SANS NewsBites Vol. 10 Num. 99

From: The SANS Institute (NewsBitessans.org)
Date: Fri Dec 19 2008 - 13:28:25 CST



Hacking the Hill: One of the very best cyber security stories of the
year was published this morning in the National Journal with details
about the hacking of Congress. National Journal is the authoritative
publication read by most executive and legislative branch leaders in the
US government, but it is expensive and rarely posted and usually the
rest of us don't get to see what it contains. This time, for SANS alumni
and NewsBites readers, they made an exception. Written by Shane
Harris, it is at
http://www.nationaljournal.com/njmagazine/cs_20081220_6787.php

                                  Alan

P.S. Five days left for early registration savings for SANS Security
West 2009 (Jan 24-Feb 1) http://www.sans.org/securitywest09
And early registration is still open (save $350) on SANS biggest program
SANS 2009 Orlando (March 1-9) http://www.sans.org/sans2009

*************************************************************************
SANS NewsBites December 19, 2008 Vol. 10, Num. 99
*************************************************************************
TOP OF THE NEWS
  EU and US Agree on Personal Data Sharing Principles
  Research Finds Inadequate Intellectual Property Protection at UK Firms
  Cyber Security Inquiry Simulation Exercise Opens Eyes
THE REST OF THE WEEK'S NEWS
  ATTACKS
    CheckFree Attack Used Variety of Methods
  VULNERABILITIES
    Malicious ActiveX Controls in Word Docs Exploit Critical IE Flaw
    Cross-Site Scripting Flaw on American Express Website
  UPDATES AND PATCHES
    Microsoft Issues out-of-Cycle Patch for Critical IE Vulnerability
    Adobe Releases Updates for Flash Player for Linux
    Mozilla Firefox Updates Include (Next-to-)Last Version of Firefox 2
    Apple Issues Mac OS X Update
  MISCELLANEOUS
    Yahoo! to Limit Data Retention to 90 Days in Most Cases

**************************** Sponsored By SANS **************************

The Log Management Summit April 6-7 is a user-to-user, non-commercial
conference on what works in log management. It is the only place where
you can learn about the strengths and weaknesses of competing
technologies, where users will share the lessons they learned about what
to log and what to keep and what to report.
http://www.sans.org/info/36658
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --EU and US Agree on Personal Data Sharing Principles
(December 17, 2008)
The European Union and the US have agreed upon a set of common
principles for data sharing practices and data protection. The impetus
for the Statement on Information Sharing and Personal Data Protection
grew out of the agreement on the handling of EU/US passenger name record
(PNR) data. This agreement establishes protections from punishment for
private companies and other countries that cooperate with data-gathering
projects aimed at fighting terrorism.
http://www.fcw.com/online/news/154709-1.html?topic=privacy
http://www.dhs.gov/xlibrary/assets/usa_statement_data_privacy_protection_eu_12122008.pdf
[Editor's Note (Schultz): The huge discrepancies between personal data
sharing requirements in the US and EU countries have caused almost
insurmountable hurdles to data sharing agreements. The fact that now the
two parties have reached an in principle agreement is thus an extremely
significant development.
(Northcutt): This is pretty impressive if it proves to work out. Europe
tends to be more privacy focused, the US more security focused, and it
is good to see the potential for additional cross-border cooperation.]

 --Research Finds Inadequate Intellectual Property Protection at UK Firms
(December 17, 2008)
The results of research commissioned by the UK's Intellectual Property
Office's IP Crime Group indicates that while companies are aware of the
importance of protecting intellectual property (IP), they are by and
large not doing enough to protect their own IP or that of others. Forty
percent of the more than 1,000 people interviewed did not have any
practical measures, such as trademark registration or employee training,
in place. More than 25 percent of respondents said employees are not
warned against illegal downloading at work.
http://www.theregister.co.uk/2008/12/17/ip_crime_uk_firms/
http://nds.coi.gov.uk/content/Detail.asp?ReleaseID=387749&NewsAreaID=2
http://www.ipo.gov.uk/report-workplaceresearch.pdf

 --Cyber Security Inquiry Simulation Exercise Opens Eyes
(December 18, 2008)
The Cyber Strategy Inquiry held this week in Washington DC involved 230
people from government, industry and civil society. The simulation
exercise was designed to demonstrate the cyber security challenges the
forthcoming administration and Congress will face. Participants learned
that "there were interdependencies that [they] didn't quite understand
or appreciate before." Some of the issues that became evident during
the exercise included regulation vs. incentives for cyber security and
risk management vs. resilience. Challenges that arose included how to
establish rules of engagement for a cyber attack and managing global
aspects of cyber security.
http://www.fcw.com/online/news/154725-1.html?type=pf

*************************************************************************

THE REST OF THE WEEK'S NEWS
ATTACKS
 --CheckFree Attack Used Variety of Methods
(December 16, 2008)
The security breach of the CheckFree online bill paying website was
conducted with a blended attack, using a variety of techniques including
phishing, pharming and drive-by malware downloads. Visitors to the
CheckFree website were redirected to a server located in the Ukraine
that downloaded software onto their computers. However, it has not yet
been determined what the software does if downloaded.
http://www.internetnews.com/security/article.php/3791341/Several+Attacks+Behind+CheckFree+Data+Breach.htm
[Editor's Note (Pescatore): Hmm, just a guess: the software coming from
the server in Ukraine is probably up to no good. I'd like to see web
sites that are found to have easy to avoid vulnerabilities treated like
restaurants that have cockroach infestations: not allow them to do
business for a day or two and have them post a big notice while closed:
"Closed due to unsanitary business practices. Your business is important
to us, though - have a nice day."]

VULNERABILITIES
 --Malicious ActiveX Controls in Word Docs Exploit Critical IE Flaw
(December 18, 2008)
The Internet Explorer (IE) vulnerability for which Microsoft has just
released an out-of-cycle fix (see story below) is being exploited in
another way; attackers are seeding Microsoft Word documents with
malicious ActiveX controls. The embedded controls contain lines of code
that cause the host on which the controls have been downloaded to visit
a site that hosts malware. Users receive the infected Word documents
as email attachments or through maliciously manipulated websites.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123898&source=rss_topic17

 --Cross-Site Scripting Flaw on American Express Website
(December 16, 2008)
A cross-site scripting vulnerability on the American Express website
could allow attackers to steal users' authentication cookies. The flaw
has been present on the site for more than two weeks; its presence is a
violation of the Payment Card Industry Data Security Standards. The
person who disclosed the flaw did so after two fruitless weeks of trying
to get someone in the company to fix the problem. Shortly after the
story was posted to the Internet, American Express fixed the
vulnerability.
http://www.theregister.co.uk/2008/12/16/american_express_website_bug/
[Editor's Note (Schultz): I wonder what happened to the Amex employee
who discovered and then posted the vulnerability. In the past employees
who have engaged in such actions have been treated quite punitively by
their employers.]

UPDATES AND PATCHES
 --Microsoft Issues out-of-Cycle Patch for Critical IE Vulnerability
(December 17 & 18, 2008)
Microsoft pushed out an out-of-cycle patch (MS08-078) for a critical
remote code execution vulnerability in IE's data binding function. At
least seven separate exploits for the flaw have been detected in the
wild. Malicious JavaScript code exploiting the vulnerability has been
detected on an increasing number of legitimate websites, prompting
Microsoft's decision to patch the problem in the middle of the month.
Most attacks are aimed at stealing gaming passwords, but more malicious
exploits could target more sensitive data. The flaw affects IE versions
5, 6, 7 and 8, although the attacks have been aimed at IE 7. This is the
second out-of-cycle patch for Microsoft in the last three months.
http://www.theregister.co.uk/2008/12/17/emergency_microsoft_patch/
http://www.smh.com.au/news/technology/security/microsoft-releases-emergency-patch-for-ie/2008/12/18/1229189775451.html
http://news.bbc.co.uk/2/hi/technology/7788687.stm
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

 --Adobe Releases Updates for Flash Player for Linux
(December 17, 2008)
Adobe has made available updated versions of Adobe Flash Player for
Linux to address a critical security flaw that could be exploited to
take control of vulnerable systems. The vulnerability can be exploited
through a specially crafted SWF file. The vulnerability affects Adobe
Flash Player versions 10.0.12.36 and earlier and 9.0.151.0 and earlier;
users are urged to update Adobe Flash Player on their systems to version
10.0.15.3. Users who for technical reasons are unable to upgrade to
10.0.15.3 can update to version 9.0.152.0. The process requires manual
download and installation. The flaw does not affect Adobe Flash Player
for Windows or Mac OS X.
http://www.heise-online.co.uk/security/Critical-hole-in-Linux-Flash-Player--/news/112282
http://www.adobe.com/support/security/bulletins/apsb08-24.html

 --Mozilla Firefox Updates Include (Next-to-)Last Version of Firefox 2
(December 17, 2008)
Mozilla has released updates for versions 2 and 3 of its Firefox web
browser. Firefox 3.0.5 addresses three critical vulnerabilities, while
Firefox 2.0.0.19 fixes four critical flaws. The flaws could be
exploited to execute arbitrary code and install software without user
interaction. Firefox users who have not done so already are urged to
upgrade to version 3 because this is supposed to be the last planned
update for Firefox 2. However, a "clerical error" has necessitated the
release of Firefox 2.0.0.20, because 2.0.0.19 did not contain one of the
necessary fixes. Mozilla expects to issue Firefox 2.0.0.20 by Monday,
December 22.
http://www.theregister.co.uk/2008/12/17/mozilla_3_0_5_and_2_0_0_1_9_updates/
http://voices.washingtonpost.com/securityfix/2008/12/firefox_2_users_will_get_no_mo.html?nav=rss_blog

 --Apple Issues Mac OS X Update
(December 16, 2008)
Apple has released an update for its Mac OS X operating system to
address more than a score of security flaws. The 21 vulnerabilities lie
in a variety of components, including the Mac OS X kernel, core services
and the Adobe Flash Player plug-in. Some of the flaws could be
exploited to allow remote code execution, information disclosure and
application crashes. Users are urged to upgrade to Mac OS X version
10.5.6, which addresses a number of stability issues in addition to the
security flaws.
http://www.securityfocus.com/brief/872
http://www.vnunet.com/vnunet/news/2232667/gets-update
[Editor's Note (Pescatore): December was one of the busiest months for
patches in a long time, between all the scheduled and unscheduled
Windows vulnerabilities, these from Apple and others from Adobe and the
like. Scarier yet, I think there have been 20 or so security patches for
VMware this year - the layering of vulnerabilities in virtualized data
centers is getting really complicated.]

MISCELLANEOUS
 --Yahoo! to Limit Data Retention to 90 Days in Most Cases
(December 17 & 18, 2008)
Yahoo! has said it will anonymize user data within 90 days. Previously,
Yahoo! held user search data for 13 months. The policy applies to page
views, page clicks, ad views, ad clicks and search log data. Some data
may be retained beyond 90 days for security or legal reasons, such as
fraud investigations. The European Union (EU) has declared that data
should be anonymized within six months. Microsoft currently retains data
for 18 months but says it could change its data retention practices to
abide by EU guidelines; Google retains user information for nine months.
http://www.vnunet.com/vnunet/news/2232805/yahoo-cuts-retention-times
http://news.bbc.co.uk/2/hi/technology/7787846.stm
http://www.theregister.co.uk/2008/12/17/yahoo_anonymization_explained/
http://www.nytimes.com/2008/12/18/technology/internet/18yahoo.html?_r=1&partner=rss&emc=rss&pagewanted=print
http://www.eweek.com/c/a/Search-Engines/Microsoft-Zero-Data-Retention-Not-Possible-to-Keep-Search-Engines-Viable/

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
