Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Subject: Historical SANS NewsBites Vol. 11 Num. 42

  • From: The SANS Institute
  • Date: Fri May 29 13:52:25 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NEWSBITES FLASH 11:15 AM Today. Washington, DC. The White House
The East Room in the White House is awash in sunlight - amplified by the
klieg lights of TV cameras.  More than 100 people who have played a role
in the 60 day review are joined by 50 reporters and camera people, all
awaiting the arrival of President Obama to deliver the results of the
Cyberspace Policy Review. The mood is appropriately subdued, but the
energy is very high.  The President arrives.  "A transformational
moment," he says. "Cyberspace is real and so are the risks."   "I know
about the problem personally," he continues. "During the general
election, hackers managed to penetrate our campaign computer networks.
They got access to [my] emails and policy papers and travel plans."

The President then laid out the scope of the problem ("one of the most
serious challenges we face as a nation and we are not as prepared as we
need to be") and then introduced his new "Cyberspace Policy Review" that
presents 24 key actions. Most of the actions are policy and strategy
based and won't, in themselves, have a huge impact, but two of them will
make all the difference.  (1) Naming a single official in the White
House, called the Cyber Security Coordinator, with "regular access to
me" to oversee cyber security across the government (this corrects the
biggest error made in the previous Administration).  (2) Using
government procurement to improve market incentives for secure and
resilient hardware (the $70 billion in annual federal IT spending is the
single most powerful weapon the nation has to improve security).

You'll read hundreds of articles on the 60 day review - but we wanted
Newsbites readers to get a first look.  The bottom line is that this was
a huge success for people who care about improving cyber security in the
US.
				 Alan

PS The New York Times published a really good, related story earlier
this morning outing the new DoD Cyber Command.
http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?hp

*************************************************************************
SANS NewsBites                  May 29, 2009             Vol. 11, Num. 42
*************************************************************************
TOP OF THE NEWS
  Bank Sues Company That Certified CardSystems Solutions Before Breach
  Cyber Security Status Report Due Out Friday; President May Announce
     Cyber Czar Position
  European Commission Suing Sweden for Failing to Implement Data
     Retention Law
THE REST OF THE WEEK'S NEWS 
  ARRESTS, INDICTMENTS & SENTENCES
    Phisher Sentenced to Eight-and-a-Half Years in Prison
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    Foreign Hacker Group Targeted Army Servers
    Eighteen Percent of Computers at Interior Missing or Lost
  DATA PROTECTION & PRIVACY
    Information Commissioner Sends Harsh Letter to National Health
       Service Over Data Breaches
  VULNERABILITIES
    RIM Issues Advisory on PDF Vulnerability
  DATA LOSS & EXPOSURE
    Missing Laptop Holds Pension Data
    Aetna Notifies 65,000 Current and Former Employees of Data Breach
  ATTACKS & ACTIVE EXPLOITS
    Microsoft Offers Workarounds for Zero-Day DirectX Flaw
  STUDIES AND STATISTICS
    Report: 90 Percent of eMail is Spam
  MISCELLANEOUS
    Authorities Searching For Man Who Tried to Steal US $9
       Million From Former Employer
  CORRECTION

*************************************************************************
TRAINING UPDATE
- -  SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
       http://www.sans.org/sansfire09/event.php
- -  Pen Testing and Web Application Attack Summit - June 1-2 
     http://www.sans.org/pentesting09_summit
- -  Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) 
     http://www.sans.org/rockymnt2009/event.php
- -  SANS Boston, Aug 2-9 (6 full-length hands-on courses)
     https://www.sans.org/boston09/index.php
- -  National Forensics Summit, July 6-14 
     http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at
       http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and
Singapore all in the next 90 days.  For a list of all upcoming events,
on-line and live: www.sans.org

*************************************************************************
TOP OF THE NEWS
 --Bank Sues Company That Certified CardSystems Solutions Before Breach
(May 26 & 27, 2009)
Merrick Bank has filed a lawsuit against Savvis, alleging negligence
because the company certified CardSystems Solutions as compliant with
Visa and MasterCard security requirements less than a year before the
payment processor suffered a massive data security breach.  Merrick
claims that fraudulent transactions resulting from the breach cost it
US $16 million in payments to the credit card companies for using a
non-compliant processor, payments to banks affected by the breach and
legal fees.  Attackers were able to steal information on 40 million
credit card accounts because CardSystems stored unencrypted card data
on its servers.
http://www.finextra.com/fullstory.asp?id=20067
http://www.digitaltransactions.net/newsstory.cfm?newsid=2221
[Editor's Note (Pescatore): Making this charge stick will require
proving that the non-compliant condition existed at the time of the
audit and should have been discovered with reasonable diligence. But it
will be good to see some external attention focused on the PCI audit
process.
(Schultz): The issue concerning whether an organization is (but probably
more importantly, *was* at the time of a data security breach) PCI-DSS
compliant is becoming increasingly complex. If a bank, merchant, or
other organization has passed a PCI-DSS audit, but then a security
breach involving credit card information occurs sometime later, the PCI
Consortium has increasingly suddenly declared the organization to be
non-compliant. As good as they are, PCI-DSS standards do not require
anything near perfect data security, and no audit is 100 percent
comprehensive. Residual risk will always be present as long as systems
are connected to any network. If PCI-DSS auditors are going to become
legally liable for future data security breaches, the cost to perform
these audits will, unfortunately, most likely skyrocket out of control.
(Hoelzer): While the legal system is an important tool when it comes to
forcing organizations to be responsible, this may mark a dangerous time
for PCI.  PCI/DSS isn't perfect but it's a pretty good start.  If
lawsuits continue to pile on, however, we could see energy start to
build for the elimination of standards of this kind since they may
appear to be leading toward greater liability rather than reduced
liability.]

 --Cyber Security Status Report Due Out Friday; President May
Announce Cyber Czar Position
(May 26, 2009)
The report on the 60-day review of the state of US government cyber
security is scheduled to be released on Friday, May 29; President Obama
will discuss the report at a press conference shortly before 11:00 am
Eastern Time.  According to an unnamed senior White House official, the
announcement of a White House-level position in charge of national cyber
security is imminent.  While the precise rank and title for the job had
not been decided, the new adviser will likely be a member of the
National Security Council and will report to the National Security
Advisor and senior White House economic advisor.
http://www.washingtonpost.com/wp-dyn/content/article/2009/05/25/AR2009052502104.html
http://www.msnbc.msn.com/id/30947593/
http://gcn.com/Articles/2009/05/27/White-House-cybersecurity-report-coming.aspx
http://fcw.com/Articles/2009/05/26/cybersecurity-review-report-Gibbs.aspx
[Editor's Note (Skoudis): Unfortunately, private industry has not been
able to improve our security stance as rapidly as attackers have ramped
up their own capabilities, leaving us less secure, relatively speaking,
over time.  That's one of the major reasons the US Government is
significantly and rapidly increasing its involvement in the information
security space.]

 --European Commission Suing Sweden for Failing to Implement Data Retention Law
(May 26 & 27, 2009)
The European Commission is suing Sweden for failing to implement data
retention legislation.  The European Union's (EU's) Data Retention
Directive passed in March 2006; it requires member states to implement
data retention laws by March 2009.  The Swedish government plans to
introduce the legislation in the next few months.  Sweden has had to
comply with the Intellectual Property Rights Enforcement Directive
(IPRED), which requires telecommunications providers to surrender data
in certain legal cases, since April of this year.  Some Internet service
providers (ISPs) have made an end-run around the requirement by deleting
user data regularly; data retention legislation would make it illegal
to delete the data too soon.  There are some who say that the provisions
of the legislation would be at odds with the European Convention on
Human Rights.
http://arstechnica.com/tech-policy/news/2009/05/eu-sues-sweden-demands-law-requiring-isps-to-retain-data.ars
http://www.networkworld.com/news/2009/052709-swedish-politicians-challenge-eu-data.html
http://www.thelocal.se/19680/20090526/

*************************************************************************
THE REST OF THE WEEK'S NEWS 
ARRESTS, INDICTMENTS & SENTENCES
 --Phisher Sentenced to Eight-and-a-Half Years in Prison
(May 27, 2009)
US District Court Judge John Tunheim has sentenced Sergiu D. Popa to
eight-and-a-half years in prison for a phishing scheme in which he stole
sensitive personal and financial information from thousands of people.
Popa was originally from Romania but lived in Michigan when he committed
the crime. Popa admitted that he used the stolen information to conduct
approximately US $700,000 worth of fraudulent transactions between June
2000 and February 2007.
http://www.startribune.com/local/46231247.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aUUl
[Editor's Note (Schmidt): As more of these criminals are caught and get
serious jail time, I hope many more will get the message that "if you
can't do the time, don't do the crime". ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --Foreign Hacker Group Targeted Army Servers
(May 28, 2009)
A hacking group based in Turkey has allegedly gained access to at least
two sensitive US Army servers.  The US Department of Defense (DoD), the
Army's Judge Advocate General's office and the US Computer Emergency
Response Team are investigating the breaches.  The first of the two
breaches occurred on September 19, 2007 at the US Army Corps of
Engineers' Transatlantic Center; the second occurred on January 26, 2009
at the Army's McAlester Ammunition Plant.  Both attacks redirected
users; the first to a site containing anti-American rhetoric and the
second to a page about climate change.  It is unclear if the group also
accessed sensitive information as a result of the attacks.  The
attackers appear to have exploited an SQL injection vulnerability.
http://www.informationweek.com/news/government/federal/showArticle.jhtml?articleID=217700619
[Editor's Note (Pescatore): While headlines like to hype up the "who did
it" part, every one of these ends up with the same "how they did it" -
they exploited well known, easy to close vulnerabilities. While this
will surely end up in statistics showing the volume of "foreign attacks"
it should really show up in statistics of lack of operations due
diligence.
(Northcutt): Mosted appears to be quite the active social cause hacking
group, not sure I would want to end up inside a Turkish prison though:
http://world.commongate.com/post/United_Nations_website_breached_by_hackers/
http://www.youtube.com/watch?v=_2dNz2TUhpk
http://m0sted.by.ru/nowar.htm
http://www.metacafe.com/watch/1565412/m0sted_peace_crew_turkish_hackers_cyber_protest/ ]

 --Eighteen Percent of Computers at Interior Missing or Lost
(May 28, 2009)
According to a report from the US Department of the Interior's inspector
general (IG), the Department cannot account for the whereabouts of 18
percent of its computers.  The vast majority of the missing computers,
450 out of a sample of 2,500, belonged to the Fish and Wildlife Service.
Just two of the department's eight bureaus have kept good records of
their computer inventories, according to the report, and disposal
procedures for machines vary from bureau to bureau.  In addition, the
majority of the department's PCs are not encrypted.
http://www.eweek.com/c/a/Security/Department-of-Interior-Computers-Missing-Report-Finds-443176/
[Editor's Note (Skoudis): If you don't know where a computing asset is
or whose control it is under, you cannot secure it.  Building and
maintaining an asset inventory is difficult work, to be sure, but it is
vital.  An effective inventory maps each system to an employee, a
manager, and an asset owner.  Let's learn a lesson from this story, and
double check our own asset inventories to make sure they are being
maintained.
(Northcutt): It's 8 P.M.; do you know where your computers are? Critical
security control 1, quick win 1: "QW: Deploy an automated asset
inventory discovery tool and use it to build a preliminary asset
inventory of systems connected to the enterprise network. Both active
tools that scan through network address ranges, and passive tools that
identify hosts based on analyzing their traffic should be employed."
http://www.sans.org/cag/control/1.php]
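
The quick win quoted above calls for building a preliminary inventory from both active scanning of address ranges and passive observation of traffic, and Skoudis's note asks that each recorded system map to an employee, a manager and an asset owner. The Python script below is an added illustration written for this archived issue; it is not code from the newsletter, from SANS or from Merit. It reconciles a recorded inventory against constructed active-scan results and constructed flow records and reports the gaps both notes describe. The enterprise address range, the flow-record format, the hostnames and every address are assumptions invented for the example.

```python
"""Reconcile an asset inventory against active-scan and passive-traffic
observations, in the spirit of Critical Security Control 1, quick win 1.

Added example, not SANS or Merit code. Every record below (inventory rows,
scan results, flow lines) is constructed for the demonstration."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the address space the enterprise owns and scans.
ENTERPRISE_RANGES = [ipaddress.ip_network("10.0.0.0/16")]


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    employee: str   # person using the system
    manager: str    # that person's manager
    owner: str      # party accountable for the asset


# Constructed inventory records; empty fields model incomplete records.
INVENTORY = [
    Asset("10.0.1.5", "fws-ws-01", "jdoe", "mgr-a", "fws-it"),
    Asset("10.0.1.6", "fws-ws-02", "", "mgr-a", "fws-it"),
    Asset("10.0.2.7", "hq-srv-01", "svc", "mgr-b", "hq-it"),
    Asset("10.0.3.9", "old-laptop", "rsmith", "", ""),
]

# Constructed active-scan output: addresses that answered the scanner.
ACTIVE_SCAN_HOSTS = {"10.0.1.5", "10.0.1.6", "10.0.2.7", "10.0.4.20"}

# Constructed flow records from a passive sensor (key=value format assumed).
FLOW_LOG = """\
2009-05-28T20:00:01 src=10.0.1.5 dst=10.0.2.7 proto=tcp dport=443
2009-05-28T20:00:03 src=10.0.5.33 dst=10.0.2.7 proto=tcp dport=445
2009-05-28T20:00:04 src=10.0.2.7 dst=198.51.100.10 proto=tcp dport=80
2009-05-28T20:00:09 src=10.0.4.20 dst=10.0.1.5 proto=udp dport=53
"""

_ADDR_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def in_scope(addr: str) -> bool:
    """True if the address falls inside one of the enterprise ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENTERPRISE_RANGES)


def passive_hosts(flow_text: str) -> set[str]:
    """In-scope addresses seen as source or destination in flow records."""
    return {a for a in _ADDR_RE.findall(flow_text) if in_scope(a)}


def reconcile(inventory, active, passive):
    """Compare the recorded inventory with what the network actually shows."""
    recorded = {a.ip for a in inventory}
    observed = active | passive
    return {
        # On the wire but absent from the inventory: nobody is accountable.
        "unrecorded": sorted(observed - recorded),
        # Recorded but never observed: candidates for lost or disposed machines.
        "unobserved": sorted(recorded - observed),
        # Seen only by the passive sensor: hosts the active scan missed.
        "passive_only": sorted(passive - active),
        # Records that fail to map a system to employee, manager and owner.
        "incomplete_records": sorted(
            a.ip for a in inventory if not (a.employee and a.manager and a.owner)
        ),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACTIVE_SCAN_HOSTS, passive_hosts(FLOW_LOG))
    for finding, hosts in report.items():
        print(f"{finding:>19}: {', '.join(hosts) or '-'}")
```

Run stand-alone, the script lists the two addresses that appear on the network but not in the inventory, the one recorded machine that nothing has seen, the host only the passive sensor caught, and the two records with missing accountability fields. In practice the constructed sets would be replaced by the scanner's export and the sensor's flow feed, and the reconciliation would be scheduled so the inventory is continuously maintained rather than rebuilt once.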

DATA PROTECTION & PRIVACY
 --Information Commissioner Sends Harsh Letter to National Health Service Over Data Breaches
(May 25, 26, 27 & 28, 2009)
The UK Information Commissioner (ICO) has sent a letter to the National
Health Service directing the organization to tighten patient information
security controls in the wake of numerous data security breaches. In the
last four months alone, 140 data security breaches were reported at NHS.
The ICO plans to monitor NHS's security practices with checks at various
hospitals.  There have also been reports circulating that NHS will allow
patients to request that their medical records be deleted from the
Summary Care Records (SCR) system, a national medical database.  The
rumors appear to be accurate, with the exception of records that have
already been accessed for patient treatment; for legal reasons, those
records will be archived rather than deleted.
http://www.eweekeurope.co.uk/news/nhs-takes-action-over-data-security-988
http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html
http://news.zdnet.co.uk/security/0,1000000189,39656576,00.htm
http://www.vnunet.com/computing/news/2242940/nhs-backtracks-deleting
http://www.scmagazineuk.com/Information-Commissioner-instructs-NHS-to-improve-data-protection-as-rumours-made-that-patients-may-have-control-over-their-records/article/137578/

VULNERABILITIES
 --RIM Issues Advisory on PDF Vulnerability
(May 28, 2009)
Research in Motion (RIM) has issued an advisory warning users that a
vulnerability in the way BlackBerry servers handle malformed PDF files
could be exploited to launch a code injection attack.  For the attack
to work, users would need to be tricked into opening an email message
with a maliciously crafted PDF attachment.  The flaw affects BlackBerry
Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through
5.0 and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4).
While the company has issued an interim update for the vulnerability,
RIM is encouraging customers to disable PDF processing on BlackBerry
servers until a more thorough fix is available.
http://www.theregister.co.uk/2009/05/28/blackberry_pdf_peril/
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327
[Editor's Note (Schultz): Once again, RIM deserves considerable credit
for its candidness to users concerning vulnerabilities and solutions in
its products.
(Skoudis): RIM's BES servers have had several vulnerabilities associated
with PDF parsing in the last year, with major vulnerability fixes
released in July 2008, January 2009, and now.  Perhaps RIM should really
re-do the code architecture and implementation associated with PDF
parsing in BES servers.]

DATA LOSS & EXPOSURE
 --Missing Laptop Holds Pension Data
(May 28, 2009)
A laptop computer stolen from an office of NorthgateArinso, the company
that provides the Pension Trust's computerized administration system,
contains personally identifiable information of 109,000 Pension Trust
members.  The compromised data include names, salary information and
bank account details; the data are not encrypted.
http://www.theregister.co.uk/2009/05/28/pension_data_breach_alert/
http://www.matthewhenty.com/blog/?p=228

 --Aetna Notifies 65,000 Current and Former Employees of Data Breach
(May 28, 2009)
Aetna has notified 65,000 current and former employees that their Social
Security numbers (SSNs) and email addresses were compromised in a
security breach.  The job application website also contained email
addresses of as many as 450,000 job applicants.  Aetna became aware of
the breach after people started complaining about phishing emails that
appeared to come from the insurance company.  The messages claimed they
were related to job inquiries and asked the recipients for additional
personal information.  A computer forensics company is investigating how
the breach was accomplished.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133621

ATTACKS & ACTIVE EXPLOITS
 --Microsoft Offers Workarounds for Zero-Day DirectX Flaw
(May 28, 2009)
Microsoft is investigating reports of a remote code execution
vulnerability in the DirectX Windows component that is being actively
exploited through limited attacks.  The vulnerability is triggered by
maliciously altered QuickTime files and can be exploited to gain control
of vulnerable computers.  Microsoft has not yet released a patch for the
vulnerability, but the company has suggested several workarounds to help
users protect their computers.
http://www.theregister.co.uk/2009/05/28/critical_microsoft_directx_vulnerability/
http://news.cnet.com/8301-1009_3-10251544-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.techweb.com/article/showArticle?articleID=217700719&section=News
http://www.microsoft.com/technet/security/advisory/971778.mspx
[Editor's Note to self (Northcutt): Open Quicktime files only on your
Vista boxes for the next few weeks, not your XPs! ]

STUDIES AND STATISTICS
 --Report: 90 Percent of eMail is Spam
(May 26 & 27, 2009)
According to a report from Symantec, nine out of every 10 emails sent
over the Internet last month were spam messages.  The findings mark a
5.1 percent increase over last month's figures.  Most of the spam comes
from social networking site profiles that were likely created with
automated CAPTCHA (completely automated public Turing test to tell
computers and humans apart) readers.  Because the headers were not
spoofed, filters were unable to detect them as spam.   The report also
indicates that spammers are most active during US business hours,
suggesting that either most are based in the US or that spammers have
found those hours to prove most fruitful.
http://www.scmagazineus.com/Spam-accounted-for-90-percent-of-all-email-in-May/article/137486/
http://www.csoonline.com/article/493497/Report_Spammers_Work_by_US_Clocks_and_Target_Facebook_Twitter

MISCELLANEOUS
 --Authorities Searching For Man Who Tried to Steal US $9
Million From Former Employer
(May 26, 2009)
State and federal officials are searching for a former California water
utility employee who resigned late last month and, hours later, gained
physical access to the facility to transfer more than US $9 million from
his former employer's bank account to accounts in Qatar.  Abdirahman
Ismail Abdi is believed to have fled to Canada after putting his wife
and children on a plane to Frankfurt, Germany.  Two of the wire
transfers were blocked; funds from the third transfer are believed to
be frozen.  The incident illustrates the importance of implementing
access controls.
http://www.theregister.co.uk/2009/05/26/utility_transfer_heist/

Correction:
In Tuesday's NewsBites (Volume 11, Number 41), we ran a story about a
college student whose seized property was returned after a judge granted
his request to quash a search warrant.  The school was misidentified;
the student attends Boston College, not Boston University.  We apologize
for any confusion this may have caused.

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkogCZsACgkQ+LUG5KFpTkZEbgCeJwSkcuq+HcT/8FU9ECDM17e/
8LQAoIwOwQAdUXA2gPvSd39ctUmDjzcy
=qj6l
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
