From: The SANS Institute (NewsBites@sans.org)
Date: Fri Apr 18 2008 - 14:05:19 CDT
Wireless threats and countermeasures: A free, exhaustive compilation
of all wireless vulnerabilities and exploits (WVE) is being compiled by
Josh Wright, the best wireless security teacher we've ever seen. It
covers WiFi, WiMax & Bluetooth, and is being adopted by the vendor
products. You'll find it at www.wve.org. Josh also made a scary YouTube
video on Bluetooth ear piece hacking:
http://youtube.com/watch?v=1c-jzYAH2gw
And Josh created an extraordinary course on pen testing and securing
wireless networks, that you can take at home or in four cities:
SANS@Home (May 1-July 24) www.sans.org/athome/details.php?nid=10714
San Diego (5/11-16) www.sans.org/securitywest08/description.php?tid=1637
Brussels (6/16-21) www.sans.org/securebrussels08/description.php?tid=1637
Washington DC (7/24-29) www.sans.org/sansfire08/description.php?tid=1637
Boston (8/11-16) www.sans.org/boston08/description.php?tid=1637
Alan
*************************************************************************
SANS NewsBites April 18, 2008 Vol. 10, Num. 31
*************************************************************************
TOP OF THE NEWS
PayPal to Ban Unsafe Browsers
Man Pleads Guilty in Botnet Wiretapping Case
Proposed Australian Law Would Allow Some Employers to Intercept
Employee Electronic Communications
Latest Major Whaling Attack Uses US District Court Subpoena
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Releases Draft Info Systems Risk Management Document for Comments
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox and Safari Browsers Updated
BT Home Hub Wireless Routers Vulnerable in Default Setting
Windows XP SP3 Expected Out Later This Month
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Executable That Infected Thousands of Websites Uncovered
OK Dept. of Corrections Fixes Data Leak
STATISTICS, STUDIES & SURVEYS
Data Breach Can Cost a Business Customers
MISCELLANEOUS
Ships Responsible for Undersea Cable Damage Located With
Satellite Imagery
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By SANS ******************************
Is your organization considering a database security solution? Read SANS
latest white paper ("Understanding & Selecting a Database Activity
Monitoring Solution") on the growing D.A.M. market and learn what key
criteria to consider when selecting products. Authored by independent
security consultant Rich Mogull, this report explores how Database
Activity Monitoring gives insight into our most sensitive systems in a
non-intrusive way, and can evolve into a proactive security defense.
It's one of the few tools that can immediately improve security and
http://www.sans.org/info/27868
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--PayPal to Ban Unsafe Browsers
(April 17, 2008)
PayPal plans to implement a scheme to prevent users from conducting
transactions through browsers that do not have anti-phishing technology.
The web-based payment company likened conducting transactions on unsafe
browsers to selling a car with no seatbelts. The company presently warns
users that they are using unsafe browsers, but allows them to access the
site. In a future phase of the plan, users will not be permitted to
access the site if they are using unsafe browsers.
http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/
[Editor's Note (Pescatore): IE7 and the latest versions of Firefox, et
al, have the anti-phishing technology, so this is not that big a deal
to PC users. But for many mobile devices it means no PayPal use. PayPal
will surely back off. PayPal would be better off re-energizing its
efforts in moving PayPal users away from reusable passwords.]
--Man Pleads Guilty in Botnet Wiretapping Case
(April 16, 2008)
John Schiefer has pleaded guilty to accessing protected computers to
conduct fraud, disclosing illegally intercepted electronic
communications, wire fraud, and bank fraud. Schiefer used the computers
he infiltrated to create a botnet that he then used to search out other
vulnerable systems. He used spybot malware to harvest sensitive
information such as account user names and passwords that he then used
to steal funds. The case marks the first guilty plea to wiretapping in
connection with botnets. Schiefer also provided the purloined
information to others who used it to commit fraud. He is scheduled for
sentencing on August 20, 2008, when he will face up to 60 years in
prison and a fine of up to US $1.75 million.
http://www.cybercrime.gov/schieferPlea.pdf
[Editor's Note (Schultz): Let's hope that the judge who sentences him
will give Schiefer a sentence that is proportional to the horrendous
crime that he committed.]
--Proposed Australian Law Would Allow Some Employers to
Intercept Employee Electronic Communications
(April 14, 2008)
Proposed legislation in Australia would give employers the power to
intercept employees' email and Internet communications without their
consent. The powers are part of a law aimed at protecting the country's
critical infrastructure from cyber attacks; the law would amend the
Telecommunications (Interception) Act. The powers would apply to
employers who operate elements of the critical infrastructure;
presently, only security agencies have that power. Australian Attorney
General Robert McClelland says he has been told that a major cyber
attack could cause "far greater economic damage than would ... a
physical attack." Civil rights groups are opposed to the proposed
expanded powers, saying they could be abused.
http://www.smh.com.au/news/technology/bosses-power-to-check-email/2008/04/13/1208024990775.html?page=fullpage#contentSwap1
[Editor's Note (Schultz): Allowing employers to monitor employee email
and other Internet activity without consent became precedent quite a
while ago in the US. What disturbs me about the proposed legislation,
then, is that there appears to be no requirement for employers to
pre-warn employees that such activity is occurring, something that ought
to be done to help employees be aware that they have no privacy when
they are on company-owned computing systems.]
--Latest Major Whaling Attack Uses US District Court Subpoena
(April 16 & 17, 2008)
A spear phishing attack emerged this week targeting high-level
executives at US firms. The emails, which include the executives' names
and other specific information, appear to be subpoenas from the US
District Court in San Diego. The link, which is supposed to be a copy
of the subpoena, actually installs malware on the victim's computer that
is capable of logging keystrokes and sending the harvested information
to the attacker. An additional piece of malware allows the attacker to
take remote control of the victim's computer. Phishing attacks that
target corporate "big fish" have been referred to as "whaling."
http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=1&ei=5088&en=6440ba388ff2ce84&ex=1366084800&oref=slogin&partner=rssnyt&emc=rss&pagewanted=print
http://www.theregister.co.uk/2008/04/16/whaling_expedition_continues/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078398&source=rss_topic17
[Editor's Note (Honan): As these "whaling" attacks are becoming more
prevalent, you should ensure you make your senior management aware of
this threat. Reviewing their profiles on online business networks and
Googling their names is one way of highlighting to them the amount of
personal information they are leaking which could be used against them.]
********************** Sponsored Links: *******************************
1) PacketMotion delivers unprecedented visibility and real-time control
of insider threats. Learn more and first 100 respondents receive a
complimentary Elsevier book "Insider Threat" - $35 value.
http://www.sans.org/info/27873
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--NIST Releases Draft Info Systems Risk Management Document for Comments
(April 16, 2008)
The National Institute for Standards and Technology (NIST) has released
the second public draft of Special Publication 800-39, "Managing Risk
from Information Systems: An Organizational Perspective." NIST is
accepting public comment on the document through April 30. The new
draft includes considerable revisions based on comments on the previous
draft. NIST expects to publish a draft revision of Special Publication
800-30, "Risk Management Guide for IT Systems," in July.
http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS
http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
[Editor's Note (Pescatore): This is not a bad document but the reality
is while risk management frameworks haven't really changed since the
mainframe days (there are only so many ways you can say
Categorize/Select/Implement/Assess/Authorize/Monitor), the actual
processes and mechanisms that businesses have to use to protect rapidly
changing business processes, that depend on a rapidly changing
technology infrastructure, against a rapidly changing threat have to
change constantly. So, it is always good to have defined and consistent
risk management processes as a starting point, but just think of all the
financial institutions that have just melted down, even though they had
huge, formal risk management processes. The rubber meets the road in
actually protecting critical business systems and information.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Firefox and Safari Browsers Updated
(April 16 & 17, 2008)
Both Firefox and Safari have been updated to address security flaws. The
Firefox update, which brings the Mozilla browser to version 2.0.0.14,
fixes a flaw in its JavaScript Garbage Collector function that could be
exploited to cause memory corruption and execution of arbitrary code.
Apple released updates for Safari for both Windows and Mac OS X to fix
a number of vulnerabilities - some that affect both versions and some
that affect just the Windows version. One of the flaws addressed was
the one used to crack the MacBook Air at a recent security conference
contest. Safari users running either operating system should update to
version 3.1.1.
http://www.theregister.co.uk/2008/04/17/alt_browser_updates/print.html
http://www.heise.de/english/newsticker/news/106641
http://www.eweek.com/c/a/Security/Apple-Patches-MacBook-Air-Hijack-Flaw/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078378&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078399&source=rss_topic17
[Editor's Note (Grefer): Given the stunt Apple pulled by pushing Safari
onto iTunes customers' computers, there was a dire need to fix some of
Safari's vulnerabilities.]
--BT Home Hub Wireless Routers Vulnerable in Default Setting
(April 14 & 17, 2008)
Default settings on the BT Home Hub, the wireless router supplied to BT
Broadband customers in the UK, could allow attackers to discover Wired
Equivalent Privacy (WEP) keys in an average of 80 guesses. If someone
were to gain access to another person's wireless router, s/he could be
privy to the owner's Internet activity or even launch attacks on other
systems on the same network. A BT spokesperson says users are
encouraged to change the routers' default settings. Users should also
consider changing from WEP to WPA, or Wi-Fi Protected Access.
http://www.csoonline.com/article/334163/Researcher_BT_Home_Hub_Wi_Fi_Security_Easy_to_Crack
http://www.theregister.co.uk/2008/04/14/bt_home_hub_encryption_weakness/print.html
http://www.vnunet.com/vnunet/news/2214556/hackers-bt-home-hub-security
http://news.zdnet.co.uk/security/0,1000000189,39386034,00.htm
[Editor's Note (Pescatore): Anyone out there in the UK know if the "Mind
the Gap" announcements and t-shirts and the like have reduced the number
of incidents in the Tube where people fall into the gap between the
train and the station platform? Being pessimistic about human nature
changing, I sort of doubt it - but if it actually worked, perhaps the
IT industry can sponsor a similar "Mind the Default" campaign... ]
--Windows XP SP3 Expected Out Later This Month
(April 15, 2008)
Microsoft plans to release Windows XP Service Pack 3 (SP3) later this
month, according to an internal document. SP3 will be available to
computer manufacturers, volume licensing customers and posted to the
TechNet and Microsoft Developer Network on April 21; it will be made
available to all users through Windows Update eight days later, on April
29. SP3 will not be pushed out to users until June 10.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9077958&source=NLT_PM&nlid=8
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Executable That Infected Thousands of Websites Uncovered
(April 16 & 17, 2008)
Researchers at the SANS Institute's Internet Storm Center (ISC) have
found the malicious tool responsible for infecting thousands of
legitimate websites earlier this year so that they served malware to
visitors. The tool performs automated SQL injection attacks against
vulnerable web sites and inserts an iFrame that tries to infect website
visitors' computers.
To review the analysis at the source (Internet Storm Center):
http://isc.sans.org/diary.html?storyid=4294
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310067,00.html
http://www.theregister.co.uk/2008/04/16/mystery_web_compromise_unpicked/
http://www.heise-online.co.uk/news/Mysterious-infection-of-ten-thousand-web-sites-explained--/110556
--OK Dept. of Corrections Fixes Data Leak
(April 16 & 17, 2008)
A coding error on the Oklahoma Department of Corrections website
potentially exposed thousands of records containing sensitive
information on the Internet. The problem, which existed for
approximately three years, has been fixed. The vulnerability affected
personal information, including some Social Security numbers (SSNs) of
individuals listed in Oklahoma's Sexual and Violent Offender Registry
as well as of department employees. The vulnerability could also have
been exploited to alter records' content.
http://www.computerworld.com/action/article.do?command=viewA
http://www.scmagazineus.com/Coding-error-exposes-sex-offender-personal-data/article/109109/
STATISTICS, STUDIES & SURVEYS
--Data Breach Can Cost a Business Customers
(April 15 & 17, 2008)
A study from the Ponemon Institute found that nearly one-third of people
who were notified of a data security breach affecting their personal
information no longer conduct business with the company that suffered
the breach. Fifty-five percent of respondents said they had been
notified of more than one breach of their personal data in the last two
years; eight percent had received four or more breach notifications.
Sixty-three percent of respondents said their notification letters
offered no information about steps to take to protect their data. More
than half of the respondents said they were notified of breaches more
than a month after the fact. Just two percent of respondents said they
had been victims of identity fraud as a result of a data breach.
http://www.darkreading.com/document.asp?doc_id=151378
http://www.marketwire.com/mw/release.do?id=844160
[Editor's Note (Schultz): Finally! Evidence exists that the risk of data
security breaches needs to be taken more seriously by businesses because
if not, they are likely to lose a substantial portion of customers whose
data were compromised.
(Paller): As in all scientific research, confirmation of these results
must be found before relying upon them. However, if they hold true,
they are quite important. Reasons the research needs confirmation:
potential bias in the responders' self selection and potential
misinformation in answers. If they were angry, they might have been
more likely to respond, and angry people sometimes say they stopped
using a service when they meant they wanted to stop but the convenience
costs of stopping were too high.]
MISCELLANEOUS
--Ships Responsible for Undersea Cable Damage Located With
Satellite Imagery
(April 7 & 14, 2008)
India-based cable company Reliance Globalcom used satellite imagery to
identify two ships whose anchors damaged the company's undersea cables
earlier this year. The ships were located in the port of Dubai and
impounded. The owners of the Korean ship MT Ann admitted liability,
paid US $60,000, and had the MT Ann released. The other ship
remains impounded. The MV Hounslow, which is believed to be
Iraqi-owned, allegedly abandoned the anchor that caught in the cable and
caused the damage; Reliance is seeking US $350,000 in connection with
the incident.
http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=2008040759181200.htm&date=2008/04/07/&prd=th&
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=116x16610
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
http://www.sans.org/info/25528
Sponsored By: Code Green Networks http://www.codegreennetworks.com/
Cyber security is all about reducing risk to critical assets. Protecting
and controlling data flow is a critical part of an organization's
security arsenal. Therefore data loss prevention would seem like a
perfect solution for reducing risk. However, just because a product is
called a data loss prevention solution, does not necessarily mean that
it properly reduces risk. Before purchasing or deploying a solution it
is critical to understand the key risks you are trying to reduce and
make sure the solution is the most cost effective way to reduce risk.
This talk will provide insight into what product features are most
valuable and which solutions should be avoided. To accomplish this it
will provide a detailed understanding of the landscape and the best way
to protect data at an organization. Register now for this free webcast!
***
Tool Talk Webcast: Log Management for Security Monitoring and IT Operations
WHEN: Wednesday, April 23, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ansh Patnaik
http://www.sans.org/info/25533
Sponsored By: ArcSight http://www.arcsight.com/
While Log Management investments have primarily focused on compliance,
the right platform can be used for much more - security monitoring,
forensics analysis and IT operations. However, to effectively address
these use cases log management solutions must offer a broader set of
platform capabilities. It's not just about compliance - it's about
analysis optimized data collection, simplicity of ad hoc searches,
flexibility of reporting, personalized dashboards, real time correlation
alerts and more. Most importantly it's about unleashing the value of
logs to a broader set of constituents within the enterprise.
***
Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
http://www.sans.org/info/25538
Sponsored By: NIKSUN http://www.niksun.com/
Events from security and monitoring devices fire off an unmanageable
number of alarms with no way of telling how they're related, or how they
impact performance. As networks converge their video, voice and data
traffic over IP networks, these alarms will only increase, while
providing less visibility into what set them off. This Webcast discusses
what will be needed of security monitoring tools as data, voice and
video convergence becomes ubiquitous.
***
SANS Special Webcast: How to Stop Serious Threats from Evading Detection
WHEN: Monday, April 28, 2008 at 1:30PM EDT (1730 UTC/GMT)
FEATURING: Amit Yoran, CEO NetWitness Corporation
http://www.sans.org/info/27094
Sponsored By: NetWitness http://www.netwitness.com/
This Webcast will describe an approach that will enable your
organization to detect and stop designer malware, zero-day attacks, and
non-signature-based threats to improve overall network visibility, and
to detect the leakage and exfiltration of valuable corporate data. We
will employ specific technical case studies and demonstrations to
highlight the value of such an approach.
***
Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACT
WHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alex Horan
http://www.sans.org/info/25539
Sponsored By: Core Security
The 2007 "SANS Top 20 Internet Security Risks" report makes it clear
that attackers can now circumvent many traditional countermeasures, so
simply implementing countermeasures is no longer enough. In fact, short
of experiencing a breach, the only way to really know your security
posture is by continually testing the defenses you've worked so hard to
put in place.
***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
http://www.sans.org/info/24614
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which use
several methods to overcome the limitations of current web worms.
Specifically the authors examine how a hybrid web worm: mutates itself
to evade defenses; updates itself with new attack vectors while in the
wild; and finds and exploits targets regardless of whether they are
client web browsers or web servers.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/