SANS NewsBites Vol. 12 Num 75 : Millions of Windows-based Web Sites Have Critical Vulnerability

From: The SANS Institute (NewsBitessans.org)
Date: Tue Sep 21 2010 - 13:00:55 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites September 21, 2010 Vol. 12, Num. 75
*************************************************************************
TOP OF THE NEWS
  Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To Major
    Attack
  Proposed Legislation Would Allow DoJ to Seek Injunctions to Shut Down
    Piracy Sites
  Intel Says HDCP Master Key Leaked
  Some Sites Circumvent IE Cookie Settings
THE REST OF THE WEEK'S NEWS
    Stuxnet Virus May Be Aimed at Iranian Nuclear Reactor
    Adobe Issues Fix for Zero-Day Flash Flaw Ahead of Schedule
    Activists Launch DDoS Attacks Against RIAA, MPAA Sites
    Germany Calls for Voluntary Privacy Code
    Former Hospital Employee Charged with HIPAA Violations
    Two Sentenced in Credit Card Fraud Scheme
    New VA Cyber Security Tool
    Six Year Sentence for Role in Card Fraud Scheme
    FDIC Issues Guidance on Printer, Fax and Copier Data Exposure Risks

*********************** Sponsored By SANS ***************************

The Deputy Director of the United Kingdom's CPNI will kick off the SANS
2010 European SCADA Security Summit. The Summit, titled "changing from
talk to action", will highlight the most sophisticated new attack
patterns and what the most innovative and effective governments and
power companies and other industries are doing to counter the threats.
http://www.sans.org/info/65033

*********************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569).
How do you fight off malware when you have thousands of hosts?
Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
 -- SANS Network Security 2010, Las Vegas, September 19-27, 2010
41 courses. Bonus evening presentations include The Return of Command
Line Kung Fu and Cyberwar or Business as Usual? The State of US
Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
 -- SOS: SANS October Singapore, October 4-11, 2010
5 courses
http://www.sans.org/singapore-sos-2010/
 -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010
6 courses. Bonus evening presentations include Weaponizing LISP:
Advancing the Art of Network Security and Examining the Global
Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php
 -- SANS San Francisco 2010, November 5-12, 2010
7 courses. Bonus evening presentations include Weaponizing LISP:
Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/
 -- SANS London 2010, November 27-December 6, 2010
14 courses. Bonus evening presentations include Latest Advances in
Computer Forensics and Continuous Vulnerability Testing and
Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
 -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010
24 courses. Bonus evening presentations include Browser Based
Defenses; Continuous Vulnerability Testing and Remediation: the 20
Critical Security Controls Perspective; and Cyberwar or Business as
Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/
 -- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the
next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************************************************

TOP OF THE NEWS
 --Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To
    Major Attack
(September 20, 2010)
Microsoft confirmed that a vulnerability disclosed at a Buenos Aires
hacker conference is present in "millions of web sites" that rely on the
ASP.Net framework. The researchers showed how attackers can exploit an
error in ASP.Net's encryption to decrypt data on a remote server, and
read and copy files from a site or Web application that relies on the
framework. Especially vulnerable to theft are user names and passwords.
The vulnerability is present on millions of Web sites. Microsoft has
published a tool to detect vulnerable ASP.Net applications and established
a dedicated support forum (http://forums.asp.net/1233.aspx) to answer
questions from people building web sites and applications.
http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_massive_Web_bug
[Editor's Note (Pescatore): When you learn to drive, they always try to
ingrain "defensive driving" into you, as driving is dangerous. Since
software engineering is still an oxymoron, and web sites represent the
"LA Freeway" (Or "LIE" for you East Coasters) of software, defensive web
site techniques are clearly required to protect customer and business
data.]

 --Proposed Legislation Would Allow DoJ to Seek Injunctions to Shut Down
    Piracy Sites
(September 20, 2010)
Proposed US legislation would allow the US Justice Department (DoJ) to
seek court orders to shut down websites that facilitate piracy anywhere
in the world. The Combating Online Infringement and Counterfeits Act
would allow the DoJ to ask for injunctions that would order US domain
registrars and registries to cease resolving the domain name of piracy
sites.
http://news.cnet.com/8301-31001_3-20016995-261.html
http://www.wired.com/threatlevel/2010/09/justice-department-piracy/
http://www.wired.com/images_blogs/threatlevel/2010/09/CombatingOnlineInfringementAndCounterfeitsAct1.pdf
[Editor's Note (Schultz): This approach seems much more straightforward
than approaches that have been used in the past. At the same time,
however, pirates will simply move from one site to another if and when
this proposed legislation is passed.]

 --Intel Says HDCP Master Key Leaked
(September 17, 2010)
Intel has acknowledged that a master key leaked to the Internet unlocks
Blu-ray High-bandwidth Digital Content Protection (HDCP) encryption.
The technology was designed to protect high-definition video content.
The key could be used to remove encryption from HD satellite TV
broadcasts and DVRs. Intel says the hack would prove difficult, and has
said that it will take legal action against anyone who uses the key to
develop hardware that defeats HDCP technology.
http://www.wired.com/threatlevel/2010/09/intel-threatens-consumers/
http://www.theregister.co.uk/2010/09/17/hdcp_copy_protection_crack/

 --Some Sites Circumvent IE Cookie Settings
(September 17, 2010)
Researchers from the Carnegie Mellon University School of Engineering's
CyLab say that certain websites exploit a hole in Internet Explorer (IE)
that allows cookies to be set on users' computers even if they have set
their privacy controls to block cookies. Twenty-one of the 100
most-visited websites, including Facebook, AOL, Amazon and Hulu, set
cookies even when users have configured IE preferences not to allow
cookies. In some cases, the website's configuration is an error; those
sites do not appear to intend to circumvent IE privacy controls. But
in at least half of the sites examined, efforts appear to have been made
to get around the cookie block. The problem lies in the way the browser
and the website exchange information to determine whether the site's
privacy policy agrees with the browser's settings.
http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/
[Editor's Note (Skoudis): This story is an example of why it's vitally
important to actually analyze technology through careful penetration
testing to make sure that it faithfully implements its own
configuration. Just because something is configured "correctly" doesn't
mean that the system is actually secure. We saw this kind of issue a
couple years back with the configuration to disable the Windows USB
autoplay feature that Conficker took advantage of, and we see it in
other technologies as well.
(Pescatore): Another reason why business movement towards opt-in models
would be a very good thing. The old P3P settings on browsers and
websites became the V-Chip of the Internet: overly complex, unusable,
ineffective.]

************************** Sponsored Link: *******************************
1) Uncover new cost reduction and efficiency opportunities. Online IT
Operations Maturity Assessment here: http://www.sans.org/info/65038

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Stuxnet Virus May Be Aimed at Iranian Nuclear Reactor
(September 21, 2010)
A highly sophisticated computer worm that has spread through Iran,
Indonesia and India was built to destroy operations at one target:
possibly Iran's Bushehr nuclear reactor. That's the emerging consensus
of security experts who have examined the Stuxnet worm. In recent weeks,
they've broken the cryptographic code behind the software and taken a
look at how the worm operates in test environments. Researchers studying
the worm all agree that Stuxnet was built by a very sophisticated and
capable attacker, possibly a nation state, and it was designed to
destroy something big.
http://www.computerworlduk.com/news/security/3240458/stuxnet-virus-may-be-aimed-at-iran-nuclear-reactor/

 --Adobe Issues Fix for Zero-Day Flash Flaw Ahead of Schedule
(September 20, 2010)
Adobe released a patch for a zero-day vulnerability in Flash Player on
Monday, September 20, a week earlier than the company had planned on
issuing a fix for the flaw. The vulnerability can be exploited to take
control of systems running Flash Player by tricking users into opening
specially crafted Word or PDF documents or visiting websites that have
been laced with malware. The flaw is being actively exploited in
limited, targeted attacks. The flaw was patched in Google's Chrome
browser on Friday, September 17 because of an agreement struck between
Google and Adobe last April. This arrangement bundles Flash with Chrome
and delivers the updates for the plug-in when the browser gets its
silent updates. The flaw affects Adobe Flash player versions 10.1.82.76
and earlier for Windows, Mac OS X, Linux and Solaris and versions
10.1.92.10 for Android handsets. The flaw also affects Adobe Reader
versions 9.3.4 and earlier. There are no reports that the flaw is being
exploited in Reader. Adobe will release an updated version of Reader
on October 4.
http://www.theregister.co.uk/2010/09/20/adobe_flash_vuln_patch/
http://www.computerworld.com/s/article/9186638/Adobe_moves_up_Flash_fix_will_patch_bug_today?taxonomyId=85
http://www.h-online.com/security/news/item/Adobe-to-release-Flash-update-today-1082317.html
http://www.kb.cert.org/vuls/id/275289

 --Activists Launch DDoS Attacks Against RIAA, MPAA Sites
(September 20, 2010)
Groups protesting actions taken against The Pirate Bay have launched
distributed denial-of-service (DDoS) attacks against the Motion Picture
Association of America (MPAA) and the Recording Industry Association of
America (RIAA) websites. The attacks were announced on 4chan; the
British Phonographic Industry (BPI) website appears to be next in line
for attacks. The attacks appear to have been prompted by a report that
an Indian software company called Aiplex had been hired by film industry
executives to take measures to stop sites hosting pirated film content;
among the company's arsenal, according to the report, was launching DDoS
attacks against the sites that had refused to comply with takedown
orders. Aiplex was also among the activists' targets.
http://www.bbc.co.uk/news/technology-11371315
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/

 --Germany Calls for Voluntary Privacy Code
(September 20, 2010)
Following a meeting with Google, Apple and several other companies about
the accessibility of personal information online, the German government
is calling for a voluntary data protection code. Germany wants the
privacy pact to be in place by December 7, 2010. At the same time,
reports indicate that "several hundred thousand" people have opted out
of having their homes visible on Google's Street View online feature.
People in Germany have until October 15 to opt out of the service.
Street View opponents want the service to be entirely opt-in; Google
assumes that if users have not opted out, then they are willing to have
their homes made visible through the service.
http://www.bbc.co.uk/news/technology-11370647
http://www.computerworld.com/s/article/9186719/Germans_flood_Google_with_Street_View_opt_out_requests?taxonomyId=84
http://dns.tmcnet.com/topics/internet-security/articles/103064-germany-asks-google-more-stringent-privacy-standards.htm
[Editor's Note (Pescatore): Imagine if Peeping Toms could just tell the
judge "well, no one said they did *not* want me to peek into their
windows."
(Northcutt): This is very forward thinking. Who can oppose giving people
a say in how their information is used? Hopefully the system will be
simple and painless to use.]

 --Former Hospital Employee Charged with HIPAA Violations
(September 16 & 18, 2010)
A former surgical instrument technician at UPMC Shadyside Hospital in
Pittsburgh, Pennsylvania, has been charged with violations of the Health
Insurance Portability and Accountability Act (HIPAA). Paul C. Pepala
allegedly accessed the names, birth dates and Social Security numbers
(SSNs) of UPMC Shadyside Hospital patients in February 2008 and
disclosed the information to other people. The information was used to
file phony tax returns. If convicted of all charges in the 14-count
indictment, Pepala faces up to 80 years in prison and a maximum fine of
US $4.73 million.
http://www.phiprivacy.net/?p=3786
http://www.pittsburghlive.com/x/pittsburghtrib/news/pittsburgh/s_699655.html

 --Two Sentenced in Credit Card Fraud Scheme
(September 17, 2010)
Two men involved in a forgery ring that used information stolen from
grocery stores in Florida and New England to make phony credit cards
have been sentenced to prison terms. Jerome Abaquin Gonzales was
sentenced to one year in prison; earlier this month, he pleaded guilty
to felony conspiracy to commit credit card fraud and trafficking and
possessing access card materials. Thomas Michio Taniguchi has been
sentenced to 92 months in prison; he pleaded guilty to 50 counts of
fraudulent possession of access card account information. Taniguchi
used stolen information to make phony credit cards and used them to buy
merchandise and gift cards and to obtain cash at more than 30 stores in
Orange County, California. Gonzales helped to sell some of the
merchandise and gift cards obtained with the phony cards.
http://www.dailynews.com/crime/ci_16105486
http://articles.dailypilot.com/2010-09-18/news/tn-dpt-0919-taniguchi-20100918_1_credit-card-bogus-cards-access-card

 --New VA Cyber Security Tool
(September 17, 2010)
Department of Veterans Affairs (VA) assistant secretary for information
and technology Roger Baker said that his agency expects to have a new
security tool up and running by the end of the month. Once fully
deployed, the tool will allow information security officials access to
real-time security status information of nearly one million computers,
printers and other devices on the VA's network. The tool will allow the
VA to identify and remove unauthorized and unencrypted devices that are
connected to the network. Information that will be accessible includes
operating systems and when and where devices last connected to the
network.
http://fcw.com/articles/2010/09/17/va-installs-cybersecurity-software-on-its-network.aspx?admgarea=TC_SECCYBERSEC

 --Six Year Sentence for Role in Card Fraud Scheme
(September 16 & 17, 2010)
Cesar Carranza has been sentenced to six years in prison for his
participation in a stolen credit card cash laundering scheme. Carranza
pleaded guilty in December to one count of conspiring to launder
unlawful proceeds. Prosecutors allege Carranza was part of a group of
cyber criminals who operated through websites that traded in stolen
credit card information. Carranza appears to have been involved in
laundering cash obtained from ATMs using stolen credit information. He
also appears to have sold technology to those who stole the card
information that allowed them to encode blank cards with the stolen
data.
http://www.theregister.co.uk/2010/09/17/ubuywerush_sentenced/
http://www.wired.com/threatlevel/2010/09/ubuywerush/

 --FDIC Issues Guidance on Printer, Fax and Copier Data Exposure Risks
(September 15, 2010)
The US Federal Deposit Insurance Corporation (FDIC) has issued a
document for financial institutions titled "Guidance on Mitigating Risk
Posed by Information Stored on Photocopiers, Fax Machines and Printers."
The document describes the risks inherent in the use of the devices
because they may contain hard drives or flash memory that retains
information transmitted by the devices. Many financial institutions
lease these devices and return them at the end of the lease period. The
guidance recommends that financial institutions establish and enforce
"written policies and procedures to identify devices that store digital
images of business documents and ensure their hard drive or flash memory
is erased, encrypted or destroyed prior to being returned to the leasing
company, sold to a third party or otherwise disposed of." The guidance
was issued because field examiners "felt the vast majority of bankers
that they dealt with ... were completely unaware of the problem."
http://www.fdic.gov/news/news/financial/2010/fil10056.pdf
http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1520280,00.html
[Editor's Note (Pescatore): Good advice for just about everything you
use today that has either a power cord or a battery, since pretty much
anything that has power stores something.
(Honan): The European Network and Information Security Agency (ENISA)
has also published a whitepaper on "Secure Printing" and the risks
associated with document printing and copying. It is available free
from
http://www.enisa.europa.eu/act/ar/deliverables/2008/secure-printing]

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of
the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at
the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkyY61AACgkQ+LUG5KFpTkbw/ACeIiutSMDA/4fJYyyc39/ird1M
64oAoIn8E2Wd65hGGvM7tFF7R4ZZkzp2
=4U9o
-----END PGP SIGNATURE-----