SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #58
July 25, 2008
TOP OF THE NEWS
DNS Exploits Released
Six ISPs Sign Piracy-Fighting Memorandum
Study: Banks Use Unsecure Practices on Websites
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Four-Year Sentence for Selling Counterfeit Software
Appeals Court Says Credit Union May Seek Damages From Credit Card Processor
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Publishes Revised Performance Measurement Guide for Information Security
SPYWARE, SPAM & PHISHING
Prolific Spammer Sentenced to Prison
Accused Phisher Pleads Guilty
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Updates Thunderbird
UK Computers Infected with Asprox
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Airline Check-in Kiosks Suspected in Card Fraud
MISCELLANEOUS
Rogue SF Network Admin Gives Up Passwords
Spam King Kills His Wife and Child
*************************************************************************
TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
DNS Exploits Released (July 24, 2008)
Two exploits for the recently disclosed DNS security flaw have surfaced this week. Initially, details of the flaw were going to be kept under wraps until the Black Hat conference in Las Vegas next month, but earlier this week a researcher made some educated guesses as to the nature of the flaw and his speculations were confirmed. The discussion was inadvertently posted to a blog that has since been taken down. The flaw was discovered several months ago and vendors were alerted so they could prepare patches before the vulnerability became public knowledge.
-http://www.heise-online.co.uk/security/DNS-vulnerability-exploits-released--/news/111168
-http://www.eweek.com/c/a/Security/DNS-Flaw-Details-Leaked-Accidentally/?kc=rss
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110622&intsrc=hm_list
[Editor's Note (Ullrich): This vulnerability is already being exploited and easy-to-use exploit tools have been released. ]
Six ISPs Sign Piracy-Fighting Memorandum (July 24 & 25, 2008)
A half dozen UK Internet service providers (ISPs) have signed a Memorandum of Understanding (MOU), agreeing to work with the BPI (British Phonographic Industry) to help stop illegal music file sharing. The ISPs will send warning letters to customers suspected of using their Internet connections to share pirated music files. The MOU covers users who upload and who download the files. It also commits the ISPs to developing legitimate music services. The Motion Picture Association of America (MPAA) has also signed the agreement. Virgin and BT have already sent letters to some of their users identified by BPI as persistent file sharers. BPI is pushing for a three-strikes system that would cut off the Internet connections of those who persist in illegal file sharing, but ISPs are reluctant to adopt the practice.
-http://news.bbc.co.uk/2/hi/technology/7522334.stm
-http://news.smh.com.au/technology/british-internet-service-providers-agree-to-work-together-against-illegal-downloading-20080724-3kfq.html
-http://news.zdnet.co.uk/communications/0,1000000085,39452072,00.htm
Study: Banks Use Unsecure Practices on Websites (July 22, 23 & 24, 2008)
Researchers at the University of Michigan found, in a 2006 study, that 76 percent of US banking websites have design flaws that could put customers at risk for data theft and fraud. The research did not discover vulnerabilities in the websites, but instead focused on the practices banks use that inure customers to potential online dangers by reinforcing bad security habits. The problems lie in the fact that many banks are "condition[ing] customers to ignore potential clues about whether the banking site they're visiting is real" or phony. For example, many banks redirect online customers to third-party sites without informing the customers, place secure login boxes on unsecure pages, or use email addresses or Social Security numbers (SSNs) as default user names. Researchers plan to present their findings at a conference on Friday, July 25. The research was conducted on the online websites of 214 US banks of all sizes.
-http://www.msnbc.msn.com/id/25819973/
-http://www.zdnetasia.com/news/security/0,39044215,62044110,00.htm
-http://www.ns.umich.edu/htdocs/releases/story.php?id=6652
-http://www.eecs.umich.edu/~laura/webusability/websites.html
-http://cups.cs.cmu.edu/soups/2008/program.html
-http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
[Editor's Note (Schultz): The proof is in the pudding, so to speak. Whether or not banks use secure Web site practices should thus be determined by the Web sites' resistance to attacks, not by design flaws found by outsiders. ]
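Three of the habits the study criticises can be checked mechanically from a page's HTML: a password form served on a non-HTTPS page, credentials posted over plain HTTP, and a login form that silently hands the credentials to a host other than the one the customer is looking at. The following is an added example, not code from the newsletter or from the Michigan study; the sample pages and hostnames in it are constructed.

```python
# Added example (not from the newsletter or the Michigan study): audit a login
# page for three habits the study criticises, namely a password form served on a
# non-HTTPS page, credentials posted over plain HTTP, and credentials handed to a
# host other than the one the customer is looking at. Sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "has_password": bool}, ...]
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return sorted findings for every password form found in `html`."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = set()
    for form in collector.forms:
        if not form["has_password"]:
            continue  # only forms that collect a password matter here
        # Resolve a relative action against the page URL (empty action = same URL).
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            findings.add("login form served on a non-HTTPS page")
        if target.scheme != "https":
            findings.add("credentials would be posted over HTTP")
        if target.hostname != page.hostname:
            findings.add("credentials sent to third-party host %s" % target.hostname)
    return sorted(findings)

# Constructed sample pages with hypothetical hosts; not real bank sites.
BAD_PAGE = ('<form action="http://auth.processor-example.test/login" method="post">'
            '<input type="text" name="ssn"><input type="password" name="pw"></form>')
GOOD_PAGE = ('<form action="/login" method="post">'
             '<input type="text" name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print(audit_login_page("http://www.bank-example.test/", BAD_PAGE))
    print(audit_login_page("https://www.bank-example.test/", GOOD_PAGE))
```

The check only sees what the HTML declares; a form whose action is rewritten by JavaScript at submit time needs a browser-side check instead.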
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Four-Year Sentence for Selling Counterfeit Software (July 23 & 24, 2008)
Jeremiah Joseph Mondello has been sentenced to four years in prison for selling counterfeit software on eBay. Mondello was found guilty of aggravated identity theft, criminal copyright infringement and mail fraud. He was also ordered to forfeit US $225,000 in profits and to serve 450 hours of community service upon completion of his prison sentence. Mondello used information obtained through a keystroke logger to set up the eBay and PayPal accounts he used to sell the counterfeit software, which included pirated copies of Symantec, Adobe and Intuit software.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110621&source=rss_topic17
-http://www.theregister.co.uk/2008/07/24/ebay_auction_fraudster/print.html
Appeals Court Says Credit Union May Seek Damages From Credit Card Processor (July 21, 2008)
A US Court of Appeals has reinstated a damages claim dismissed two years ago by a US District Court judge. The claim concerns credit card processor Fifth Third Bancorp's obligation to pay a portion of the damages incurred by a Pennsylvania credit union as a result of the 2004 BJ's Wholesale Club data security breach. The original complaint was brought by the Pennsylvania State Employees' Credit Union, which spent US $100,000 to cancel and reissue cards for its customers whose data were compromised in the breach. The case now goes back to district court.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209400073
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Publishes Revised Performance Measurement Guide for Information Security (July 22, 2008)
The National Institute of Standards and Technology (NIST) has issued Special Publication 800-55, Revision 1, "Performance Measurement Guide for Information Security." The document is designed to provide practical guidance for government agencies on how to conduct required security evaluations of IT systems specified in several laws, including the Clinger-Cohen Act and the Federal Information Security Management Act (FISMA). The document replaces the original version, which was published five years ago.
-http://www.gcn.com/online/vol1_no1/46698-1.html
-http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
[Editor's Note (Honan): Industry-standard-based ISMSs (Information Security Management Systems), such as ISO 27001, require you to measure how effective your ISMS is so that areas of improvement can be identified. This publication provides a number of useful guidelines in helping you to meet that requirement. (Veltsos): Revision 1 provides quantifiable information security metrics to gauge and analyze the implementation, the efficiency, and the effectiveness of security controls and their value to the organization. In particular, Appendix A contains nineteen sample measures that every CISO should be aware of. ]
SPYWARE, SPAM & PHISHING
Prolific Spammer Sentenced to Prison (July 23, 2008)
Robert Alan Soloway has been sentenced to nearly four years in federal prison for sending millions of spam emails. Soloway was also ordered to forfeit more than US $700,000 he made from his scheme. He has previously been sued in civil court for spamming, and owes civil penalties totaling more than US $17 million. Soloway used a program called Dark Mailer to send out the spam that promoted his business selling spamming software.
-http://www.theregister.co.uk/2008/07/23/soloway_sentenced/print.html
Accused Phisher Pleads Guilty (July 23, 2008)
Ovidiu-Ionut Nicola-Roman has pleaded guilty to one count of conspiracy to commit fraud. Nicola-Roman, who is Romanian, was located in Bulgaria and extradited to the US in September 2007. He is allegedly part of a phishing ring. In one case, the group sent emails to a certain bank's customers, telling them their accounts were inaccessible because administrators were upgrading the system and asking them to verify their account details at a "secure online database." The group hit the banking site with a distributed denial of service (DDoS) attack at the same time to lend their claim legitimacy.
-http://www.theregister.co.uk/2008/07/23/romanian_phisher_guilty_plea/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Updates Thunderbird (July 24, 2008)
Mozilla has issued Thunderbird version 2.0.0.16 to address nine security flaws. All of the flaws have already been patched in Firefox - eight in the browser's most recent update (version 2.0.0.15) and one that was patched last week. None of the vulnerabilities fixed was deemed critical; Mozilla has assigned all nine flaws severity ratings of moderate or low.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110643&intsrc=hm_list
UK Computers Infected with Asprox (July 23, 2008)
Numerous UK government and commercial websites have recently become infected with malware called Asprox. The malware infects visitors' computers without their knowledge and collects their personal information. Users became aware of the malware only after discovering that their personal data had been used to commit fraud, including unauthorized account withdrawals.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece
[Editor's Note (Veltsos): Asprox is only the latest in a series of rapidly growing attacks on legitimate web sites. The latest Sophos Security Threat Report reported 90% of infected web pages are hosted on legitimate sites; a new infected web site was detected every five seconds. In addition to US and UK government sites, other major web sites such as Google's Blogspot.com, and Sony Playstation were found to be hosting malware as well, much of it due to SQL injection attacks. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Airline Check-in Kiosks Suspected in Card Fraud (July 24, 2008)
WestJet Airlines Ltd. has placed a temporary ban on the use of credit cards to identify fliers at self-service check-in kiosks at all airports in Canada. The move comes amid surfacing reports of investigations into instances of credit card fraud that have a strong correlation with air travel at one airport in particular, believed to be Toronto's Pearson International Airport. Visa and MasterCard have both issued statements indicating that they are investigating reported fraud. Passengers may check in at the self-service kiosks with passports, reservation numbers, frequent flier cards, or by entering their last names.
-http://www.theglobeandmail.com/servlet/story/LAC.20080724.RCREDITCARDS24/TPStory/National
[Editor's Note (Schultz): If this turns out to be true, this will not be the last case where this happens. While many of us find the airline's kiosks of great value, they are often placed in locations where they are not in plain view and are able to be tampered with. The same thing applies to many of the card readers at gas stations that are out of sight. ]
MISCELLANEOUS
Rogue SF Network Admin Gives Up Passwords (July 23 & 24, 2008)
Terry Childs, the network administrator accused of hijacking the city of San Francisco's computer network, has surrendered the access passwords he created that locked users out of the system. Childs had refused to give up the passwords, but a visit from San Francisco Mayor Gavin Newsom convinced him to reveal them. In addition to allegations of hijacking, Childs has been accused of installing software to allow remote access to the system and planting a program to delete files during scheduled system maintenance. The judge denied a request to lower Childs's bail.
-http://www.theregister.co.uk/2008/07/23/sf_admin_gives_passwords/print.html
-http://www.theregister.co.uk/2008/07/23/sf_admin_stays_jailed/print.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209600496
[Editor's Note (Honan): You should never rely on only one person having complete administrative access to your systems or networks as not all DR plans can rely on the local mayor to recover the passwords. So ask yourself whether your network is owned by the business or 0wned by IT and react accordingly. ]
Spam King Kills His Wife and Child (July 25, 2008)
"Spam King" Edward "Eddie" Davidson, a convicted spammer, fatally shot his wife and young daughter in an apparent murder-suicide Thursday while being sought after escaping prison last weekend, authorities said.
-http://www.usatoday.com/tech/2008-07-25-spam-king-slaying_N.htm?csp=34
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/