Merit Network Email List Archives: Network Security

Historical SANS NewsBites Vol. 11 Num. 73 : New report on top cyber risks shows companies focusing on the wrong defenses

  • From: The SANS Institute
  • Date: Tue Sep 15 19:32:49 2009


The 2009 Top Cyber Risks Report came out this morning.  Best risk
report ever. Combines attack data (TippingPoint) with vulnerability
data (Qualys), both covering thousands of enterprises, to provide an
authoritative description of the two cyber risks that matter most,
and adds Internet Storm Center analysis and scenarios. Even SANS
faculty said the new report taught them a lot.  Offers hard evidence
that companies and agencies are focusing their defensive dollars
in the wrong places.  Coverage in New York Times and Business
Week and Slashdot and CSO and 50 other pubs.  (To find them,
Google top security risks in the News). Actual report is posted at
http://www.sans.org/top-cyber-security-risks/
                                      Alan
*************************************************************************
SANS NewsBites             September 15, 2009            Vol. 11, Num. 73
*************************************************************************
TOP OF THE NEWS
  Report Shows Taking Down Small Power Subnetwork Could Cause Significant
     Outages
  Australia's Internet Industry Association Issues Draft eSecurity Code
  Proposed Legislation in California Clarifies Breach Notification
     Requirements
THE REST OF THE WEEK'S NEWS
    DoD Analyst Charged With Unauthorized System Access
    Ads on New York Times Website Serving Up Scareware
    Trojan Horse Program Uses Google Groups as Command and Control
       Channel
    Microsoft Update Limits AutoRun Functionality
    Linux Botnet
    Gonzalez Guilty Plea Settles Two of Three Indictments
    Attacker Claims to Have Exploited SQL Injection Vulnerability at RBS
       WorldPay
    Cyber Thieves Stole Payment Card Data From Indiana Bank Customers
    Man Draws Six Month Sentence for Unauthorized Background Checks

***************************  Sponsored By HP  ***************************

Participate in a 24-hour live hacking challenge! Join application
security experts from around the world at HP's virtual conference
Sept 29-30. Attend  live and on-demand sessions, chat with experts
and download the latest information on application security,
cloud security, Web 2.0 and more. "HP Functionality, Performance
& Security Testing in today's application realities." Register
Now. http://www.sans.org/info/48542

*************************************************************************
TRAINING UPDATE
-- SANS Chicago North Shore, Oct. 26-Nov. 2,
    http://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30,
    http://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14,
    http://www.sans.org/sanfrancisco09
-- SANS London, UK, Nov. 28-Dec. 9,
    http://sans.org/london09/
-- SANS Sydney, Nov. 9-14,
    http://sans.org/sydney09/
-- SANS CDI, Washington DC, Dec. 11-18,
    http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
    http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the
next 90 days.  For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Report Shows Taking Down Small Power Subnetwork Could Cause
Significant Outages
(September 14, 2009)
The US Department of Homeland Security (DHS) is taking a close
look at a report from a Chinese research scientist that posits
that "a well-placed attack against a small power subnetwork could
trigger a cascading failure of the entire West Coast power grid."
Cascading failures caused the August 2003 blackout in the northeast US.
The purpose of the study, conducted by Jian-Wei Wang and his colleagues
at Dalian University of Technology in Liaoning, was to uncover
the weak spots in networks that could trigger cascading failures.
The researchers expected to find that highly loaded networks posed
the greatest risk, because if they went offline, the demand put
on smaller networks would be overwhelming.  Surprisingly, the team
discovered that in certain conditions, "taking out a lightly loaded
subnetwork first" took out more of the grid.
http://www.newscientist.com/article/mg20327255.900-how-to-shortcircuit-the-us-power-grid.html
http://www.computerworld.com/s/article/9138017/DHS_to_review_report_on_vulnerability_in_West_Coast_power_grid?taxonomyId=17

 --Australia's Internet Industry Association Issues Draft eSecurity Code
(September 11 & 14, 2009)
Australia's Internet Industry Association (IIA) has published a
draft of an eSecurity Code aimed at protecting citizens from online
threats. The voluntary code of practice makes numerous suggestions,
including having Internet service providers (ISPs) notify subscribers
whose computers are infected with malware and in some cases, disconnect
those computers from the network.  Under the plan as drafted, ISPs
would first notify the subscribers and offer them help cleaning the
malware from their machines.  Recommendations to cut off Internet
access would be made only when customers have refused to take action
against known problems or if their computers are being used to conduct
malicious activity that consumes substantial resources.
http://www.securecomputing.net.au/News/155673,isps-asked-to-cut-off-malwareinfected-pcs.aspx
http://iia.net.au/images/resources/pdf/esecurity_code_consultation_version.pdf
[Editor's Note (Schultz): I very much like what the Australian IIA
is proposing. Given that most users are not capable of (or perhaps
better said, are indifferent towards) securing their systems, having
ISPs monitor their systems and provide assistance when systems become
infected with malware makes perfect sense.]

 --Proposed Legislation in California Clarifies Breach Notification Requirements
(September 11, 2009)
Legislation awaiting the governor's signature in California
would require that data breach notification letters include specific
information about the incident, including what type of information
was compromised, and entities experiencing breaches that affect 500
or more individuals provide a copy of the notification letter to the
state attorney general's office.
http://www.scmagazineus.com/Bill-to-bolster-California-breach-law-awaits-governor/article/148734/

************************  Sponsored Links:  ****************************
1) IBM Security Management Solutions Manage the volume & complexity
of corporate governance regulations. Learn from the Service Management
Resource Center. http://www.sans.org/info/48547

2) NetWitness provides next generation security solutions that
help organizations discover, prioritize and remediate complex IT
risks. http://www.sans.org/info/48552

3) WEBCAST: Defending against Web 2.0 and Browser Hacks &
Attacks. Can SaaS Web Security Deliver Higher Protection
& Lower Cost? Keynote by Peter Firstbrook of Gartner
http://www.sans.org/info/48557

***********************************************************************

THE REST OF THE WEEK'S NEWS
 --DoD Analyst Charged With Unauthorized System Access
(September 14, 2009)
A US Defense Department analyst has been charged with gaining
unauthorized access to a protected computer or exceeding authorized
access and obtaining classified information.  Brian Keith Montgomery
said he did not notice a warning message "that only authorized
participants of that operation were permitted to access that system"
when he logged on to the system.  According to an affidavit from a
Defense Criminal Investigative Service agent, Montgomery caused harm
to the investigation, the US Army and the FBI merely by accessing
the system in question.  The system was being used as part of a
terrorism investigation.
http://www.wired.com/threatlevel/2009/09/montgomery/
http://www.wired.com/images_blogs/threatlevel/2009/09/montgomery_affidavit.pdf
[Editor's Note (Skoudis): Saying that you didn't notice the warning
message is a pretty weak excuse, especially if it is succinct and
clearly worded.  Also, it's quite disturbing to think of personnel
in that line of work just poking around systems in their environment.
(Northcutt): How many times have you heard a news story and the
root problem was access control?]

 --Ads on New York Times Website Serving Up Scareware
(September 14, 2009)
The New York Times has warned that rogue advertisements on its
website were serving scareware over the weekend.  The malware creates
pop-up boxes which warn users that their computers are infected and
provides links that lead to pages where they can purchase products
that will allegedly remedy the problem.  In fact, the products are
either ineffective or infect users' machines with more malware.  As a
result of the incident, The New York Times has changed its policy on
advertisements served directly from advertisers' websites.
http://www.computerworld.com/s/article/9137981/NY_Times_warns_of_rogue_antivirus_on_Web_site?source=CTWNLE_nlt_dailyam_2009-09-14
http://www.theregister.co.uk/2009/09/14/nyt_scareware_ad_hack/
http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/
http://www.scmagazineuk.com/New-York-Times-website-hit-by-malicious-adverts-for-scareware/article/148862/

 --Trojan Horse Program Uses Google Groups as Command and Control Channel
(September 11 & 14, 2009)
The Grups Trojan horse program uses Google groups as a command
and control channel.  Grups requests a page from a certain private
newsgroup to get instructions.  Information gathered from examining
the Trojan indicates that it is a prototype in the process of being
tested.  While news groups have been used to distribute malware, this
is believed to be the first instance of such a group being used as a
command and control channel, according to Symantec, which discovered
the Grups Trojan.
http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=219900032
http://www.itworld.com/security/77545/google-groups-botnet-command-and-control
http://www.eweek.com/c/a/Security/Symantec-Google-Groups-Used-to-Send-Commands-to-Malware-183661/
[Editor's Note (Pescatore): Bot-net generation malware has been
using all kinds of communication channels, from Twitter to news
groups to more generic drop/search/find mechanisms using blog comment
fields, etc. Yet more black list signature approaches (IP address/URL
reputations) will not be sufficient - the executables themselves have
to be dealt with.]

 --Microsoft Update Limits AutoRun Functionality
(September 14, 2009)
Last month, Microsoft issued "an update that changes the AutoRun
functionality in Windows XP, Windows Server 2003, Windows Vista,
and Windows Server 2008."  The AutoRun feature is often exploited
to install malicious software on computers.  The update does not
affect all devices; CD and DVD drives will continue to operate as
they did before.
http://www.theregister.co.uk/2009/09/14/more_microsoft_autorun_fixes/
[Editor's Note (Skoudis): In the aftermath of Conficker, I'm
shocked that Microsoft is still twiddling with the AutoRun feature.
I'm hoping this new update will finally address the problem, but I
won't hold my breath.]

 --Linux Botnet
(September 12 & 14, 2009)
A network of infected Linux servers is being used to distribute
malware.  All of the compromised machines are serving legitimate
content through the Apache webserver and at the same time are running
the nginx webserver and serving malicious content through port 8080.
The Linux server botnet is connected to a botnet of home computers.
The network is presently believed to comprise approximately 100 nodes.
http://www.h-online.com/security/Botnet-discovered-on-Linux-servers--/news/114225
http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/
[Editor's Note (Skoudis): When I first saw this, I thought: "How
cute! A baby bot-net of only 100 nodes."  But, then, I started to
consider the damage a determined attacker could do with a network of
highly stable bots on a very flexible underlying platform.  It's not
so cute at all.]

 --Gonzalez Guilty Plea Settles Two of Three Indictments
(September 11 & 12, 2009)
Albert Gonzalez has pleaded guilty to 20 charges of conspiracy,
computer fraud, wire fraud, access device fraud and aggravated
identity theft in connection with data thefts at TJX, BJ's Wholesale
Club, OfficeMax, Barnes & Noble and other retailers.  The cyber heists
netted Gonzalez and his accomplices tens of millions of credit and
debit card numbers.  The plea settles charges from an indictment
handed down in Massachusetts and one handed down in New York. The
deal he agreed to with prosecutors could have him in prison for up
to 25 years.  He is still facing charges in New Jersey for allegedly
stealing payment card information from Heartland Payment Systems and
several other companies.  A defense attorney maintains that Gonzalez
was not the ringleader in that case.
http://www.washingtonpost.com/wp-dyn/content/article/2009/09/11/AR2009091103773.html
http://www.theregister.co.uk/2009/09/11/albert_gonzalez_enters_plea/
http://www.computerworld.com/s/article/9137900/Gonzalez_pleads_guilty_to_TJX_other_data_heists?taxonomyId=17
http://news.cnet.com/8301-27080_3-10350858-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.informationweek.com/news/security/intrusion-prevention/showArticle.jhtml?articleID=220000036

 --Attacker Claims to Have Exploited SQL Injection Vulnerability at
RBS WorldPay
(September 11, 2009)
An attacker claims to have exploited an SQL injection vulnerability
in a web application to gain access to the RBS WorldPay database.
RBS WorldPay says the attacker accessed a test website with a database
containing dummy data, and that no merchant or consumer information was
ever compromised.  The attacker disputes that statement.  Nonetheless,
the flaws have been fixed.  The same attacker has exposed similar
vulnerabilities on the HSBC France and UK Parliament websites.
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005

 --Cyber Thieves Stole Payment Card Data From Indiana Bank Customers
(September 11, 2009)
Investigators say that cyber thieves stole debit card numbers from
customers of People's Saving and Trust Bank in Boonville, Indiana.
The numbers were used in fraudulent transactions across the country.
The bank will reimburse customers for losses incurred as a result of
the data theft if they fill out police reports.  The bank's systems
were not breached; the information was stolen from a third-party
company.  Customers whose accounts have been compromised are being
urged to close those accounts.
http://www.14wfie.com/Global/story.asp?S=11116573
http://tristatehomepage.com/content/fulltext/?cid=94971

 --Man Draws Six Month Sentence for Unauthorized Background Checks
(September 10, 2009)
An Illinois man has been sentenced to six months in jail for
abusing his position as director of a county emergency dispatch agency
to conduct unauthorized background checks.  Steven R. Cordes ran the
checks as a favor to his girlfriend, who was concerned about the people
with whom her teenage daughter was spending time.  He pleaded guilty
to official misconduct.  He will pay US $4,666 in restitution to the
company he worked for and will serve 30 months probation following
his release from jail.
http://www.suntimes.com/news/24-7/1764493,illegal-background-checks-sentence-091109.article
http://www.chicagotribune.com/news/chi-ap-il-911misconduct,0,320856.story
http://www.chicagobreakingnews.com/2009/09/police-dispatch-official-admits-misusing-police-database.html


**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked
in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently
serves as President of the SANS Technology Institute, a post graduate
level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet
Storm Center and Dean of the Faculty of the graduate school at the
SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at
TippingPoint, where he leads the Digital Vaccine and ThreatLinQ
groups. His group develops protection filters to address
vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other
applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information
Security Forum (ISF) and author who has served as CSO for Microsoft
and eBay and as Vice-Chair of the President's Critical Infrastructure
Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center
(NIPC) at the FBI and is the incoming President of the InfraGard
National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the
information security field who have held a top management position in
a Fortune 50 company (Alcoa).  He is leading SANS' global initiative
to improve application security.

David Hoelzer is the director of research & principal examiner
for Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security
Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center
for Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/

