From: The SANS Institute (NewsBites at sans.org)
Date: Tue May 20 2008 - 13:05:37 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Virtualization and security: Tom Liston compiled a very cool list of
important security issues faced by people using virtual systems
(VMware's GSX Server and ESX Server, Microsoft's Virtual Server, or
others). I was surprised by several of them. I will send you the list
if you don't mind helping us prioritize these issues (and telling us
about any you think Tom missed). Please email apaller at sans.org with
subject "virtual security."
Alan
*************************************************************************
SANS NewsBites May 20, 2008 Vol. 10, Num. 40
*************************************************************************
TOP OF THE NEWS
Legal Experts Say MySpace Terms of Agreement Violation Charge is Problematic
Tennessee Law Would Require Paper Ballots
Google Takes a Drubbing for Providing Orkut User Info to Indian Authorities
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
38 Charged in Phishing Scheme
Japanese Student Draws Suspended Sentence For Spreading Malware
Alleged Australian Government Hacker Denied Bail
American Arrested in Korea for Alleged Cyber Extortion
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
IRS Employees Charged with Illegal File Access
POLICY & LEGISLATION
Missouri Legislators Approve Measure to Make Cyber Stalking a Crime
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Paypal Patches Cross-Site Scripting Flaw in EV-SSL Page
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Card Skimming Scheme Nets One Million Euro From Irish Bank Accounts
STATISTICS, STUDIES & SURVEYS
Orphaned Accounts Still a Security Problem
LIST OF UPCOMING FREE SANS WEBCASTS
************** Sponsored By RSA, The Security Division of EMC ***********
Start estimating your storage requirements today and develop a cost
effective storage strategy. Access our RSA enVision storage calculator
tool and also download two free White Papers -- Storing More
Intelligently and End-to-End Solutions to Enable Best Practices in Log
Management.
http://www.sans.org/info/29093
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
http://www.sans.org/secureeurope08
- Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Legal Experts Say MySpace Terms of Agreement Violation Charge is Problematic
(May 16, 2008)
The decision to charge Lori Drew, the woman accused of using a MySpace
page obtained under a fictitious name to trick and torment a 13-year old
neighbor, is causing concern among some legal experts. Investigators in
Drew's home state of Missouri could find no statute under which to
charge her, so federal prosecutors in Los Angeles charged her with
conspiracy and hacking for violating MySpace's terms of service
agreement. The concern lies not in prosecuting Drew, but in the
vagueness of the indictment, which suggests that anyone who has used a
pseudonym on the Internet could be charged with a federal crime. John
Morris, general counsel for the Center for Democracy and Technology
said, "There is nothing in the indictment that differentiates between
what is a serious violation of the terms of service and a trivial
violation of the terms of service."
http://www.securityfocus.com/news/11519/1
--Tennessee Law Would Require Paper Ballots
(May 18, 2008)
The Tennessee State Senate has unanimously approved the Tennessee Voter
Confidence Act. The law, which is expected to go before Governor Phil
Bredesen this week, would require that voting systems purchased and
deployed after January 1, 2009 use precinct based optical scanners. By
2010, all counties will be expected to use voting systems that produce
paper records. In addition, the law would forbid the use of electronic
voting systems that have wireless capabilities, and require that
manufacturers disclose their source code, software, and firmware.
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=2856&Itemid=113
http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080516/NEWS0201/805160421/1009/NEWS01
--Google Takes a Drubbing for Providing Orkut User Info to Indian Authorities
(May 19, 2008)
Google has been criticized for providing Indian law enforcement
authorities with information that led to the arrest of an Orkut user who
had uploaded derogatory comments about an Indian politician. Google,
which is the parent company of Orkut, says it "supports the free
expression of [its] users," but also complies with local laws, which in
this case meant divulging the man's IP address. Freedom of personal
expression is a protected right in India.
http://www.theregister.co.uk/2008/05/19/google_india_gandhi/print.html
http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR2008051800657_pf.html
http://www.pcworld.com/businesscenter/article/146049/google_defends_helping_police_nab_defamer.html
********************** Sponsored Links: *******************************
1) Where Is Your Confidential Data and How Do You Protect It? A Customer
Success Story
http://www.sans.org/info/29098
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--38 Charged in Phishing Scheme
(May 19, 2008)
Two US federal indictments charge 38 people in the US and Romania in
connection with a phishing scheme designed to steal credit and debit
card numbers. The information was used to manufacture phony credit and
debit cards, which were in turn used to withdraw funds from various
accounts. The charges include conspiracy to violate the Racketeer
Influenced and Corrupt Organizations (RICO) Act, conspiracy in
connection with access devices, unauthorized access to a protected
computer, bank fraud, and aggravated identity theft.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086678&source=rss_topic17
http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207801060
[Editor's Note (Cole): Phishing continues to be a problem, so be very
careful of any emails you receive. One of the best preventive measures
is to turn off HTML embedded email, which will stop many of the tricks
that attackers try.
(Paller): Eric Cole's comment illustrates the reason SANS does not embed
html in NewsBites.]
--Japanese Student Draws Suspended Sentence For Spreading Malware
(May 16, 2008)
Japanese graduate student Masato Nakatsuji has been found guilty in
Kyoto District Court of copyright infringement. Nakatsuji spread
malware called Harada by hiding it in an animation image that he had
copied in violation of copyright law. He claims to have created the
malware to punish illegal downloaders. Nakatsuji received a two-year
sentence suspended for three years. The case illustrates the lack of
existing laws in Japan to prosecute certain computer crimes.
http://news.smh.com.au/technology/japan-uses-copyright-conviction-to-crack-down-on-student-who-allegedly-spread-computer-virus-20080516-2f0y.html
http://www.govtech.com/gt/323943?topic=117671
--Alleged Australian Government Hacker Denied Bail
(May 16, 2008)
An IT contractor from Palmerston, Northern Territory (NT) who allegedly
broke into the computer systems and shut down databases at the NT
Health Department, the Royal Darwin Hospital, Berrimah Prison and the
Supreme Court has been denied bail. David Anthony McIntosh allegedly
deleted the user accounts of more than 10,000 government workers.
Police contested McIntosh's bail application because they were concerned
that he had made copies of the passwords and data he had accessed. Law
enforcement authorities found a file of NT government passwords when
they seized equipment tied to the attack; all Northern Territory public
servants have been instructed to change their passwords. McIntosh
allegedly accessed a virtual private network (VPN) to gain access to the
government system. The alleged attacks on the government databases
occurred on May 5. Estimates for repairing the damage run to the
hundreds of thousands of dollars, and it could take months to fix the
systems.
http://www.ntnews.com.au/article/2008/05/16/4125_ntnews.html
[Editor's Note (Shpantzer): Several NewsBites editors have been saying
for years that an improperly secured and authenticated VPN is merely an
opaque pipe into your organization, rather than a protective measure.]
--American Arrested in Korea for Alleged Cyber Extortion
(May 16, 2008)
Korean police have arrested an American man for allegedly breaking into
a computer system of a Korean savings bank. The man, identified only
by the initial "J," allegedly encrypted the customer database and then
attempted to extort money from the bank to release the information. The
man has been on a work visa in Korea since 2003.
http://english.chosun.com/w21data/html/news/200805/200805160012.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--IRS Employees Charged with Illegal File Access
(May 16, 2008)
Five US Internal Revenue Service (IRS) employees have been charged with
accessing and inspecting the tax return information of individuals
unlawfully and without authorization. The defendants' activity was
caught by the IRS security system. It is not known at this time what
relationship, if any, the employees had with the people whose
information they accessed. One employee is accused of accessing one
file, two are accused of accessing two files, and two of accessing four
files.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086238&source=rss_topic17
[Editor's Note (Schultz): These incidents once again illustrate that
insider threats almost always constitute the greatest security risk to
organizations. The possibility of a data security breach due to
externally initiated attacks has motivated the IRS to invest a
considerable amount of effort and resources over the years. I wonder,
however, whether the IRS realized the seriousness of insider risk and
acted accordingly.
(Kreitner): This episode serves as a helpful reminder about internal
access control policies, one of those mundane but important areas of
enterprise discipline. It's also a reminder that effective security is
mostly about basic everyday blocking and tackling. The IRS deserves
credit for discovering this internal illicit activity.]
POLICY & LEGISLATION
--Missouri Legislators Approve Measure to Make Cyber Stalking a Crime
(May 19, 2008)
State legislators in Missouri have passed a bill that would add
electronic communications, including computers and text messaging, to
the state's harassment laws. It would also allow felony prosecution of
stalking charges in some cases. Governor Matt Blunt is expected to sign
the bill, which came about in part due to an Internet Harassment Task
Force formed by Governor Blunt in reaction to the MySpace case.
http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?articleID=207801021
http://www.crn.com/networking/207800926
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Paypal Patches Cross-Site Scripting Flaw in EV-SSL Page
(May 16 & 19, 2008)
Paypal has fixed a cross-site scripting vulnerability on its web site that
could be exploited to create spoofed pages that attempt to steal users'
credentials. The flaw existed despite the fact that Paypal uses an
Extended Validation-SSL (EV-SSL) certificate, which is supposed to offer
increased web page security. Browsers that support EV-SSL certificates
turn the address bar green when users are visiting an EV-SSL web page.
Paypal said it does not believe that the flaw has been exploited in any
attacks.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086700&intsrc=hm_list
http://www.heise-online.co.uk/security/Cross-site-scripting-hole-in-Paypal-casts-doubt-on-EV-SSL--/news/110759
http://www.theregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/print.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Card Skimming Scheme Nets One Million Euro From Irish Bank Accounts
(May 18, 2008)
Fraudsters have stolen approximately one million euro (US $1.55 million)
from 300 Irish bank accounts. The thieves apparently worked with store
and restaurant employees in the Dublin area to skim credit cards and
shoulder surf for their associated PINs. The information was then used
to withdraw funds in various countries in mainland Europe.
http://www.independent.ie/breaking-news/national-news/1-million-euro-stolen-in-bank-card-fraud-1379228.html
STATISTICS, STUDIES & SURVEYS
--Orphaned Accounts Still a Security Problem
(May 16, 2008)
A study of 850 IT, security, HR, and C-level executives found that 27
percent reported more than 20 "orphaned" accounts on their systems. More
than 38 percent said they have no way of knowing if terminated employees
have accessed systems through their orphaned accounts; 15 percent said
they have experienced it at least once. About 30 percent of respondents
said it takes more than three days to terminate an account after an
employee leaves; 12 percent said it takes more than a month.
http://www.eweek.com/c/a/Security/Old-User-Accounts-Pose-Current-Security-Risks-for-Enterprises/
[Editor's Note (Weatherford): "Three days to a month to de-provision a
user account? And these are the people with authority to make the
changes. It's OUR job to make OUR organizations understand that this
is unacceptable due to the significant liabilities it subjects us to."
(Shpantzer): Every account should be tied to a role which is tied back
to a person. Person gone, all roles associated with the account are
gone, all accounts are gone. Easier said than done in real life...
(Grefer): Virtually any server operating system and any decent backend
database offers basic functionality to identify when an account was last
used. As such, it is hard to fathom why these companies would not be
able to track this information.]
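The editors' notes above point to two controls: tie every account to a person and a role, and use the last-login data that the operating system or database already records. The following Python script is an added example and is not part of this NewsBites issue or any SANS tool; it reconciles a constructed list of system accounts against a constructed HR roster and flags accounts with no living owner, accounts used after their owner's termination date, accounts still enabled past a de-provisioning deadline (the three-day figure comes from the survey in the item), and accounts idle beyond a stale window. The field names, the 90-day stale window and the severity labels are assumptions made for the example.

```python
"""Reconcile system accounts against an HR roster to find orphaned accounts.

Added example, not code from SANS NewsBites. All input records below are
constructed sample data; the field names (owner, last_login, terminated) are
assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]            # employee id the account is tied to; None if unknown
    last_login: Optional[datetime]  # None if the OS/DB reports no login ever


@dataclass(frozen=True)
class Person:
    employee_id: str
    terminated: Optional[datetime]  # None while still employed


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    severity: str


def find_orphaned_accounts(accounts: List[Account], roster: List[Person], now: datetime,
                           stale_after: timedelta = timedelta(days=90),
                           deprovision_sla: timedelta = timedelta(days=3)) -> List[Finding]:
    """Return one Finding per account that should not exist or should be reviewed.

    Rules, checked in order for each account:
      1. owner missing from the roster           -> high (nobody is accountable for it)
      2. owner terminated, account logged in since -> critical (possible misuse)
      3. owner terminated, still enabled           -> high if past the SLA, else medium
      4. owner active, no login within stale_after -> low (candidate for disabling)
    """
    people = {p.employee_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if acct.owner is None or acct.owner not in people:
            findings.append(Finding(acct.name, "no owner in HR roster", "high"))
            continue
        person = people[acct.owner]
        if person.terminated is not None:
            if acct.last_login is not None and acct.last_login > person.terminated:
                findings.append(Finding(
                    acct.name,
                    f"login on {acct.last_login.date()} after owner terminated "
                    f"{person.terminated.date()}", "critical"))
            else:
                overdue = now - person.terminated
                severity = "high" if overdue > deprovision_sla else "medium"
                findings.append(Finding(
                    acct.name,
                    f"owner terminated {overdue.days} day(s) ago, account still enabled",
                    severity))
            continue
        if acct.last_login is None or now - acct.last_login > stale_after:
            findings.append(Finding(acct.name, "no login within stale window", "low"))
    return findings


# Constructed sample data (hypothetical accounts and employee ids).
UTC = timezone.utc
NOW = datetime(2008, 5, 20, tzinfo=UTC)
ROSTER = [
    Person("E100", None),                               # still employed
    Person("E200", datetime(2008, 4, 1, tzinfo=UTC)),   # left 49 days ago
    Person("E300", datetime(2008, 5, 19, tzinfo=UTC)),  # left yesterday
    Person("E400", None),                               # still employed
]
ACCOUNTS = [
    Account("alice", "E100", datetime(2008, 5, 19, tzinfo=UTC)),   # healthy
    Account("bob", "E200", datetime(2008, 4, 15, tzinfo=UTC)),     # used after termination
    Account("carol", "E300", datetime(2008, 5, 18, tzinfo=UTC)),   # inside the 3-day SLA
    Account("svc_backup", None, datetime(2008, 5, 20, tzinfo=UTC)),  # no owner on record
    Account("dave", "E400", datetime(2007, 12, 1, tzinfo=UTC)),    # idle for months
]


def report(findings: List[Finding]) -> str:
    """Render findings as one line each, highest severity first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = sorted(findings, key=lambda f: order[f.severity])
    return "\n".join(f"{f.severity:8} {f.account:12} {f.reason}" for f in rows)


if __name__ == "__main__":
    print(report(find_orphaned_accounts(ACCOUNTS, ROSTER, NOW)))
```

The script is deliberately data-source agnostic: the account list would come from whatever last-login facility the platform provides and the roster from HR, and the reconciliation logic stays the same. A "critical" finding (a login after the owner's termination date) is the case the survey's 38 percent of respondents said they could not detect.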
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Understanding and Selecting a Database Activity Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
http://www.sans.org/info/27124
Sponsored by the Following:
Guardium http://www.guardium.com/
Imperva http://www.imperva.com/
Secerno http://www.secerno.com/
Sentrigo http://www.sentrigo.com/
Tizor http://www.tizor.com/
Thanks to increasing compliance requirements and growing security
threats, enterprises must adopt new strategies and techniques to protect
their databases. Security and database administrators are charged with
protecting these essential corporate assets, but are challenged to
improve security and auditing in the least intrusive way possible.
Database Activity Monitoring is emerging as a powerful tool to ensure
compliance while detecting, and sometimes preventing, database attacks
and internal abuse. In this webcast independent consultant Rich Mogull
will review the inner workings of Database Activity Monitoring,
highlight key features, and present a three step selection process.
***
Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems
Some of the issues revolving around log management include privacy,
storage requirements, and meeting regulatory or legislative
requirements. Finally, integration of LM into an organization's overall
security dashboard will be the focus of this presentation.
***
SANS Special Webcast: Virtual Roundtable with Eric Cole, Mike Poor, and Ed Skoudis
WHEN: Thursday, May 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole, Mike Poor, and Ed Skoudis
http://www.sans.org/info/27139
Sponsored By: Core Security http://www.coresecurity.com/
Ever want to pull a chair up to the SANS lunch table? Here's your chance
to get some virtual face time with three of the "cool kids" from SANS
as they discuss the latest topics on the information security threat
horizon, including new attacks to look out for and what to do about
them.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkgzAjEACgkQ+LUG5KFpTkZbyQCfeRgeFu8e7S81TlPLPT2UVXse
t1sAn2hbhm0HOHqsJxlf8et0lQDs4lCz
=NkYG
-----END PGP SIGNATURE-----