Network Security
SANS NewsBites Vol. 11 Num. 71
- From: The SANS Institute
- Date: Tue Sep 08 14:49:14 2009
FLASH: The Internet Storm Center reported a new Windows zero-day
vulnerability early this morning. This is a critical vulnerability,
even without code execution: a single packet can remotely shut down
a Windows host. http://isc.sans.org/diary.html?storyid=7093
The top of the news this week has three stories about useful resources.
Corrected Update on the European SCADA Security Summit (Stockholm
October 27-30): Real-world case studies of smart metering and
virtualization in control systems have just been added, with
insights into the security repercussions of both. Also the US
Department of Homeland Security Control Systems Security Program
is offering free courses and tools. Info and registration at
http://www.sans.org/euscada09_summit/
Alan
*************************************************************************
SANS NewsBites September 8, 2009 Vol. 11, Num. 71
*************************************************************************
TOP OF THE NEWS
Security Company in China Will Make Gigantic Malware Database Available
Apache Issues Incident Report About Recent Attack to Others
H1N1 Pandemic Preparedness Papers from SANS Technology Institute degree
Candidates
THE REST OF THE WEEK'S NEWS
Oracle Quarterly Patch Update Delayed One Week; Adobe's Delayed One
Month
Chinese News Sites Requiring Commenters to Log On With True
Identities
Older Versions of WordPress Blogging Software Vulnerable to Worm
Attack
Amazon Offers to Restore Animal Farm and 1984 to Kindle Users'
Devices
Some Web Monitoring Software Collects and Sells Chat Contents
Australian Man Will be Tried for Cyber Crimes
Infected USB Drive Wreaks Havoc on London Area Council IT Systems
Apple Releases Java Update
Canadian Privacy Commissioner Wants Bell Canada to be Forthright
About Data Collection
*************************************************************************
TRAINING UPDATE
--- SANS Network Security, San Diego Sept. 14-22; the Fall's biggest
security training conference, http://www.sans.org/ns2009
--- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
--- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
--- SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09
--- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus London, Tokyo, Dubai, Sydney, Hong Kong, and Vancouver, all in the
next 90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************
TOP OF THE NEWS
--Security Company in China Will Make Gigantic Malware Database Available to
Others
KnownSec, a Chinese security company, has built a gigantic database
of information about malware and malware infections in China and will
make it available to others. The data are gathered by a crawler that
visits almost two million sites each day. KnownSec keeps a history of
events that occur at each site, a list of all sites infected at any
given time, and information about each virus and worm that is
discovered. CEO Zhao Wei has announced that KnownSec will share
information in this database with incident response teams.
http://www.first.org/newsroom/releases/20090703a.html
--Apache Issues Incident Report About Recent Attack
(August 28 & September 3, 2009)
Administrators at Apache Software Foundation have posted a detailed
account of a security breach that forced them to temporarily shut
down their website. The attackers gained root access to a particular
server and destroyed logs, so the admins had to piece together what
happened from other evidence. The attackers appear to have gained
access to the server by exploiting a known vulnerability in the Linux
kernel; the flaw was addressed in a recent release, but it had not
yet been applied to this server. The incident report indicates that
among the problems the incident illuminated were that SSH keys were
not appropriately restricted and bad data backup procedures were
being used. Among the practices that worked well were "redundant
services in two locations allow[ing them] to run services from an
alternate location" and "a non-uniform set of compromised machines
[that] made it difficult for the attackers to escalate privileges on
multiple machines." As a result of the intrusion, Apache plans to
generate new keys with a minimum length of 4096 bits for hosts and
also possibly to introduce centralized logging.
http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/
https://blogs.apache.org/infra/entry/apache_org_downtime_report
http://isc.sans.org/diary.html?storyid=7030
[Editor's Note (Ullrich and Honan): This is an excellent analysis of
how the attack happened and how other systems can be used by attackers
to target your core systems. Thanks Apache. We wish we would see
more reports like this to be able to learn from others' experiences.]
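Two of the findings above are things an administrator can check on their own hosts today: whether the keys in authorized_keys carry any restrictions, and how long the RSA keys are. The script below is an added example written for this newsletter, not code from Apache's infrastructure team or its incident report. It parses authorized_keys lines (optional options field, key type, base64 blob, comment), decodes the SSH wire format of ssh-rsa blobs to read the modulus size, and reports keys that lack a from= or command= restriction or fall below a minimum size. The 4096-bit threshold is borrowed from Apache's stated plan for host keys and applied here to user keys as an assumed local policy; the key blobs in the sample are synthetic integers of the right bit length, not real keys, and an interactive admin key may legitimately lack command=, so treat that finding as a prompt to review rather than an error.

```python
import base64
import re
import struct

MIN_RSA_BITS = 4096  # assumed policy, modelled on Apache's plan for new host keys

# authorized_keys line: [options] keytype base64blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading zero byte if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def encode_rsa_blob(e: int, n: int) -> str:
    """Build the base64 blob of an ssh-rsa public key from (e, n); used here only for test data."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def rsa_modulus_bits(blob_b64: str) -> int:
    """Decode an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n) and return the modulus bit length."""
    buf = base64.b64decode(blob_b64)
    kind, pos = _read_string(buf, 0)
    if kind != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa blob: {kind!r}")
    _e, pos = _read_string(buf, pos)
    n, _ = _read_string(buf, pos)
    return int.from_bytes(n, "big").bit_length()


def parse_line(line: str):
    """Split one authorized_keys line into (options, keytype, blob, comment); None if it is not a key line."""
    m = KEY_RE.search(line)
    if not m:
        return None
    options = line[:m.start()].strip()
    return options, m.group(1), m.group(2), (m.group(3) or "").strip()


def audit_authorized_keys(text: str, min_rsa_bits: int = MIN_RSA_BITS):
    """Return {comment: [findings]} for every key line in the given authorized_keys text."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, ktype, blob, comment = parsed
        findings = []
        if not re.search(r'(^|,)from="', options):
            findings.append("no from= restriction")
        if not re.search(r'(^|,)command="', options):
            findings.append("no command= restriction")
        if ktype == "ssh-rsa":
            bits = rsa_modulus_bits(blob)
            if bits < min_rsa_bits:
                findings.append(f"rsa key is {bits} bits (< {min_rsa_bits})")
        report[comment or blob[:16]] = findings
    return report


# Constructed sample data: the moduli are synthetic odd integers of the stated size, not real RSA keys.
E = 65537
N_2048 = (1 << 2047) | 1
N_4096 = (1 << 4095) | 0x10001
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys; key blobs are synthetic",
    f"ssh-rsa {encode_rsa_blob(E, N_2048)} deploy@build",
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server --sender . /srv/backup",no-pty,no-port-forwarding '
    f"ssh-rsa {encode_rsa_blob(E, N_4096)} backup@mirror",
    f'from="192.0.2.0/24" ssh-rsa {encode_rsa_blob(E, N_4096)} ops@jump',
])

if __name__ == "__main__":
    for comment, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(comment, "->", findings or ["ok"])
```

To run it against a real host, read the file instead of the constructed sample: `audit_authorized_keys(open("/root/.ssh/authorized_keys").read())`. The options parser is deliberately simple (it looks for from= and command= at the start of the options field or after a comma) and does not try to handle quoted commas inside a command string.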
--H1N1 Pandemic Preparedness Papers from SANS Technology Institute degree
Candidates
If you are trying to decide how prepared you and your IT systems are
for an H1N1 pandemic, you'll want to read the mini-thesis submitted
by Jim Beechey and Rob VandenBrink as part of their candidacy for
Master of Science in Security Engineering at the SANS Technology
Institute. It's really well done and has an associated PowerPoint
presentation you will find useful for educating others.
http://www.sans.edu/resources/pandemic-preparedness/
************************ Sponsored Links: ****************************
1) Be sure to register NOW for the Tool Talk Webcast: SIEM and DLP -
Strength in Integration. http://www.sans.org/info/48172
2) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading
Room http://www.sans.org/info/48177 and click on the Free Vendor
Audio Casts link.
Here is just one of the Audio Casts you can download:
Carlos Solari, former White House CIO, Featured on Application Security
MythBusters Series
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Oracle Quarterly Patch Update Delayed One Week; Adobe's
Delayed One Month
(September 3 & , 2009)
Oracle has said its scheduled quarterly patch releases slated
for October 13 will be delayed. Oracle's delay is due to the
OpenWorld 2009 Oracle conference, which runs from October 11 to
October 15; sticking with the October 13 release date would mean that
administrators would have to choose between attending the conference
and installing the updates in a timely manner. Oracle will issue the
Critical Patch Update (CPU) on October 20. Adobe plans to delay its
scheduled September 8 security update by a month due to the need to
address the vulnerabilities in Microsoft's Active Template Library
(ATL); the update for Adobe Acrobat and Reader currently appears to
be on track for release on October 13.
http://www.h-online.com/security/Adobe-and-Oracle-delay-their-patch-days-Update--/news/114176
http://www.computerworld.com/s/article/9137522/Patch_scramble_throws_Adobe_updates_off_schedule?taxonomyId=85
--Chinese News Sites Requiring Commenters to Log On With True Identities
(September 6, 2009)
Computer users wishing to make comments on Chinese news websites
must log on with their real names and identification numbers; the
sites have imposed the requirement to meet a confidential directive
from China's State Council Information Office. Previously, users
could log in to most news sites anonymously; sites still screened
posts and users could be traced through IP addresses associated
with their comments. Chinese authorities maintain the change will
foster increased "social responsibility" and "civility;" however,
news stories about the requirement have been repressed.
http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?_r=1&ref=technology&pagewanted=print
[Editor's Note (Northcutt): This seems reasonable to me. We are
learning that the new world of "every person is a journalist" needs
to come with a sense of responsibility for the words that we post.
There are certainly places where anonymous posting needs to be
possible, but not necessarily news outlets.]
--Older Versions of WordPress Blogging Software Vulnerable to Worm Attack
(September 5 & 7, 2009)
Bloggers using older versions of WordPress blogging software are
urged to upgrade to version 2.8.4 as soon as possible to protect
themselves from a worm. The malware has been exploiting a known and
patched vulnerability to put comment spam and links to malware on
users' blogs. One user who fell prey to the worm lost two months'
worth of blog entries. The two most recent releases of WordPress,
issued on August 3 and August 12, are not vulnerable to the worm.
http://www.theregister.co.uk/2009/09/07/wordpress_worm/
http://news.cnet.com/8301-1009_3-10345900-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.securityfocus.com/brief/1008
[Editor's Note (Ullrich): WordPress is not alone. Web applications
like WordPress continue to be a problem. Patching them is frequently
hard as they are not covered by regular operating system patch
protocols. Finding solutions to inventory and patch them is critical.]
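The inventory step the editor calls for can be scripted for WordPress specifically, because every install records its version in the file wp-includes/version.php as `$wp_version = '...'`. The script below is an added example written for this newsletter, not WordPress project code; it walks a web root, finds every install by that file, parses the version string, and flags anything older than 2.8.4 (the version the story urges). The fixture directory it builds is constructed in a temporary folder purely so the example runs stand-alone; the three site names in it are made up.

```python
import os
import re
import tempfile

MIN_SAFE_VERSION = "2.8.4"  # version the article urges bloggers to upgrade to
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(s: str):
    """'2.8.4' -> (2, 8, 4); compares correctly as a tuple, unlike string comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def read_wp_version(version_php_path: str):
    """Return the $wp_version string from a wp-includes/version.php, or None if absent."""
    with open(version_php_path, encoding="utf-8", errors="replace") as f:
        m = VERSION_RE.search(f.read())
    return m.group(1) if m else None


def inventory_wordpress(root: str, min_safe: str = MIN_SAFE_VERSION):
    """Walk root and return sorted (install_name, version, outdated) for each WordPress install found."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            install_dir = os.path.dirname(dirpath)
            version = read_wp_version(os.path.join(dirpath, "version.php"))
            # An unparseable version is treated as outdated: it still needs a human look.
            outdated = version is None or parse_version(version) < parse_version(min_safe)
            results.append((os.path.basename(install_dir), version, outdated))
    return sorted(results)


def build_constructed_fixture():
    """Constructed directory tree with three fake installs; only version.php is written."""
    root = tempfile.mkdtemp(prefix="wp-inventory-")
    for site, ver in [("blog.example", "2.8.4"), ("news.example", "2.7.1"), ("shop.example", "2.8.3")]:
        inc = os.path.join(root, "var", "www", site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as f:
            f.write(f"<?php\n$wp_version = '{ver}';\n")
    return root


if __name__ == "__main__":
    for name, version, outdated in inventory_wordpress(build_constructed_fixture()):
        print(f"{name}: {version} {'UPGRADE' if outdated else 'ok'}")
```

On a real server, call `inventory_wordpress("/var/www")` (or whatever the web root is) instead of the fixture; running it from cron and diffing the output is a cheap way to notice new installs that appear outside the normal patch process.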
--Amazon Offers to Restore Animal Farm and 1984 to Kindle Users' Devices
(September 5, 2009)
Amazon is offering Kindle owners whose copies of Animal Farm and 1984
were removed from their devices without notice earlier this summer the
choice of having the books restored or being issued a US $30 credit.
Amazon deleted the books from users' devices after it learned that
the entity making the editions available did not possess the rights
to the works. Amazon chief Jeff Bezos apologized for the way the
matter was handled in July, calling it "stupid, thoughtless, and
painfully out of line with our principles."
http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=219501472
[Editor's Note (Northcutt): Amazon demonstrated a powerful form of
censorship. You can buy the book, Amazon can take the book from you
at any time. They can track which books you buy, which books you read,
what page you are on. Kindle all you like my friends, I am sitting
this one out.]
--Some Web Monitoring Software Collects and Sells Chat Contents
(September 4, 2009)
Certain web monitoring software is collecting the contents of users'
chats and selling the data to companies that use it to fine tune their
marketing strategies. The software in question is called Sentry and
FamilySafe; it is developed by EchoMatrix Inc. While the company
allows families that do not want their children's data collected to
opt out of the arrangement, that choice is not part of the agreement
that accompanies the program when it is downloaded; users must visit
the company web site to select that option.
http://www.msnbc.msn.com/id/32694224/ns/technology_and_science-security/
--Australian Man Will be Tried for Cyber Crimes
(September 4, 2009)
An Australian man has been charged with numerous offenses in
connection with allegedly compromising thousands of computers around
the world with malware designed to steal financial account information.
Anthony Scott Harrison was in the Adelaide Magistrates Court last week,
where prosecutors asked for several months to gather evidence in the
case against him. Harrison faces four counts of modifying computer
data to cause harm or inconvenience, two counts of possession or
control of data to commit serious computer offenses, and one count
of dishonestly manipulating a machine for benefit, all related to
the alleged computer crimes.
http://news.theage.com.au/breaking-news-national/accused-bank-computer-hacker-faces-court-20090904-fatp.html
--Infected USB Drive Wreaks Havoc on London Area Council IT Systems
(September 4, 2009)
One infected USB drive cost the Ealing Council more than GBP 500,000
(US $817,000) in lost revenue and repairs. The drive appears to
have been infected with Conficker, which exploited a Windows Autorun
vulnerability on the council's Windows 2000 machines and spread
throughout the council's IT systems. The infection occurred in May and
took days to clean up. During that time, the council lost an estimated
GBP 90,000 (US $147,000) from parking tickets it was unable to process
and an estimated GBP 25,000 (US $40,850) in library fines and fees.
http://www.theregister.co.uk/2009/09/04/ealing_council_mystery_malware/
http://www.scmagazineuk.com/Ealing-Council-facing-501000-fine-after-its-network-was-hit-by-a-virus-that-crippled-it-for-weeks/article/148144/
[Editor's Note (Pescatore): For this to happen in May 2009, a lot of
patches had to be ignored. This proves that even if you are running
oooold Windows operating systems, if you don't patch you will pay.
(Northcutt): UK friends, I need help. In our Security Leadership
Essentials class we talk about the importance of a smoking gun,
proof that infosec is important and saves money. If you have
evidence this event changes the behavior of the Ealing Council
going forward, I would love to hear from you, stephen@sans.edu
http://www.sans.org/training/description.php?mid=62 ]
--Apple Releases Java Update
(September 3 & 4, 2009)
Apple has released a security update to address vulnerabilities in
Java for Apple that could be exploited to elevate privileges, execute
arbitrary code, or terminate applications. The update applies to
Apple's Leopard OS, Mac OS X 10.5. The problems are already addressed
in version 10.6, which was released last week.
http://www.scmagazineus.com/Apple-issues-security-updates-for-Leopard-OS/article/148185/
http://voices.washingtonpost.com/securityfix/2009/09/apple_updates_java_backdates_f.html
http://www.pcworld.com/businesscenter/article/171426/apple_releases_java_update_for_leopard.html
http://www.h-online.com/security/Apple-release-Java-update-for-Leopard--/news/114166
--Canadian Privacy Commissioner Wants Bell Canada to be
Forthright About Data Collection
(September 3, 2009)
Canada's Privacy Commissioner Jennifer Stoddart is demanding that Bell
Canada inform all of its subscribers that in the process of managing
Internet traffic, it collects some identifying information. Earlier
this year, Stoddart found that Bell's use of deep packet inspection
technology does not comply with the Personal Information Protection
and Electronic Documents Act (PIPEDA). Bell collects the Internet
protocol (IP) addresses associated with subscribers' computers.
While the numbers themselves do not identify individual users, they
can be traced to a user ID. Stoddart determined that IP addresses
are personal information. Bell Canada uses DPI technology to identify
peer-to-peer (P2P) headers on Internet traffic and slow it down.
http://www.itworldcanada.com/a/Security/f8c8388d-1425-4e20-b1d9-c025c9318a4e.html
[Editor's Note (Honan): In 2008 the European Union's
Working Group 11 on Data Privacy also stated that an
IP address should be regarded as personal information.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/21/AR2008012101340.html]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet
Storm Center and Dean of the Faculty of the graduate school at the
SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses,
worms, Trojans, P2P, spyware, and other applications for use in
TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and
eBay and as Vice-Chair of the President's Critical Infrastructure
Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner
for Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer
of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------