
NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 16 : Hacked Oil Companies Identified, and a Big BIND Flaw

  • From: The SANS Institute
  • Date: Fri Feb 25 14:08:01 2011


**************************************************************************
SANS NewsBites             February 25, 2011             Vol. 13, Num. 016
**************************************************************************
TOP OF THE NEWS    
  Hacked Oil Companies Identified
  BIND Flaw
  Dutch Bank Hit by DDoS Attack
THE REST OF THE WEEK'S NEWS 
    Microsoft Patches Malware Scanner Flaw
    Man Admits to Stealing Royalties, Breaking Into NASA Network
    Keystroke Loggers Found on Library Computers
    Guilty Plea in Financial Fraud Case
    Microsoft Releases Windows 7 Service Pack 1
    FTC Seeks Injunction Against Text Message Spammer
    OddJob Trojan Steals Online Banking Session IDs
A Note From Stephen Northcutt

*************************************************************************
TRAINING UPDATE
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011
6 courses.  Bonus evening presentations and special events include
Indicators of Compromise: ABCs of IOCs and Network Vulnerability
Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011
7 courses.  Bonus evening presentations and special events include
The Road to Sustainable Security
http://www.sans.org/appsec-2011/
-- SANS 2011, Orlando, FL, March 26-April 4, 2011
40 courses.  Bonus evening presentations and special events include
Hiding in Plain Sight: Forensic Techniques to Counter the Advanced
Persistent Threat; and Law and the Public's Perception of Data
Security
http://www.sans.org/sans-2011/
-- The National Cybersecurity Innovation Conference, April 18-19, 2011
User-to-user conference featuring outstanding examples of continuous
monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/
-- "Combating Malware in the Enterprise" course at SANS (SEC569).
How do you fight off malware when you have thousands of hosts?
Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney,
Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/
-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses.  Bonus evening presentations include Cyberwar or Business
as Usual?  The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/
-- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
Investigation
http://www.sans.org/security-west-2011/
-- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in
the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*********************  Sponsored by Adobe Systems *************************

The Adobe Reader X family of products delivers better application
security and protection from PDF-based malware with the introduction of
"Protected Mode" - an always-on protective environment.  This is in
addition to the numerous security enhancements and controls added across
the new Adobe Acrobat X family of products.  Learn more about how Adobe
Acrobat and Reader X are raising the bar on PDF security.

http://www.sans.org/info/71704

****************************************************************************
TOP OF THE NEWS
 --Hacked Oil Companies Identified
(February 24, 2011)
New reports are saying that the attacks on computer networks at
international petrochemical companies targeted Shell, Exxon Mobil, BP,
Marathon Oil, ConocoPhillips and Baker Hughes.  The attacks were
first reported by the Christian Science Monitor in January 2010, and were
mentioned in a report from McAfee earlier this month. The attackers
appear to have been after legal and financial data.  The series of
attacks has been dubbed "Night Dragon," and may have been going on for
as long as four years.  The McAfee report says the attacks were traced
to IP addresses in China.
http://www.v3.co.uk/v3/news/2274971/shell-bp-exxon-mobil
http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html
[Editors' Note (Schultz and Paller): The fact that US oil companies'
computers have been owned for some period of time should come as no
surprise to anyone. The shame of it all is that a few of these companies
have truly achieved information security "best practices" status.]

 --BIND Flaw
(February 24, 2011)
According to an advisory from the Internet Systems Consortium (ISC), a
serious flaw in BIND domain name system (DNS) software could be
exploited to crash vulnerable systems.  The vulnerability affects BIND
versions 9.7.1 through 9.7.2-P3.  Users are urged to upgrade to
non-vulnerable versions of BIND.  The vulnerability can be remotely
exploited, but there have been no reports of attacks in the wild.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229219353&subSection=Security
http://www.theregister.co.uk/2011/02/24/dns_bind_vuln/
http://www.h-online.com/security/news/item/The-unintended-kill-switch-in-Bind-1196567.html
https://www.isc.org/software/bind/advisories/cve-2011-0414

 --Dutch Bank Hit by DDoS Attack
(February 23, 2011)
Dutch bank Rabobank experienced a significant distributed
denial-of-service (DDoS) attack that took down both its website and its
ebanking services.  The attack caused collateral damage as well: the
outage sent so many returned transaction messages to iDeal, a Dutch
PayPal alternative, that that system also experienced a partial outage.
The identity of the attackers is still unknown.
http://news.idg.no/cw/art.cfm?id=3F6822FF-1A64-6A71-CE67724BB606D61C
[Editor's Note (Pescatore): Did you ever notice we don't see news
articles that say "power outage takes down Dutch bank"? That's because
years ago we learned that data centers without electricity were just
quiet computer museums. Today, data centers without Internet
connectivity are just noisy computer museums. If you depend on Internet
connectivity, denial of service protection should be part of business
continuity planning.]

***************************  Sponsored Links:  *****************************
1) Countdown: SANS Northern Virginia 2011. 5 days left to take advantage
of Early Bird $400 savings.  http://www.sans.org/info/69698

2) SANS Analysts Program Webcast: Managing Insiders (Contractors,
Vendors, and Employees) in SCADA Environments Wednesday, March 23, 2011
Gain key insight from security professionals involved in auditing SCADA and
other utility control systems about insider risk in control system
environments, along with the NERC CIPC controls required to protect
against these common insider vulnerabilities. Featuring SANS instructor
and senior analyst, Matthew E. Luallen. To register, go here:
http://www.sans.org/info/71709

3) REGISTER NOW for the Tuesday, March 01, 2011 Webcast: Bullseye on the
Back: Adobe's Product Security Program
FEATURING: Dave Shackleford & Brad Arkin
START TIME: 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info/71714

***************************************************************************

THE REST OF THE WEEK'S NEWS
 --Microsoft Patches Malware Scanner Flaw
(February 24, 2011)
Microsoft has released a fix for a privilege elevation vulnerability in
its malware scanner. The flaw could be exploited by attackers changing
a Windows registry key to a certain value.  It is exploitable only by
people who already have valid logon credentials for the vulnerable
system. The patch will be included in an update to the Microsoft Malware
Protection Engine.
http://news.cnet.com/8301-27080_3-20036048-245.html?tag=mncol;title
http://www.h-online.com/security/news/item/Microsoft-s-virus-scanner-causes-security-problem-1196731.html
http://www.microsoft.com/technet/security/advisory/2491888.mspx

 --Man Admits to Stealing Royalties, Breaking Into NASA Network
(February 23 & 24, 2011)
Jeremey Parker, a 26-year-old Houston man, has admitted to breaking into
servers at NASA's Goddard Space Flight Center and at SWReg, a company
that manages royalty payments for independent software developers.
Parker admitted to stealing US $275,000 from SWReg accounts and causing
US $43,000 in damage to the NASA system.
http://www.theregister.co.uk/2011/02/24/nasa_hacker_guilty/
http://www.bizjournals.com/twincities/news/2011/02/23/Computer-Hacker-admits-stealing.html

 --Keystroke Loggers Found on Library Computers
(February 24, 2011)
Keystroke logging devices were found plugged into computers at
libraries in Cheshire, UK.  It is not known how long the devices were
connected to the computers before they were discovered.  Keyboards are
now being plugged into ports at the front of computers.
http://www.scmagazineuk.com/keyloggers-found-plugged-into-library-computers/article/196936/
http://www.h-online.com/security/news/item/Hardware-keyloggers-found-in-public-libraries-1190097.html
[Editor's Note (Schultz): Computers in Internet cafes and other public
places constitute one of the greatest risks to security.]

 --Guilty Plea in Financial Fraud Case
(February 23, 2011)
Dmitry M. Naskovets has pleaded guilty to conspiracy to commit wire
fraud and credit card fraud for running an identity theft website that
provided specialized language services to help thieves conduct
fraudulent bank transactions.  The site offered the services of German
and English speakers who would call the bank from which the thief was
attempting to steal the funds and pretend to be the account holder.
Naskovets provided dossiers with detailed information about the victims
so the impersonators could be convincing on the phone.
http://www.computerworld.com/s/article/9210980/Belarus_man_pleads_guilty_to_running_identity_theft_site?taxonomyId=17
http://www.theregister.co.uk/2011/02/23/naskovets_guilty/
http://www.fbi.gov/newyork/press-releases/2011/belarusian-proprietor-of-international-identity-theft-website-pleads-guilty-in-manhattan-federal-court
[Editor's Note (Honan): In the light of the hype over cloud computing
could this be a new use of the term SaaS, Scam as a Service?]

 --Microsoft Releases Windows 7 Service Pack 1
(February 23, 2011)
Microsoft has released Service Pack 1 for Windows 7; it includes all
security fixes to date.  A public test release of Windows 7 SP1 took
place in July 2010, and installation difficulties have been reported.
Users running Windows 7 and Linux on the same PC have reported that they
were unable to continue with the installation process due to error
0x800f0a12; Microsoft has posted a fix for that issue.
http://isc.sans.edu/diary/Windows+7+2008+R2+Service+Pack+1+Problems/10453
http://voices.washingtonpost.com/fasterforward/2011/02/microsofts_windows_7_service_p.html
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=229219123&subSection=Security
http://www.zdnet.com/blog/bott/quick-fix-for-windows-7-sp1-installation-errors/3040
Important link if you are experiencing problems:
http://blogs.technet.com/b/joscon/archive/2011/02/17/windows-7-2008-r2-service-pack-1-fails-with-0x800f0a12.aspx
[Editor's Comment (Northcutt): It is kind of ironic. Microsoft has
gotten so good at testing and release management for the monthly patches
that we have a tendency not to take a service pack as seriously as we
should. We should always back up before installing a service pack! I ran
into problems myself, with a piece of security software, Bit 9, as the
apparent culprit; when we turned it off, the SP1 install succeeded.]

 --FTC Seeks Injunction Against Text Message Spammer
(February 23, 2011)
The US Federal Trade Commission (FTC) wants a judge to shut down a
text-messaging spammer who was sending out unsolicited messages about
home loan modification and other services.  The scheme, allegedly run
by Phillip A. Flora, sent out messages at a rate of 85 every minute
during a 40-day period in late summer of 2009.  Many of the people who
received the messages had to pay fees to their carriers.  Flora
allegedly collected personal information from people who responded to
the messages, even from those who asked him to stop sending them, and
sold that information to marketers. According to the FTC's complaint,
Flora violated the FTC Act by sending unsolicited messages and by
misrepresenting his business as being affiliated with a government
agency. The complaint also alleges that he violated the CAN-SPAM Act.
http://www.computerworld.com/s/article/9210979/FTC_asks_court_to_shut_down_text_spammer?taxonomyId=17
http://www.ftc.gov/opa/2011/02/loan.shtm
http://www.ftc.gov/os/caselist/1023005/110223phillipcmpt.pdf

 --OddJob Trojan Steals Online Banking Session IDs
(February 22, 2011)
The OddJob banking Trojan grabs online banking session ID tokens in real
time, allowing thieves to keep the sessions open longer and make
fraudulent transactions.  The malware is being actively used in the US,
Poland and Denmark.  Researchers have noted that those behind OddJob
have made refinements to the malware over the last few weeks.
http://www.scmagazineus.com/trojan-steals-session-ids-bypasses-logout-requests/article/196816/
http://www.computerworld.com/s/article/9210764/New_bank_Trojan_employs_fresh_tricks_to_steal_account_data?taxonomyId=17
http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/
Trusteer posted a good overview of the OddJob Trojan on its site at
http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D
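Because OddJob's trick is to keep a banking session alive after the user believes they have logged out, the server-side lesson is that session lifetime must be bounded by the server itself, not by whether a logout request ever arrives. The Python below is an added illustration, not code from the article, from Trusteer, or from any bank: a constructed session store with assumed idle and absolute limits, where the token is only a lookup key for server-held state and a token that has been revoked or has aged out is refused regardless of what the client does.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed limits (illustrative, not taken from the article): a session is
# refused after 15 minutes idle or 8 hours total, whatever the client does.
IDLE_LIMIT = 15 * 60
ABSOLUTE_LIMIT = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table; the bearer token is only a lookup key."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable, never derived from user data
        t = self.now()
        self._sessions[token] = Session(user, t, t)
        return token

    def logout(self, token):
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True    # revoke on the server, not just by clearing a cookie

    def validate(self, token):
        """Return the user for a live session, or None if it must not be honoured."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        t = self.now()
        # A malware-suppressed logout cannot extend a session past these bounds:
        # the absolute limit ends it even if the client keeps it busy.
        if t - s.created > ABSOLUTE_LIMIT or t - s.last_seen > IDLE_LIMIT:
            s.revoked = True
            return None
        s.last_seen = t
        return s.user
```

A real deployment would also re-authenticate high-value transactions, so that a session kept alive by a stolen token is still not enough on its own to move money.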

A Note From Stephen Northcutt:
Most of us remember where we were when we heard the news of the attacks
on September 11, 2001.  The National September 11 Memorial and Museum
in New York City has launched an interactive timeline of the September
11 attacks.  The timeline offers recordings and images from a day that
we have a responsibility to remember.
http://www.aolnews.com/2011/02/23/new-york-citys-sept-11-museum-launches-interactive-timeline-of/

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
