
Discussion Communities: Merit Network Email List Archives

Network Security

Historical SANS NewsBites Vol. 11 Num. 85 : FBI Confirms Small Businesses Losing Tens of Millions To Cyber Thieves

  • From: The SANS Institute
  • Date: Tue Oct 27 14:07:58 2009


Two new approaches to hard problems in security: 
1. Nuclear research labs, operated for the US Department of Energy, have
long been the crucibles that create computer security advances later
adopted by many other organizations.  Two of the labs recently
demonstrated a solution to the important problem of enabling and
motivating system administrators to find evidence of malicious action
on their networks.  This has become an important challenge because
perimeters are routinely being breached, and attackers are roaming
through networks for weeks or months without discovery. The labs' new
approach is a unique training program for system and network admins that
teaches them how to discover evidence of intruders and provides tools
that they can put to work immediately.  It's the first security program
that is tuned to their interests. Participating sysadmins seem to like
it. Here are a few of their comments:
*** "This is training that is long overdue."  "Fantastic."
*** "Lets us see what kind of stuff we are up against, and what tools
are available to fight back."
*** "Provides a great overview of tools, strategy, cooperation, and the
future.  Focuses on what you can do right now without needing more
training or expensive tools."

Government agencies and defense contractors with 50 or more sysadmins
can participate in the national roll-out for this program and help
ensure it meets the needs of the defense industrial base and government
agencies. Email mbrown@sans.org for scheduling information.

2. Converting compliance to security.  The Consensus Audit Guidelines
(Critical Controls) are being updated with specific tests you can run
to determine how well you have automated each of them, and benchmark
your performance. At the same time the user community has identified and
vetted security tools that automate each of the critical controls.  The
list of tools that work and the new tests will be unveiled at the
Critical Controls Summit in Washington on November 12-13 run by
Government Computer News and Federal Computer Week.
www.20critcontrols.com 
                              Alan

*************************************************************************
SANS NewsBites             October 27, 2009              Vol. 11, Num. 85
*************************************************************************
TOP OF THE NEWS
  Cyber Thieves Stole US $40 Million from Small and Mid-Sized Businesses
  Chamber of Commerce Press Release Hoax Prompts DMCA Takedown Notice
  Operation Eagle Claw Aims to Thwart Nigerian eMail Scammers
  DHS Info-Sharing Program Needs to Meet Privacy Standards
THE REST OF THE WEEK'S NEWS
    Swiss Foreign Ministry Computer Network Breached
    Missing CDs Hold Medical Patient Data
    Guardian Breach Exposes Job Hunters' Personal Information
    US $14.6 Million Fine in Australian Text Message Scam Case
    ATM Hacker Gets Probation
    Social Networking Sites Provide Data Thieves With Plenty of Raw
      Material
    Man Sentenced to Nearly Four-and-a-Half Years in Prison for Selling
      Pirated Software
    NIST Postpones Proposed IT Lab Reorganization
    New Gmail Feature Helps Avoid Some Misdirected Messages

************************ Sponsored By Cenzic ****************************

Website HealthCare Reform is Coming... 

Watch Out Nov 9, 2009. Sign up now to be first in line. 

http://www.sans.org/info/50019
*************************************************************************
TRAINING UPDATE
 -- SANS Middle East, October 31-November 11,
http://www.sans.org/middleeast09/
 -- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
 -- SANS Sydney, November 9-14
http://sans.org/sydney09/
 -- SANS Hong Kong, November 9-14
http://www.sans.org/hong-kong-forensics-2009/
 -- SANS Vancouver, November 14-19
http://www.sans.org/vancouver09/
 -- SANS London, UK, November 28-December 9,
http://sans.org/london09/
 -- SANS CDI, Washington DC, December 11-18,
http://www.sans.org/cyber-defense-initiative-2009
 -- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Oslo, New Delhi, Geneva and Qatar all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Cyber Thieves Stole US $40 Million from Small and Mid-Sized Businesses
(October 26, 2009)
The FBI says that since 2004, cyber thieves believed to be based in
Eastern Europe have stolen US $40 million from small and mid-sized US
businesses.  The thieves use spam to infect the companies' computers
with malware that steals online banking credentials, then transfer funds
in amounts below the US $10,000 threshold that triggers alerts.  The FBI
is acknowledging the trend in the hope that companies become aware of
the threat and put security safeguards in place.  For instance,
companies can protect themselves from cyber thieves by conducting online
banking transactions on dedicated, locked-down machines.  Larger banks
have adopted anti-fraud technology to detect anomalous transaction
patterns.  The companies hardest hit by the fraud, meaning those least
likely to recover funds, often use small and regional banks that lack
the fraud detection mechanisms of the larger institutions.  In some
cases, very small banks have prevented fraudulent transactions because
they know their customers personally and are alert to behavior that
seems out of character.
http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
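The story's point is that a per-transaction alert at US $10,000 never fires when every transfer is kept just under it, which is why the larger banks rely on pattern-based anomaly detection instead. The following is an added example (not from the newsletter, the FBI, or any bank's product) of such an aggregate rule run over a constructed transfer ledger; the threshold fraction, the seven-day window, the account ids, payees and amounts are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALERT_THRESHOLD = 10_000.00   # per-transaction alert amount cited in the story
NEAR_FRACTION = 0.8           # assumed: "just under" means >= 80% of the threshold
WINDOW = timedelta(days=7)    # assumed sliding window for aggregation
AGGREGATE_LIMIT = 10_000.00   # assumed: alert once near-threshold transfers sum past this

# Constructed sample ledger (timestamp, account, payee, amount); not real data.
SAMPLE_TRANSFERS = [
    ("2009-10-19 09:12", "acct-1001", "Payroll Services LLC", 4_200.00),
    ("2009-10-20 10:05", "acct-1001", "Payroll Services LLC", 4_200.00),
    ("2009-10-21 14:41", "acct-1001", "J. Smith (new payee)", 9_800.00),
    ("2009-10-21 15:02", "acct-1001", "K. Lee (new payee)", 9_750.00),
    ("2009-10-22 08:30", "acct-1001", "M. Jones (new payee)", 9_900.00),
    ("2009-10-20 11:00", "acct-2002", "Office Supply Co", 640.00),
    ("2009-10-23 16:20", "acct-2002", "Office Supply Co", 1_250.00),
]

# Constructed history of payees each account has paid before.
KNOWN_PAYEES = {
    "acct-1001": {"Payroll Services LLC"},
    "acct-2002": {"Office Supply Co"},
}


def parse(rows):
    """Turn the text ledger into (datetime, account, payee, amount) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, payee, amt)
            for ts, acct, payee, amt in rows]


def per_transaction_alerts(transfers):
    """The naive rule: flag only single transfers at or above the threshold."""
    return [t for t in transfers if t[3] >= ALERT_THRESHOLD]


def structuring_alerts(transfers, known_payees):
    """Flag an account whose near-threshold transfers inside one window
    add up past AGGREGATE_LIMIT, and list any payees it has never paid before."""
    by_account = defaultdict(list)
    for t in sorted(transfers):
        by_account[t[1]].append(t)

    alerts = []
    for acct, rows in by_account.items():
        near = [r for r in rows
                if NEAR_FRACTION * ALERT_THRESHOLD <= r[3] < ALERT_THRESHOLD]
        for i, start in enumerate(near):
            window = [r for r in near[i:] if r[0] - start[0] <= WINDOW]
            total = sum(r[3] for r in window)
            if len(window) >= 2 and total >= AGGREGATE_LIMIT:
                seen = known_payees.get(acct, set())
                alerts.append({
                    "account": acct,
                    "count": len(window),
                    "total": round(total, 2),
                    "new_payees": sorted({r[2] for r in window if r[2] not in seen}),
                })
                break  # one alert per account is enough for this example
    return alerts


if __name__ == "__main__":
    ledger = parse(SAMPLE_TRANSFERS)
    print("per-transaction alerts:", per_transaction_alerts(ledger))
    print("structuring alerts:", structuring_alerts(ledger, KNOWN_PAYEES))
```

On the sample ledger the per-transaction rule produces nothing, while the windowed rule flags acct-1001 for three transfers to three first-time payees totalling well over the limit.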

************************  Sponsored Links:  ****************************
1) DON'T MISS the upcoming webcast: Making Database Security an IT
Security Priority
http://www.sans.org/info/50024 

2) REGISTER NOW for the upcoming webcast: Tool Talk Webcast: Network
Control Meets Endpoint Security
Sponsored by: BigFix & ForeScout 
http://www.sans.org/info/50029
***********************************************************************
THE REST OF THE WEEK'S NEWS
 --Swiss Foreign Ministry Computer Network Breached
(October 26, 2009)
The Swiss Foreign Ministry says that attackers penetrated its computer
system with the intent of stealing data from the network.  As soon as
it became aware of the intrusion, the ministry severed the connection
between its network and the Internet; the system remained offline for
several days.  The source of the attack and the amount of data stolen
have not yet been determined.
http://www.msnbc.msn.com/id/33482676/ns/technology_and_science-security/
http://www.google.com/hostednews/afp/article/ALeqM5hgxAGXMxiw5_iBql1wtSs8BEuEBQ

 --Missing CDs Hold Medical Patient Data
(October 26, 2009)
Personally identifiable information of 68,000 members of CalOptima, a
California Medicaid managed health care plan, has been compromised after
several unencrypted CDs sent through certified mail did not arrive at
their destination.  The data include names, addresses, medical procedure
and diagnosis codes and some Social Security numbers (SSNs).  The disks
were being sent from a vendor to CalOptima.  The company plans to notify
those affected by the breach once it has worked out a credit monitoring
offer.
http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_members_may_be_compromised
http://www.healthdatamanagement.com/news/breach-39246-1.html

 --Guardian Breach Exposes Job Hunters' Personal Information
(October 25 & 26, 2009)
The Guardian newspaper has notified 500,000 people that their personal
information was compromised during a "deliberate and sophisticated"
attack on the paper's jobs website.  The affected data were submitted
by users as part of job applications.  Approximately 10,330,000 people
use the site each year.  The Guardian said the system was secured as of
Saturday, October 24.  Scotland Yard is investigating the incident.
http://www.h-online.com/security/news/item/Guardian-Jobs-web-site-compromised-839188.html
http://www.theregister.co.uk/2009/10/26/guardian_jobs_data/
http://news.bbc.co.uk/2/hi/uk_news/8324630.stm
http://www.v3.co.uk/v3/news/2251964/hackers-hit-guardian-jobs-site
http://www.pcworld.com/businesscenter/article/174330/guardian_jobs_site_falls_victim_to_sophisticated_hack.html

 --Chamber of Commerce Press Release Hoax Prompts DMCA Takedown Notice
(October 23, 2009)
California Internet service provider (ISP) Hurricane Electric has
complied with a Digital Millennium Copyright Act (DMCA) takedown notice
to remove a phony press release that was designed to appear as if it
came from the US Chamber of Commerce.  The press release and an
accompanying staged press conference were components of a hoax carried
out by a group known as The Yes Men in which they falsely announced
that the US Chamber of Commerce had reversed its position on greenhouse
gas emission reduction legislation.  The takedown notice did not come
in time to prevent the story from leaking to major media outlets.  The
phony press release is still visible on the Internet on a new host; the
Chamber of Commerce is mulling over whether or not to seek another
takedown notice.
http://www.wired.com/threatlevel/2009/10/fake-pressrelease-flap/
http://www.theregister.co.uk/2009/10/26/yes_men_hoax_and_the_dmca/
original takedown notice: http://www.eff.org/files/chamber-dmca-notice.pdf
[Editor's Note (Ranum): Is this an appropriate use of DMCA? I thought
that DMCA was for copyright protection - not a general "we don't like
what is on the web - take it down" law. What is the difference between
a phony press release and a parody and how can a court objectively make
a determination of such?]

 --US $14.6 Million Fine in Australian Text Message Scam Case
(October 23, 2009)
Australia's Federal Court has fined two organizations and three
individuals a total of AU $15.8 million (US $14.5 million) for violating
the country's Spam Act.  The lawsuit was brought by the Australian
Communications and Media Authority against Mobilegate Ltd, Winning Bid
Pty Ltd, Simon Anthony Owen, Tarek Andreas Salcedo, and Glenn
Christopher Maughan for allegedly sending unsolicited and misleading
text messages.  The scam perpetrators placed phony profiles on dating
websites to gather mobile phone numbers, which were then used to lure
victims into using high-priced chat services.
http://www.abc.net.au/news/stories/2009/10/23/2722971.htm
http://www.australianit.news.com.au/story/0,25197,26250790-15306,00.html

 --Operation Eagle Claw Aims to Thwart Nigerian eMail Scammers
(October 23, 2009)
An initiative dubbed "Operation Eagle Claw" aims to move "Nigeria out
of the top ten list of countries with the highest incidence of
fraudulent emails," according to Farida Waziri, chairwoman of the
country's Economic and Financial Crimes Commission.  Though not yet 100
percent operational, Eagle Claw has resulted in 18 arrests and the
closure of more than 800 websites linked to fraud.  The initiative
involves scanning all email.  Police are working with Microsoft to
calibrate the technology used to scan the email.
http://www.msnbc.msn.com/id/33448866/ns/technology_and_science-security/
http://www.theregister.co.uk/2009/10/23/nigeria_police_success/
http://news.bbc.co.uk/2/hi/africa/8322316.stm
http://arstechnica.com/tech-policy/news/2009/10/nigeria-actually-arrests-shuts-down-online-scammers.ars

 --ATM Hacker Gets Probation
(October 23, 2009)
Australian pizza parlor worker and erstwhile hacker Brian Sommer will
not be sent to jail for his role in stealing AU $30,000 (US $27,430)
from ATM machines.  Instead, Sommer was sentenced to two years
probation, ordered to complete 100 hours of community service and to pay
a fine of AU $23,000 (US $21,000).  Sommer allegedly used information
from ATM repair manuals available for download on the Internet to tinker
with the machines' settings and steal the money.  The crime was traced
back to Sommer because he used his own ATM card and those of family
members to make the fraudulent withdrawals.  Two accomplices were
sentenced to six months probation in December 2007.
http://www.theregister.co.uk/2009/10/23/oz_atm_hacker/
http://www.finextra.com/fullstory.asp?id=20648

 --DHS Info-Sharing Program Needs to Meet Privacy Standards
(October 23, 2009)
The Department of Homeland Security Appropriations Act 2010 (H.R. 2892)
bars the department from using funds to operate the National Immigration
Information Sharing Operation (NIISO) until the project is certified to
be in compliance with privacy and civil liberties laws.  For the program
to be eligible for operational funding, NIISO must be certified by the DHS
secretary; that certification must then be reviewed by the comptroller
general.  Of particular concern is the potential for inaccurate data in
NIISO's system and the misuse of data in the system.
http://www.nextgov.com/nextgov/ng_20091023_8381.php
http://www.washingtonwatch.com/bills/show/111_HR_2892.html

 --Social Networking Sites Provide Data Thieves With Plenty of Raw Material
(October 21 & 23, 2009)
The growing use of social networking sites is proving to be a rich
source of raw material for identity thieves.  On its own, the data may seem innocuous,
but it can be cross-referenced with other data to provide potential data
thieves with enough information to open credit card accounts or obtain
birth certificates.  There are also programs available on the Internet
that automate the process of collecting and cross-referencing data.
http://www.irishtimes.com/newspaper/finance/2009/1023/1224257281899.html
http://www.infosecurity-magazine.com/view/4696/rsa-europe-identity-theft-is-too-easy-and-can-even-be-automated-says-it-security-expert/
[Editor's Note (Pescatore): This is as much a problem with the lax
verification processes by the credit card issuers as is too much data
being exposed in social networks.
(Hoelzer): This will continue to be an evolving problem.  On the one
hand people are trying to both market themselves and connect with
friends, most of whom don't give much thought to the information that
they post.  On the other we have the identity thieves who are involved
in all-out information warfare.  How do you raise awareness when people
-want- to share sensitive information in unwise ways?]

 --Man Sentenced to Nearly Four-and-a-Half Years in Prison for Selling
    Pirated Software
(October 22 & 23, 2009)
Gregory William Fair has been sentenced to 41 months in prison for
selling pirated software over the Internet.  Between 2001 and 2007,
Fair sold phony software worth an estimated US $1 million on Internet
auction site eBay.  Fair has also been ordered to pay US $743,098 in
restitution and to forfeit four expensive cars and US $144,000 cash
seized from a safe deposit box and a residence.  Earlier this year,
Fair pleaded guilty to one count of criminal copyright infringement
and one count of mail fraud.
http://www.computerworld.com/s/article/9139823/Virginia_man_to_serve_prison_term_for_selling_counterfeit_software?source=rss_security
http://www.usdoj.gov/opa/pr/2009/October/09-crm-1141.html

 --NIST Postpones Proposed IT Lab Reorganization
(October 22 & 23, 2009)
The National Institute of Standards and Technology (NIST) announced last
week that "based on the feedback [they] continue to receive," a planned
reorganization of its Information Technology Laboratory has been
postponed.  The impetus for reorganizing the lab comes from the rapidly
changing IT environment and concerns that its present structure may no
longer best serve the lab's purpose.  The IT Lab was created in 1996,
and its responsibilities include producing standard encryption
algorithms, cyber security requirement compliance guidance, and
standards for government IT use.  One of the proposed changes would be
to move the lab's Computer Security Division director to the IT lab
director's office.
http://gcn.com/Articles/2009/10/23/NIST-IT-lab-reorg-delayed.aspx
http://www.federalnewsradio.com/?nid=35&sid=1792114

 --New Gmail Feature Helps Avoid Some Misdirected Messages
(October 21 & 24, 2009)
Gmail has introduced a new optional feature designed to help prevent
sending email to unintended recipients.  Dubbed "Got the Wrong Bob?,"
the feature warns users if they have included a contact not usually
associated with the group of recipients to whom they are sending email.
Including unintended recipients often occurs because of the
auto-complete function, which can fill in contact names after only the
first several letters are typed.  The feature works only for emails sent
to groups; if the message has one intended recipient, users still need
to double check that they have entered the correct address.
http://www.nytimes.com/2009/10/22/technology/personaltech/22askk-003.html
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6888051.ece
[Editor's Note (Pescatore): Cool. Now please add a few more features:
(1) Making it very, very hard to do a Reply All; (2) Upon seeing the
word "attached" in an outgoing email message that does *not* have an
attachment, ask the sender if they meant to attach something; (3)
Reinstate the 4 line .sig restrictions we had 15 years ago and
automatically delete any email with an HTML .sig.; (4) Make it even
harder to do a Reply All.]

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

