From: The SANS Institute (NewsBites at sans.org)
Date: Tue Jul 07 2009 - 11:47:40 CDT
Boston in August, San Diego and Washington DC in September, and Chicago
in October all host major SANS security training events. www.sans.org
*************************************************************************
SANS NewsBites July 7, 2009 Vol. 11, Num. 53
*************************************************************************
TOP OF THE NEWS
Revised Rockefeller-Snowe Cybersecurity Bill To Move Forward in July
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Former Employee Arrested for Alleged Code Theft
Woman Sentenced for Identity Fraud
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
MI6 Chief's Information Exposed on Wife's Facebook Page
DISASTER RECOVERY
Seattle Data Center Fire Hobbles Bing's Travel Section and Other Sites
UPDATES AND PATCHES
Microsoft No Longer Supporting Java Virtual Machine
DATA LOSS & EXPOSURE
Bord Gais Data Breach Affects More Than 100,000 Customers
ATTACKS & ACTIVE EXPLOITS
Microsoft Warns of Unpatched Flaw in Video Access Control
Twitter Increasingly Used for Questionable Purposes
Cold Fusion Attacks
Malware Targets Latin American Best Buy Website Customers
Online Game Bank Manager Stole Billions
MISCELLANEOUS
BT Puts Phorm On Hold
Older Versions of McAfee Virus Scan Generate False Positives
******************* Sponsored By Catbird & McAfee, Inc. *******************
Top Security Mistakes in Virtualization (and How to Avoid Them)
Sponsored by Catbird and McAfee
Failure to separate duties, securely segment networks, and to recognize
where the virtual meets the physical network are but some of the
security mistakes organizations make when deploying virtual machine
technology. Senior SANS Analyst, Jim D. Hietala, describes how to avoid
these and other security mistakes in order to prevent security incidents
and exposures.
http://www.sans.org/info/45453
*************************************************************************
TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22;
the Fall's biggest security training conference -- 20 full-length
courses and 16 short courses plus a big exhibition
http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
https://www.sans.org/boston09/index.php
- - The Forensics Summit starts on July 9, and has four
courses: http://www.sans.org/forensics09_summit/event.php
- - The Virtualization and Cloud Security Summit on August 17-18 in
Washington; courses in the following days
http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and
Singapore all in the next 90 days. For a list of all upcoming events,
on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Revised Rockefeller-Snowe Cybersecurity Bill To Move Forward in July
(June 26 2009)
The most far-reaching US legislative proposal on Cybersecurity is being
modified to eliminate problematic language (such as the language that
gave the government the right to "shut-off the Internet" during a
national emergency) and will be moving ahead during July with a major
rewrite and an additional hearing followed by a full-committee vote.
Among many other far-reaching provisions, the Rockefeller-Snowe bill
extends federal cyber security regulatory reach to federal contractors
and grantees and calls for licensing of cyber security professionals.
http://www.nextgov.com/nextgov/ng_20090626_2244.php
[Editor's Note (Paller): The White House has a sound plan for cyber
security and the President gave a great speech five weeks ago, but the
White House does not appear to be acting fast enough, and Congress will
step in. Once the Senate Intelligence Committee approves the redrafted
Rockefeller-Snowe legislation in July, look for a coming together of
Senators Carper (author of the draft 'FISMA 2.0' bill and chairman on
the key Senate Subcommittee on cyber security in government), Senators
Lieberman and Collins (chairman and ranking member of the Senate
Homeland Security and Government Affairs Committee), and Senators
Rockefeller and Snowe (chairman and ranking member of the Senate
Intelligence Committee). If they all reach agreement on the contentious
issue of the White House cyber coordinator's role, they could launch a
reshaping of US cyber security policy.]
*************************** Sponsored Link: *****************************
1) InstantSecurityPolicy.com - Professional IT Security Policies,
created and delivered online with innovative wizard, free samples
available.
http://www.sans.org/info/45458
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
--Former Employee Arrested for Alleged Code Theft
(July 6, 2009)
A former Goldman Sachs employee has been arrested for allegedly stealing
code from the company. Sergey Aleynikov worked for the company from
2007 until 2009; his responsibilities included "the development of a
real time co-located high frequency trading platform." An affidavit
alleges that after Aleynikov gave notice at Goldman Sachs, he copied,
compressed and encrypted 32 MB of data and moved them to a server in
Germany. Aleynikov maintains he intended to copy only open source files
that he had worked on, but included the proprietary information by
mistake. The affidavit alleges that his use of encryption and the fact
that he deleted the software used to perform the tasks suggest his
motives were less than honorable. Aleynikov is being held pending his
posting of US $750,000 bail; he has also been ordered to surrender his
passport.
http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070601654.html
http://www.h-online.com/security/Ex-Goldman-Sachs-developer-arrested-for-code-theft--/news/113691
http://static.reuters.com/resources/media/editorial/20090706/Complaint%20--%20Aleynikov.pdf
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9135216
http://www.wired.com/threatlevel/2009/07/aleynikov/
[Editor's Note (Ranum): The age of internet news makes "innocent until
proven guilty" rather pointless, doesn't it? From now on, if someone
Googles "Sergey Aleynikov" they will get allegations of a crime,
regardless of whether or not he is subsequently acquitted. I predict
that there will eventually be some very interesting lawsuits over this
kind of thing. The US Department of Justice, for example, settled with
Stephen Hatfill and Wen-Ho Lee to the tune of millions of dollars, for
declaring Hatfill a "person of interest" and ruining his life, and
implying that Lee was a Chinese Government spy and failing to present
evidence for any of fifty nine indictments except for one: a trivial
instance of mishandling classified material. Every case where an
alleged criminal's name is leaked to the press is a multimillion dollar
lawsuit waiting to happen if the alleged criminal is actually innocent.
Wen Ho Lee's suit included 5 major media outlets and, at $1.6+ million
in settlements, it's not over yet. Perhaps SANS NewsBites should not
publish names of "alleged" wrongdoers until/if they are convicted?]
--Woman Sentenced for Identity Fraud
(July 6, 2009)
Labiska Gibbs has been sentenced to two-and-a-half years in prison for
her role in an identity fraud scam that compromised personal information
of Library of Congress employees and defrauded Target and other
retailers of US $30,000. Gibbs asked her cousin, William Sinclair Jr.,
who worked at the Library of Congress, to obtain the names, birth dates
and Social Security numbers (SSNs) of the employees; she then used the
information to purchase gift cards. Sinclair was sentenced to three
years' probation for his participation in the scheme.
http://www.nextgov.com/nextgov/ng_20090706_4406.php
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--MI6 Chief's Information Exposed on Wife's Facebook Page
(July 5 & 6, 2009)
Personal information about Sir John Sawers posted on his wife's Facebook
account does not constitute a security breach, according to Foreign
Secretary David Miliband. Sir Sawers is poised to assume his new role
as head of MI6 in November. Lady Sawers's Facebook page was protected
by lax security measures; any Facebook member in the London network
could view photographs of her family and information about the location
of their London home, the whereabouts of their children, and information
about their friends and relatives. The content has been removed from the
Internet.
http://www.theregister.co.uk/2009/07/06/mi6_facebook_doh/
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6644199.ece
http://www.cnn.com/2009/WORLD/europe/07/05/uk.spy.chief.facebook/index.html
http://www.dailymail.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html
http://www.v3.co.uk/v3/news/2245492/spies-should-stay-away-social
http://news.bbc.co.uk/2/hi/uk_news/8135070.stm
[Editor's Note (Pescatore): Back in the day, watching the Dominos pizza
delivery office closest to the White House in Washington DC was an
information leakage path. Social network sites are the same thing - lots
of worry in the military about loss of Operations Security because of
all the tweeting and Facebook posting going on by active military and
their families.]
DISASTER RECOVERY
--Seattle Data Center Fire Hobbles Bing's Travel Section and Other Sites
(July 6, 2009)
Hundreds of websites were unavailable for as long as 36 hours over the
US holiday weekend after an electrical fire damaged a Seattle data
center late last week. The fire took out the center's backup generator.
The outage affected the Travel section of Microsoft's Bing search engine
and Authorize.net, a credit card transaction processing site.
http://www.techweb.com/article/showArticle?articleID=218400512&section=News
http://seattletimes.nwsource.com/html/microsoftpri0/2009425303_seattledatacenterfireknockedoutbingtravelatmicrosoft.html
http://www.eweek.com/c/a/Windows/Microsoft-Bing-Travel-Back-Online-After-Fire-543751/
UPDATES AND PATCHES
--Microsoft No Longer Supporting Java Virtual Machine
(July 1 & 6, 2009)
Microsoft has ended support for Microsoft Java Virtual Machine (MSJVM)
as of June 30, 2009. Ten patches have been removed from the Microsoft
website; all of the patches addressed vulnerabilities in older operating
systems and browsers, including Internet Explorer 5 and Windows 95. The
most recent of the patches was released in 2003. "Customers are urged
to take proactive measures to stay informed about obsolete software and
move away from the MSJVM in a timely fashion." Microsoft's site suggests
several alternative Java technology options.
http://www.h-online.com/security/Microsoft-ends-support-for-Java-Virtual-Machine--/news/113692
http://www.microsoft.com/mscorp/java/default.mspx
DATA LOSS & EXPOSURE
--Bord Gais Data Breach Affects More Than 100,000 Customers
(July 5, 2009)
The theft of a laptop from a Bord Gais office in Dublin affects more
customers than was first believed. According to a report from the Data
Protection Commissioner, the security breach affects the personal
information of more than 100,000 customers; when the incident was first
disclosed, the number of affected customers was estimated to be 75,000.
In all, four laptops were stolen in early June; at least one contained
unencrypted data, including bank account information, of people who had
switched to the Bord Gais electricity supply service in recent months.
http://www.sbpost.ie/post/pages/p/story.aspx-qqqt=IRELAND-qqqm=news-qqqid=42906-qqqx=1.asp
ATTACKS & ACTIVE EXPLOITS
--Microsoft Warns of Unpatched Flaw in Video Access Control
(July 6, 2009)
Microsoft is warning of a vulnerability for which no patch is currently
available that can be exploited to take control of users' machines.
Users can become infected simply by visiting a website that has been
seeded with malware. The flaw affects customers using Internet Explorer
(IE) on machines running Windows XP or Windows Server 2003. The flaw
has been actively exploited for about a week; thousands of sites have
been hacked. Users are directed to these sites by clicking on links in
spam email. The flaw lies in the way Microsoft Video ActiveX Control
interacts with IE. Until a patch is made available, users are urged to
take steps, described in Microsoft's security advisory, to prevent
Microsoft Video Access Control from running in IE.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=6733
http://isc.sans.org/diary.html?storyid=6739
http://www.msnbc.msn.com/id/31766751/ns/technology_and_science-security/
http://www.securityfocus.com/brief/984
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9135210
http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html
http://www.microsoft.com/technet/security/advisory/972890.mspx
--Twitter Increasingly Used for Questionable Purposes
(July 6, 2009)
Twitter is being used increasingly as a vector of attack, owing to the
ease with which accounts are obtainable. For the time being, Twitter
is being used to redirect users to sites that are selling typical spam
items - pornography, pharmaceuticals, and phony anti-virus subscriptions.
Of particular concern is Twitter's use of shortened URLs, which can
disguise the site to which a user is being taken.
http://www.usatoday.com/tech/news/2009-07-05-hackers-internet-twitter_N.htm
[Editor's Note (Pescatore): I'm trying to think of any technology that
*hasn't* been "increasingly used for questionable purposes." Maybe
marshmallow Peeps?]
--Cold Fusion Attacks
(July 2, 3 & 6, 2009)
Attackers appear to be targeting websites with old installations of
certain Cold Fusion applications; a large number of websites have
reportedly been compromised in the last several days. Most of the
attacks exploit a vulnerable version of FCKEditor, which is installed
by default with Cold Fusion 8.0.1, or of the Ajax file manager CKFinder.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=6730
http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/
http://www.v3.co.uk/v3/news/2245329/hackers-aim-cold-fusion
http://www.securecomputing.net.au/News/149160,hackers-take-aim-at-cold-fusion.aspx
http://www.h-online.com/security/Hole-in-ColdFusion-8-threatens-web-site-security--/news/113698
http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html
http://isc.sans.org/diary.html?storyid=6715
--Malware Targets Latin American Best Buy Website Customers
(July 3, 2009)
Latin American visitors to the Best Buy website have been targeted with
malware. Site visitors are redirected to another site that uses an
iFrame vulnerability to infect users' machines with the Luckysploit kit.
The website used in the attacks was registered on June 4 by the same
group believed to be responsible for Gumblar.
http://www.theregister.co.uk/2009/07/03/best_buy_luckysploit_attack/
--Online Game Bank Manager Stole Billions
(July 3 & 6, 2009)
An Australian man who was one of the controllers of the virtual bank for
the Eve Online game has admitted to stealing 200 billion credits, or
eight percent of the bank's assets, and selling them for real world
money. The man says he took the money to pay his son's medical bills
and put a down payment on a home. The man has been kicked out of the
game for violating its terms of agreement. Eve Online has approximately
300,000 players.
http://www.theregister.co.uk/2009/07/03/eve_banker_does_a_runner/
http://news.bbc.co.uk/2/hi/technology/8132547.stm
http://www.geek.com/articles/games/eve-online-player-pays-real-debts-with-stolen-virtual-cash-2009076/
MISCELLANEOUS
--BT Puts Phorm On Hold
(July 6, 2009)
Shares of Phorm, the online targeted advertising company, have fallen
more than 43 percent after BT announced that it did not envision using
the company's technology in the immediate future. Targeted advertising
technology has come under scrutiny for violating users' privacy. BT is
being especially careful about employing the technology because it was
criticized for running a pilot of the technology several years ago
without customers' consent. BT says it is interested in targeted
advertising, but "resources and priority" have placed it on the back
burner. A handful of US Internet service providers (ISPs) started
testing similar technology but stopped after testimony at congressional
hearings made it clear that the public had some serious concerns about
the practice.
http://news.bbc.co.uk/2/hi/technology/8135850.stm
http://bits.blogs.nytimes.com/2009/07/06/bt-backs-off-from-tracking-internet-customers/?ref=technology
http://www.scmagazineuk.com/BT-scraps-plans-to-use-the-Phorm-Webwise-habit-tracking-system/article/139519/
http://business.timesonline.co.uk/tol/business/industry_sectors/telecoms/article6649622.ece
--Older Versions of McAfee Virus Scan Generate False Positives
(July 3, 4 & 6, 2009)
Computer users running certain unsupported versions of McAfee's
VirusScan engine found their computers crashing after downloading an
update that identified legitimate files as malware and quarantined them.
Users running current, supported versions of the software were not
affected.
http://www.eweek.com/c/a/Security/McAfee-Update-a-Headache-for-Enterprises-With-Old-Software-842314/
http://www.h-online.com/security/McAfee-update-brings-systems-down-again-Update--/news/113689
http://www.v3.co.uk/v3/news/2245491/mcafee-update-glitch-causes
http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/