
*************************************************************************
SANS NewsBites September 16, 2008 Vol. 10, Num. 73
*************************************************************************
TOP OF THE NEWS
Virginia Supreme Court Says Anti-Spam Law is Too Broad
Senators Introduce 2008 Federal Information Security Management Act
House Subcommittee Holds Hearing on Increasing FERC Authority
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
First Guilty Plea in TJX Case
Former Intel Employee Charged with Theft of Trade Secrets
VULNERABILITIES
Student Faces Charges in Carleton University Network Intrusion
UPDATES AND PATCHES
Apple Releases OS X 10.5.5
COMPROMISES & BREACHES
Cyber Thieves Hit UAE Bank Accounts
DATA LOSS AND THEFT
Countrywide Notifying Customers of Data Breach
Insurance Office Employee Allegedly Used Customer Data to Open Accounts
ATTACKS
Hackers Deface Collider Website

******************** Sponsored By ArcSight, Inc. ************************

Complimentary Whitepaper: Mitigating Fraud with the ArcSight SIEM
Platform, 2008 Detecting, investigating and responding to fraudulent
transactions from within and outside an organization is an essential
function of business operations. Unfortunately, most organizations have
inadequate solutions in place to deter fraudsters and lack the support
tools for fraud investigators to quickly identify fraud and respond to
the threats effectively.
This whitepaper will outline the requirements for an effective fraud
mitigation solution.
http://www.sans.org/info/33129

*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security
tools expo; lots of evening sessions: http://www.sans.org/ns2008/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
--Virginia Supreme Court Says Anti-Spam Law is Too Broad
(September 12 & 13, 2008)
The Virginia Supreme Court has overturned a Virginia anti-spam law and
a lower court spam conviction on the grounds that the state's anti-spam
law violates the defendant's First Amendment rights to free speech.
Jeremy Jaynes was sentenced to nine years in prison in 2005. He was
convicted in 2004 on three counts for sending unsolicited commercial
email to tens of thousands of AOL customers. He obtained the AOL
addresses from a stolen database. The court ruled that the 2003
Virginia anti-spam law is overly broad because it does not distinguish
between commercial and political messages and under its purview, the
Federalist Papers sent in a similar manner would constitute a violation
of the law.
http://www.theregister.co.uk/2008/09/13/virginia_overturns_antispam_conviction/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114618&source=rss_topic17

--Senators Introduce 2008 Federal Information Security Management Act
(September 12, 2008)
US Senators Tom Carper (D-Delaware) and Joseph Lieberman (I-Connecticut)
have introduced Senate bill 3474, the 2008 Federal Information Security
Management Act. Among the bill's provisions is a requirement that
federal agencies appoint chief information security officers; the CISOs
would have the authority to block network access if established security
policies are not being adhered to. The bill would also require that the
Department of Homeland Security (DHS) conduct annual tests to determine
if attackers could access sensitive government data. Senator Carper
noted that the current Federal Information Security Management Act is
an exercise in paperwork rather than an effective means of determining
the security of federal computer networks.
http://www.nextgov.com/nextgov/ng_20080912_7543.php
http://www.fcw.com/online/news/153773-1.html?type=pf
[Editor's Note (Schultz): Hopefully, the 2002 version of FISMA will soon
become a thing of the past. I suppose that this version of FISMA was at
least a start towards achieving better cybersecurity within US
government agencies and departments. Anyone who has gone through the
exercise of trying to achieve FISMA compliance knows, however, that it
is indeed a paperwork game, one that has little relevance to countering
real-world security risks.
(Pescatore): CISOs with authority is a very good thing, as long as that
authority includes some influence over budgets *and* that the government
actually starts making security funds be included as part of all budget
requests. Having DHS compete with private industry to do security audits
is *not* a good thing - there is a thriving commercial market for
security audits and penetration testing that will be more effective and
more efficient than any government agency.
(Paller): John Pescatore's comment illuminates one of the dirtiest
little secrets of federal cyber security - that federal agencies
promise, in writing, to spend a specific percentage of each IT project
budget on cyber security (usually 4-8%). My best guess, based on
interviews with a lot of federal folks, is that only 35-45% of the
promised funds are spent on security - the rest go for other uses. That
means that when a CIO testifies before Congress that he or she is
spending a certain percent of the IT budget on cyber security (a number
derived from those promised percentages in the budget documents) that
CIO is almost certainly lying to Congress.
On the other hand, the new FISMA 2008 bill solves three of the most
difficult problems caused by OMB and NIST's implementation of the old
law and should be a breath of fresh air to any cyber security
professional who wants to see federal cyber security funds spent on
securing systems rather than on consultants who write reports that do
not improve security.]

--House Subcommittee Holds Hearing on Increasing FERC Authority
(September 11, 12 & 15, 2008)
The US House of Representatives Energy and Commerce Committee's
Subcommittee on Energy and Air Quality is drafting legislation aimed at
giving the Federal Energy Regulatory Commission (FERC) greater authority
over the country's power grids. The move comes in response to increased
concerns about the potential for cyber attacks on the nation's critical
infrastructure, as suggested by testimony from witnesses and legislators
last week. At a hearing later in the week, industry representatives
provided input regarding the process, indicating that while the idea of
strengthening federal authority in the event of an imminent threat would
be welcomed, the government should not be overly broad in expanding its
powers and "legislation must be carefully drawn."
http://www.govexec.com/story_page.cfm?articleid=40940
http://news.cnet.com/8301-13578_3-10040101-38.htmls
http://www.fcw.com/online/news/153769-1.htmls
http://uaelp.pennnet.com/display_article/339577/22/ARTCL/none/none/1/FERC-boss-asks-House-subcommittee-for-more-authority-over-cyber-security-standards/
http://energycommerce.house.gov/cmte_mtgs/110-eaq-hrg.091108.Cybersecurity.shtmls
[Editor's Note (Pescatore): Improvements are definitely needed in
mechanisms that require utilities to demonstrate sufficient
cyber-security, but I will bet that over the next 10 years outages due
to cyber attacks will be less than 1% of those due to other causes. More
centralized oversight of security while the utilities are facing
deregulated commerce markets is not going to change that, let alone make
it better.]

************************** SPONSORED LINKS: *****************************
1) Visit the SANS Buyers Guide for updated listings and useful
information when selecting the latest in IT security technologies.
http://www.sans.org/info/33134

2) Worried about NetFlow overhead? Consult Lancope's NetFlow Bandwidth
Calculator
http://www.sans.org/info/33139
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--First Guilty Plea in TJX Case
(September 12 & 15, 2008)
One of 11 people arrested in connection with the TJX data breach has
pleaded guilty to wire fraud, credit card fraud and aggravated identity
theft. Damon Patrick Toey has also agreed to provide the names of more
people involved in the scheme to prosecutors. The charges stem from
breaches at TJX and other retailers that compromised more than 45
million credit and debit card numbers. The group had members in the US,
Estonia, Ukraine, Belarus and China. Toey faces a maximum prison
sentence of five years and a fine of US $250,000 for each of four felony
counts. He must also forfeit all the money he gained from his
participation in the scheme. The group allegedly broke into the
retailers' payment systems through vulnerabilities in their wireless
networks. It is also alleged
that the group stored the stolen data on servers in the US, Latvia and
Ukraine and that the information was sold to other criminals or used to
create fraudulent payment cards. The alleged ringleader of the group,
Albert Gonzalez, has pleaded not guilty to the charges against him.
http://securecomputing.net.au/News/122774,tjx-hacker-pleads-guilty-as-charged.aspx
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9114579&taxonomyId=1&intsrc=kc_top

--Former Intel Employee Charged with Theft of Trade Secrets
(September 12, 2008)
Former Intel Corp. employee Biswamohan Pani has been charged with theft
of trade secrets for allegedly stealing proprietary company data,
including information about the development of new chips. Pani
allegedly accessed an encrypted system at Intel and downloaded 13 top
secret documents. He had resigned from Intel in May and was taking
accrued vacation time through June 11; the intrusions occurred between
June 8 and June 10. Pani had already begun to work for Intel competitor
AMD. The issue was discovered when an employee looked into Pani's
access and download history on the system in question.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114592&source=rss_topic17

VULNERABILITIES
--Student Faces Charges in Carleton University Network Intrusion
(September 15, 2008)
A student at Carleton University in Ottawa, Ontario is facing charges
of mischief to data and unauthorized use of a computer for allegedly
breaking into a university computer network and then providing
university administrators with a detailed report about the
vulnerabilities he exploited and possible ways to fix them. Mansour
Moufid is cooperating with authorities. Mansour allegedly broke into
the accounts of 32 Carleton University students, but did not access any
sensitive information, instead choosing to send a list of the
compromised accounts along with their passwords and suggested remedies
for the vulnerabilities to school officials.
http://www.securityfocus.com/brief/819
http://www.canada.com/ottawacitizen/news/editorials/story.html?id=0f2b40a0-a005-40b6-971d-571aaad26399
Follow-Up: The student gained access by "installing software that he
wrote on a terminal in a computer lab that was attached to a card
reader."
http://www.cbc.ca/technology/story/2008/09/11/ot-carleton-080911.html
[Editor's Note (Veltsos): Carleton's web site provides additional
updates and goes as far as saying that "A third-party audit of the
university's computer network concluded earlier in the year that the
system had multiple security features and was deemed very secure."
http://www2.carleton.ca/newsroom/news-releases/update-on-carleton-university-email-breach/]

UPDATES AND PATCHES
--Apple Releases OS X 10.5.5
(September 15, 2008)
Apple has released the latest version of its Leopard operating system
to address more than two dozen vulnerabilities, some specific to Apple
and others to a variety of open-source components. Mac OS X 10.5.5
fixes vulnerabilities that could be exploited to allow arbitrary code
execution, create denial-of-service conditions, allow users to log in
without a password or change another user's password, allow DNS cache
poisoning or allow unexpected application termination.
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=5041
http://isc.sans.org/diary.html?storyid=5020
http://isc.sans.org/diary.html?storyid=5032

http://www.pcworld.com/businesscenter/article/151104/apple_update_finally_fixes_important_dns_bug.html
http://news.cnet.com/8300-1009_3-83.html?tag=hdr;snav
http://support.apple.com/kb/HT2405
http://support.apple.com/kb/HT3137

COMPROMISES & BREACHES
--Cyber Thieves Hit UAE Bank Accounts
(September 12, 2008)
Cyber thieves have used cloned bank and credit cards to withdraw funds
from bank customers' accounts in the United Arab Emirates (UAE). It
appears that the criminals placed skimming devices on cash machines that
recorded the cards' essential information, although some are suggesting
that the banks' internal systems were breached. The withdrawals were
made in more than 20 countries outside the UAE. Some of the affected
banks have sent their customers text messages, urging them to change
their PINs. Others have blocked the accounts of customers who have not
changed their PINs, and one bank temporarily blocked access to
international cash machines.
http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article4735682.ece
http://www.theregister.co.uk/2008/09/12/uae_atm_hacking_attack/print.html
http://www.gulfnews.com/business/Banking_and_Finance/10244411.html

DATA LOSS AND THEFT
--Countrywide Notifying Customers of Data Breach
(September 13 & 14, 2008)
Personally identifiable information of as many as 2 million Countrywide
customers may have been sold by data thieves, according to the mortgage
company. While there have been no reports of the information being used
to commit identity fraud, Countrywide is offering two years of credit
monitoring to affected customers. The data were allegedly stolen by a
former Countrywide employee who downloaded approximately 20,000 customer
records every week for two years. Each batch was allegedly sold for US
$500, or about US 2.5 cents for each record. It appears that the data
were sold to other mortgage brokers.
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/13/AR2008091300337_pf.html
http://www.miamiherald.com/business/personal-finance/story/684578.html

--Insurance Office Employee Allegedly Used Customer Data to Open Accounts
(September 13, 2008)
Attorneys general in 45 US states have been notified that a State Farm
Insurance employee in Surprise, Arizona used customer information to
obtain credit cards. The compromised data include addresses, Social
Security numbers (SSNs), driver's license numbers and in some cases,
bank account numbers. A company spokesperson did not specify the number
of people affected by the breach. Police are investigating. All
affected customers have been contacted and offered one year of free
credit monitoring.
http://www.azcentral.com/community/westvalley/articles/2008/09/13/20080913gl-nwvstatefarm0913.html
[Editor's Note (Schultz): This and the previous news item once again
show how insidious the insider threat is. I fear that too many
organizations deploy a disproportionate amount of controls against
external attacks at the expense of controls designed to counter insider
attacks.
(Skoudis): This issue of NewsBites has several stories about insider
malfeasance at a variety of commercial and governmental organizations
leading to data breaches. These stories provide excellent examples for
infosec people to cite to management for illustrating the need for good
internal monitoring of traffic and file system access to detect insider
attacks.
(Veltsos): Enforcing need-to-know, least-privilege, and auditing access
logs would have restricted the number of accounts compromised and
provided early warning of such access.]
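As an added illustration (not part of this NewsBites issue or its editors' text), the following Python script applies the point above to the Countrywide pattern: it reads constructed record-export audit log lines and flags any user whose weekly export volume is far above what the rest of the population does, which is the kind of early warning access-log review can give. The log format, user names and threshold factor are assumptions made for the example.

```python
"""Flag bulk customer-record exports from audit log lines.

Constructed example, not part of the SANS issue. Each line records one
export event as:  <ISO date>  <user>  <records exported>
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample log; a real source would be a database, DLP or
# file-server audit trail. "carol" mimics the ~20,000-records-a-week pattern.
SAMPLE_LOG = """\
2008-06-02 alice 120
2008-06-02 bob 95
2008-06-03 carol 20000
2008-06-04 alice 80
2008-06-05 dave 150
2008-06-10 carol 19800
2008-06-11 bob 110
2008-06-12 alice 60
2008-06-13 dave 130
"""


def parse_log(text):
    """Yield (iso_week, user, count); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, user, count = parts
        try:
            week = date.fromisoformat(day).isocalendar()[1]
            yield week, user, int(count)
        except ValueError:
            continue


def weekly_totals(text):
    """Sum exported records per (user, ISO week)."""
    totals = defaultdict(int)
    for week, user, count in parse_log(text):
        totals[(user, week)] += count
    return dict(totals)


def flag_outliers(text, factor=10):
    """Return {(user, week): total} for user-weeks above factor x the median user-week.

    The median is used as the baseline because a single bulk exporter would
    drag a mean upward and could hide itself behind its own activity.
    """
    totals = weekly_totals(text)
    if not totals:
        return {}
    threshold = median(totals.values()) * factor
    return {key: n for key, n in totals.items() if n > threshold}


if __name__ == "__main__":
    for (user, week), n in sorted(flag_outliers(SAMPLE_LOG).items()):
        print(f"ALERT: {user} exported {n} records in ISO week {week}")
```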

ATTACKS
--Hackers Deface Collider Website
(September 12 & 13, 2008)
A group of Greek attackers calling itself Greek Security Team managed
to infiltrate and deface the public website of the Large Hadron Collider
(LHC) with text that appeared to be disparaging the site's security. The
compromised server belongs to the European Organization for Nuclear
Research (CERN), which runs the collider. A recent update indicates
that the text on the defaced site is making fun of other hackers in the
Greek Internet underground. The website is no longer publicly
accessible. CERN scientists have expressed concern that the attackers,
whatever their motives, were "one step away" from the computer system
that controls one of the machine's detectors. The attackers indicated
that they have no interest in disrupting LHC activity.
http://www.securityfocus.com/brief/818
http://www.timesonline.co.uk/tol/news/uk/science/article4744329.ece
http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/09/12/scicern212.xml
http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/
[Editor's Note (Skoudis): There is some dispute about whether the
attackers were "one step away." Still, if true, it's kind of scary to
contemplate that such elements of the LHC are connected to the Internet.
Converged networks worry me significantly, with many enterprises blindly
putting very sensitive equipment on IP networks and then connecting them
to the Internet. We're seeing such convergence in the electric power
grid, commercial airliners, and possibly even particle accelerators like
the LHC. Very worrisome indeed. If you work in an organization with
such critical infrastructure, make sure you ask a lot of questions about
why such convergence is needed and if you can even reasonably secure it
whenever someone suggests moving parts of your systems to control via
IP networks.]

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/