From: The SANS Institute (NewsBites sans.org)
Date: Tue Dec 23 2008 - 13:18:24 CST
Three interesting and important stories in Top of the News this week: a
window into banking cyber crime, RIAA changing tactics, and the World
Bank banning (for nine years) a vendor that made millions writing
applications for the Bank that were later found to enable data breaches.
Software buyers' patience has run out. Any company that develops code
for a living is flirting with economic disaster if it fails to (1) test
the software using a suite of the most effective source code and
black box tools, and (2) ensure that each developer who touches the code
has mastered secure coding skills (GSSP assessment is the most common
method of proving that: http://www.sans.org/gssp.)
Organizations that develop applications using .NET languages can now use
GSSP assessments to help their programmers find the gaps in their secure
coding knowledge. GSSP tests for Java and C/C++ are already being
widely used, but the .NET tests were just released. The first 50 medium
and large organizations that reach out, can get up to 100 developers
through the assessment for free. Email spa sans.org for access to any
of them.
Alan
P.S. Tomorrow is the last day for early registration savings for SANS
Security West 2009 (Jan 24-Feb 1) http://www.sans.org/securitywest09
And early registration is still open (save $350) on SANS biggest program
SANS 2009 Orlando (March 1-9) http://www.sans.org/sans2009
*************************************************************************
SANS NewsBites December 23, 2008 Vol. 10, Num. 100
*************************************************************************
TOP OF THE NEWS
Trojan and Keystroke Logger Dropzone Study
RIAA Changes Tactics
World Bank Vendor Barred for Eight Years
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
MIT Students Will Work With MBTA to Improve Payment System Security
Judge Will Not Divulge Location of Computers Used to Alter Wikipedia Pages
ARRESTS, CHARGES & CONVICTIONS
Spammer Fined in New Zealand; Still Faces Charges in US
POLICY AND LEGISLATION
New Law in Ireland Increases Fines for Spammers
ATTACKS
Ohio College Servers Compromised
Phone Hacker Sticks Computer Company with CA $52,000 Bill
MISCELLANEOUS
Repair Mission Underway on Damaged Mediterranean Undersea Cables
Why Did Microsoft Developers Miss the Internet Explorer Flaw?
**************************** Sponsored By SANS **************************
The Log Management Summit April 6-7 is a user-to-user, non-commercial
conference on what works in log management. It is the only place where
you can learn about the strengths and weaknesses of competing
technologies, where users will share the lessons they learned about what
to log and what to keep and what to report.
http://www.sans.org/info/36658
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Trojan and Keystroke Logger Dropzone Study
(December 18, 2008)
A research team assembled by Thorsten Holz from the University of
Mannheim (Germany) examined banking Trojans, keystroke loggers and
dropzones for both types of malware. Their study found more than 33 GB
of log files in the dropzones of 70 separate pieces of malware. The
files contain personal information of more than 170,000 individuals; the
collected data include passwords, PINs, user names and other crucial
information for committing fraud. The study also examined the resale
value of stolen data; a bank account goes for between US $10 and US
$1,000, while credit card account data are sold for as little as US
$0.40 per account. eMail passwords were being sold for between US $4
and US $30.
http://www.heise-online.co.uk/security/Keyloggers-under-the-microscope--/news/112288
--World Bank Vendor Barred for Eight Years
(December 22, 2008)
The World Bank has acknowledged that it imposed strict sanctions against
an India-based computer software service provider that has been linked
to data breaches and financial malfeasance at the international
institution. For months, World Bank had been denying FOX news reports
regarding these issues, but now it has been confirmed that Satyam
Computer Services has been barred from working with World Bank for eight
years. Satyam was employed by the World Bank from 2003 through 2008 in
the capacity of writing and maintaining all of the bank's software;
Satyam was paid hundreds of millions of dollars for its services.
http://www.myfoxspokane.com/myfox/pages/News/Detail?contentId=8124450&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.1.1
[Editor's Note (Pescatore): There are a lot of sourcing decisions that
are done without having security as a highly rated evaluation criteria.
Also, a lot of outsourcing contracts are so large that they really
deserve high level governance and oversight by boards of directors, just
like mergers and acquisitions.
(Schmidt): I see this as a very effective way to convince business
partners and supply chain to do security better. Nothing gets a
business attention quicker than to lose the ability to do business with
a major client.]
[Editor's Note (Pescatore): There will be a lot of speculation about
whether this was sabotage or just an accident, but the effect is way
more important than the cause. A lot of data centers boast dual fiber
optic feeds (on different sides of the building) from multiple carriers,
but then you find they both go through a common choke point. Redundant
connections help when a local backhoe takes out a cable but what is
really needed is redundant bandwidth - either have SLAs that cover this
type of outage or require hosters/outsourcers to demonstrate reliable
bandwidth, not just connectivity. ]
--RIAA Changes Tactics
(December 19, 2008)
The Recording Industry Association of America (RIAA) said it will stop
filing numerous lawsuits against suspected copyright violators. Instead,
the RIAA will work with Internet service providers (ISPs) to target
people it believes are violating copyright laws and convince them to
change their ways. Under the new plan the RIAA will notify ISPs of
suspected violators and the ISPs will either notify the suspected
offenders themselves or forward the messages from the RIAA. Repeat
offenders would be subject to increasing sanctions, including network
speed throttling and termination of Internet service. The RIAA has not
entirely ruled out the possibility of lawsuits; people who appear to be
committing gross violations of copyright law could still find themselves
being sued by the RIAA.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124097&intsrc=hm_list
RIAA Letter to ISPs:
http://news.cnet.com/8301-1023_3-10127050-93.html?part=rss&subj=news&tag=2547-1_3-0-5
[Editor's Note (Schultz): RIAA's approach in pursuing those who engage in music swapping has been incredibly unsuccessful. A change in strategy has been long overdue, and apparently it is now forthcoming.]
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--MIT Students Will Work With MBTA to Improve Payment System Security
(December 22, 2008)
The three Massachusetts Institute of Technology (MIT) students who
earlier this year faced legal action from the Massachusetts Bay Transit
Authority (MBTA) are now working with the MBTA to improve the security
of its electronic fare system. Zack Anderson, RJ Ryan and Alessandro
Chiesa had planned to present their findings about weaknesses in the
MBTA's Charlie Card system at a conference last summer. The MBTA
obtained a gag order preventing them from making their presentation, but
a judge threw out the order several days later, and the case was settled
in early October.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124183&source=rss_topic17
http://www.theregister.co.uk/2008/12/22/mbta_dismisses_lawsuit/
[Editor's Note (Skoudis): Maybe I'm just growing into an old softie, but
I view this as a happy hacker holiday story. Although a difficult and
ugly process, this story seems to have ended pretty well, in my
estimation.]
--Judge Will Not Divulge Location of Computers Used to Alter
Wikipedia Pages
(December 19, 2008)
A judge in Arkansas has ruled that the locations of computers used to
make changes to the Wikipedia pages of former Governor Mike Huckabee,
current Governor Mike Beebe and other state officials will not be
disclosed. The information was being sought by journalists under the
state's Freedom of Information Act, but the judge, siding with state's
attorneys, said to divulge the information would threaten the security
of the state's computer network. The reporters had uncovered several
IP (Internet protocol) addresses that had been used to make the changes
and wanted to know at which agencies the particular computers were
located.
http://www.nwanews.com/adg/News/247038/print/
http://news.smh.com.au/technology/judge-no-order-to-state-to-reveal-computer-sites-20081219-727r.html
[Editor's Note (Skoudis): According to this article, the judge's logic
rests on the argument that "...public disclosure [of the agency
associated with the IP addresses] could open 'vast holes' in network
security for hackers". If that's the case, they've got _huge_
architecture problems. Plus, a single client-side exploit followed by
some clever pivoting would likely let a real bad guy map their internal
network anyway. Perhaps there is a lot more to this story than these
news articles reveal, but the argument as presented is cause for
significant concern.
(Weatherford): "Transparency in government is essential to good order
and discipline but publicly revealing even minor technical details that
could be used against you by those who would do you harm is simply not
a good idea. While the public sector is obviously required to be more
open about issues due to Freedom of Information laws and Public Records
Acts, turn the question around and ask how a private company would
respond to a request like this? While IPs aren't the keys to the
kingdom, they are a vector that gives insight into the network
environment. The judge made the right decision."]
ARRESTS, CHARGES & CONVICTIONS
--Spammer Fined in New Zealand; Still Faces Charges in US
(December 22, 2008)
Lance Atkinson has agreed to pay fines of NZ $110,000 (US $62,842) for
his role in an international spam operation. Atkinson is also facing
charges in the US; his assets there have been frozen. The spam
operation is believed to be responsible for more than 2 million
unsolicited messages sent to computers in New Zealand over a four-month
period in late 2007.
http://www.theage.com.au/news/technology/security/kiwis-nail-a-mr-big-of-the-spam-world/2008/12/22/1229794316883.html
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10549355
http://computerworld.co.nz/news.nsf/scrt/51E464D9C8D31326CC257527002029BD
http://www.news.com.au/couriermail/story/0,27574,24835398-3102,00.html
POLICY AND LEGISLATION
--New Law in Ireland Increases Fines for Spammers
(December 21 & 22, 2008)
Irish Communications Minister Eamon Ryan has signed legislation that
increases fines for spammers. Companies convicted of sending
unsolicited commercial email or text messages could be required to pay
fines of up to 250,000 Euros (US $349,000) or 10 percent of their
turnover, whichever is greater. Previously, spammers could be
prosecuted only in the District Court with a maximum fine of 3,000 Euros
(US $4,191). Offenders can now be prosecuted in the Circuit or High
Court.
http://www.siliconrepublic.com/news/article/12028/government/spammers-will-face-fines-up-to-250-000
http://www.timesonline.co.uk/tol/news/world/ireland/article5375673.ece
ATTACKS
--Ohio College Servers Compromised
(December 20, 2008)
An attacker broke into two Lorain County (Ohio) Community College
servers in November, compromising the security of the data they hold,
which include the records and Social Security numbers (SSNs) of
approximately 22,000 students, employees, and community users. College
vice-president of strategic and institutional development Marcia
Ballinger said the attacker appeared to be looking for available
storage space rather than data; nonetheless, forensics experts and the
FBI are conducting investigations. The college has notified those
affected by the breach through letters sent last week.
http://www.chroniclet.com/2008/12/20/hackers-strikes-lccc-system_122/
--Phone Hacker Sticks Computer Company with CA $52,000 Bill
(December 19, 2008)
Manitoba (Canada) Telecom Services is insisting that a Winnipeg-based
company is responsible for the cost of phone calls a hacker made to
Bulgaria through its phone system. Someone broke into the HUB Computer
Solutions system in late November and over a period of two-and-a-half
weeks made calls totaling CA $52,360 (US $43,023). MTS said it should
have been contacted as soon as the volume of outbound international
calls began to exceed normal levels.
http://www.scmagazineuk.com/IT-company-hit-with-52000-bill-after-hacker-used-system/article/123156/
http://www.theregister.co.uk/2008/12/19/voice_mail_breach/
[Editor's Note (Schultz): A potential downstream liability lawsuit
exists here. These types of cases are not commonplace in the information
security arena, yet the likelihood that they will result in huge
financial losses and reputational damage is enormous.
(Pescatore): Gee, back to the future with PBX hacking. We'll see more
of this as more and more IP PBXs get in use by smaller businesses. While
most of VoIP security hype has been around eavesdropping, I think theft
of service will be the first wave.
(Schmidt): This definitely sounds like the classic war dialing and
phreaking that has been used against PBX systems since the early days
of their existence. This is another example that some insecurities just
never go away. After the coverage that was given to the FEMA event a
few months ago you would think every PBX owner would do a security
assessment of their systems.]
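The check MTS describes above (raise the alarm as soon as outbound international call volume exceeds normal levels) can be run over a PBX's call-detail records. The following is an added example written for this item, not code from the newsletter, MTS or HUB; the CDR layout, the home country code and the sample records are constructed assumptions.

```python
"""Flag bursts of outbound international calls in PBX call-detail records.

Added example, not code from the newsletter, MTS or HUB: it implements the
check the carrier said should have triggered a call, i.e. outbound
international volume exceeding normal levels. The CDR layout and the sample
records below are constructed for the example.
"""

# Constructed CDR lines: ISO timestamp, extension, dialled number, seconds.
SAMPLE_CDR = """\
2008-11-03T09:12:00,201,12045551212,180
2008-11-03T14:40:00,205,4420712345678,300
2008-11-10T10:05:00,203,4915112345678,240
2008-11-17T11:30:00,201,12045559876,120
2008-11-24T02:10:00,200,35929876543,1800
2008-11-24T02:45:00,200,35929876544,1750
2008-11-24T03:20:00,200,35929876545,1900
2008-11-24T03:55:00,200,35929876546,1820
"""

HOME_COUNTRY_CODE = "1"  # assumption: a North American PBX, so "1..." is domestic


def parse_cdr(text):
    """Return (day, number, seconds) tuples; day is the ISO date prefix."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _ext, number, seconds = line.split(",")
        records.append((timestamp[:10], number, int(seconds)))
    return records


def daily_international_minutes(records):
    """Sum outbound international minutes per day (days with none count as 0)."""
    totals = {}
    for day, number, seconds in records:
        totals.setdefault(day, 0.0)
        if not number.startswith(HOME_COUNTRY_CODE):
            totals[day] += seconds / 60
    return totals


def flag_anomalous_days(totals, factor=5.0, floor_minutes=30.0):
    """Walk days in order and flag any day whose international minutes exceed
    `factor` times the running average of earlier normal days. `floor_minutes`
    keeps a quiet baseline (little or no international traffic) from alerting
    on a single ordinary call."""
    flagged, history = [], []
    for day in sorted(totals):
        minutes = totals[day]
        avg = sum(history) / len(history) if history else 0.0
        if minutes > max(factor * avg, floor_minutes):
            flagged.append((day, round(minutes, 1)))
        else:
            history.append(minutes)  # only normal days feed the baseline
    return flagged


if __name__ == "__main__":
    totals = daily_international_minutes(parse_cdr(SAMPLE_CDR))
    for day, minutes in flag_anomalous_days(totals):
        print(f"{day}: {minutes} international minutes, investigate the PBX")
```

In the constructed data only the night of 24 November trips the check; a real deployment would run it per hour rather than per day so the alert arrives before two and a half weeks of calls accumulate.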
MISCELLANEOUS
--Repair Mission Underway on Damaged Mediterranean Undersea Cables
(December 19, 21 & 22, 2008)
A pair of undersea telecommunications cables in the Mediterranean was
damaged late last week, causing serious disruptions in connectivity to
users in the Middle East and Asia. Egypt and India were especially hard
hit, with the countries experiencing 70 percent and 60 percent of web
services disrupted, respectively. The damage may have been caused by a
trawler net. Repair work on the cables has begun, but it is not known
when it will be complete. A submarine robot has been deployed to find
the ends of the severed cables.
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article5372294.ece
http://news.bbc.co.uk/2/hi/technology/7795320.stm
http://news.smh.com.au/technology/repair-crews-reach-damaged-cables-in-mediterranean-20081221-7322.html
--Why Did Microsoft Developers Miss the Internet Explorer Flaw?
(December 22, 2008)
In a posting to Microsoft's Security Development Lifecycle blog,
Microsoft principal security manager Michael Howard said the Internet
Explorer (IE) flaw for which the company released an out-of-cycle fix
last week went undetected because programmers had not been trained to
look for such problems. The flaw in question was a memory-related
time-of-check-to-time-of-use (TOCTOU) bug. Microsoft developer training
will be updated to take into account this sort of flaw in the future.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124174&source=rss_topic17
[Editor's Note (Skoudis): This is a fascinating read. It also
illustrates that there are many classes of vulnerabilities beyond the
traditional buffer overflow exploit. We'll be busy for many, many years
(and perhaps for the rest of our lifetimes) stomping out all of these
different classes of security bugs. Frustrating? Yes. Job security?
Yes, that too.
(Northcutt): This was a tricky one, but I do not see it so much as a life
cycle bug as Michael's blog claims. Somehow, someone found the bug,
possibly with an advanced fuzzer. 6000 sites were doctored; check the
following site to see whether you were infected and what to do about it.
http://www.groovypost.com/howto/microsoft/ie/microsoft-releases-security-update-ms08-078-kb960714/
The crafted web pages put a cookie on the client computer. You can see
the cookie and its decoded representation here:
http://isc.sans.org/diary.html?storyid=5464
By the way, whenever you want to view the contents of an encoded cookie,
one free tool you can use on Windows is CookieView (it is a good
Saturday afternoon play toy and worth having in your toolset):
http://www.digital-detective.co.uk/freetools/cookieview.asp
The ISC posting shows it is SQL injection pointing the browser to a
malicious script:
<script src=http:// 17gamo [dot] com/1.js></script>
(Hint: downloading the script is not highly recommended.)
The source information for the Computerworld article is here:
http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx
And I feel the original blog is worth reading even if you do not
understand everything; you will be able to see why the bug was so hard
to spot. The important thing is that Microsoft is making process
corrections to keep this from happening again.]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/