Historical SANS NewsBites Vol. 11 Num. 80 : Malware alert service a first for a major ISP

  • From: The SANS Institute
  • Date: Fri Oct 09 15:48:04 2009


If you are one of hundreds of organizations trying to start or improve
your application security efforts, there is an interesting new
initiative to help see how you compare to your peers. By seeing what
works (and what doesn't) for others, the results might help you jump
start your efforts. Cigital is collecting the data for the BSIMM Begin
model. If you have a software security program and would like to compare
your organization or see the results of the survey, you can take it
here: http://bsi-mm.com/begin

SANS is backing a program in UK modeled on the US Cyber Challenge, which
aims to identify and nurture the best of the best of emerging cyber
security talent.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6865432.ece

                               Alan

************************************************************************
SANS NewsBites             October 09, 2009             Vol. 11, Num. 80
************************************************************************
TOP OF THE NEWS
  Comcast Testing Malware Alert Service
  Japan High Court Acquits Winny Creator of Copyright Violation Charges
  Film Companies Take Australian ISP to Court for Failure to Act on
    Filesharing Information

THE REST OF THE WEEK'S NEWS
  Microsoft Will Issue 13 Bulletins on October 13
  Adobe Warns of Limited Targeted Attacks on Reader and Acrobat Vulnerability
  Comcast Testing Malware Alert Service
  Japan High Court Acquits Winny Creator of Copyright Violation Charges
  No More Internet Banking for FBI Director
  Convicted Online Trading Hacker Strikes Again
  Legislators Seek More Information on JP Morgan Chase Bank Data Breach
  Operation Phish Phry Rounds Up 100 Suspects
  Stolen Laptop Holds Unencrypted Data of 850,000 Doctors
  Microsoft Blocks Hacked Hotmail Accounts; Researcher Says Scope of
    Attack Suggests Keystroke Loggers
  PayPal Suspends Researcher's Account

SPECIAL NOTICE: Protecting Your Business from Online Banking Fraud 

************************** Sponsored By Q1 Labs ************************
** THE SECURITY MANAGEMENT EVOLUTION: WHAT'S NEXT? **

GET THE WHITE PAPER NOW:
http://www.sans.org/info/49399

Respected industry analyst firm Enterprise Strategy Group (ESG) provides
a unique perspective on the evolution of security information and event
management (SIEM) solutions from niche firewall log analyzers to highly
strategic security management solutions. How can organizations like
yours identify and leverage the newest, most sophisticated tools in the
next phase of the Evolution?
************************************************************************
TRAINING UPDATE
-- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov. 9-14
http://sans.org/sydney09/
-- SANS London, UK, Nov. 28-Dec. 9,
http://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Comcast Testing Malware Alert Service
(October 8, 2009)
On Thursday, October 8, Comcast began testing a service that alerts its
broadband subscribers with pop-ups if their computers appear to be
infected with malware.  Among the indicative behaviors that trigger
alerts are spikes in overnight traffic, suggesting the machine has been
compromised and is being used to send spam.  Comcast also uses
information supplied by research groups about IP addresses that appear
to have been infected with malware.  The Comcast test program appears
to be the first in which a major Internet service provider (ISP) is
taking measures to alert customers to potential security issues.
Comcast Constant Guard is being piloted in Denver.  The alerts will
direct users to Comcast's antivirus center where they can receive help
cleaning their machines of malware.
http://news.cnet.com/8301-27080_3-10370996-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.pcmag.com/article2/0,2817,2354001,00.asp
[Editor's Note (Schultz): Comcast has taken a big step forward. The
question now is whether users who are warned about having virus
infections will do anything given that over the years they have been
bombarded by pop-up ads, Windows Vista User Access Control warnings, and
more. ]
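As an added illustration (not code from the newsletter or from Comcast), here is a simplified version of the two signals described above: a subscriber is flagged when its overnight outbound traffic and SMTP connection count jump far above its own daytime baseline, or when its address appears on an externally supplied list of reported-infected IPs. The flow records, the thresholds and the infected-IP list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: hour-bucketed outbound traffic per subscriber IP.
# Fields: ISO timestamp, subscriber IP, outbound bytes, outbound SMTP connections.
SAMPLE_FLOWS = """\
2009-10-07T09:00 10.0.0.5 110000 1
2009-10-07T12:00 10.0.0.5 95000 0
2009-10-07T15:00 10.0.0.5 130000 2
2009-10-07T20:00 10.0.0.5 120000 1
2009-10-08T02:00 10.0.0.5 2400000 380
2009-10-08T03:00 10.0.0.5 2100000 350
2009-10-07T09:00 10.0.0.7 300000 0
2009-10-07T13:00 10.0.0.7 250000 1
2009-10-08T02:00 10.0.0.7 40000 0
2009-10-07T10:00 10.0.0.9 80000 0
2009-10-07T18:00 10.0.0.9 90000 1
2009-10-08T03:00 10.0.0.9 20000 0
"""

# Constructed stand-in for a research group's feed of IPs observed infected.
REPORTED_INFECTED = {"10.0.0.9"}

# Hours treated as "overnight" (01:00-05:59); an assumed threshold, not Comcast's.
NIGHT_HOURS = range(1, 6)


def parse_flows(text):
    """Parse the flow log into (timestamp, ip, bytes_out, smtp_conns) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, nbytes, smtp = line.split()
        records.append((datetime.fromisoformat(ts), ip, int(nbytes), int(smtp)))
    return records


def overnight_spike(records, ip, factor=5.0, min_smtp=100):
    """Return a reason string if ip's overnight traffic looks like spam-bot output, else None."""
    day = [b for t, i, b, _ in records if i == ip and t.hour not in NIGHT_HOURS]
    night = [(b, s) for t, i, b, s in records if i == ip and t.hour in NIGHT_HOURS]
    if not day or not night:
        return None  # no baseline or no overnight samples: cannot judge
    baseline = mean(day)
    peak_bytes = max(b for b, _ in night)
    peak_smtp = max(s for _, s in night)
    # Both conditions must hold: a large backup job would raise bytes but not SMTP.
    if peak_bytes > factor * baseline and peak_smtp >= min_smtp:
        return (f"overnight outbound {peak_bytes}B vs daytime mean {baseline:.0f}B "
                f"with {peak_smtp} SMTP connections")
    return None


def find_suspects(records, reported):
    """Map each suspicious subscriber IP to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    for ip in sorted({i for _, i, _, _ in records}):
        spike = overnight_spike(records, ip)
        if spike:
            reasons[ip].append(spike)
        if ip in reported:
            reasons[ip].append("listed by external research feed")
    return dict(reasons)
```

In a real deployment the daytime baseline would be built over weeks rather than one day, and a flagged subscriber would receive the alert rather than being disconnected.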

 --Japan High Court Acquits Winny Creator of Copyright Violation Charges
(October 8, 2009)
A Japanese court has ruled that the creator of the Winny filesharing
software is not guilty of helping its users violate copyright law.  The
Osaka High Court overturned a lower court ruling, and declared Isamu
Kaneko innocent of the charges levied against him because he did not
promote using the software for illegal purposes.  Presiding Judge Masazo
Ogura also noted that Winny "has various uses and the technology should
be considered value neutral."  Prosecutors will study the verdict before
deciding whether or not to appeal to the Supreme Court.  Kaneko lauded
the ruling, saying it will have a positive impact on software
development.
http://www.asahi.com/english/Herald-asahi/TKY200910080350.html
http://news.smh.com.au/breaking-news-technology/japan-court-acquits-fileshare-software-creator-20091008-goql.html

 --Film Companies Take Australian ISP to Court for Failure to Act on
    Filesharing Information
(October 7, 2009)
Australian Internet service provider (ISP) iiNet was in court facing
charges that it has not taken action against suspected illegal
filesharers.  Movie companies sued the ISP for allegedly not
disconnecting subscribers that the movie companies maintained were
sharing pirated copies of films through BitTorrent.  Australia's safe
harbor law allows ISPs immunity from prosecution if they "reasonably
implement" the practice of cutting off subscribers who are "repeat
[copyright] infringers."  iiNet stands by its assertion that "allegation
of infringement" and "proof of infringement" are not the same thing, and
that copyright holders who believe their rights have been infringed upon
should seek judgments against the alleged perpetrators in court and
present those judgments to iiNet, which will then disconnect that user.
http://arstechnica.com/tech-policy/news/2009/10/australian-isp-in-court-for-not-disconnecting-users.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

THE REST OF THE WEEK'S NEWS
 --Microsoft Will Issue 13 Bulletins on October 13
(October 8, 2009)
According to its Security Bulletin Advance Notification for October
2009, Microsoft plans to release 13 security bulletins on Tuesday,
October 13 to address vulnerabilities in Internet Explorer (IE),
Microsoft Office, SQL Server, some developer tools, Forefront Security
client software and all supported versions of Windows.  Eight of the
bulletins have been rated critical; the remaining five are rated
important.  This is the largest number of bulletins Microsoft has issued
at one time since it began its scheduled monthly security updates.
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
http://www.computerworld.com/s/article/9139155/Microsoft_plans_monster_Patch_Tuesday_next_week?taxonomyId=17

 --Adobe Warns of Limited Targeted Attacks on Reader and Acrobat Vulnerability
(October 8, 2009)
Adobe is warning that attackers are actively exploiting an unpatched
flaw in Reader and Acrobat 9.1.3 that could allow them to take control
of vulnerable computers.  Adobe plans to issue a fix for the
vulnerability on Tuesday, October 13.  Attackers can exploit the flaw
by tricking users into opening maliciously crafted PDF files.  Once a
computer is compromised, attackers can execute arbitrary code.  The
"limited targeted attacks" affect users running the vulnerable programs
on Windows machines.
http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
http://www.theregister.co.uk/2009/10/08/adobe_reader_vuln_under_attack/
[Editor's Note (Pescatore): By their very nature, targeted attacks are
"limited." That actually makes them more dangerous, not less. ]

 --No More Internet Banking for FBI Director
(October 7 & 8, 2009)
FBI Director Robert Mueller says he will no longer bank online after he
nearly succumbed to a phishing attack.  Mueller received a scam email
that "looked pretty legitimate" that asked him to verify some personal
information; he found himself "just a few clicks away from falling into
a classic Internet phishing scam."
http://www.computerworld.com/s/article/9139106/Citing_cybercrime_FBI_director_doesn_t_bank_online?source=rss_security
http://news.cnet.com/8301-27080_3-10370164-245.html
http://www.theregister.co.uk/2009/10/08/fbi_robert_mueller_commonwealth_club_speech/
http://www.fbi.gov/pressrel/speeches/mueller100709.htm
[Editor's Note (Schultz): For better or worse, a well-proven principle
in information security is that nothing wakes people up to the need to
do something about information security faster than good old-fashioned
fright over an incident or near incident.
(Pescatore): Hmmm, if he avoids every form of communications that
carries fraud, he must not use snail mail, fax, telephone, etc. Must be
tough to run the FBI only using tin cans and strings to communicate. ]

 --Convicted Online Trading Hacker Strikes Again
(October 7 & 8, 2009)
Van T. Dinh, who has already served time in prison for a computer fraud
scheme involving stock trading, has pleaded guilty to charges of computer
fraud and identity theft in another cyber crime scheme.  Dinh admitted
to breaking into the computer system of a currency exchange service and
stealing US $100,000.  The earlier conviction, involving the stocks,
marked the first time the US Securities and Exchange Commission (SEC)
had charged a person with fraud that involved identity theft and
hacking.  For that scheme, Dinh was sentenced to 13 months in prison and
three years of supervised release.
http://www.theregister.co.uk/2009/10/08/recidivist_hacker_pleads_guilty/
http://www.wired.com/threatlevel/2009/10/dinh/
http://www.wired.com/images_blogs/threatlevel/2009/10/dinh_complaint.pdf

 --Legislators Seek More Information on JP Morgan Chase Bank Data Breach
(October 7, 2009)
US Representatives Joe Barton (R-Texas) and George Radanovich (R-Calif.)
have sent a letter to JP Morgan Chase Bank Chairman and CEO James Dimon
asking for more information about a lost data tape.  The tape is
reportedly missing from a JP Morgan Chase offsite storage facility.
While it appears that the bank notified affected customers about the
breach, the legislators have additional questions, including how many
people were affected by the breach; how many people were notified of the
breach; and whether all affected customers have been enrolled in Chase
Identity Protection following the breach.  Reps. Barton and Radanovich
are members of the House Committee on Energy and Commerce, which "has a
long history of examining privacy and data security issues."
http://republicans.energycommerce.house.gov/Media/file/News/100709_Letter%20to_JP_Morgan_Chase_Data_Theft.pdf

 --Operation Phish Phry Rounds Up 100 Suspects
(October 7 & 8, 2009)
A two-year international investigation known as Operation Phish Phry has
netted authorities in the US and Egypt 100 suspects.  The group stole
information from thousands of people and used the data to defraud US
banks of more than US $1.5 million.  An indictment accuses all
defendants of conspiracy to commit wire fraud and bank fraud; some
individuals have also been charged with aggravated identity theft and
conspiracy to commit computer fraud.
http://www.smh.com.au/technology/security/biggest-cybercrime-investigation-in-us-history-fbi-smashes-phishing-ring-20091008-gngq.html
http://www.theregister.co.uk/2009/10/08/100_phishers_netted/
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=220301571

 --Stolen Laptop Holds Unencrypted Data of 850,000 Doctors
(October 6 & 7, 2009)
A laptop computer stolen from the car of a BlueCross BlueShield employee
contains unencrypted personal data of 850,000 physicians.  The data
include names, addresses, tax ID numbers and national provider
identification numbers.  About 187,000 of the physicians use their
Social Security numbers (SSNs) as their tax ID or national provider
numbers.  Company policy dictates that the data be encrypted, but the
unidentified employee downloaded unencrypted data to work on at home;
BlueCross BlueShield is reviewing its security policy in light of the
incident.  The theft occurred on August 27, 2009.
http://www.ama-assn.org/amednews/2009/10/05/bisd1006.htm
http://www.scmagazineus.com/Blue-Cross-Blue-Shield-Association-affirms-laptop-breach/article/151740/
[Editor's Note (Schultz): I predict that the fact that this incident put
physicians' data at risk will lead to far greater repercussions than if
the incident had involved only everyday patients' data.
(Ranum): I'm sure there is someone willing to step forward and say that
there was a "pressing business need" for that laptop to carry such data,
or that its user required access to that database 24/7 anywhere, and
hence needed to carry it around with them. Right? ]

 --Microsoft Blocks Hacked Hotmail Accounts; Researcher Says Scope of
    Attack Suggests Keystroke Loggers
(October 6 & 7, 2009)
Microsoft has blocked access to all the Hotmail accounts that were
recently compromised.  Usernames and passwords for several thousand
accounts were posted to the Internet last week.  Microsoft has indicated
it believes the data were obtained through a phishing attack, but a
researcher says that because the attack also affected Gmail, Yahoo mail
and other accounts and because so many accounts were compromised
overall, it bears characteristics suggesting the data were stolen
through surreptitiously installed keystroke logging programs.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=220301340
http://www.computerworld.com/s/article/9139098/Researcher_refutes_Microsoft_s_account_of_hijacked_Hotmail_passwords?source=rss_security

 --PayPal Suspends Researcher's Account
(October 6 & 7, 2009)
PayPal has suspended the account of security researcher Moxie
Marlinspike after someone used research he presented at the Black Hat
security conference this summer to publish a phony PayPal certificate.
The account suspension puts about US $500 in limbo for Marlinspike, who
uses "donate" buttons on his website where he offers free tools he has
developed.  PayPal says it will reinstate Marlinspike's account when he
removes the PayPal logo from his website.  A PayPal spokesperson said
the company does not allow its services "to be used in the sale or
dissemination of tools which have the sole purpose to attack customers
and illegally obtain individual customer information."  Marlinspike
demonstrated a proof-of-concept SSL certificate attack.
http://www.theregister.co.uk/2009/10/06/paypal_banishes_ssl_hacker/
http://www.wired.com/threatlevel/2009/10/marlinspike/
http://www.scmagazineus.com/PayPal-suspends-hackers-account-after-bogus-SSL-post/article/151743/

SPECIAL NOTICE: Protecting Your Business from Online Banking Fraud 

One of the big problems in security right now is organized crime
targeting comptroller PCs with malware, collecting online banking
credentials and using them to wire transfer money to accomplices (mules)
in numerous transfers that are below ten thousand dollars each. SANS.edu
graduate students Robert Comella, Greg Farnham and John Jarocki just
completed a research project on ways to protect an organization against
this threat.  Their report can be found at:
http://www.sans.edu/resources/student_projects/200910_05.pdf

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

