bot client strategies for finding
command and control centers have gotten increasingly devious. New
techniques use mechanisms that are very similar to old style spycraft,
the cyber equivalent of spy numbers stations and chalk Xs on mailboxes.
The needed security breakthrough here is being able to tell automated
actions from user-driven actions from the network, rather than relying
on blocking communications to command and control centers. ]
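The editor's note above asks for a way to tell automated actions from user-driven ones at the network level rather than chasing command-and-control addresses. The following is an added example, not code from the newsletter or from any of the researchers it cites: it parses a few constructed DNS resolver log lines (timestamp, client, query name, response code, a format assumed here for illustration) and flags clients that produce a burst of NXDOMAIN answers for random-looking registrable labels, which is the resolver-side symptom of a bot cycling through algorithmically generated domains until one resolves. The entropy, vowel-ratio and count thresholds are assumptions that would need tuning against real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the page). Assumed format:
# timestamp client query-name response-code
SAMPLE_DNS_LOG = """\
2008-11-26T08:00:01 10.0.0.5 www.example.com NOERROR
2008-11-26T08:00:02 10.0.0.5 mail.example.com NOERROR
2008-11-26T08:00:03 10.0.0.9 qzkvtrpwmx.com NXDOMAIN
2008-11-26T08:00:03 10.0.0.9 hjbnwqlxzf.net NXDOMAIN
2008-11-26T08:00:04 10.0.0.9 tkrpzmwvqb.com NXDOMAIN
2008-11-26T08:00:04 10.0.0.9 xlqvnzprwk.org NXDOMAIN
2008-11-26T08:00:05 10.0.0.9 vbqztrkxpm.com NXDOMAIN
2008-11-26T08:00:06 10.0.0.9 mkzqvxrtpb.net NOERROR
2008-11-26T08:00:07 10.0.0.5 cdn.images.example.org NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for a single repeated char)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Label directly left of the TLD. Assumption: single-label public
    suffixes only; a real deployment would use the public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {"entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio,
            "length": len(label)}


def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Lexical heuristic: long, high-entropy, vowel-poor labels are typical of
    machine-generated names. Thresholds are assumptions, not measured values."""
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def find_dga_suspects(records, min_generated=3, min_nxdomain=3):
    """Flag clients that both asked for several generated-looking names and
    collected several NXDOMAIN answers; either signal alone is too noisy."""
    per_client = defaultdict(lambda: {"generated": 0, "nxdomain": 0, "samples": []})
    for r in records:
        stats = per_client[r["client"]]
        if r["rcode"] == "NXDOMAIN":
            stats["nxdomain"] += 1
        if looks_generated(registrable_label(r["qname"])):
            stats["generated"] += 1
            stats["samples"].append(r["qname"])
    return {client: s for client, s in per_client.items()
            if s["generated"] >= min_generated and s["nxdomain"] >= min_nxdomain}


if __name__ == "__main__":
    for client, stats in find_dga_suspects(parse_log(SAMPLE_DNS_LOG)).items():
        print(client, stats["nxdomain"], "NXDOMAIN,", stats["generated"],
              "generated-looking names, e.g.", stats["samples"][:3])
```

Lexical features alone misfire on CDN and tracking hostnames, which is why a client is only reported when both the NXDOMAIN count and the generated-looking count cross their thresholds. In a real resolver feed you would also exempt known suffixes and pay particular attention to a failure burst that ends in a single NOERROR answer, since that is the point at which the client found a live server.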

ACTIVE EXPLOITS, WORMS & VIRUSES
 --Worm Actively Exploiting Vulnerability Addressed in MS08-067
(November 26 & 27 & December 1, 2008)
Researchers at Microsoft have noted a recent spike in attacks exploiting
the vulnerability patched in the company's MS08-067 bulletin, which was
released as an out-of-cycle fix in late October 2008. The remote code
execution flaw lies in the RPC (remote procedure call) functions of the
Server Service. One of the culprits is a worm called Conficker.A;
infections have been reported in corporate environments and by "several
hundred" home users as well. Once this particular worm infects a
computer, it "patches the vulnerable API in memory" so other malware
cannot take control of the machine. The worm appears to be creating a
sizeable botnet.
http://www.theregister.co.uk/2008/11/26/conficker_attacks_windows/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121660&source=rss_topic17
http://news.cnet.com/8301-1009_3-10109080-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.securityfocus.com/brief/862
http://www.heise-online.co.uk/security/Windows-worm-infection-accelerates--/news/112077
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958&source=rss_topic17
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

ATTACKS
 --Cyber Thieves Hit Massachusetts Town's Bank Accounts
(November 26, 2008)
A computer at the Sandwich, Massachusetts treasurer's office was
infected with keystroke-logging software, allowing attackers to harvest
access credentials that they used to steal approximately US $50,000 from
town bank accounts. The cyber thieves transferred the stolen funds to
accounts in Florida and Georgia. Sandwich Police Chief Michael J.
Miller plans to ask the FBI to help with the investigation. Law
enforcement authorities in Florida have questioned a man who opened one
of the accounts; he said he had answered an ad that offered payment for
opening an account. After the thieves transferred the money to that
account, he was allegedly to wire it to Russia. The thieves were careful
to keep the amounts transferred under US $10,000, the threshold that
triggers FBI notification.
http://www.boston.com/news/local/massachusetts/articles/2008/11/26/sandwich_loses_nearly_50k_to_hacker/
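The thieves' trick of keeping each transfer under the US $10,000 reporting threshold is a pattern a finance or security team can look for directly. The following is an added example, not code from the newsletter or from any party it names: it reads a few constructed outbound-transfer records (timestamp, source account, amount, destination, a format assumed here) and flags a source account whose individually sub-threshold transfers add up to the threshold or more inside a sliding time window. The three-day window and minimum count are assumptions; the threshold value is the one the article gives.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer records (not from the page). Assumed format:
# timestamp source-account amount destination-account
SAMPLE_TRANSFERS = """\
2008-11-20T09:12:00 town-operating 9800.00 FL-ACCT-1
2008-11-20T09:40:00 town-operating 9750.00 FL-ACCT-1
2008-11-21T10:05:00 town-operating 9900.00 GA-ACCT-2
2008-11-21T11:30:00 town-operating 9600.00 FL-ACCT-1
2008-11-22T14:00:00 town-payroll 25000.00 PAYROLL-VENDOR
2008-11-24T09:00:00 town-operating 2500.00 OFFICE-SUPPLY
"""


def parse_transfers(text):
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, amount, dest = line.split()
        transfers.append({"ts": datetime.fromisoformat(ts),
                          "source": source,
                          "amount": float(amount),
                          "dest": dest})
    return transfers


def find_structured_transfers(transfers, threshold=10000.0,
                              window=timedelta(days=3), min_count=2):
    """Report source accounts whose sub-threshold transfers, taken together
    within `window` of an anchor transfer, reach `threshold`. Transfers at or
    above the threshold are ignored here because they already trigger the
    ordinary report."""
    by_source = defaultdict(list)
    for t in transfers:
        if t["amount"] < threshold:
            by_source[t["source"]].append(t)

    alerts = {}
    for source, items in by_source.items():
        items.sort(key=lambda t: t["ts"])
        for i, anchor in enumerate(items):
            # every sub-threshold transfer from this anchor forward within the window
            in_window = [t for t in items[i:] if t["ts"] - anchor["ts"] <= window]
            total = sum(t["amount"] for t in in_window)
            if len(in_window) >= min_count and total >= threshold:
                alerts[source] = {
                    "count": len(in_window),
                    "total": total,
                    "first": in_window[0]["ts"],
                    "last": in_window[-1]["ts"],
                    "destinations": sorted({t["dest"] for t in in_window}),
                }
                break  # one alert per source account; the analyst reviews the rest
    return alerts


if __name__ == "__main__":
    for source, a in find_structured_transfers(parse_transfers(SAMPLE_TRANSFERS)).items():
        print(f"{source}: {a['count']} transfers totalling {a['total']:.2f} "
              f"between {a['first']} and {a['last']} to {a['destinations']}")
```

The alert is keyed by source account rather than by destination because, as in the article, the money went to several mule accounts in different states. Small legitimate payments do fall into the window, so the analyst gets the destination list and time span to judge the hit; pairing this with a credential-compromise indicator on the workstation that initiated the transfers is what would have connected the two halves of the Sandwich case.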

MISCELLANEOUS
 --Group Raises Privacy Concerns About RFID Chips in Identification Docs at Borders
(December 1, 2008)
The Association of Corporate Travel Executives (ACTE) wants the US to
stop using a system that reads RFID tags in government issued
identification documents at border crossings, pending a review of the
security issues the system poses. ACTE is concerned specifically with
the possibility that people could eavesdrop on the RFID chips at the
border or even at other locations. Presently, the only information
contained in the chips is a unique identification number, but there is
concern that this number alone is enough to track an individual's
travel. A paper published last summer examined security concerns raised
by the use of RFID tags in passport cards and driver's licenses.
http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/
http://www.rsa.com/rsalabs/node.asp?id=3557

 --World Bank CIO Duties Change Hands in Wake of Attacks
(November 26 & 27, 2008)
The World Bank has made some personnel changes following attacks on the
organization's computer systems last summer. World Bank Vice President
and Chief Information Officer Guy-Pierre De Poerck has been relieved of
duties; they are now in the hands of Head of General Services Robert Van
Pulley. A World Bank spokesperson did not say if the shift in
responsibilities indicated that De Poerck was being blamed for the
attacks. The World Bank has also commissioned "a comprehensive external
review" of its information systems.
http://www.ft.com/cms/s/0/f0b4e6ac-bc9e-11dd-9efc-0000779fd18c.html
http://www.foxnews.com/story/0,2933,458085,00.html

 --Iran Executes IT Specialist for Spying for Israel
(November 22, 25 & 30, 2008)
Last month, Iran executed an Iranian IT specialist after he confessed
to working for the Israeli intelligence service, Mossad. Ali Ashtari
traveled overseas to purchase equipment, including computers, necessary
for Iran's nuclear program. Ashtari allegedly allowed the equipment to
be altered so that Mossad could keep tabs on and even interfere with
Iranian weapons development. Iran claims to have broken another Mossad
spy ring and plans to seek the death penalty for those suspects as well.
http://www.timesonline.co.uk/tol/news/world/middle_east/article5258057.ece
http://www.nytimes.com/2008/11/26/world/middleeast/26iran.html?ref=world
http://latimesblogs.latimes.com/babylonbeyond/2008/11/an-iranian-busi.html

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkk1cDgACgkQ+LUG5KFpTkYcjgCfZZL94UcUFnLsbeWIZ5USvLp5
xp0An3/UBLXWTKE+L67AXbCzcIxHxG3r
=aZHi
-----END PGP SIGNATURE-----