  • Subject: Historical SANS NewsBites Vol. 11 Num. 75 : Justice Department says Einstein 2 OK on Privacy
  • From: The SANS Institute
  • Date: Tue Sep 22 15:38:41 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites             September 22, 2009            Vol. 11, Num. 75
*************************************************************************
TOP OF THE NEWS
  FCC Chair Introduces Proposed Net Neutrality Rules
  Justice Dept. Review Says Einstein 2 Does Not Violate Users' Privacy
THE REST OF THE WEEK'S NEWS
  Microsoft Issues Workaround for SMB Vulnerability
  Bank Suing Google to Discover Identity of Accidental eMail Recipient
  Facebook Will Shutter Beacon as Part of Lawsuit Settlement
  Jail Time for Test Deposit Scammer
  Microsoft Files Five Suits Against Malvertisers
  Malware Purveyors Monkey Around with PBS Show Site
  Attackers Exploit Web Application Flaw to Hijack Yahoo Mail Accounts
  Software Company Fined for Trading with the Enemy
  India Wants Internet Telephony Ban
  Maine Heating Company Loses US $150,000 Through Social Engineering Attack

************************ Sponsored By HP  *******************************

Participate in a 24-hour live hacking challenge! Join application
security experts from around the world at HP's virtual conference Sept
29-30.

Attend live and on-demand sessions, chat with experts and download the
latest information on application security, cloud security, Web 2.0 and
more. "HP Functionality, Performance & Security Testing in today's
application realities." Register Now.

http://www.sans.org/info/48863
*************************************************************************
TRAINING UPDATE
 -- SANS Chicago North Shore, Oct. 26-Nov. 2,
    http://www.sans.org/chicago09/
 -- SCADA Security Summit, Stockholm, Oct. 27-30,
    http://www.sans.org/euscada09_summit/
 -- SANS San Francisco, November 9-14,
    http://www.sans.org/sanfrancisco09
 -- SANS Sydney, Nov. 9-14,
    http://sans.org/sydney09/
 -- SANS London, UK, Nov. 28-Dec. 9,
    http://sans.org/london09/
 -- SANS CDI, Washington DC, Dec. 11-18,
    http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
    http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS
 --FCC Chair Introduces Proposed Net Neutrality Rules
(September 21, 2009)
In a speech at the Brookings Institution on Monday, September 21,
Federal Communications Commission (FCC) Chairman Julius Genachowski
proposed a set of rules that would prohibit Internet service providers
from slowing down competitors' Internet traffic on their networks.
Genachowski is proposing starting the rulemaking process to codify
neutrality principles introduced in 2005 while incorporating the
additional proposed rules.  The impact for consumers would be that
providers could not block access to or slow down traffic from video and
phone services.  Companies could potentially charge subscribers for
using excessive amounts of bandwidth.  Providers would also need to have
transparent network management policies.  The proposed rules have a
broader reach than expected, as they would apply to all broadband
connections, including smartphone data connections.  Some providers
believe that the government should not decide how they run their
networks.  US Senator Kay Bailey Hutchison (R-Texas) has already
introduced legislation to block net neutrality rules.
http://online.wsj.com/article/SB125354032776727741.html
http://www.wired.com/epicenter/2009/09/net-neutrality-announcement/
http://www.wired.com/epicenter/2009/09/republican-net-neutratlity-amendment/
http://www.nytimes.com/external/readwriteweb/2009/09/21/21readwriteweb-fcc-proposes-new-rules-to-ensure-net-neutra-38727.html
http://voices.washingtonpost.com/posttech/2009/09/fcc_wants_to_be_smart_cop_of_i.html
http://voices.washingtonpost.com/posttech/2009/09/senate_republicans_to_push_aga.html
[Editor's Note (Pescatore): The old principles made it clear that ISPs
could block access to or carriage of "non-lawful" content and could
block devices that might "harm the network". While those are squishy
terms, it does provide justification for blocking access to malware sites
and in-bound attacks - as long as there is an acceptable definition of
"non-lawful" and "harm."]

 --Justice Dept. Review Says Einstein 2 Does Not Violate Users' Privacy
(September 18, 2009)
A US Justice Department (DOJ) review of the Einstein 2 surveillance
program concluded that the program, which monitors federal workers' Internet
traffic, does not violate their privacy rights or those of the people
who communicate with them.  Einstein 2's purpose is to detect attacks
on government networks.  Employees are warned when they log in that
their activity will be monitored, thereby "eliminat[ing their]
legitimate expectations of privacy."  A privacy advocacy group has
expressed concern that the report does not go far enough into explaining
how Einstein 2 works.
http://www.msnbc.msn.com/id/32920337/ns/technology_and_science-security/
[Editor's Note (Pescatore): The ability of employers in the US to
monitor employee Internet, and the lack of "reasonable expectations of
privacy" for employees using the corporate network have long been
established.]

************************  Sponsored Links:  ****************************
1) IBM Security Management & Compliance Solutions. In the US nearly
114,000 regulations have been introduced since 1981. Learn more at the
Service Management Resource Center.
http://www.sans.org/info/48868 

2) WEBCAST: Defending against Web 2.0 and Browser Hacks & Attacks. Can
SaaS Web Security Deliver Higher Protection & Lower Cost? Keynote by
Peter Firstbrook of Gartner
http://www.sans.org/info/48873 

3) View new Top Layer Security Intrusion Prevention System Demo and
learn about Free IPS Program
http://www.sans.org/info/48878
***********************************************************************

THE REST OF THE WEEK'S NEWS
 --Microsoft Issues Workaround for SMB Vulnerability
(September 21, 2009)
Microsoft has issued a workaround to protect users from a critical
vulnerability in Server Message Block (SMB) version 2.  The remote code
execution flaw was disclosed earlier this month.  The workaround
disables SMBv2 (the newer version of the network file and print sharing
protocol) rather than patching it, to protect users until a fix is
released.  The flaw affects Microsoft Windows Vista, Windows Server 2008
and Windows 7 release candidates.  The original security advisory
(975497, originally issued September 7, 2009) includes a link to the
workaround.
http://www.eweek.com/c/a/Security/Microsoft-Issues-New-Security-Workaround-for-SMB-Vulnerability-796669/
http://www.securecomputing.net.au/News/156276,microsoft-rushes-out-quick-fix-for-smb-flaw.aspx
http://www.microsoft.com/technet/security/advisory/975497.mspx
[Editor's Note (Ullrich): It is important to note that the "FixIt"
released by Microsoft does not actually fix the problem. It just turns
off the vulnerable feature (SMBv2). Affected systems will still be able
to share files using SMBv1.]
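The check a practitioner wants after applying this workaround is whether the server still negotiates SMB2 on the wire. The script below is an added example, not Microsoft's Fix-It and not taken from advisory 975497: it sends the same SMB1 Negotiate Protocol Request a Windows client sends, with an SMB2 dialect string in the list (framing per MS-CIFS and MS-SMB2), and classifies the reply by its protocol header. A host with SMBv2 enabled answers with an SMB2 header (0xFE 'S' 'M' 'B'); a host with the workaround applied answers with an SMB1 header (0xFF 'S' 'M' 'B') and, as Ullrich notes, keeps serving files over SMBv1. Port 445, the 0xFEFF process id and the Flags2 value are assumptions copied from typical Windows client traffic; no exploit is involved, but point it only at systems you are authorized to test.

```python
"""Added example (not Microsoft's Fix-It, not from advisory 975497): check
from the network whether a server still negotiates SMB2. Sends the SMB1
Negotiate Protocol Request a Windows client sends, with an SMB2 dialect in
the list, and classifies the reply by its protocol header."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"      # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"      # SMB2 header signature
SMB_COM_NEGOTIATE = 0x72

# SMB1 dialect strings per MS-CIFS / MS-SMB2; "SMB 2.002" asks for SMB2.
DEFAULT_DIALECTS = ("NT LM 0.12", "SMB 2.002")


def build_negotiate(dialects=DEFAULT_DIALECTS) -> bytes:
    """SMB1 Negotiate Protocol Request inside a NetBIOS session message."""
    header = (
        SMB1_MAGIC
        + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853)  # Command, Status, Flags, Flags2 (assumed client values)
        + struct.pack("<H", 0)                                       # PIDHigh
        + b"\x00" * 8                                                # SecurityFeatures
        + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0)                  # Reserved, TID, PID (assumed), UID, MID
    )
    assert len(header) == 32
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)  # 0x02 + name + NUL
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data              # WordCount=0, ByteCount, dialects
    return struct.pack(">I", len(smb)) + smb      # NetBIOS session header: type 0x00 + 24-bit length


def classify(response: bytes) -> str:
    """Map the server's reply to one of: smb2, smb1, none, no-reply, unknown."""
    if len(response) < 8:
        return "no-reply"
    magic = response[4:8]
    if magic == SMB2_MAGIC:
        return "smb2"                       # SMBv2 still enabled: workaround not applied
    if magic == SMB1_MAGIC:
        if len(response) < 4 + 32 + 3:      # need WordCount + DialectIndex
            return "unknown"
        dialect_index = struct.unpack_from("<H", response, 4 + 32 + 1)[0]
        return "none" if dialect_index == 0xFFFF else "smb1"   # 0xFFFF: server accepted no dialect
    return "unknown"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send one negotiate, classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        return classify(s.recv(4096))


if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it with one or more host names on the command line. "smb2" means the Fix-It has not taken effect on that server; "smb1" is the expected answer after the workaround and also a reminder that file sharing is still reachable over SMBv1; "none" means the server accepted neither dialect.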

 --Bank Suing Google to Discover Identity of Accidental eMail Recipient
(September 21, 2009)
A Wyoming bank is suing Google to discover the identity of a Gmail user
to whom the bank accidentally sent confidential information.  A Rocky
Mountain Bank customer asked the bank to send loan documents to a third
party, but a bank employee sent the email to the wrong Gmail address.
To compound the situation, the employee also inadvertently attached a
document containing sensitive information that should never have been
sent at all.  The attachment contained the names, addresses, tax
identification or Social Security numbers (SSNs) and loan data of 1,325
businesses and individuals.  Upon realizing the mistake, the employee
emailed the unknown Gmail user, asking that the previous email be
destroyed and that the recipient contact the bank, but no return
communication has been received.  The court is considering a request
from the bank to issue an order requiring Google to disclose the
recipient's identity.
http://www.wired.com/threatlevel/2009/09/bank-sues-google/
http://www.wired.com/images_blogs/threatlevel/2009/09/rocky-mountan-bank-v-google.pdf

 --Facebook Will Shutter Beacon as Part of Lawsuit Settlement
(September 19, 2009)
Facebook will close down its Beacon advertising system as part of a
settlement of a class action lawsuit.  Beacon notified Facebook users'
friends of their activities and purchases on other websites.  The
lawsuit filed just over a year ago alleged that the actions of Facebook
and its Beacon affiliates violated the Electronic Communications Privacy
Act, the Video Privacy Protection Act and several other laws.  The
settlement also mandates the establishment of a foundation to promote
online privacy, safety and security.  A Facebook executive noted that
"the Beacon experience ... underscored how critical it is to provide
extensive user control over how information is shared."
http://www.computerworld.com/s/article/9138271/Facebook_will_shut_down_Beacon_to_settle_lawsuit?taxonomyId=17
http://www.siliconrepublic.com/news/article/13898/digital-life/facebook-switches-off-beacon-in-response-to-lawsuit
http://spamnotes.com/files/31236-29497/BeaconSettlement.pdf
http://spamnotes.com/files/31236-29497/MotionSettlement.pdf
[Editor's Note (Pescatore): Unfortunately, for consumer oriented sites
"extensive user control" always translates to "extensive, hard to find
user controls that default to lack of user control unless the user is
really, really, really motivated." All the consumer-oriented sites need
to take advantage of user data to justify high enough advertising rates
to have any chance of ever making a profit.]

 --Jail Time for Test Deposit Scammer
(September 18, 2009)
Michael Largent, 22, of Plumas Lake, CA, was sentenced to 15 months in
prison for an online brokerage scam that netted him US $50,000.  Largent
opened thousands of accounts with phony information to take advantage
of the brokerages' practice of making very small deposits of between
US $0.01 and US $2 in customers' accounts to test their validity.  Largent
was also ordered to pay US $200,000 in restitution to the banks he
defrauded.
http://www.theregister.co.uk/2009/09/18/brokerage_scam_sentencing/
http://www.computerworld.com/s/article/9138217/Man_gets_15_months_for_E_Trade_skimming_scam?source=rss_security

 --Microsoft Files Five Suits Against Malvertisers
(September 17 & 18, 2009)
Microsoft has filed five civil lawsuits against alleged malvertisers,
entities that use maliciously crafted advertisements to spread malware.
The lawsuits allege that the defendants sent malware that appeared to
be legitimate advertisements over Microsoft's AdCenter network.  The
malware, known as scareware, tells users their computers are infected
with malware and directs them to sites where they can purchase products
that will purportedly remove the malicious software.  The lawsuits have
been filed against John Does; Microsoft hopes to use subpoenas to
uncover the identities of those responsible for the malware.
http://www.scmagazineus.com/Microsoft-sues-five-companies-over-malware-laden-ads/article/149248/
http://bits.blogs.nytimes.com/2009/09/18/microsoft-chases-unknown-scammers-through-the-courts/?ref=technology
http://www.msnbc.msn.com/id/32916067/ns/technology_and_science-security/
http://www.computerworld.com/s/article/9138211/Microsoft_sues_scareware_scammers?taxonomyId=17
http://www.theregister.co.uk/2009/09/18/microsoft_legalaction_malvertising/

 --Malware Purveyors Monkey Around with PBS Show Site
(September 18, 2009)
The PBS.org website says it has fixed a security problem that allowed
attackers to compromise the website for the Curious George television
show and possibly serve malware to site visitors.  The site popped up a
phony authentication page; when the login failed, an error page
containing malicious JavaScript was served.  The attack targeted
vulnerabilities in Adobe Acrobat Reader, Apple QuickTime and others.
http://www.scmagazineus.com/PBS-Curious-George-site-hacked-to-serve-malware/article/149244/
http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2009/09/18/urnidgns852573C40069388000257635007E09DB.DTL
http://news.idg.no/cw/art.cfm?id=C9A21787-1A64-6A71-CEC6F1FD140D4037

 --Attackers Exploit Web Application Flaw to Hijack Yahoo Mail Accounts
(September 18, 2009)
Attackers are exploiting a known vulnerability in Yahoo's network to
launch brute force attacks against users' Yahoo mail accounts.  The
attackers are using hijacked mail accounts to send spam.  The main Yahoo
login page has mechanisms in place that protect accounts from brute
force attacks, but the recent attacks have been exploiting a web
application that automates the authentication process and does not have
the attack protection in place.
http://www.theregister.co.uk/2009/09/18/ongoing_yahoo_mail_attacks/
http://www.scmagazineus.com/Rampant-brute-force-attack-against-Yahoo-Mail/article/149373/
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1368227,00.html#
[Editor's Note (Ullrich): The attackers are taking advantage of an all
too common flaw. The web application will block repeat login attempts
using CAPTCHAs, while the web service does not implement similar
protections.]
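Ullrich's point, as an added example that is not Yahoo's code: two login paths check the same credential store, but in the weak deployment only the interactive web form consults the failure tracker, so the attacker's loop simply runs against the other path. The hardened form hands both paths one shared tracker, so guesses made through the web service count against the account and lock the web form as well. The account, password, word list, salt and lockout limits are constructed for the demonstration.

```python
"""Added example: one lockout policy for every authentication path.
Not Yahoo's code; the account, password, word list and limits are constructed."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

_SALT = b"\x01" * 16   # fixed salt keeps the demo deterministic; use a random per-user salt in practice


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20000)


# Constructed credential store with one demo account.
USERS = {"alice": _hash("Summer2009!")}


def password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(password)            # burn the same work for unknown users (no timing oracle)
        return False
    return hmac.compare_digest(stored, _hash(password))


class FailureTracker:
    """Sliding-window count of failed logins per account.
    One instance must be shared by every endpoint that accepts a password."""

    def __init__(self, limit=5, window=900, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = defaultdict(deque)          # user -> timestamps of recent failures

    def _recent(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def locked(self, user) -> bool:
        return len(self._recent(user, self.clock())) >= self.limit

    def record(self, user, ok: bool):
        now = self.clock()
        if ok:
            self.failures.pop(user, None)
        else:
            self._recent(user, now).append(now)


def login(user, password, tracker=None):
    """One authentication endpoint. Returns 'ok', 'bad' or 'locked'.
    tracker=None models the web-service path that shipped without the protection."""
    if tracker is not None and tracker.locked(user):
        return "locked"           # refuse before the password is even evaluated
    ok = password_ok(user, password)
    if tracker is not None:
        tracker.record(user, ok)
    return "ok" if ok else "bad"


def brute_force(user, wordlist, tracker=None):
    """Attacker loop against one endpoint: returns (password or None, attempts made)."""
    for n, guess in enumerate(wordlist, 1):
        result = login(user, guess, tracker)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


WORDLIST = ["password", "123456", "yahoo", "letmein", "qwerty", "summer", "Summer2009!", "abc123"]


def weak_deployment():
    """Web form has the lockout, the API path has none; the attacker uses the API.
    Returns (password found, attempts, whether the web form ever locked)."""
    endpoints = {"web": FailureTracker(limit=5), "api": None}
    found, attempts = brute_force("alice", WORDLIST, tracker=endpoints["api"])
    return found, attempts, endpoints["web"].locked("alice")


def hardened_deployment():
    """Both paths consult the same tracker: API guesses lock the account everywhere."""
    shared = FailureTracker(limit=5)
    endpoints = {"web": shared, "api": shared}
    found, attempts = brute_force("alice", WORDLIST, tracker=endpoints["api"])
    return found, attempts, endpoints["web"].locked("alice")


if __name__ == "__main__":
    print("weak:    ", weak_deployment())      # ('Summer2009!', 7, False)
    print("hardened:", hardened_deployment())  # (None, 6, True)
```

The weak deployment gives up the password on the seventh guess and the web form's own counter never moves, because it never saw the traffic. With the shared tracker the sixth request is refused before the password is checked, and the web form is locked for the same account, which is the property a CAPTCHA bolted onto only one front end cannot provide.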

 --Software Company Fined for Trading with the Enemy
(September 17, 2009)
A Colorado software company has been fined US $14,500 for selling oil
and gas exploration software to a company that intended to use it for
exploration in Cuban waters.  The company pleaded guilty to trading with
the enemy.  The US has had a trade embargo against Cuba since the 1960s.
The software was purchased by a Spanish company.  An employee from the
Spanish firm arrived in Colorado with data to be used in training.
Platte River Associates president Jay Leonard has been sentenced to 12
months of supervised release on an unrelated charge of unauthorized
access of a protected computer.
http://www.theregister.co.uk/2009/09/18/platte_river_associates_sentenced_for_trading_with_enemy/
http://www.computerworld.com/s/article/9138221/Software_company_fined_for_trading_with_the_enemy?taxonomyId=17

 --India Wants Internet Telephony Ban
(September 17, 2009)
Indian security officials are calling for a ban on international
Internet telephony until they have the capability to trace calls on such
systems.  The move comes in response to the November 2008 attacks in
Mumbai in which 166 people were killed.  The attackers used satellite
phones and Internet telephony to communicate with each other.
http://www.straitstimes.com/Breaking%2BNews/Tech%2Band%2BScience/Story/STIStory_431179.html

 --Maine Heating Company Loses US $150,000 Through Social Engineering Attack
(September 15, 2009)
Downeast Energy and Building Supply in Brunswick, Maine has notified 800
of its customers that some of their sensitive information was
compromised in a security breach.  The breach affected customers who had
signed up for the company's checking account electronic payment option.
A company employee received what was apparently a spear phishing message
that appeared to come from the company's bank.  After clicking on the
provided link, the employee entered the company's account access
credentials, which the attackers then used to steal US $150,000 from the
company's account.  Downeast Energy views the incident as "the result
of human error," not a computer security problem.
http://pressherald.mainetoday.com/story.php?id=283383&ac=PHnws
[Editor's Note (Schultz): Regardless of whether Downeast Energy and
Building Supply's claim is truthful, this incident once again highlights
the disproportionate amount of risk that human error introduces.
Numerous studies show that financial loss due to human error is far
greater than loss due to security-related risk, yet organizations too
often devote few resources to mitigating error-related risk.
(Honan): Sorry Downeast Energy but staff not trained to identify
phishing emails or verify source of unsolicited communications before
responding IS a security problem and not just "the result of human
error."]


**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkq5GN4ACgkQ+LUG5KFpTkY72QCfSIQ6VKe/UukYc0vUYCVHuRRK
YcgAn27Add3SM+3LrXkI3L1hAJ7P2CJ9
=2JrD
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------