Network Security
SANS NewsBites Vol. 11 Num. 76 : Bank Sued for Relying on One-Factor Authentication
- From: The SANS Institute
- Date: Fri Sep 25 14:39:26 2009
*************************************************************************
SANS NewsBites September 25, 2009 Vol. 11, Num. 76
*************************************************************************
TOP OF THE NEWS
Construction Company Sues Bank for Money Lost in Cyber Scam
Demand Up for Technical Security Skills; Demand Fading for Security
Policy/Compliance Skills
PCI DSS Compliance Survey
"Chat-in-the-Middle" Attack Preys on Online Banking Customers
THE REST OF THE WEEK'S NEWS
Cisco Releases 11 Security Advisories
Former Employee Pleads Guilty to SCADA Intrusion and Damage
DOD IG Audit Finds Data Sanitization Problems for Decommissioned IT
Equipment
NIST Issues Smart Grid Interoperability Standards Draft
Apple Releases iTunes Update
New Cyber Security Research Center Opens in Belfast
DOD to Lift USB Ban With Restrictions
**************** Sponsored By IBM Rational AppScan *********************
IBM Security Management Solutions
The average cost of security breaches is estimated to be $6.6 million.
Prepare at the Service Management Resource Center.
http://www.sans.org/info/49108
*************************************************************************
TRAINING UPDATE
-- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov. 9-14,
http://sans.org/sydney09/
-- SANS London, UK, Nov. 28-Dec. 9,
http://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Construction Company Sues Bank for Money Lost in Cyber Scam
(September 23 & 24, 2009)
A Maine construction company is suing a bank for not taking adequate
precautions that could have prevented cyber thieves from stealing more
than half-a-million dollars from the company's account. The lawsuit was
filed by Patco Construction Co. against Ocean Bank, a division of
Bridgeport, Connecticut-based People's United Bank. It alleges that
numerous fraudulent transactions totaling US $588,000 took place over
an eight-day period in May, that Patco notified the bank of the situation
when it discovered the transactions, and that the bank did not stop
subsequent fraudulent transactions. The bank did not offer two-factor
authentication, relying instead on a pair of challenge security
questions for transactions over US $1,000. Because most transactions
exceeded this amount, the information was used often, and the attackers
could have grabbed it through keystroke loggers or other malware. Patco
also says that Ocean Bank failed to take note of suspicious or anomalous
behavior, including the fact that all of the transfers were initiated
through IP addresses that Patco had never before used to conduct
transactions. While consumers often have a grace period after receiving
bank statements to identify fraudulent transactions and alert the bank,
businesses are often required to notify the bank of fraudulent
transactions the day they occur.
http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html
http://www.computerworld.com/s/article/9138467/Construction_firm_sues_after_588_000_online_theft?source=rss_security
[Editor's Note: (Northcutt): This is a lawsuit I have been expecting for
a long time. Asking the name of your pet really does not meet the spirit
of two-factor authentication. There are several companies positioned
well for this; they call your mobile phone. Since most people that do
online transactions over $1,000.00 have a mobile phone, this probably
makes sense and falls into the realm of true two-factor authentication,
something you know (password) and something you have (mobile phone).
(Ranum): This may be how it's all going to get sorted out, eventually.
Lots of litigation (which will make lawyers happy) ending in more lines
of fine print on every bank/credit contract. Ultimately, people will be
forced to realize that end-point security is important, too, and - maybe
- we'll have some serious re-examination of how society at large does
end-point computing.]
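The complaint above faults the bank for not noticing that every transfer came from IP addresses the customer had never used, at a volume far above its normal activity. The following is an added illustration, not code from the page or from either party, of the kind of pre-release screening a bank could run on commercial transfers: the account, IP addresses (documentation ranges), amounts and the 24-hour limit are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Transfer:
    account: str
    ts: datetime
    amount: float
    src_ip: str

@dataclass
class Profile:
    known_ips: Set[str] = field(default_factory=set)   # IPs seen only on cleared transfers
    seen: List[Transfer] = field(default_factory=list)  # every transfer, cleared or held

def review(p: Profile, t: Transfer, window=timedelta(days=1), limit=50_000.0) -> List[str]:
    """Return the reasons a transfer should be held for out-of-band confirmation."""
    reasons = []
    if t.src_ip not in p.known_ips:
        reasons.append("new-source-ip")            # never used by this customer before
    recent = sum(x.amount for x in p.seen if t.ts - x.ts <= window) + t.amount
    if recent > limit:
        reasons.append(f"velocity>{limit:.0f}")    # 24h total exceeds the account's limit
    return reasons

def monitor(baseline, stream) -> List[Tuple[Transfer, List[str]]]:
    """Build per-account profiles from trusted history, then screen the new stream."""
    profiles: Dict[str, Profile] = {}
    for t in baseline:                              # history assumed already confirmed
        p = profiles.setdefault(t.account, Profile())
        p.known_ips.add(t.src_ip); p.seen.append(t)
    alerts = []
    for t in stream:
        p = profiles.setdefault(t.account, Profile())
        reasons = review(p, t)
        p.seen.append(t)                            # counts toward velocity either way
        if reasons:
            alerts.append((t, reasons))             # held: a held transfer must not teach the profile its IP
        else:
            p.known_ips.add(t.src_ip)
    return alerts

# Constructed sample: ten routine $3,000 transfers from the customer's usual address,
# then one more routine transfer, then an eight-day run of large transfers from a new IP.
T0 = datetime(2009, 5, 1, 9, 0)
BASELINE = [Transfer("acct-1", T0 + timedelta(days=d), 3_000.0, "203.0.113.10") for d in range(10)]
STREAM = (
    [Transfer("acct-1", T0 + timedelta(days=11), 2_500.0, "203.0.113.10")]
    + [Transfer("acct-1", T0 + timedelta(days=12 + d, hours=h), 24_000.0, "198.51.100.7")
       for d in range(8) for h in (1, 2, 3)]
)

if __name__ == "__main__":
    for t, why in monitor(BASELINE, STREAM):
        print(t.ts.date(), t.src_ip, f"{t.amount:,.0f}", why)
```

Because a held transfer never adds its source address to the profile, every transfer in the eight-day run is flagged, not just the first one.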
--Demand Up for Technical Security Skills; Demand Fading for Security
Policy and Compliance Skills
(September 25, 2009)
GovInfoSecurity published a certification review today that highlights
the changing character of hiring interest in security people. Technical
certifications have passed the management certifications as most in
demand. Technical certifications from SANS/GIAC, Cisco, and Checkpoint
dominated the list of those most in demand. Neither of the two
certifications most often associated with management and policy was in
the top ten.
http://www.govinfosecurity.com/articles.php?art_id=1807&opg=1
--PCI DSS Compliance Survey
(September 23, 2009)
According to the PCI DSS (Payment Card Industry Data Security Standard)
Compliance survey, commissioned by Imperva and conducted by the Ponemon
Institute, approximately 70 percent of entities that handle payment card
transactions view compliance as a box checking exercise rather than as
central to their operations. Companies that implement PCI DSS as part
of their strategic approach are less likely to experience breaches.
Nearly 80 percent of those surveyed said their organizations had
experienced a data security breach. Fifty-five percent of responding
organizations said they protected payment card data but not other
customer data, like Social Security numbers (SSNs), driver's license
numbers and financial account information. Of the small businesses (501
to 1,000 employees), 28 percent are PCI DSS compliant; of large
businesses (75,000 or more employees), 70 percent are PCI DSS compliant.
The top reason for non-compliance is the cost associated with
implementing new security programs.
http://www.darkreading.com/security/attacks/showArticle.jhtml;?articleID=220100919&subSection=Attacks/breaches
http://www.computerworld.com/s/article/9138427/PCI_survey_finds_some_merchants_don_t_use_antivirus_software?source=rss_security
http://www.theregister.co.uk/2009/09/23/data_security_survey/
http://lastwatchdog.com/pci-compliance-ineffective-stopping-data-thieves/
[Editor's Note (Schultz): The "checkbox mentality" approach to
compliance is by no means limited to PCI-DSS compliance. And it is
little surprise to hear once again that cost is the major reason for
failure to comply.]
--"Chat-in-the-Middle" Attack Preys on Online Banking Customers
(September 18 & 24, 2009)
In a new twist on phishing, cyber thieves are posing as employees in a
bank's fraud detection department in a live chat. Users are directed
to the site through a phishing email and are asked to type in their
login credentials. The chat window then opens, and the attackers tell
the victims that the fraud department of the bank is requiring
additional information, including challenge questions, to validate their
accounts. The cyber criminals are using the Jabber IM protocol to
conduct their online conversations with the victims; the attack is being
hosted on a fast-flux network.
http://software.silicon.com/security/0,39024655,39527467,00.htm
http://www.securecomputing.net.au/News/156603,rsa-warns-of-new-chatinthemiddle-attacks.aspx
************************ Sponsored Links: ****************************
1) Register Today and receive 10% off for SANS vLive course SEC542, Web
App Penetration Testing and Ethical Hacking, November 2nd - November
9th. Please use the code @Risk542 when registering.
http://www.sans.org/info/49113
2) REGISTER NOW for the Ask The Expert Webcast: Offense and Defense:
Better Correlation
http://www.sans.org/info/49118
3) UPCOMING WEBCAST: WhatWorks in Firewalls, Enterprise Antivirus and
Unified Threat Management: Virtualizing Server Security with the U.S.
Army Human Resource Command
http://www.sans.org/info/49123
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Cisco Releases 11 Security Advisories
(September 23 & 24, 2009)
Cisco has issued eleven security advisories to address vulnerabilities
in its IOS router operating system and Unified Communications Manager;
seven of the advisories address denial of service issues in the IOS.
Cisco has provided updates for all the vulnerabilities.
http://www.h-online.com/security/Flood-of-patches-from-Cisco--/news/114314
http://www.computerworld.com/s/article/9138434/Cisco_patches_a_dozen_router_bugs?source=rss_security
http://www.v3.co.uk/v3/news/2250082/cisco-patches-flaws
http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml
--Former Employee Pleads Guilty to SCADA Intrusion and Damage
(September 23, 2009)
Mario Azar has pleaded guilty to one count of damaging computer systems
for tampering with the Supervisory Control and Data Acquisition (SCADA)
system of Pacific Energy Resources in Long Beach, California, after
learning he was not going to be offered a permanent position with the
company. The intrusion caused the company to "lose control" of its
computer systems in spring of 2008. Azar had helped set up the SCADA
system, which is used for company communications between headquarters
and oil platforms and for detecting leaks on the platforms. The
intrusion did not cause any leaks, but did cost the company thousands
of dollars to repair. He faces up to 10 years in prison when he is
sentenced later this year.
http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.html
[Editor's Note (Pescatore): I don't think this caused them to "lose
control," it sounds like they never really had control. Control would
have meant having some form of superuser privilege management on critical
systems.]
--DOD IG Audit Finds Data Sanitization Problems for
Decommissioned IT Equipment
(September 21 & 23, 2009)
According to an audit report from the US Defense Department (DOD)
Inspector General, some organizations within the Department are still
disposing of information technology equipment without first scrubbing
the data it contains. In addition, the report notes that some DOD
guidance for equipment disposal was so out of date that it could not
deal with certain newer data storage technologies.
http://fcw.com/articles/2009/09/23/inspector-general-audit.aspx
http://www.dodig.mil/Audit/reports/fy09/09-104.pdf
--NIST Issues Smart Grid Interoperability Standards Draft
(September 24, 2009)
The National Institute of Standards and Technology (NIST) has issued a
draft report, the NIST Framework and Roadmap Smart Grid Interoperability
Standards. The report lists 77 smart grid standards to help "achieve
interoperability of Smart Grid devices and systems."
http://www.nytimes.com/gwire/2009/09/24/24greenwire-obama-admin-releases-initial-smart-grid-standa-98180.html
http://www.nextgov.com/nextgov/ng_20090924_3288.php?oref=topnews
http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf
--Apple Releases iTunes Update
(September 23 & 24, 2009)
Apple has issued a security update for iTunes that protects the music
player against certain maliciously crafted playlists. The flaw can be
exploited on Mac OS X or Windows systems. iTunes 9.0.1 addresses the
buffer overflow vulnerability in the handling of .pls files as well as
other issues that can cause iTunes to become unresponsive or quit
unexpectedly. The update comes just two weeks after iTunes 9.0 was
released on September 9.
http://news.zdnet.co.uk/security/0,1000000189,39763722,00.htm
http://www.securityfocus.com/brief/1015
http://www.h-online.com/security/Apple-plugs-critical-vulnerability-in-iTunes--/news/114301
http://support.apple.com/kb/HT3884
--New Cyber Security Research Center Opens in Belfast
(September 24, 2009)
The Centre for Secure Information Technologies (CSIT) opened this week
in Belfast, Northern Ireland. The security research center will develop
technologies both to protect data and to protect people's physical
security. Although the center was officially launched this week, it has
been operational for the last six months. Among the center's projects
is the development of processors powerful enough to screen vast
quantities of data for malicious content and suspicious behavior.
http://www.theregister.co.uk/2009/09/24/csit_queens_opens/
http://news.zdnet.co.uk/security/0,1000000189,39762142,00.htm
http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/8271301.stm
--DOD to Lift USB Ban With Restrictions
(September 21 & 22, 2009)
The US DOD plans to lift its ban on USB drives in a very restricted way.
Only USB drives that have been both approved and procured by DOD will
be permitted to be used on department computers. The ban was imposed
late last year after a worm spread across DOD networks. "The days of
using personally owned flash media or using flash media collected at
conferences or trade shows is long gone," according to the blog of Navy
CIO Robert Carey.
http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=220100601
http://www.govinfosecurity.com/articles.php?art_id=1797
[Editor's Note (Pescatore): This is a good step forward - something the
Navy had been looking at several years ago. But, malware will get on
approved USB devices, too. They also need to fix the root problem of why
the worm succeeded.]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/