From: The SANS Institute (NewsBites at sans.org)
Date: Tue Dec 30 2008 - 11:09:33 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The January 2009 OUCH! (the monthly security newsletter for end users)
has some great material. If you want to distribute it to your users
(as more than 6,000 companies and agencies do every month) just
subscribe at http://www.sans.org/newsletters/#ouch . There is no
charge and redistribution is allowed within organizations. In 2009
the goal of OUCH! is changing a little. Beginning in February, it
will start to help end users know how to look for security breaches
of their systems and, when they find something, what to tell the
security people at their organizations or their ISPs.
Alan
*************************************************************************
SANS NewsBites December 29, 2008 Vol. 10, Num. 101
*************************************************************************
TOP OF THE NEWS
Maryland Seeks Reimbursement From Voting Machine Company for Fixing
Security Holes
Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Computer Engineer Will Stand Trial for Allegedly Holding City
Network Hostage
Software Company President Sentenced for Hacking and Proprietary
Data Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FEMA Investigating Evacuee Data Exposed on Internet
VULNERABILITIES
Microsoft Warns of SQL Flaw
MALWARE
Samsung Digital Picture Frame Software Disk Infected with Keystroke
Logging Malware
DATA THEFT, LOSS & EXPOSURE
RBS WorldPay Data Breach Affects More than 1 Million Customers
Cedars-Sinai Medical Center Notifies Patients of Data Theft
MISCELLANEOUS
CastleCops Raises the Drawbridge
Microsoft Malicious Software Removal Tool Cleaned Phony Security Apps
From 400,000 PCs
Bank Info Security's Top 10 Security Breaches
********** WHAT'S HAPPENING IN CONTROL SYSTEMS SECURITY? ***************
Last year the CIA chose the SCADA Security Summit to release the
explosive data about multi-city power outages caused by remote
hackers/extortionists. This year the FBI will be sharing data about
what's happening in this arena, the chair of the NY Public Service
Commission will focus on the new many-billion dollar smart grid and
panelists will discuss security concerns in the smart grid. Chairman
Brown will also help security people learn to talk security with public
service commissioners. The new CSO at NERC will explain what changes
are coming in the CIP standards and you'll also find out which vendors
are doing the best job and how the standard procurement specs have
changed for buying security baked in. Plus 20 more critical sessions.
This is the one conference to attend in 2009 if you work in control
systems security. And you can attend free SCADA security courses
sponsored by DHS on the same trip. February 2-3 (courses on the 3rd),
Orlando: http://www.sans.org/scada09_summit/
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security
training conference and expo in the world, with lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Maryland Seeks Reimbursement From Voting Machine Company for Fixing Security Holes
(December 25, 2008)
The state of Maryland has filed a claim against Premier Election
Systems (formerly known as Diebold) to recover US $8.5 million
in costs associated with numerous security issues with the company's
touch-screen voting machines. The state decided to make changes to
the machines based on information from independent sources to ensure
smooth elections. Diebold attorneys maintain that the allegations made
in the lawsuit are vague, "inaccurate and unfounded." The claim will
be considered by the Maryland Board of Contract Appeals. Maryland is
not the only state involved in legal disputes with Premier/Diebold
over security issues in its voting products; Ohio has a lawsuit pending
and the company settled claims made by California several years ago.
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/24/AR2008122401449_pf.html
http://news.slashdot.org/article.pl?sid=08/12/25/135240
[Editor's Note (Northcutt): Maryland has had numerous problems with
voting machines, many covered in NewsBites. That leads me to believe
they have a good chance of getting some money:
http://www.bradblog.com/?p=3719
http://www.johnbonifaz.com/blog/20060914-maryland
http://en.wikipedia.org/wiki/Premier_Election_Solutions
http://www.computerworld.com/governmenttopics/government/legislation/story/0,10801,109436,00.html ]
--Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns
(December 23 & 29, 2008)
According to a Privacy Impact Assessment (PIA) from US Department
of Homeland Security (DHS) chief privacy officer Hugo Teufel III,
the agency's intelligence fusion centers pose significant privacy
concerns. The centers were created to comply with the Implementing
Recommendations of the 9/11 Commission Act of 2007. The Act also
requires that PIAs be performed. The PIA found several areas of
concern, including ambiguous lines of authority, rules and oversight;
participation of the military and the private sector; and mission
creep.
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ia_slrfci.pdf
http://www.fcw.com/online/news/154752-1.html?type=pf
http://www.nextgov.com/nextgov/ng_20081229_7913.php
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Computer Engineer Will Stand Trial for Allegedly Holding City Network Hostage
(December 27 & 28, 2008)
The computer engineer who allegedly hijacked the city of San
Francisco's computer network, a network he created and ran, will stand
trial on four felony charges. Terry Childs allegedly held the network
hostage for several days until the city's mayor convinced him to reveal
the codes that would allow system access. He allegedly tampered with
the network after he was disciplined for poor performance. Childs's
attorney maintains his client was trying to protect the network from
incompetent co-workers who had already caused problems on the system.
http://news.cnet.com/8301-1009_3-10129313-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/12/27/BA1F14VJG3.DTL&type=printable
--Software Company President Sentenced for Hacking and Proprietary Data Theft
(December 19 & 23, 2008)
The president of a Boulder, Colorado-based software development company
has pleaded guilty to stealing protected files from a competitor's
website. Jay E. Leonard was sentenced to 12 months of probation
and ordered to pay a US $2,500 fine for breaking into the computer
system of ZetaWare and stealing proprietary information to gain a
competitive advantage. In a separate case, Leonard's company has
been accused of violating a US trade embargo for allegedly providing
Cuba with oil and gas drilling software technology.
http://www.dailycamera.com/news/2008/dec/19/executive-boulder-software-firm-sentenced-probatio/
http://www.eweek.com/c/a/Mobile-and-Wireless/Software-Exec-Takes-Fall-for-Hacking/
http://www.theregister.co.uk/2008/12/23/software_exec_hacking_charges/
[Editor's Note (Schultz): The probation sentence and the USD 2,500
fine are so tiny that they will send a message to potential computer
criminals in the US that they really do not have to fear much as far
as court-ordered potential punishment goes.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--FEMA Investigating Evacuee Data Exposed on Internet
(December 24, 2008)
The US Federal Emergency Management Agency (FEMA) is investigating how
personally identifiable information of some Hurricane Katrina evacuees
was exposed on the Internet. The compromised data include names,
addresses and Social Security numbers (SSNs). FEMA had provided
a state agency with the information but had not authorized its
publication on the Internet. The data appeared on two separate sites;
FEMA has worked with both to remove the information. The state agency
in question is cooperating with the investigation. FEMA is contacting
all those affected by the breach.
http://www.fcw.com/online/news/154757-1.html?type=pf
VULNERABILITIES
--Microsoft Warns of SQL Flaw
(December 22, 23 & 24, 2008)
Microsoft has issued a warning about a remote code execution flaw
in older versions of SQL Server. Exploit code for the flaw has
been released. There is currently no patch available to fix the
vulnerability, but Microsoft has provided a workaround users can apply
until a patch becomes available. An Austrian security consulting firm,
SEC Consult, reported the flaw to Microsoft in April. SEC maintains
Microsoft has had a fix available since late September; on December 9,
the company disclosed the flaw and released proof-of-concept exploit
code. Microsoft has acknowledged that it has been working on the SQL
problem for eight months, but would not confirm SEC's allegations that
a patch has been ready for several months. The vulnerability affects
certain configurations of Microsoft SQL Server 2000, Microsoft SQL
Server 2005 and Windows Internal Database.
http://www.microsoft.com/technet/security/advisory/961040.mspx
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124222
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124351&intsrc=hm_list
http://www.theregister.co.uk/2008/12/23/sql_server_0day_latest/
MALWARE
--Samsung Digital Picture Frame Software Disk Infected with Keystroke Logging Malware
(December 22 & 29, 2008)
Amazon has warned that certain versions of Samsung's SPF-85H 8-inch
digital photo frames pose a security threat to users. The frames
come with a disk containing software that is necessary to be able to
use the frame as a USB monitor on Windows XP machines. The disk is
infected with the W32.Sality.AE worm, which installs keystroke logging
malware on the machines it infects. Amazon has provided instructions
for cleaning systems that have already been infected by the worm.
http://www.theregister.co.uk/2008/12/29/photo_frame_malware/
http://www.amazon.com/gp/forum/cd/discussion.html?ie=UTF8&cdForum=Fx20DX5GEB7TUX8&cdThread=Tx2LOAXBDR3N47W
http://www.samsung.com/us/support/news/supportNewsAlerts.do?group=&type=&subtype=&model_nm=&spp_news_seq=761&page=
[Editor's Note (Skoudis): It seems that we have a new ritual that will
be repeated annually right around New Year's day. Interspersed with
discussions of the Times Square ball dropping, the baby New Year, and
noisemakers each year at this time, we'll see articles about the new
malware that infected consumer devices people received for Christmas.
Happy New Year!]
DATA THEFT, LOSS & EXPOSURE
--RBS WorldPay Data Breach Affects More than 1 Million Customers
(December 23, 24 & 29, 2008)
Attackers broke into the computer system at RBS WorldPay, a payment
processing services provider, compromising personally identifiable
information of more than one million customers. The compromised
data include financial account information and Social Security
numbers (SSNs). The intrusion, which has been described as "highly
sophisticated," was detected on November 10, 2008. There are reports
that approximately 100 pre-paid payroll cards, one of RBS WorldPay's
products, have been used in fraudulent transactions. RBS WorldPay has
begun notifying individuals affected by the breach and has brought
in specialists to help improve the system's security. The company
is also resetting the PINs associated with pre-paid payroll cards.
http://www.internetnews.com/security/article.php/3793386
http://www.theregister.co.uk/2008/12/29/rbs_worldpay_breach/
http://www.digitaltransactions.net/newsstory.cfm?newsid=2025
http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf
--Cedars-Sinai Medical Center Notifies Patients of Data Theft
(December 23, 2008)
More than 1,000 patients of Cedars-Sinai Medical Center have received
letters informing them that their personal data were stolen by a former
hospital billing department employee. The information was used to
make fraudulent insurance claims. James Allen Wilson was arrested
on November 6, 2008; he was employed at Cedars-Sinai from January
2003 through March 2007. At that time, he was authorized to access
patient information. He did not have authorization to bring the data
to his home, which is where they were found. Investigators believe
Wilson earned more than US $69,000 through his fraud scheme.
http://www.latimes.com/business/careers/work/la-me-cedars-sinai23-2008dec23,0,5508589.story
MISCELLANEOUS
--CastleCops Raises the Drawbridge
(December 29, 2008)
CastleCops, the volunteer cyber security organization, has shut
down operations. CastleCops investigated malware and phishing
schemes, provided training programs and helped computer users
clean their computers of malware. The CastleCops website weathered
numerous denial-of-service attacks and other attempts to harm its
reputation. The organization was started in 2002, when it was known
as ComputerCops.
http://www.theregister.co.uk/2008/12/29/castlecops_closes/
http://news.softpedia.com/news/Security-Board-CastleCops-Closes-Operations-100981.shtml
http://www.castlecops.com/
--Microsoft Malicious Software Removal Tool Cleaned Phony Security Apps From 400,000 PCs
(December 24, 2008)
Microsoft says that the December version of its Malicious Software
Removal Tool (MSRT) has removed the "Antivirus 2009" phony security
application from nearly 400,000 PCs. The revised MSRT was released
on December 9; the statistics gathered represent the tool's activity
during the first nine days of its release. Cyber criminals are
reportedly making significant amounts of money by installing their
programs on PCs, then inundating the machines with pop-up warnings of
infections until users pay to purchase their clean-up applications,
which are usually priced around US $40 to US $50 and are generally
useless.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124346&intsrc=hm_list
[Editor's Note (Skoudis): I see these pop-ups rather often myself, and
it is a little goofy to see a pop-up purposely designed to look like a
Windows XP warning message on my Mac. Still, this is a very insidious
threat for the average user, and we need to educate our co-workers,
friends, and family about it so that they don't fall victim. Work this
one into conversations with your loved ones over the holidays.]
--Bank Info Security's Top 10 Security Breaches
(December 22, 2008)
A top 10 list of the year's security breaches compiled by Bank Info
Security (bankinfosecurity.com) includes the start of the resolution
of the TJX breach, as well as breaches at Bank of New York Mellon,
Hannaford, Countrywide, and the New York City Citibank ATM breach. Each
listing includes a "Lesson Learned" section.
http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and
eBay and as Vice-Chair of the President's Critical Infrastructure
Protection Board.
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFJWktu+LUG5KFpTkYRAtdsAJ94ZBXO2WSVxWPqavkT32r7VciuKgCeMKeh
nWVFo+AwgiKpwPfkm57AkF0=
=2ZJ3
-----END PGP SIGNATURE-----