From: The SANS Institute (NewsBites sans.org)
Date: Fri Dec 12 2008 - 13:49:48 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A bonus exclusively for those of you who may attend SANS2009 in Orlando or
SANS Security West in Las Vegas (something you can offer to all of your
co-workers at no cost): three two-part, live-online, pre-conference
training programs by SANS top instructors (the newest, most effective
pen testing techniques, forensics, and application security). We'll give
you more details in mid-January, but wanted you to know early in case a
gift like this to your co-workers helps you use end-of-year funds to
register for either of those programs.
SANS Security West: http://www.sans.org/securitywest09/
SANS 2009: http://www.sans.org/sans2009/
Alan
*************************************************************************
SANS NewsBites December 12, 2008 Vol. 10, Num. 97
*************************************************************************
TOP OF THE NEWS
Sony Will Pay Penalties for COPPA Violations
McAfee's Virtual Criminology Report
Mumbai Terrorists Used VoIP, Satellite Images and GPS to Help Plan and
Carry Out Attacks
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
T-Mobile and AT&T Will No Longer Advertise Their Voice Mail Systems
as Secure
Judge Grants TRO to Shut Down Scareware operation
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Chertoff Wary of Moving Cyber Security Oversight from DHS to White
House
Possible Candidates for Cyber Czar
Federal CISOs Discuss Possible FISMA Changes
VULNERABILITIES, UPDATES AND PATCHES
Zero-Day Flaws Detected in Internet Explorer and WordPad
December's Patch Tuesday Comprises Eight Security Bulletins
STUDIES AND STATISTICS
Irish Cybercrime Survey
Firefox Tops List of Most Known Vulnerabilities in Applications
******************* Sponsored By Sourcefire, Inc. ***********************
SANS Real-time Adaptive Security White Paper
Real-time Adaptive Security is the next step beyond an IPS
implementation. It gives you full network visibility, provides context
around events so you know which ones to investigate first, reduces your
false positives dramatically, offers automated impact assessment,
introduces automated IPS tuning, and more. Let SANS tell you how.
http://www.sans.org/info/36414
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Sony Will Pay Penalties for COPPA Violations
(December 11, 2008)
The US Federal Trade Commission (FTC) has announced that Sony BMG Music
Entertainment will pay penalties of US $1 million for violations of the
Children's Online Privacy Protection Act (COPPA). Sony BMG collected
data from more than 30,000 children under the age of 13 without their
parents' consent, which is required under COPPA. The FTC says that Sony
BMG allowed children to interact with other visitors to some of their
sites, including adults, again without parental consent. Sony BMG's
privacy policy stated that site users under the age of 13 would be
restricted from certain activities on the site, but the underage
registrations were accepted.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123219&source=rss_topic17
[Editor's Note (Ranum): This is a very interesting problem for social
networking sites. Many attempt to control what minors can do/see but
have no real way of reliably differentiating a minor from an adult. I
participate in an online arts site that has blocks to prevent minors
from seeing "mature content" but everyone knows that minors create
profiles with inaccurate ages. At what point does the site become
liable? Personally, I think this should be the parents' problem, not the
Internet's; COPPA is fundamentally deeply flawed legislation.]
--McAfee's Virtual Criminology Report
(December 2008)
McAfee's annual Virtual Criminology Report arrived at three key
findings. First, cyber crime is not a priority of governments around the
world; the low priority is compounded by other pressing international
concerns such as terrorism and the economy. Second, because the cyber
world knows no borders, prosecution for cyber crime often proves
difficult. Finally, law enforcement organizations lack adequate
training in all aspects of cyber crime, from forensics to court
proceedings. The report makes a number of recommendations to mitigate
the problems it describes: increasing training for law enforcement
officers, prosecutors and judges; incentives for Internet service
providers (ISPs) to adhere to best practices for network design and
operation; mandatory security breach disclosure; legal responsibilities
for organizations in both the private and public sectors for
Internet-related data breach or loss; consumer education; limited
liability for software vendors that do not abide by best practices for
security in design and operation; and "the use of government procurement
power to demand significantly higher standards of security in software
and services."
http://www.mcafee.com/us/local_content/reports/mcafee_vcr_08.pdf
http://voices.washingtonpost.com/securityfix/2008/12/report_cybercrime_is_winning_t.html
--Mumbai Terrorists Used VoIP, Satellite Images and GPS to Help
Plan and Carry Out Attacks
(December 10, 2008)
The terrorists who perpetrated the deadly attacks in Mumbai, India used
Voice over Internet Protocol (VoIP) telephones during the three days of
violence to maintain contact with their leaders. The attackers used the
mode of communication to evade attempts to monitor their communications.
The terrorists in the Mumbai attacks were also believed to have used GPS
devices to travel to Mumbai by sea. It is also believed that they
learned the layout of the city by studying satellite images. There has
been a petition filed in court in India to ban the use of Google Earth
and similar services. Taliban members in Afghanistan reportedly use
Skype to guard against eavesdroppers on their communications, and other
attackers have been known to use information gleaned from Google Earth
to launch attacks.
http://www.timesonline.co.uk/tol/news/world/asia/article5317075.ece
[Editor's Note (Schultz): The terrorists' use of these technologies in
carrying out their sordid deeds once again shows that technological
advances are truly a two-edged sword. In time, this problem is only
likely to become worse.
(Ranum): On the other hand, these are all common technologies, so it
would be surprising if they didn't use them.
(Pescatore): This is kind of silly. The attackers also used TV to
monitor news reports. I took my family on vacation to Italy last year
and we used GPS, laptops, cell phones, Google Earth and Skype. I bet a
good percentage of tourists did - and also cell phone cameras and all
kinds of other technology. The police forces also took advantage of the
same technology to *respond* faster to the terrorist attack. The problem
wasn't technology - the most effective technology the attackers used was
gunpowder and that was invented over a thousand years ago.]
*************** SPONSORED LINK SCADA SECURITY SUMMIT ******************
1) ALERT: Hackers Announce Open Season on Web 2.0 Users and Browsers-
Purewire White Paper
http://www.sans.org/info/36419
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--T-Mobile and AT&T Will No Longer Advertise Their Voice Mail
Systems as Secure
(December 11, 2008)
T-Mobile and AT&T have agreed to permanent injunctions in a Los Angeles
court that prohibit them from claiming that their voice-mail systems are
protected from sabotage. The Los Angeles District Attorney's Office
says the two mobile service providers advertised that their systems were
secure when they were not. An investigation revealed that their voice
mail could easily be broken into, changed or deleted.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123242&source=rss_topic17
[Editor's Note (Honan): If only we could get a similar ruling against
IT security vendors who promise their products will make your systems
compliant against whatever the latest popular standard is.]
--Judge Grants TRO to Shut Down Scareware operation
(December 10 & 11, 2008)
A federal judge has issued a temporary restraining order that closes
down operations of two companies involved in the marketing and
distribution of phony malware protection software, often known as
scareware. The product was advertised and sold by making false claims
that illegal pornography had been detected on the users' computers and
urging them to buy the phony products. The order was prompted by a
lawsuit filed by the FTC. Companies that initially accepted the
advertisements on their sites eventually became aware of the problem and
began rejecting the ads. The malware purveyors then established phony
advertising agencies that placed the ads, which were programmed to
display images to people based on their IP addresses. The order also
freezes the assets of the defendants. The defendants named are Kristy
Ross, James Reno, Sam Jain, Daniel Sundin, Marc D'Souza and Maurice
D'Souza.
http://www.theregister.co.uk/2008/12/10/scareware_group_shuttered/
http://www.heise-online.co.uk/security/US-court-halts-the-sale-of-scareware--/news/112228
http://voices.washingtonpost.com/securityfix/2008/12/court_freezes_assets_of_allege.html
http://ftc.gov/os/caselist/0723137/081202innovativemrktgcmplt.pdf
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Chertoff Wary of Moving Cyber Security Oversight from DHS to White House
(December 10, 2008)
US Department of Homeland Security (DHS) Secretary Michael Chertoff has
expressed concerns about moving cyber security operations oversight from
DHS to the White House, as was recommended in a recent report from the
Center for Strategic and International Studies (CSIS) Commission on
Cybersecurity for the 44th Presidency. Chertoff said that "to get the
White House involved in operational activity ... pulls the White House
into areas where it's exposed to legal and oversight issues."
http://www.nextgov.com/nextgov/ng_20081210_6108.php
[Editor's Note (Weatherford): From a political perspective, Secretary
Chertoff's point may be valid and the White House office might create
some unusual problems...but nothing that hasn't been dealt with before.
On the other hand, the visibility of a White House appointment would
speak volumes about how seriously the new administration takes the
national cyber security problem and it would provide the inherent and
organic horsepower needed to make changes. This is what those of us in
the security business should be praying for.]
--Possible Candidates for Cyber Czar
(December 9, 2008)
The CSIS Commission on Cybersecurity for the 44th Presidency recently
released a report in which it recommended that president-elect Barack
Obama create a new office within the White House to oversee cyber
security. ChannelWeb has listed several people it believes could be on
a short list to head up the national cyber security effort, including
such luminaries as Richard Clarke, Colin Powell, and Patrick Fitzgerald,
plus some more conventional choices.
http://www.crn.com/security/212300531
--Federal CISOs Discuss Possible FISMA Changes
(December 9, 2008)
Federal Chief Information Security Officers (CISO) speaking at a panel
discussion at a Government Technology Research Alliance conference
discussed how potential changes to the Federal Information Security
Management Act (FISMA) would affect their organizations. The greatest
concern is that the new requirements would be piled on top of all the
wasted effort they expend to meet increasingly discredited NIST
guidance. The CISOs see the focus on attack-based metrics as essential,
but only if they don't have to waste most of their security budgets on
paper exercises. The Senate Homeland Security and Governmental Affairs
Committee earlier this year approved legislation to amend FISMA. The
proposed changes include expanded responsibilities for the CISO,
required annual third-party audits for government agencies and mandated
standard contract language throughout the government.
http://www.fcw.com/online/news/154609-1.html?topic=security
VULNERABILITIES, UPDATES AND PATCHES
--Zero-Day Flaws Detected in Internet Explorer and WordPad
(December 9, 10 & 11, 2008)
Despite Microsoft's security update that addresses 28 vulnerabilities
(see story below), two zero-day vulnerabilities that are being exploited
in targeted attacks remain unpatched. The flaws in question affect
Internet Explorer (IE) and WordPad. The flaws require user interaction
for exploits to be successful. Microsoft is looking into reports of the
attacks, which it says are "limited and targeted." Exploit code for the
IE flaw was released in China by researchers who believed the problem
had been patched.
http://isc.sans.org/diary.html?storyid=5458&rss
http://www.theregister.co.uk/2008/12/11/wordpad_zero_day/
http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123100&source=rss_topic17
http://voices.washingtonpost.com/securityfix/2008/12/exploit_for_unpatched_internet.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123118&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123179&source=rss_topic17
http://www.gcn.com/online/vol1_no1/47709-1.html?topic=security
--December's Patch Tuesday Comprises Eight Security Bulletins
(December 9 & 10, 2008)
Microsoft's monthly software security update for December included eight
bulletins that address a total of 28 vulnerabilities. Of those, 23 are
rated critical. The fixes cover a range of the company's products,
including Windows, Internet Explorer, Office, SharePoint, Windows Media
and the Visual Basic and Visual Studio development tools. Most of the
security flaws are remote code execution vulnerabilities; one bulletin
also addresses a privilege elevation vulnerability.
ISC: http://isc.sans.org/diary.html?storyid=5449
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123042&source=NLT_PM&nlid=8
http://www.theregister.co.uk/2008/12/10/ms_patch_tuesday_december/
http://news.cnet.com/8301-1009_3-10119227-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://voices.washingtonpost.com/securityfix/2008/12/microsoft_plugs_at_least_28_se.html
http://www.securityfocus.com/brief/868
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
STUDIES AND STATISTICS
--Irish Cybercrime Survey
(December 11, 2008)
The Irish chapter of the Information Systems Security Association (ISSA)
and University College Dublin's Centre for Cybercrime have released the
second Irish Cybercrime Survey, which looks at attacks and intrusions
at both public and private organizations during the course of 2007.
Thirty percent of companies experienced denial-of-service (DoS) attacks
and 25 percent experienced external intrusion attempts. Eighteen
percent of companies experienced instances of internal unauthorized
access and 10 percent reported internal financial fraud. Sixty-one
percent of the time, companies chose to deal with internal incidents
through internal disciplinary procedures; of those cases, 37 percent
resulted in job loss, 16 percent resulted in resignation, and four
percent resulted in criminal prosecution.
http://www.siliconrepublic.com/news/article/11929/cio/irish-firms-are-suckers-for-cybercrime-and-punishment
[Editor's Note (Weatherford): Though the sample set is small, these
are very actionable metrics. Numbers matter!
(Honan): An interesting statistic is that despite the high number of
internal security breaches, only 14% of the companies surveyed were
concerned about employees accessing data they should not, and only 8%
rated internal intrusions in their top three security concerns.
Companies need to wake up to the fact that one of the biggest threats to their
security is their own staff; remember, those that you trust the most are
the ones that can hurt you the most.]
--Firefox Tops List of Most Known Vulnerabilities in Applications
(December 11, 2008)
Whitelisting company Bit9 has compiled statistics on the applications
with the most security vulnerabilities reported over the last year.
Mozilla's Firefox web browser versions 2 and 3 top the list with 40
reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came
in third with 19 flaws. Fourth and fifth place were taken by Apple
iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.
http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
http://www.bit9.com/news-events/press-release-details.php?id=102
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAklCrwIACgkQ+LUG5KFpTkYJZQCgmCs5GiddZc5/VQqDJ1yOx8M2
scgAoJPV5BWjtDNTMT0R5gT3tIeT3+mj
=8pM/
-----END PGP SIGNATURE-----