From: The SANS Institute (NewsBites sans.org)
Date: Tue Jan 06 2009 - 14:18:36 CST
A fascinating article: Kevin Poulson's Wired Magazine article tells the
story of Max Butler who tried to corner the black market on stolen
credit card numbers.
http://www.wired.com/techbiz/people/magazine/17-01/ff_max_butler?currentPage=1
We now have ratings that show the top seven security courses for
people who have to upgrade defenses in light of the new nation-state
attacks:
1. Network Penetration Testing
2. Web Application Penetration Testing
3. Hacker Techniques and Exploits
4. Wireless Ethical Hacking, Penetration Testing and Defenses
5. Auditing Networks, Perimeters, and Systems
6. Computer Forensics, Investigation & Response
7. Intrusion Detection In Depth
Best place to take them with the highest rated instructors is SANS2009
in Orlando in early March, where you can also do Security Essentials and
prepare for the CISSP exam. Full course matrix at
http://www.sans.org/sans2009/event.php
Alan
*************************************************************************
SANS NewsBites January 6, 2009 Vol. 11, Num. 1
*************************************************************************
TOP OF THE NEWS
MD5 Hash Algorithm Flaw Allows Fraudulent Certificates
Twitter Hit by Phishing Attack and Account Hijacking
RIAA Switches Companies for Evidence Gathering
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Government Denies Plans to Expand Remote Warrantless PC Surveillance
Proposed UK Communications Database Could be Managed by Private Company
RFP for Report on China's Cyber Warfare Posture
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Chinese Court Sentences 11 to Prison for Software Piracy
VULNERABILITIES
Microsoft Says Windows Media Player Problem is a Reliability Issue
ATTACKS
Pro-Hamas Attackers Gained Access to Israeli Domain Registration Server
MISCELLANEOUS
Some Banks Want to Know Travel Plans
Japanese Fingerprint Immigration Control System Thwarted by Special Tape
Attack Can Block SMS and MMS Messages to Nokia Phones
************************* Sponsored By CA *******************************
Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now
co-elements that support dynamic Web-based commerce. Technologies such
as Web access management, single sign-on, identity management,
federation, and strong authentication - when leveraged together -
represent a more efficient way to conduct IT-enabled business. This IDC
whitepaper explores how competitive advantage can be effectively
realized through secure Web business enablement technologies. Learn more
http://www.sans.org/info/36793
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--MD5 Hash Algorithm Flaw Allows Fraudulent Certificates
(December 30 & 31, 2008 & January 5, 2009)
A vulnerability in the MD5 hash algorithm used to generate digital
certificates could allow cyber criminals to generate fraudulent
certificates. The phony certificates could be used to create phishing
sites that would appear to browsers to be legitimate. The problem was
the subject of a presentation at the Chaos Communication Congress in
Berlin last month. Certificate authorities that use MD5 hashes should
change to SHA1 hashes to protect their certificates' integrity. A number
of certificate authorities are still using MD5, and some estimates
say that 14 percent of all websites are using certificates generated
with MD5.
http://isc.sans.org/diary.html?storyid=5590&rss
http://gcn.com/Articles/2008/12/31/SSL-certs-busted.aspx?p=1
http://www.securityfocus.com/news/11541
http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate--/news/112327
http://www.securityfocus.com/brief/880
[Editor's Note (Honan): This attack should not come as a major surprise
as weaknesses in the MD5 hash algorithm have been known since 2004. The
SANS Internet Storm Center has a good write up of the issue with a list
of vendor statements regarding the status of their certificates at
http://isc.sans.org/diary.html?storyid=5590. You can also use this
site http://www.networking4all.com/nl/helpdesk/tools/site+check/ to
check what SSL certificates are being used by a site you are visiting.]
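The check Honan's note points at, written out as an added example that is not part of the newsletter: a small DER walker (assumed helper names; sample certificates constructed inline rather than taken from any CA) that reads a certificate's signatureAlgorithm OID and flags MD5-based signatures so an operator can inventory which certificates still need to move to SHA1 or stronger.

```python
# Added example (not from the SANS newsletter): a minimal DER walker that reads
# the signatureAlgorithm OID of an X.509 certificate and flags MD5-signed
# certificates. The OIDs are the standard PKCS#1 values; the sample
# certificates are constructed inline, so none of them is a real CA certificate.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption"}

def _tlv(data: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0  # first byte packs two arcs
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Return the name of a DER Certificate's outer signatureAlgorithm."""
    _, cert, _ = _tlv(cert_der, 0)      # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)      # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def is_weak_signature(cert_der: bytes) -> bool:
    """True when the certificate is signed with a digest the item says to retire."""
    return signature_algorithm(cert_der) in WEAK_SIGNATURES

def _der(tag: int, body: bytes) -> bytes:
    """Encode one TLV (short or long length form) for the constructed samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_certificate(last_arc: int) -> bytes:
    """Constructed stand-in: dummy TBS, real PKCS#1 OID 1.2.840.113549.1.1.<last_arc>, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([last_arc]))
    alg = _der(0x30, oid + b"\x05\x00")           # parameters ::= NULL
    sig = _der(0x03, b"\x00" * 129)              # unused-bits byte + 128 zero bytes
    return _der(0x30, tbs + alg + sig)
```

Feed `signature_algorithm` the DER bytes of any real certificate (for example from `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`) to run the same check against a live site.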
--Twitter Hit by Phishing Attack and Account Hijacking
(January 5, 2009)
Twitter users are the latest targets of phishing attacks. Some users
have reported receiving messages that direct them to phony login pages.
Once the login credentials have been harvested, the accounts are used
to send more phishing messages. Users are advised to log in to Twitter
on Twitter.com instead of sites to which they have been directed. In
what Twitter says is an unrelated attack, bogus messages have been sent
from several compromised high profile Twitter accounts. The attacker
apparently hacked into Twitter support team tools that have been taken
off line until the problem can be addressed.
http://voices.washingtonpost.com/securityfix/2009/01/phishers_now_twittering_their.html?wprss=securityfix
http://news.cnet.com/8301-17939_109-10130566-2.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.pcmag.com/article2/0,2817,2337833,00.asp
http://blog.wired.com/27bstroke6/2009/01/twits-get-phish.html
http://www.heise-online.co.uk/security/Major-security-problem-for-Twitter--/news/112357
[Editor's Note (Honan): Phishing in Twitter via tweets or direct
messages is easier than in emails as most URLs are converted to the
tinyurl format thus hiding the original URL from the recipient. If in
doubt about a tinyurl link you can preview it by using tinyurl.com's
preview feature at http://tinyurl.com/preview.php.]
--RIAA Switches Companies for Evidence Gathering
(January 4 & 5, 2009)
The Recording Industry Association of America (RIAA) has ended its
business relationship with MediaSentry, the company it employed to
gather information used to establish copyright violation cases.
MediaSentry has faced criticism that their methods are invasive and
excessive. The RIAA now plans to work with DtecNet Software ApS, a
Danish company. The RIAA's legal tactics were dealt a blow last year
when a judge ruled that making files available for download did not
constitute copyright infringement. The RIAA also recently announced
that it will stop filing lawsuits against suspected copyright violators;
instead, the organization has reached agreements with several Internet
service providers (ISPs) to warn chronic filesharers about their illegal
behavior and throttle bandwidth of those who continue to make
copyrighted files available for downloading.
http://news.cnet.com/8301-1023_3-10130785-93.html
http://weblog.infoworld.com/robertxcringely/archives/2009/01/is_the_riaa_adm.html
[Editor's Note (Paller): The type of language used in the Infoworld
article is counterproductive. I mention this because I have seen too
many highly capable security people use hyper-critical and disdainful
language in botched attempts to appear superior. The actual impact of
that language is to make them appear childish and churlish and not
worthy of deference. The net result: their good security ideas do not
get implemented.]
*************************************************************************
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--UK Government Denies Plans to Expand Remote Warrantless PC Surveillance
(January 4 & 5, 2009)
The UK Home Office has denied reports in two papers that the government
plans to expand its authority to search citizens' PCs remotely without
a warrant. The Computer Misuse Act of 1990 already allows remote
searches of computers, and the practice is regulated under the
Regulations of Investigatory Powers Act (RIPA). The searches can be
conducted through Trojans sent in emails, WiFi eavesdropping or through
physically installed keystroke loggers. The European Union's Council
of Ministers has decided to adopt a plan that would allow member states
to expand the potential scope of remote warrantless surveillance of PCs;
it would also allow other member nations to request such surveillance
from UK police.
http://www.heise-online.co.uk/security/Government-backs-more-remote-searching-of-private-PCs--/news/112350
http://www.theregister.co.uk/2009/01/05/police_remote_snoop/
http://www.timesonline.co.uk/tol/news/politics/article5439604.ece
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/4109031/Government-plans-to-extend-powers-to-spy-on-personal-computers.html
[Editor's Note (Schultz): I do not believe the UK Home Office's denial
in the least bit. Whether we like it or not, the ever growing
seriousness of terrorist and other threats makes extensive
government-conducted surveillance, including at-will remote access to
privately owned PCs, an inevitability.]
--Proposed UK Communications Database Could be Managed by Private Company
(December 31, 2008 & January 3 & 5, 2009)
In an effort to save money, the UK government plans to use a private
company to manage a proposed database of all phone calls, text messages,
emails and web surfing details. The database would contain information
about when and where the communications took place, but no content would
be retained; there would be stringent penalties for misusing the
information. The database, which is aimed at helping with criminal
investigations, has met with resistance from privacy advocates.
http://www.vnunet.com/vnunet/news/2233212/uk-government-outsource
http://news.bbc.co.uk/2/hi/uk_news/politics/7805610.stm
[Editor's Note (Ranum): The problem with outsourcing such a project is
that the outsourcers can bid "sure, we can do that!" to virtually any
ridiculous objective, then either fail outright or string the project
along indefinitely.]
--RFP for Report on China's Cyber Warfare Posture
(December 29, 2008)
The US-China Economic and Security Review Commission has issued a
request for proposals to create an unclassified report that analyzes
Chinese cyber warfare capabilities. Submissions are due on or before
January 21, 2008. The Commission was established in 2000; its mission
is "to monitor, investigate, and submit to Congress an annual report of
the national security implications of the bilateral trade and economic
relationship between the United States and the People's Republic of
China, and to provide recommendations, where appropriate, to Congress
for legislative and administrative action."
http://fcw.com/Articles/2008/12/29/Commission-to-fund-research-on-Chinas-cyberwarfare-capabilities.aspx
http://www.uscc.gov/about/overview.php
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Chinese Court Sentences 11 to Prison for Software Piracy
(December 31, 2008 & January 1, 2009)
Eleven people in China have been sentenced for their roles in a piracy
scheme that was responsible for manufacturing and distributing more than
US $2 billion worth of counterfeit Microsoft software. The sentences
of between 18 and 78 months are the longest to be handed down for piracy
in China. The investigation leading to the convictions involved China's
Public Security Bureau, the US FBI and hundreds of customers and
partners.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124624&source=rss_topic17
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/31/AR2008123103061.html
VULNERABILITIES
--Microsoft Says Windows Media Player Problem is a Reliability Issue
(December 29 & 30, 2008)
Microsoft has played down reports of a security flaw in Windows Media
Player, saying the problem is a "reliability issue with no security risk
to customers." Researchers maintain the integer overflow vulnerability
could be exploited to inject malicious code, and have published
proof-of-concept code to demonstrate the attack. In a Microsoft blog
post, the company expressed its disappointment with the researcher's
decision to publicize his assertions without first contacting the
company.
http://www.csoonline.com/article/473114/Microsoft_Downplays_Windows_Media_Player_Bug?source=nlt_csonewswatch
http://www.theregister.co.uk/2008/12/30/wmp_bug_spat/
http://news.cnet.com/8301-1009_3-10129682-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://blogs.technet.com/msrc/archive/2008/12/29/questions-about-vulnerability-claim-in-windows-media-player.aspx
ATTACKS
--Pro-Hamas Attackers Gained Access to Israeli Domain Registration Server
(January 2 & 5, 2009)
Pro-Hamas hackers based in Morocco managed to break into DomainTheNet,
an Israeli domain registration server. For several hours, Internet
users attempting to visit the Ynet English and Bank Discount websites
were instead directed to a server in Japan that was hosting a site
filled with propaganda. DomainTheNet Technologies CEO Yoav Keren said
the attackers obtained the passwords necessary to access the domain
management system through the online customer service system.
http://www.scmagazineuk.com/Israeli-websites-hit-by-pro-Hamas-hackers/article/123490/
http://www.ynetnews.com/articles/0,7340,L-3649281,00.html
[Editor's Note (Northcutt): A sign of things to come and things of the
past: the Nanking Massacre, Estonia, Georgia, the Muhammad cartoons and
now this. Eleven years ago, I remember there were some brief discussions
between Russia and the US about some form of information warfare détente.
At the time I thought the term information warfare arms race was a bit
sci-fi, but now I wonder what the next couple of years will bring.
http://news.bbc.co.uk/1/hi/world/asia-pacific/618520.stm
http://blog.wired.com/defense/2007/06/cyberwar_panic_.html
http://www.jamestown.org/single/?no_cache=1&tx_ttnews[tt_news]=34178
http://www.nydailynews.com/news/us_world/2007/10/09/2007-10-09_muhammad_cartoon_in_swedish_paper_spurs_.html ]
MISCELLANEOUS
--Some Banks Want to Know Travel Plans
(January 2, 2009)
Some banks in the UK are requiring their credit and debit card customers
to notify them of their travel plans to avoid fraudulent transactions
abroad. Customers have found their accounts frozen when they attempt
to conduct transactions while traveling outside the country.
Computerized systems used by the banks analyze behavior and may trigger
account freezes if the transaction appears to be out of the ordinary.
More than 40 percent of UK payment card fraud incidents took place
overseas; the transactions totaled GBP 301 million (US $439.3 million).
Banks particularly want to know if customers plan to travel outside the
European Union or to Eastern Europe.
http://www.timesonline.co.uk/tol/news/uk/crime/article5429773.ece
--Japanese Fingerprint Immigration Control System Thwarted by Special Tape
(January 1, 3 & 6, 2009)
A South Korean woman thwarted a biometric immigration control system
when she entered Japan in April 2008 with a phony passport and special
tape on her fingers. The woman had been deported from Japan in 2007 for
overstaying her visa and was prohibited from re-entering the country for
five years. The biometric system was installed in 30 airports in 2007;
it aims to prevent terrorists from entering the country. The government
plans to review the system.
http://www.yomiuri.co.jp/dy/national/20090101TDY01303.htm
http://www.yomiuri.co.jp/dy/national/20090106TDY04303.htm
http://search.japantimes.co.jp/cgi-bin/nn20090103a3.html
http://www.google.com/hostednews/afp/article/ALeqM5jwMl9y-RtlCG0LXfKIF5yX0uxgzg
[Editor's Note (Ranum): Problems with biometric systems have made them
a laughingstock for decades and are well-understood and widely
documented. It's sad that the government has to "review the system" now
that it's been installed; the time for system review is prior to
deciding to buy it.]
--Attack Can Block SMS and MMS Messages to Nokia Phones
(December 31, 2008)
A proof-of-concept attack has demonstrated that a single maliciously
crafted text message can prevent Nokia phones from receiving future SMS
and MMS messages. Certain versions of the phones' software will stop
receiving the messages after just one bad message is received; other
versions fail after receiving 11 such messages. Still other versions
merely warn of memory problems after receiving bad messages. At least
one anti-virus company has released a fix for the problem.
http://www.csoonline.com/article/473270/Security_Vendors_Ready_Fix_for_Curse_of_Silence_SMS_Attack?source=nlt_csonewswatch
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/