SANS NewsBites Vol. 11 Num. 19

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Mar 10 2009 - 14:42:43 CDT



Interesting (and troubling) disclosures at a meeting this morning of
DHS, DoD, NIST and other US government and industry security leaders.
First, NIST said that it was working closely with the DoD and the
Intelligence Community (IC) on an effort that will make the NIST 800-53
guidance, now mandatory for civilian federal agencies, also mandatory for
use by the IC and DoD. Then one of the nation's top government defenders reported
that neither of the two main attack vectors, the two that account for
the vast majority of successful exploits against US civilian government
computers, is adequately addressed in NIST's 800-53 guidance (the words
used were "you would be hard pressed to find [the needed controls]" in
the guidance.) If the second disclosure is true, and it appears that it
is because no one at the meeting refuted it, then the decision to apply
800-53 to our most critical national government computers needs to be
reconsidered.

New free resource: Application security papers in the SANS Reading Room.
The first paper: "Protecting Your Web Apps: Two Big Mistakes and 12
Practical Steps to Avoid Them"
http://www.sans.org/reading_room/application_security/
                                Alan
*************************************************************************
SANS NewsBites March 10, 2009 Vol. 11, Num. 19
*************************************************************************
TOP OF THE NEWS
  Australian Police Could be Granted Remote Computer Investigation
     Privileges
  California Legislation Would Require Specific Information in Data
     Breach Notifications
  Verizon Offers Customers Chance to Opt Out of Data Sharing Arrangement
THE REST OF THE WEEK'S NEWS
  LEGAL ISSUES
    UK ICO Will Prosecute Company That Sold Building Worker Data
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    Lost Memory Stick Holds Police Investigation Data
    DHS Cyber Security Director Beckstrom Resigns
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Swedish Police Seize Server in Illegal Filesharing Bust
  VULNERABILITIES
    Unpatched Adobe Flaw Can be Exploited Without JavaScript
    Google Fixes Google Docs Unintentional File Sharing Flaw
  UPDATES AND PATCHES
    Next Generation of Windows Will Allow Users to Turn off Certain
       Programs
  DATA BREACHES, LOSS & EXPOSURE
    Bottle Domains Data Breach Exposes 60,000 Payment Cards
  ACTIVE EXPLOITS, WORMS & VIRUSES
    Worm Infects Scottish Hospital Computers
    Conficker Update Includes Vast Expansion of Phone Home Domains

********************** Sponsored By PureWire ****************************

Learn how hackers are exploiting your employees' Web surfing to gain
entry into your network. New technologies such as AJAX and Silverlight
are fueling attack methods such as Clickjacking, XSS and Request
Forgery. Recent research shows that 70% of Web sites serving malware are
actually legitimate sites. Download this white paper now!
http://www.sans.org/info/40063

*************************************************************************
TRAINING UPDATE
- Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short
courses) http://www.sans.org/tysonscorner09/event.php
- Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- Plus Calgary, New Orleans, San Diego and more...
- Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Australian Police Could be Granted Remote Computer
Investigation Privileges
(March 9, 2009)
Proposed legislation in the Australian state of New South Wales would
give police the authority to remotely break into certain crime suspects'
computers to conduct investigations. Those targeted by the
investigation could be prevented from learning of the investigation for
up to three years. The permission would be given only in cases in which
the alleged crime is punishable by seven or more years in prison.
http://news.cnet.com/8301-1009_3-10191514-83.html?tag=mncol;title
http://www.zdnet.com.au/news/security/soa/NSW-Police-to-get-hacking-powers/0,130061744,339295354,00.htm
[Editor's Note (Northcutt): This is a bad idea: police hackers.]

 --California Legislation Would Require Specific Information in Data
    Breach Notifications
(March 6, 2009)
California State Senator Joe Simitian has introduced legislation that
would require organizations that experience data security breaches to
provide a specific set of information in their disclosure letters.
Presently, California law requires organizations to notify affected
individuals if their personal data have been compromised in a security
breach, but the letters often leave the recipients with more questions
than answers. The bill would also require that state authorities be
notified at the same time as affected residents.
http://news.cnet.com/8301-1009_3-10190978-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://blog.wired.com/27bstroke6/2009/03/ca-looks-to-exp.html
http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_introduced.html
[Editor's Note (Schultz): Sound legal statutes evolve over time, as
shown by this follow-up legislation for California SB-1386. When this
statute was originally passed in 2002, it had numerous loopholes that
were closed by subsequent legislation. If this new legislation passes,
it will once again make California a leader in the data security breach
notification area.
(Ranum): As long as the burden of clean-up remains on the consumer, the
risk equation is still not balanced. As long as it's not balanced we'll
continue to see hemorrhaging personal information.]

 --Verizon Offers Customers Chance to Opt Out of Data Sharing Arrangement
(March 8, 2009)
Verizon is reportedly sending letters to its customers, allowing them
the opportunity to opt out of an arrangement to share their personal
data with the company's "affiliates, agents, and parent companies." The
data covered by the agreement would include, but are not limited to:
"services purchases (including specific calls you make and receive),
billing info, technical info and location info." Customers who receive
their Verizon statements online will not receive the letter; instead,
they may access their accounts and view their messages to get the
information.
http://yro.slashdot.org/article.pl?sid=09/03/08/196242
[Editor's Note (Pescatore): It is really time these sort of things
started coming out saying "Company X is sending letters to its
customers, informing them that no personal data will be shared unless
the customer opts in." ]

************************** SPONSORED LINKS ******************************
1) Join professionals to learn about Log Management tools at the Log
Management Summit April 6-7.
http://www.sans.org/info/40068

2) What are the ten technical tips most penetration testers don't know
but should? Penetration Testing and Ethical Hacking Summit June 1-2.
http://www.sans.org/info/40073

3) Brady Bunch Boondoggle - Hacking Challenge
SANS wireless master Josh Wright created an awesome new edition to the
Skillz Hck1ng Challenges hosted by Ed Skoudis. Help Peter and the gang
plant a rogue AP in their Dad's architectural office at Phillips Design
to help him get a raise, so they can stay in the house. Is your Fu good
enough or will you too get a lecture on life by Mike Brady? All entries
are due by March 16, 2009.
http://www.ethicalhacker.net/content/view/234/2/
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
 --UK ICO Will Prosecute Company That Sold Building Worker Data
(March 2009)
The UK Information Commissioner's Office (ICO) plans to prosecute a
company under the Data Protection Act for allegedly selling details from
a clandestine database of building workers' information. The company,
called the Consulting Association, allegedly provided information to
subscribing building companies that sent in lists of prospective
employees and received information about them, including their personal
relationships, whether they were deemed a safety risk or had union ties.
The information in the database was gathered and retained without the
workers' consent. Some building companies are adamant that they do not
condone the practice of blacklisting. An investigation determined that
the Consulting Association had compiled a database with information
about 3,213 building workers.
http://news.bbc.co.uk/2/hi/uk_news/7928807.stm
[Editor's Note (Honan): Companies collecting personally identifiable
data about individuals within the UK are legally obliged to ensure they
do so in line with the eight principles of the Data Protection Act. In
this case it appears the relevant principles are the information must
be "Fairly and lawfully processed", "Adequate, relevant and not
excessive" and "Processed in line with your rights".]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --Lost Memory Stick Holds Police Investigation Data
(March 9, 2009)
A memory stick containing unencrypted details about hundreds of Scottish
police investigations is missing. The device was lost at the end of
last year at Lothian and Borders Police headquarters. The memory stick
was believed to have been in the process of being moved within a secure
area when it was lost, but the incident serves to demonstrate the need
to encrypt sensitive data at all times.
http://www.scmagazineuk.com/Unencrypted-police-memory-stick-lost/article/128429/
[Editor's Note (Ranum): When are enterprises going to learn? The way to
prevent this kind of thing from happening is to NOT make it possible.
Let people copy critical data around, and critical data will leak; it's
that simple. Encryption is not a panacea, because of the prevalence of
keylogging trojans and the fact that people will have to have the data
unencrypted, at some point, in order to use it. The answer to data
leakage is data control. There is no "plan B".
(Pelgrin): One should consider encrypting all mobile devices. In this
digital era it leaves too much to human error to decide whether sensitive
or confidential data is or has ever been on the mobile device. Surveys
have shown that end users don't always know what is stored on these
devices. We need to make it easy to protect our data -- therefore
encrypting all mobile devices takes the guesswork out of the equation. ]

 --DHS Cyber Security Director Beckstrom Resigns
(March 6, 7 & 8, 2009)
The US Department of Homeland Security's (DHS) National Cyber Security
Center director Rod Beckstrom has resigned his position effective
Friday, March 13. Beckstrom is quoted as saying in a letter to DHS
Secretary Janet Napolitano that allowing the National Security Agency
(NSA) to control national cyber security efforts is "a bad strategy on
multiple grounds." Beckstrom also said that his organization was
insufficiently supported by the previous administration.
http://lastwatchdog.com/cybersecurity-official-resigns-smothering-nsa/
http://www.scmagazineus.com/DHS-National-Cybersecurity-Center-director-resigns/article/128396/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129218&source=rss_topic17
http://fcw.com/Articles/2009/03/06/DHS-cybersecurity-chief-resigns.aspx
http://blog.wired.com/defense/2009/03/breaking-cyber.html
http://www.securityfocus.com/brief/922
http://www.msnbc.msn.com/id/29557432/

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Swedish Police Seize Server in Illegal Filesharing Bust
(March 6 & 7, 2009)
Police in Brandbergen, Sweden, near Stockholm, raided an apartment and
seized a server containing 65 terabytes of allegedly pirated files. The
raid was part of an effort to crack down on illegal filesharing.
Sixty-five terabytes translates to approximately 16,000 full-length
films. The raid was conducted on February 9 but made public only last
week. The equipment's alleged owner has been questioned and released,
but remains the subject of an investigation.
http://www.msnbc.msn.com/id/29566891/
http://news.cnet.com/8301-1023_3-10190977-93.html?part=rss&subj=news&tag=2547-1009_3-0-20

VULNERABILITIES
 --Unpatched Adobe Flaw Can be Exploited Without JavaScript
(March 6, 2009)
A promised patch for a flaw in Adobe Reader and Acrobat is being even
more eagerly anticipated following the revelation that the flaw it will
fix is more serious than first believed. Adobe has been aware of the
problem since January and said it would have a patch to fix it on March
11. Adobe publicly acknowledged the vulnerability several weeks ago and
recommended that users disable JavaScript in Acrobat and Reader until
the patch is issued. The vulnerability has been deemed critical and
reports emerged that it had been exploited in the wild since early
this year. Researchers now say they have developed exploits for the
flaw that do not rely on JavaScript for their execution.
This story was broken by the Internet Storm Center at
http://isc.sans.org/diary.html?storyid=5902 , which pulled the story until
it was reported elsewhere so as not to exacerbate the risk. The
follow-up story is posted at http://isc.sans.org/diary.html?storyid=5926
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129163&source=rss_topic17
[Editor's Note (Honan): Some people have recommended that users move to
other PDF readers, but it appears this vulnerability may impact those
readers as well.]

 --Google Fixes Google Docs Unintentional File Sharing Flaw
(March 9, 2009)
Google has fixed a security flaw in its Google Docs document sharing
program that could allow files to be shared inadvertently. Google said
the vulnerability affected only a small percentage of documents. To
address the problem, Google removed sharing privileges from documents
affected by the flaw; users have been provided with instructions on how
to share those documents again if they wish. According to Google, the
flaw does not affect spreadsheets.
http://www.theregister.co.uk/2009/03/09/google_docs_serious_security_breach/
http://www.eweek.com/c/a/Security/Google-Fixes-Document-Sharing-Privacy-Issue/
http://www.informationweek.com/news/services/storage/showArticle.jhtml?articleID=215801317&subSection=News
http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html

UPDATES AND PATCHES
 --Next Generation of Windows Will Allow Users to Turn off Certain Programs
(March 6 & 9, 2009)
Microsoft's new operating system, Windows 7, will have modular features,
allowing users to turn off various applications, including Internet
Explorer (IE). The change will be a boon to competition; Microsoft has
dealt with claims of anti-trust violations in the past.
A 2004 European ruling required Microsoft to disclose proprietary
information about its software with competitors; it was also fined 497
million Euros (US $627.9 million) and required to unbundle certain
products from standard Windows installations. Windows 7 is expected to
be released commercially in 2010.
http://news.bbc.co.uk/2/hi/technology/7932149.stm
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=215801222&subSection=News
http://blogs.zdnet.com/gadgetreviews/?p=1927
http://www.msnbc.msn.com/id/29596703/
[Editor's Note (Guest editor Frantzen): The EU ruling did not require
MS to unbundle certain products from standard Windows installations. It
required MSFT to make available alternate versions that did not contain
the bundled products. They were allowed to continue to offer the bundled
versions.
(Pescatore): In general, this should be a security positive. Right now,
the 30% of the users who aren't using IE often have it pop up
unexpectedly and they end up having multiple browsers running and paths
to malicious ActiveX controls that they didn't realize were open. ]

DATA BREACHES, LOSS & EXPOSURE
 --Bottle Domains Data Breach Exposes 60,000 Payment Cards
(March 6, 2009)
As many as 60,000 credit cards may be at risk for fraud due to a data
security breach at Australian domain name registrar Bottle Domains.
National Australia Bank (NAB) and Commonwealth Bank both acknowledged
receiving lists of potentially compromised payment cards; NAB said that
an undisclosed number of cards on the list have been used in fraudulent
transactions. Bottle Domains has not yet notified its customers of the
breach, although Australian domain name industry regulator au Domain
Administration Ltd. has informed all Bottle Domains customers of the
breach by email. The breach came to light when the stolen information
was offered for sale on the Internet earlier this year; one man has been
arrested in connection with the data theft. Bottle Domains maintains
that it is compliant with the payment card industry data security
standard (PCI DSS).
http://www.thesheet.com/nl05_news_selected.php?act=2&stream=1&selkey=7963&hlc=2&hlw=

ACTIVE EXPLOITS, WORMS & VIRUSES
 --Worm Infects Scottish Hospital Computers
(March 9, 2009)
A computer worm infected computers at two Scottish hospitals last week.
Laboratory computers at the Stobhill and Gartnavel General hospitals
were infected, forcing a dozen patients at the Beatson West of Scotland
Cancer Care Centre to reschedule their appointments. Computer systems
at the hospitals were taken down for two days while technicians cleared
up the infection. While it has not been definitively determined, a
description of the infection at the Glasgow-area hospitals is consistent
with the effects of the Conficker worm.
http://www.theregister.co.uk/2009/03/09/scot_hostpitals_malware_infection/

 --Conficker Update Includes Vast Expansion of Phone Home Domains
(March 7 & 9, 2009)
The Conficker worm has been updated; some infected computers are
receiving new information that appears to try to protect the malware
from efforts by researchers to stop its spread and effects. The update
prevents antivirus and security analysis software from removing
Conficker from the machines it has infected. The update also increases
by a factor of 200 the number of domains the worm contacts daily;
researchers had been working to predict the domains infected machines
would attempt to contact, and to take control of those domains to stymie
Conficker's spread. Before the update, machines infected by Conficker
contacted 250 domains each day; that number has increased to 50,000.
http://www.theregister.co.uk/2009/03/07/conficker_upgrade/
http://www.securityfocus.com/brief/923

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
