
SANS NewsBites Vol. 10 Num. 96

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Dec 09 2008 - 17:38:10 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Three important resources - all free:
The top story is about the report just released by the Commission on
Cyber Security for the 44th Presidency. The two Congressional co-chairs
told the press yesterday that they will do everything in their power to
help get the recommendations implemented. The Obama transition team has
already asked for a full briefing. You can get your own copy at
http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

In his editorial note below Gartner's John Pescatore calls for better
application security. In an important step in the right direction, the
New York Office of Cyber Security and Critical Infrastructure
Coordination has developed standard procurement language for ensuring
security is baked into applications purchased and developed by the
State. Dozens of other states are reviewing the new procurement language
and several are already implementing it. They have agreed to make their
work available to the broader security community through SANS. CIOs and
CISOs from medium and large organizations may request a copy by emailing
apaller@sans.org.

Free live-on-line training on the most important new techniques in
penetration testing. Ed Skoudis, the nation's top pen testing and hacker
exploits teacher, is doing a 90 minute briefing called "Secrets of
America's Top Penetration Testers," on Wednesday, December 17, from
1:00pm - 2:30pm EST and again on December 22nd when the 200 seats at the
first one fill up. Great chance to see how good online, live education
can be. To register, visit
https://www.sans.org/athome/details.php?nid=16889

If you want a seat in Ed's full six-day course (or his one-day update
courses) at SANS 2009 in Orlando - be sure to sign up before the end of
the year - his courses always fill up earlier than the others. Forty
other courses at SANS 2009, too. http://www.sans.org/sans2009

                                         Alan
*************************************************************************
SANS NewsBites December 9, 2008 Vol. 10, Num. 96
*************************************************************************
TOP OF THE NEWS
  Report Urges Obama to Create High Level Cyber Security Position
  Group Aims to Shift Cyber Security Focus From Compliance to
    Effectiveness Against Attacks
  Security Fed's Achilles Heel: Need Baked-in Security
  European Court Ruling Means Britain Must Destroy Some DNA Evidence
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Two Arrests in BNP Membership List Leak Case
    Three Indicted in Thefts from Online Financial Accounts
  POLICY AND LEGISLATION
    China Wants to Inspect Imported Computer Security Technology
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Microsoft Lawsuits Target Alleged Sellers of Pirated Software
  MALWARE
    DNSChanger Trojan Variant Detected
  UPDATES AND PATCHES
    Firefox to Discontinue Anti-Phishing Feature in Version 2 Update
  ATTACKS
    SSH Brute Force Attack Uses Botnet to Target Specific Servers
  STUDIES AND STATISTICS
    BitDefender Report Says Phony Anti-Virus Programs Responsible for
      Many Windows Infections

*********************** Sponsored By ArcSight, Inc. *********************

Complimentary Whitepaper: Monitoring Data Access by Privileged Users
Data breaches and confidential information theft continue to rise. An
effective SIEM solution can help organizations understand who is on the
network, what data they are seeing, and which actions they are taking
with that data.
This whitepaper outlines how SIEM can provide privileged user monitoring
across all applications, file systems, and databases. The result is
increased security and data protection.
http://www.sans.org/info/36328
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Report Urges Obama to Create High Level Cyber Security Position
(December 8, 2008)
In a report titled "Securing Cyberspace for the 44th Presidency," the
CSIS Commission on Cybersecurity for the 44th Presidency urges
President-elect Barack Obama to create the National Office for
Cyberspace, a new White House office headed by an Assistant to the
President for Cyberspace, who would oversee 10-20 employees. The report
also pushes for new legislation that would allow investigations into
cyber crime to proceed more quickly. Among the proposals is the
creation of data warrants in place of search warrants. Commission
member Jerry Dixon said, "We have to have a solid cyber doctrine"
defining when incidents would require military action and when they
would be better addressed through law enforcement or intelligence
community channels. The report makes numerous other recommendations,
including moving the government away from passwords toward strong
authentication for network access.
http://www.securityfocus.com/news/11540
http://www.nextgov.com/nextgov/ng_20081208_8449.php
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122903&source=rss_topic17
http://online.wsj.com/article/SB122870335556887341.html?mod=googlenews_wsj
http://news.cnet.com/8301-13578_3-10117856-38.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.nytimes.com/2008/12/09/technology/09security.html?partner=rss&emc=rss&pagewanted=print
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/08/AR2008120801944_pf.html
http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf
[Editor's Note (Skoudis): US-based infosec pros really should read this
document, as it contains numerous insights that will influence the
evolution of our industry here. Set aside some time this weekend to
flip through it at least. Even if its recommendations aren't adopted,
it will frame the debate, so reading it will help people contribute to
that debate. ]

 --Group Aims to Shift Cyber Security Focus From Compliance to
   Effectiveness Against Attacks
(December 4, 2008)
A group of security experts, led by ex-Air Force CIO John Gilligan, is
developing cyber security standards it hopes will be endorsed by the
Federal CIO Council, the Inspectors General, and Office of Management
and Budget (OMB). The standards would shift agency focus from checklist
compliance to measuring how ready agencies are to withstand known
attacks and how ready they are to discover and clean up after attacks
that were successful. The new "attack-based metrics" approach draws on
both government and private hacker and forensics knowledge to understand
how systems are being infiltrated and attacked and to measure the
effectiveness of controls meant to counter those attacks. It seeks to
solve the problems caused by NIST guidance that diffused agency efforts
so widely that they did not focus on the most important controls. The
approach is similar to that used by the US Air Force, which worked with
National Security Agency (NSA) hackers to document the vulnerabilities
in their systems; the project ultimately led to the development of the
Federal Desktop Core Configuration (FDCC). The group helping to shape
the new standards includes experts at the NSA, the Air Force, the US
Computer Emergency Readiness Team (US-CERT) and the Defense Department
Cyber Crime Center, the Government Accountability Office, as well as
leaders in the forensics and penetration testing community outside
government.
http://www.federaltimes.com/index.php?S=3849692
Thursday at 10 AM Eastern Standard Time, Mr. Gilligan will be
interviewed about the project on Federal News Radio. Listen live at
http://www.federalnewsradio.com/?nid=249 or listen to the archive later.
[Editor's Note (Honan): The development of the Federal Desktop Core
Configuration (FDCC) was an excellent piece of work. Let's hope that
this new project can produce results of the same quality which both
Government and industry can apply to enhance the security of our
networks.]

 --Security Fed's Achilles Heel: Need Baked-in Security
(December 3, 2008)
Speaking at a conference last week, US Air Force chief information
officer (CIO) Lt. Gen. Michael Peterson called cyber security the US
government's "Achilles heel" and said that best practices need to become
ubiquitous for government agencies to be adequately protected from cyber
threats. Peterson added that he believes that in the future, conflict
will not become solely computer based, but that cyber attacks will be
one strategy among many used by adversaries. Peterson said cyber
security needs to be implemented in agency operations, not added on as
an afterthought.
http://www.nextgov.com/nextgov/ng_20081203_1212.php
[Editor's Note (Pescatore): One good way the DoD could accelerate
"baking in security" (vs. trying to sprinkle it on at the end) is to
accelerate efforts to change the certification and accreditation process
for IT systems from a paper-driven exercise to something that has more
focus both on early design review for inclusion of security capabilities
*and* on actually detecting vulnerabilities in software before approving
systems.
(Northcutt): You have to give the government some credit for moving in
the direction of best practice, but they need to go further - to begin
to shift the focus to be more on detection so they are ready when the
inevitable compromises occur. We need to get better at detecting
collected information being taken and "beamed to the mothership" and
also detecting malware on systems themselves.
(Paller): Few security problems are more challenging than finding the
"persistent presence" of attackers who have burrowed into systems and
networks. The US government has prioritized solving that problem as one
of the 12 key projects of the multi-billion-dollar Comprehensive
National Cyber Initiative (CNCI).]

 --European Court Ruling Means Britain Must Destroy Some DNA Evidence
(December 4 & 5, 2008)
The European Court of Human Rights has ruled unanimously that retaining
people's DNA samples and fingerprints when they have not been convicted
of a crime is a violation of privacy. The ruling, which cannot be
appealed, stems from a case in which two people in unrelated incidents
sought to have their information purged from the UK's DNA database; in
one of the instances, the charges were dropped, in the other, the
individual was acquitted of the charges. Britain has until March to
develop a plan for destroying the information it holds or for making a
solid case for keeping some of the information. Britain's DNA database
contains more than 4.5 million samples. More than 850,000 samples are
from individuals with no criminal records. The current policy in
Britain is to retain the information for 100 years or until the person
dies. In Scotland, DNA samples taken for investigations that are
ultimately dropped are destroyed. Finland, Germany and Sweden also
destroy DNA samples when people are acquitted.
http://www.msnbc.msn.com/id/28056833/
http://news.cnet.com/8301-1009_3-10114304-83.html?tag=mncol;title
[Editor's Note (Skoudis): These points of overlap between biology and
IT in areas such as bioinformatics, genetic engineering, and biometrics
are fascinating and very much charged with ethical implications. We're
heading for a lot of controversy in this rapidly expanding and exciting
realm.]

*************** SPONSORED LINK SCADA SECURITY SUMMIT ******************
How to present security investments to public utility commissioners. How
to manage security in a disaster when you have to keep running and let
outsiders in. Where the vulnerabilities are in the new smart meters.
Much more. All at the SCADA and Control Systems Security Summit in New
Orleans, February 2-3. Plus free courses sponsored by DHS and DoE.
http://www.sans.org/scada09_summit/
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Two Arrests in BNP Membership List Leak Case
(December 5, 2008)
Two people have been arrested in connection with the leak of the British
National Party (BNP) membership list to the Internet. The people have
been charged under the UK Data Protection Act. The list of
approximately 13,500 members of the far-right organization was leaked
to the Internet last month. The information that was exposed includes
names, addresses and email addresses. Membership in the organization
is generally kept secret because of fears of harassment. The list is
believed to hold information of people who had expressed interest in the
BNP as well as official members.
http://www.theregister.co.uk/2008/12/05/bnp_list_arrests/
http://www.guardian.co.uk/politics/2008/dec/05/bnp-leak-arrests
[Editor's Note (Northcutt): On my taxi drive to SANS CDI in Washington
DC, the driver was playing a public radio piece with the history of the
John Birch Society which just turned 50. The more I listened, the more
I wondered about the impact of their losing their membership list,
especially in the 60s when they were such a focus. This strategy
(releasing the membership list of a private - secret society) was alive
and well in ancient Rome, but now that you can extract phonebooks from
cell phones with Bluetooth, and database schemas from Internet facing
web sites, it can only become more common.]

 --Three Indicted in Thefts from Online Financial Accounts
(December 5, 2008)
Three men have been indicted in connection with a scheme in which
thousands of dollars from online bank and brokerage accounts were
stolen. Authorities believe the mastermind of the scheme was Alexander
Bobnev of Volgograd, Russia, who allegedly recruited others in Russia
to infect machines with Trojan horse programs that stole account
login credentials. Bobnev also allegedly transferred money from the
accounts into drop accounts in the US. There, Aleksey Volynskiy and
Aleksey Mineev were allegedly responsible for opening the drop accounts
and withdrawing the money. All three men face charges of conspiracy;
Volynskiy faces two additional charges of access device fraud for
allegedly attempting to have stolen credit card numbers made into phony
cards.
http://blog.wired.com/27bstroke6/2008/12/fed-blotter-ame.html
http://blog.wired.com/27bstroke6/files/alexander_bobnev_indictment.pdf
http://blog.wired.com/27bstroke6/files/aleksey_volynskiy_indictment.pdf

POLICY AND LEGISLATION
 --China Wants to Inspect Imported Computer Security Technology
(December 8, 2008)
As of May 1, 2009, computer security technology that comes from outside
China must be submitted to the government for approval and
certification, raising concerns that companies may have to divulge trade
secrets. According to a statement from the China Certification and
Accreditation Administration, the rules are aimed at protecting national
security and "advanc[ing] industry development." It has not specified
what information the companies must disclose. The rules cover an array
of hardware and software, including database and network security
systems and secure routers.
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/08/AR2008120801333_pf.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Microsoft Lawsuits Target Alleged Sellers of Pirated Software
(December 5, 2008)
Microsoft has filed 63 lawsuits against people the company believes are
selling pirated copies of its software on Internet auction sites. The
suits name defendants in the UK, the US, France and Germany; most are
accused of selling phony copies of Windows XP, which is reportedly
growing in popularity on the sites "as it is reaching the end of its
commercial sales cycle." PCs sold with preinstalled Microsoft software
after June 2008 come with Windows Vista instead of XP. According to
Microsoft's research, 34 percent of the software sold on the auction
sites does not install properly on PCs, and 43 percent contains altered
code that could make users' PCs susceptible to cyber attacks.
http://news.bbc.co.uk/2/hi/technology/7766607.stm

MALWARE
 --DNSChanger Trojan Variant Detected
(December 5, 2008)
A new variant of the DNSChanger Trojan horse program has been
identified. The malware affects a range of devices on local networks
and directs them to phony websites even if the computers are fully
patched Windows machines or are running other operating systems.
Just one infected machine on a local area network (LAN) can change the
DNS settings for many other connected devices. The malware "undermines
the dynamic host configuration protocol (DHCP)." Internet Storm Center
posted the original story reporting this new variant:
http://isc.sans.org/diary.html?storyid=5434
http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/
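The item above says one infected host can rewrite DNS settings for every device on the LAN by undermining DHCP, which is why patched Windows boxes and other operating systems are affected alike. The defensive counterpart is to watch the DHCP offers seen on the segment and flag any that come from an unexpected server or hand out resolvers you do not operate. The following is an added example written for this summary, not code from the Internet Storm Center or The Register: it parses the RFC 2132 option list of a DHCP packet, audits OFFER messages against a trusted server and resolver list, and builds two constructed sample offers (the addresses, allowlist, and the rogue resolvers in 203.0.113.0/24 are all invented for the example) to show a clean offer beside a rogue one.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie preceding the options
OPT_ROUTER, OPT_DNS, OPT_MESSAGE_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPOFFER = 2


def parse_dhcp_options(packet):
    """Return {option_code: raw value} from a BOOTP/DHCP packet.
    Walks the RFC 2132 TLV list that follows the 236-byte fixed header and the
    magic cookie; option overloading into sname/file (option 52) is not handled."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(raw):
    """Decode a concatenated list of 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4]))
            for k in range(0, len(raw) // 4 * 4, 4)]


def audit_offer(packet, trusted_servers, trusted_dns):
    """Compare one DHCP OFFER with the known-good server and resolver list.
    Returns None for packets that are not OFFERs, otherwise the decoded
    server/DNS values plus a list of findings (empty when the offer is clean)."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return None
    server = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    dns = ipv4_list(opts.get(OPT_DNS, b""))
    server_ip = server[0] if server else None
    findings = []
    if server_ip not in trusted_servers:
        findings.append("offer from unexpected DHCP server %s" % server_ip)
    for resolver in dns:
        if resolver not in trusted_dns:
            findings.append("offer hands out untrusted DNS server %s" % resolver)
    return {"server": server_ip, "dns": dns, "findings": findings}


def build_offer(server_ip, dns_ips, client_ip="192.168.1.50", router_ip="192.168.1.1"):
    """Construct a minimal DHCP OFFER (sample data for this example, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,            # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4,                               # ciaddr
                        ipaddress.IPv4Address(client_ip).packed,  # yiaddr
                        ipaddress.IPv4Address(server_ip).packed,  # siaddr
                        b"\0" * 4)                               # giaddr
    fixed += b"\0" * (236 - len(fixed))                           # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router_ip).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw
    return fixed + DHCP_MAGIC + opts + b"\xff"


# Constructed allowlist: on this invented LAN only the router serves DHCP and DNS.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}


def audit_samples():
    """Audit a legitimate offer and a constructed rogue offer from another LAN host."""
    legit = build_offer("192.168.1.1", ["192.168.1.1"])
    rogue = build_offer("192.168.1.77", ["203.0.113.5", "203.0.113.6"])
    return {
        "legit": audit_offer(legit, TRUSTED_SERVERS, TRUSTED_DNS),
        "rogue": audit_offer(rogue, TRUSTED_SERVERS, TRUSTED_DNS),
    }


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(name, result["server"], result["dns"], result["findings"] or "ok")
```

In practice the packet bytes would come from a capture of UDP port 68 traffic on the segment; the check is cheap enough to run continuously, and a finding of the second kind is exactly what the story describes: a device that is not your DHCP server handing every client resolvers it controls.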

UPDATES AND PATCHES
 --Firefox to Discontinue Anti-Phishing Feature in Version 2 Update
(December 5 & 8, 2008)
Firefox users who are still running Firefox 2 are urged to upgrade to
Firefox 3, as the next (and final) version of Firefox 2, scheduled for
release on December 16, will no longer have the anti-phishing feature.
Google has asked Mozilla to remove the feature from future versions of
Firefox 2 because it still uses Application Programming Interface (API)
version 1; Google plans to stop using that version soon. Users who
choose to update to Firefox 2.0.0.19 instead of upgrading to Firefox 3
will receive a clear warning that the new version will not provide
anti-phishing protection. Mozilla released Firefox 3 in June 2008.
http://www.heise-online.co.uk/security/Mozilla-pulls-anti-phishing-feature-from-Firefox-2--/news/112185
http://news.cnet.com/8301-1009_3-10115852-83.html

ATTACKS
 --SSH Brute Force Attack Uses Botnet to Target Specific Servers
(December 5 & 8, 2008)
After noting a spike in failed SSH logins in October, researchers
identified an ongoing brute-force attack that involves multiple machines
that have been compromised with bot software. The attacks target
specific servers. Researchers have not been able to obtain a sample of
the botnet code used in the attack.
http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
http://www.heise-online.co.uk/security/Distributed-SSH-attacks-bypass-blacklists--/news/112174
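The heise headline above makes the practical point: a brute-force attempt spread across a botnet leaves each source below the failure count that a per-IP blacklist keys on, so the classic rule never fires even though the targeted server sees a clear spike. The following is an added example, not code from either article: it parses constructed sshd "Failed password" lines (the hostnames, timestamps, and addresses in the documentation ranges are invented) and contrasts the per-source rule with one that aggregates failures by target account across distinct sources, which is what surfaces a distributed attack.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt (sample data, not from the reported incident):
# six bot-controlled sources each make only one or two attempts against the
# same "root" account on one host, so no single source stands out.
SAMPLE_LOG = """\
Dec  5 03:14:01 web1 sshd[4021]: Failed password for root from 198.51.100.7 port 40212 ssh2
Dec  5 03:14:03 web1 sshd[4023]: Failed password for root from 203.0.113.19 port 51022 ssh2
Dec  5 03:14:05 web1 sshd[4025]: Failed password for root from 192.0.2.44 port 38711 ssh2
Dec  5 03:14:09 web1 sshd[4027]: Failed password for root from 198.51.100.7 port 40218 ssh2
Dec  5 03:14:12 web1 sshd[4029]: Failed password for root from 203.0.113.88 port 55390 ssh2
Dec  5 03:14:15 web1 sshd[4031]: Failed password for invalid user admin from 192.0.2.101 port 47710 ssh2
Dec  5 03:14:18 web1 sshd[4033]: Failed password for root from 192.0.2.101 port 47712 ssh2
Dec  5 03:14:21 web1 sshd[4035]: Failed password for root from 203.0.113.19 port 51030 ssh2
Dec  5 03:14:24 web1 sshd[4037]: Failed password for root from 198.51.100.250 port 60101 ssh2
Dec  5 03:20:41 web1 sshd[4099]: Accepted publickey for deploy from 10.0.0.5 port 50222 ssh2
"""

# Matches OpenSSH's failed-password message for both existing and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (user, source_ip) pairs, one per failed password attempt."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def per_source_offenders(failures, threshold=5):
    """Classic per-IP rule, the one a blacklist keys on: sources with at least
    `threshold` failures. A distributed attack keeps every source below it."""
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_targets(failures, min_failures=5, min_sources=3):
    """Aggregate by target account instead of by source: accounts drawing many
    failures from many distinct sources, regardless of the per-source count."""
    by_user = defaultdict(list)
    for user, ip in failures:
        by_user[user].append(ip)
    hits = {}
    for user, ips in by_user.items():
        if len(ips) >= min_failures and len(set(ips)) >= min_sources:
            hits[user] = {"failures": len(ips), "sources": sorted(set(ips))}
    return hits


def analyze(log_text):
    """Run both rules over a log excerpt and return their results side by side."""
    failures = parse_failures(log_text)
    return {
        "total_failures": len(failures),
        "per_source_offenders": per_source_offenders(failures),
        "distributed_targets": distributed_targets(failures),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("failed attempts:", report["total_failures"])
    print("per-IP rule fires on:", report["per_source_offenders"] or "nothing")
    for user, info in report["distributed_targets"].items():
        print("distributed attack on %r: %d failures from %d sources"
              % (user, info["failures"], len(info["sources"])))
```

On the sample, the per-IP rule returns nothing (no source exceeds two failures) while the aggregated rule reports eight failures against root from six sources in under half a minute. The thresholds are parameters because the right values depend on the host's normal failure rate; the point is that the aggregation key has to be the target, not the source, for this class of attack.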

STUDIES AND STATISTICS
 --BitDefender Report Says Phony Anti-Virus Programs Responsible
for Many Windows Infections
(December 6, 2008)
According to BitDefender's Top E-Threats Report, more than one-third of
infections of Windows-based computers in the last month are from phony
anti-virus scams. The malware pops up a window that claims to be
scanning for malware. It then pops up a message that it detected
malware on the computer and asks the user to buy a program to get rid
of the offending code. The scam nets the thieves the credit card
information of those who choose to purchase the bogus program and gives
them the opportunity to take control of those computers, because what
is actually downloaded to their computers when they buy the fake program
is malware which could be anything from adware to bot software.
http://www.heise-online.co.uk/security/Most-recent-Windows-infections-result-from-the-same-simple-trick--/news/112176

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkk+u3QACgkQ+LUG5KFpTka16QCgpZBzyB2WflVCcVJ+PfyMDZvh
xSAAmgPnj+WCZxetG+vt4YQYzn3a2uaS
=GjH9
-----END PGP SIGNATURE-----