From: The SANS Institute (NewsBites@sans.org)
Date: Tue Apr 15 2008 - 13:42:34 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites April 15, 2008 Vol. 10, Num. 30
*************************************************************************
TOP OF THE NEWS
Targeted Attacks Against Sensitive US Networks on the Rise
MEPs Say No to Cutting File-Sharers Off from Internet
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Bank Call Center Employee Jailed for Data Theft
Nine-Year Sentence for Data Theft and Fraud
NY Hospital Employee Arrested for Alleged Patient Data Theft
Librarian's Suspicions Led to Arrest of Internet Fraudster
POLICY & LEGISLATION
Australian Privacy Commissioner to Issue Breach Notification Guidelines
SPYWARE, SPAM & PHISHING
CAPTCHA-Defeating Attacks Spell Headaches for Anti-Spam Vendors
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Patch Update to Address 41 Flaws
Fribet Trojan Detected on Pro-Tibet Websites
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
High School Students Allegedly Accessed Employee Data
STATISTICS, STUDIES & SURVEYS
Largest Botnets Control More than One Million Machines
LIST OF UPCOMING FREE SANS WEBCASTS
******************* Sponsored By HP (SPI Dynamics) **********************
Top 4 AJAX Security Dangers - Free White Paper!
Are you ready for AJAX? Hackers definitely are!
With the growth of Web 2.0 and Rich Internet Applications (RIA),
developers are rapidly adopting AJAX and unknowingly exposing serious
security risks.
This free whitepaper, from HP Software, 'AJAX Security Dangers',
provides more information about AJAX and its risks
http://www.sans.org/info/27754
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- SANSFIRE 2008 in Washington DC (7/22-7/31), SANS' biggest summer program,
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Targeted Attacks Against Sensitive US Networks on the Rise
(April 10, 2008)
BusinessWeek takes a look at the growing number of targeted attacks
against US government and private industry systems. The problem is
serious enough to have prompted the Cyber Initiative, signed by
President Bush in January, and reportedly a classified operation known
as Byzantine Foothold, aimed at discovering the source of the attacks
and protecting systems from future attacks. The Office of the
National Intelligence Director responded to questions from BusinessWeek
in writing, saying, in part, that "computer intrusions have been
successful against a wide range of government and corporate networks
across the critical infrastructure and defense industrial base." A
Chinese government spokesperson denies the allegations that the attacks
came from China, despite considerable evidence pointing to the attacks'
origin. The article also goes into some detail regarding a targeted
email sent to a Booz-Allen executive that contained malware known as
Poison Ivy, a remote administration tool capable of logging keystrokes.
Another piece of malware that accompanied the email is designed to
disable security measures.
http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Chinese Embassy response to written questions from BusinessWeek:
http://www.businessweek.com/magazine/content/08_16/b4080032243361.htm
[Editor's Note (Schultz): These threats are indeed extremely serious,
so serious that conventional security measures do not appear to be
capable of addressing them. Entirely new strategies for dealing with
them need to be created and considered.]
--MEPs Say No to Cutting File-Sharers Off from Internet
(April 10 & 11, 2008)
Members of European Parliament (MEPs) have voted against a plan to cut
off the Internet access of habitual illegal filesharers. In a close
vote, MEPs approved an amendment to a report on Europe's cultural
industries that says banning people from the Internet flies in the face
of "civil liberties and human rights." Several MEPs have expressed the
opinion that while it is appropriate to punish "commercially driven
Internet piracy," punishing individuals by cutting off their Internet
access "is an inappropriate response." The International Federation of
the Phonographic Industry, which favored a three-strikes-and-you're-out
approach, has called the amendment "badly drafted." The report is not
legally binding.
http://euobserver.com/9/25959
http://news.bbc.co.uk/2/hi/technology/7342135.stm
[Editor's Note (Northcutt): You have to give them points for creativity,
but I wonder how you could ever enforce such a law? I guess we will find
out; it appears the French are going to give this idea a go:
http://news.bbc.co.uk/2/hi/technology/7110024.stm ]
********************** Sponsored Links: *******************************
1) IPS White Paper: Protect network from Threats.
SC Magazine Rated Best Buy IPS. Visit
SANS Orlando.
http://www.sans.org/info/27759
2) Gain Network Visibility and Internal Security Using NetFlow - Fill
the Gaps Left by Traditional Perimeter Defenses
Read More: http://www.sans.org/info/27764
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Bank Call Center Employee Jailed for Data Theft
(April 14, 2008)
A Royal Bank of Scotland call center employee has been sentenced to one
year in prison for stealing customers' account information that was
later used to make fraudulent transactions totaling GBP 33,585 (US
$66,655). Asman Alyas, who provided the information to others, pleaded
guilty to conspiracy to commit fraud. A spokesperson for the National
Consumer Council said that banks should disclose information about data
breaches so that customers can make informed decisions.
http://www.manchestereveningnews.co.uk/news/s/1045113_call_centre_crook_helped_steal_33000
[Editor's Note (Ranum): Eventually, all interesting computer security
problems boil down to trust. How many banks do you think would allow
call center employees access to the bank's vaults? When are
organizations that hold significant databases going to realize that
there is no difference?
(Weatherford): Not that it would have prevented this incident, but it is
also good justification to begin conducting background checks on ALL
personnel who handle sensitive and private information. To use an
over-used word, it's called due diligence.]
--Nine-Year Sentence for Data Theft and Fraud
(April 14, 2008)
Mario Simbaqueba Bonilla has been sentenced to nine years in prison for
his role in a cyber crime scheme that resulted in losses of US $1.4
million. Simbaqueba Bonilla pleaded guilty earlier this year to charges
of conspiracy, access device fraud, and aggravated identity theft. The
scheme involved placing keystroke-logging software on computers in hotel
business centers and Internet cafes. Simbaqueba Bonilla and an
accomplice used the information gathered to siphon money from various
bank, payroll, brokerage and other online accounts. He was also ordered
to pay US $347,000 in restitution and will serve three years of
supervised release upon completion of his prison sentence.
http://www.vnunet.com/vnunet/news/2214210/colombian-fraudster-jailed-nine
[Editor's Note (Schmidt): At which point will ALL hotels, libraries and
business centers restrict people from installing software on the common
use machines? I have seen some major hotel chains have some common use
computers "secured" but it varies from city to city and who they hire
to manage these computers.
(Weatherford and Paller): One of the longest sentences we have seen;
perhaps the beginning of a welcome trend.]
--NY Hospital Employee Arrested for Alleged Patient Data Theft
(April 13, 2008)
A former employee at New York-Presbyterian Hospital/Weill Cornell
Medical Center allegedly stole and sold the personal information of
nearly 50,000 patients. Dwight McPherson was arrested and charged with
conspiracy involving computer fraud, identity document fraud,
transmission of stolen property, and sale of stolen property. The
compromised data include names and Social Security numbers (SSNs), but
no medical information. The hospital is attempting to notify the
patients affected by the breach.
http://www.nytimes.com/2008/04/13/nyregion/13arraign.html
http://www.news24.com/News24/World/News/0,,2-10-1462_2304983,00.html
[Editor's Note (Schmidt): This is happening with way too much frequency.
If there is ever a reason for enhanced sentencing, this would be one of
the reasons; it is bad enough that someone is in the hospital, but to
victimize someone in that situation is about as low as you can get.]
--Librarian's Suspicions Led to Arrest of Internet Fraudster
(April 11, 2008)
A librarian's attentiveness resulted in the arrest of a man who
allegedly used stolen information to make Internet purchases through
computers at the library. The Collinsville (IL) Public Library
librarian became suspicious when she noticed that the man used a variety
of names and credit card numbers to buy items over the Internet. Jason
David Lingo admitted to buying credit card numbers late last year and
using 20 of those to make fraudulent purchases through library
computers. Lingo has pleaded guilty to charges of possession of
unauthorized devices, mail fraud, and aggravated identity theft. His
sentencing is scheduled for July 10.
http://www.bnd.com/breaking_news/story/307953.html
[Editor's Note (Northcutt): The story mentions that Internet fraud often
involves delivery to an empty house or lot. So, if you know a house in
your neighborhood is vacant and you see FedEx pull up for a delivery,
give your local police department a call. In this case Mr. Lingo was
using empty lots, and mail carriers should have known better. Here are
two good links; the second one requires digging down a bit, but if you
scroll down to post number 7, you will get some advice from an obviously
savvy retailer:
http://www.ebizinsider.com/2008/03/14/e-commerce-fraud-sucks-hints-to-reduce-the-rot/
http://mybroadband.co.za/vb/showthread.php?t=79265 ]
POLICY & LEGISLATION
--Australian Privacy Commissioner to Issue Breach Notification Guidelines
(April 15, 2008)
Australia's privacy commissioner Karen Curtis plans to issue draft
guidelines regarding data breach notification to help companies address
the issue while the details of the Privacy Act revision continue to be
hammered out. Government agencies and businesses have contacted the
privacy commissioner's office with questions about handling data
security breaches. The guidelines will be voluntary; commentary on the
guidelines will be accepted through June 16, 2008. The Australian Law
Reform Commission's review of the 20-year-old Privacy Act is expected
later this year, and it may be some time before new laws are enacted.
http://www.australianit.news.com.au/story/0,24897,23539443-15306,00.html
SPYWARE, SPAM & PHISHING
--CAPTCHA-Defeating Attacks Spell Headaches for Anti-Spam Vendors
(April 6, 10, 11 & 14, 2008)
There are reports that a new botnet is able to break Hotmail's CAPTCHA
(Completely Automated Public Turing Test to Tell Computers and Humans
Apart) technology within seconds. In addition, researchers in the UK
have published a paper describing a Hotmail CAPTCHA-breaking method that
has a 60 percent success rate, as compared to the 10-15 percent success
rate attained by the bot. CAPTCHA technology is used to prevent
automated creation of email accounts; it requires users to decipher and
retype a distorted set of characters to identify the entity requesting
the account as a real person instead of an automated program. Spammers
are creating accounts with webmail services like Hotmail, Gmail and
Yahoo Mail because using reputable domain names makes it "hard to use
reputation tools" to filter out spam. However, anti-spam vendors have
been throttling email from Gmail and Yahoo! to ensure that the messages
that are sent are legitimate.
http://arstechnica.com/news.ars/post/20080406-gmail-being-throttled-blocked-by-some-anti-spam-vendors.html
http://www.theregister.co.uk/2008/04/10/web_mail_throttled/print.html
http://www.theregister.co.uk/2008/04/14/msn_captcha_breaking/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Oracle Quarterly Patch Update to Address 41 Flaws
(April 14, 2008)
Oracle has announced that its next quarterly Critical Patch Update
(CPU), scheduled for Tuesday, April 15, will address 41 vulnerabilities
in many of the company's products. Seventeen of the flaws affect Oracle
Database, three affect Oracle Application Server, 11 affect Oracle
E-Business Suite, one affects Oracle Enterprise Manager, three affect
Oracle PeopleSoft Enterprise products and six affect Oracle Siebel
SimBuilder products. Fifteen of the flaws can be exploited remotely
without authentication.
http://www.heise-online.co.uk/security/Oracle-announces-patches-for-41-holes--/news/110525
http://www.eweek.com/c/a/Security/Oracle-Warns-of-Critical-DB-Server-Vulnerabilities/
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207200472
--Fribet Trojan Detected on Pro-Tibet Websites
(April 10 & 14, 2008)
A Trojan horse program dubbed Fribet has been detected on two websites
devoted to supporting Tibet. The "malware can attack local or remote
databases linked to the user's computer" as long as the infected user is
able to log on to those databases. Fribet creates a backdoor on compromised systems
and "loads a SQL Native Client ODBC library that's designed to execute
arbitrary SQL statements received from a command and control server."
Attackers are believed to have exploited a known vulnerability to spread
the malware. According to research from F-Secure, a spate of patches
for Microsoft Office issued in 2006 and 2007 is likely related to
attacks on pro-Tibetan websites through the then-unpatched
vulnerabilities. The more recent attacks have been exploiting known
vulnerabilities.
http://www.scmagazine.com/uk/news/article/801701/mcafee-discovers-malware-targets-tibet-supporters/
http://www.theregister.co.uk/2008/04/14/database_trojan/print.html
http://www.wired.com/politics/security/news/2008/04/chinese_hackers?currentPage=all
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--High School Students Allegedly Accessed Employee Data
(April 12, 2008)
For the third time in the last month, high school students in the
Buffalo, New York area are believed to have gained unauthorized access
to school computer systems. The most recent incident involves several
current and former Williamsville North High School students who
allegedly copied files that contain school employees' personal
information, including SSNs. The other incidents occurred in the Grand
Island and Seneca districts.
http://www.buffalonews.com/home/story/321395.html
STATISTICS, STUDIES & SURVEYS
--Largest Botnets Control More than One Million Machines
(April 9, 2008)
Research presented at the RSA conference estimates that the largest
eleven botnets cumulatively control more than one million machines and
are capable of sending out 100 billion spam emails each day. The
largest botnet is believed to be one known as Srizbi, controlling an
estimated 315,000 machines; Bobax is estimated at 185,000 machines,
and Storm comprises about 85,000 compromised machines. The research
also aims to clarify which botnets are which, as some recent reports
have said that Kraken is the largest botnet, comprising more than
400,000 machines, but Kraken is believed to be another name for Bobax.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9076278&source=NLT_PM&nlid=8
UPCOMING SANS WEBCAST SCHEDULE
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: John Curry
http://www.sans.org/info/24618
Sponsored By: StillSecure http://www.stillsecure.com/
This webinar will discuss the challenges associated with NAC deployments
and provide organizations with a blueprint on how to cost-effectively
take advantage of this critical technology. Learn first hand how your
organization can benefit from this ground-breaking technology.
***
SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava
http://www.sans.org/info/25523
Sponsored By: Intellitactics, Inc. http://www.intellitactics.com/int/
This Webcast discusses how logs and event correlation should be managed
for compliance purposes and how auditors, working closely with security
and operations teams, can help develop processes that leverage logging
and event data to measure the effectiveness of their controls.
***
SANS Special Webcast: Monthly Series: "Security Insights with Dr. Eric Cole"
This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
http://www.sans.org/info/25528
Sponsored By: Code Green Networks http://www.codegreennetworks.com/
Cyber security is all about reducing risk to critical assets. Protecting
and controlling data flow is a critical part of an organization's
security arsenal. Therefore data loss prevention would seem like a
perfect solution for reducing risk. However, just because a product is
called a data loss prevention solution does not necessarily mean that
it properly reduces risk. Before purchasing or deploying a solution it
is critical to understand the key risks you are trying to reduce and
make sure the solution is the most cost-effective way to reduce them.
This talk will provide insight into what product features are most
valuable and which solutions should be avoided. To accomplish this it
will provide a detailed understanding of the landscape and the best way
to protect data at an organization. Register now for this free webcast!
***
Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
http://www.sans.org/info/25538
Sponsored By: NIKSUN http://www.niksun.com/
Events from security and monitoring devices fire off an unmanageable
number of alarms with no way of telling how they're related or how they
impact performance. As networks converge their video, voice and data
traffic over IP networks, these alarms will only increase, while
providing less visibility into what set them off. This Webcast discusses
what will be needed of security monitoring tools as data, voice and
video convergence becomes ubiquitous.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkgE7QwACgkQ+LUG5KFpTkZFxQCeLl7U9OWGlkVX72ofzKcYBNEe
6CsAn0X4RZ++etqQClTOSoT9+q04xiV7
=0Vts
-----END PGP SIGNATURE-----