SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #80
October 10, 2008
* Update on The Coolest Jobs in Cyber Security. Even if you reviewed the jobs list earlier this week and offered commentary, please take 2 minutes to add your ratings of which jobs you think are coolest. http://www.surveymethods.com/EndUser.aspx?98BCD0CF99DECFC2
* Valuable new web page. The job that is coming out on top in the "coolest jobs" competition is forensics. Rob Lee and the other top guns in forensics have put together a wonderful new web page for people interested in the leading edge of forensics at http://forensics.sans.org/ Those leaders will also be discussing the lessons they have been learning from the nation-state attacks and more at next week's Forensics summit http://www.sans.org/info/34088
* Research question. Has anyone done a comparison showing what IPSonar does that cannot be done with nmap? Email apaller@sans.org if you have. Thanks in advance.
Alan
TOP OF THE NEWS
US Army Program Seeks Out Unauthorized ApplicationsClickjacking Proof-of-Concept Demos Posted
Quantum Encryption-Protected Network Debuted at Conference
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONSMan Admits Role in Phishing Scheme
Alleged Palin eMail Hacker Indicted
SPAM, PHISHING & ONLINE SCAMS
Temporary Drop in Spam Volume Linked to Atrivo Going Offline
Spammers Ordered to Pay US $236 Million
ACTIVE EXPLOITS, WORMS & VIRUSES
Asus Acknowledges That Malware Shipped on Eee Box Computers
UPDATES AND PATCHES
Microsoft to Issue Eleven Security Bulletin On October 14
DATA LOSS & EXPOSURE
Contractor Allegedly Accessed Shell Oil Employee Database
MISCELLANEOUS
Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
US Army Program Seeks Out Unauthorized Applications (October 7, 2008)
The US Army Information Management Support Center has put software on 11,000 desktop computers that will detect unauthorized applications. Any ones discovered are reported to the Configuration Control Board, which also lets the user know what has occurred. In some cases, users have the opportunity to explain why the application is on the computer. If the application is deemed unnecessary, it can be removed remotely.-http://www.networkworld.com/news/2008/100708-army-desktop-software.html?fsrc=net
flash-rss
[Editor's Note (Ulrich): This is a great attempt to finally make "whitelists" work. I hope the US Army staff will share the lessons they learn. In my opinion, we should all focus more on lists of software we want to see on our systems, vs. the classic anti-malware approach of using incomplete lists of software we do not want.
(Pescatore): This can be a very effective approach to providing balance between strict security (lockdown) and letting users install whatever they want (chaos) but a responsive process to deal with discovered applications rapidly requires a high level of staffing. Backing it up with an "uber-whitelist" of applications that are known to be safe (not just known to be owned by the enterprise) and don't require rapid removal is key, but in today's world the "grey list" of unknown applications that users install is growing larger and larger.
(Weatherford): If the Army Information Management Support Center can determine what "unauthorized" software is, they've obviously already identified the "authorized" software category. So why let users install "unauthorized" software at all? I envision a weekly Configuration Control Board "Captains Mast" where users are hauled before a panel of judges in funny wigs and given "the opportunity to explain why the software is on their desktop." Wouldn't it be easier to just not allow users to install software in the first place, with a process for gaing official permission? ]
Clickjacking Proof-of-Concept Demos Posted (October 7, 8 & 9, 2008)
More information about clickjacking vulnerabilities has been released. Two researchers had planned to talk about the attack technique several weeks ago, but decided to postpone the greater part of their talk to allow vendors time to address the flaws in their products. This week, proof-of-concept demonstrations of the attack technique were posted to the Internet. The most recent version of NoScript, the Firefox add-on, protects users from being tricked by clickjacking attacks.-http://blogs.zdnet.com/security/?p=2005&tag=nl.e539
-http://news.zdnet.co.uk/security/0,1000000189,39500483,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116638&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116800
-http://www.vnunet.com/vnunet/news/2227827/adobe-warns-clickjacking
[Editor's Note (Northcutt): I love NoScript,the plugin for Firefox that allows you to choose whether to run scripts from a given web site, but am not sure that it protects fully against clickjacking. Some web sites simply require that you run scripts. If you want the information or services from those websites, you have to allow scripts, and at that point I expect you are vulnerable.
(Honan): More details of this problem can be found at Jeremiah Grossman's blog
-http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-
hear.html.
As Jeremiah points out in his post this vulnerability can be used to eavesdrop on peoples conversations using their PC microphones which could have ramifications for industrial espionage and national security. Kudos to Adobe, Jeremiah and R-Snake on how they handled this issue. ]
Quantum Encryption-Protected Network Debuted at Conference (October 9, 2008)
Scientists at the SECOQC conference in Vienna, Austria demonstrated the first computer network protected by quantum key distribution. The six nodes of the network are connected by fiber optic cables. The essence of quantum key distribution relies on the Heisenberg Uncertainty Principle, which says that quantum information cannot be measured without disturbing it; therefore, if someone were to eavesdrop on communication protected by quantum encryption, the key would be altered, alerting the recipient that the communication had been intercepted.-http://news.bbc.co.uk/2/hi/science/nature/7661311.stm
[Editor's Note (Northcutt): I think they are talking about quantum key distribution which has been around for a while. NIST has a neat writeup:
-http://www.nist.gov/public_affairs/releases/quantumkeys_background.htm
Here is the description from the conference:
-http://www.secoqc.net/html/conference/
And here is a paper from 2007:
-http://w3.antd.nist.gov/pubs/892-papers/Quantum%20Key%20Distribution%20Network.p
df]
************************* SPONSORED LINK ******************************
1) Attend the Forensics and Incident Response Summit October 13-14 in Las Vegas to learn about the latest tools and techniques. http://www.sans.org/info/34088
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Man Admits Role in Phishing Scheme (October 7 & 9, 2008)
Sergiu Daniel Popa of Romania has admitted that he was part of a phishing scheme that stole US $700,000 over a three-year period. He pleaded guilty to possession of unauthorized access devices and aggravated identity theft. Popa lived in the US for nearly seven years; he was extradited from Spain in June to face the charges. Popa faces up to 10 years in prison and a US $500,000 fine. According to his plea agreement, Popa stole identities of more than 7,000 people.-http://www.theregister.co.uk/2008/10/09/romanian_phishing_guilty_plea/
-http://www.startribune.com/local/30566739.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ck
UiD3aPc:_Yyc:aU7EaDiaMDCiUT
Alleged Palin eMail Hacker Indicted (October 8 & 9, 2008)
A federal grand jury has indicted Tennessee college student David Kernell on one count of accessing a computer without authorization for allegedly breaking into Alaska Governor Sarah Palin's Yahoo! email account. Kernell has pleaded not guilty; if he is convicted, he could face up to five years in prison and a US $250,000 fine. The attacker used the password reset feature to gain access to Governor Palin's account and posted several of the email messages online. Information from a proxy service used by the attacker linked the suspicious activity to Kernell through an IP address.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116606&source=rss_topic17
-http://news.bbc.co.uk/2/hi/americas/7661117.stm
-http://knoxville.fbi.gov/dojpressrel/2008/kxhacking100808.htm
[Editor's Note (Veltsos): As hacker feats go, this was no rocket science. Most web-based email provider use the same weak authentication mechanisms when processing a reset password request: they ask for account details that are easily obtainable for anyone with a public personae (in Palin's case, birthday, zip code, where she met her spouse). Anyone using a web-based email account is vulnerable to the same kind of account hijacking. ]
SPAM, PHISHING & ONLINE SCAMS
Temporary Drop in Spam Volume Linked to Atrivo Going Offline (October 9, 2008)
According to a report from Message Labs, when upstream providers cut off service to California-based Internet service provider (ISP) Atrivo, the amount of detected spam and botnet activity dropped significantly for several days. Atrivo was notorious for providing service to numerous scammers and cyber criminals. The decline will likely be short-lived as the scammers search out alternate providers, but the temporary downward spike indicates that the charges leveled at Atrivo were on the mark.-http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_
atr.html?nav=rss_blog
[Editor's Note (Honan): The Altrivo case demonstrates how the community can act together to make the Internet a safer place for all. In the real world businesses with bad reputations or unethical business practises are ostracised, we should apply the same standards to businesses on the Internet.]
Spammers Ordered to Pay US $236 Million (October 8, 2008)
A US District Judge in Iowa has ordered Henry Perez and Suzanne Bartok of Arizona to pay US $236 million for sending millions of unsolicited commercial emails. Robert Kramer the owner of Iowa-based CIS Internet Services, sued Perez and Bartok, who ran a company called AMP Dollar Savings, for inundating his network with spam. Perez and Bartok used a program called "Bulk Mailing 4 Dummies" to send out messages that advertised home mortgage refinancing.-http://www.theregister.co.uk/2008/10/08/mom_and_pop_spammer_judgement/
ACTIVE EXPLOITS, WORMS & VIRUSES
Asus Acknowledges That Malware Shipped on Eee Box Computers (October 9, 2008)
Asus is warning its customers in Japan of malware on recently shipped Eee Box desktop computers running Windows. The virus resides on the D drive in a file called recycled.exe. When the D drive is opened, the virus starts copying itself onto the C drive and all connected USB media. Asus has not said how the malware came to be on the drive. The malware is old enough that it should be detected by most anti-virus programs.-http://www.heise-online.co.uk/security/Asus-warns-of-a-virus-infection-in-shippi
ng-Eee-Boxes--/news/111691
-http://blogs.zdnet.com/security/?p=2016
-http://www.vnunet.com/vnunet/news/2227855/asus-warns-infected-eee-box-pcs
UPDATES AND PATCHES
Microsoft to Issue Eleven Security Bulletin On October 14 (October 9, 2008)
Microsoft plans to release 11 security bulletins on Tuesday, October 14. The updates will address vulnerabilities in Windows, Active Directory, Internet Explorer, Office and Host Integration Server. Four of the bulletins have maximum severity ratings of critical, six are rated important and one is rated moderate. The vulnerabilities include remote code execution, elevation of privileges and information disclosure.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116818&source=rss_topic17
-http://www.microsoft.com/technet/security/Bulletin/MS08-oct.mspx
DATA LOSS & EXPOSURE
Contractor Allegedly Accessed Shell Oil Employee Database (October 6, 7 & 8, 2008)
Shell Oil has warned its employees that their personal information may have been compromised. An employee of a third-party contractor working on-site for Shell was escorted off the premises after it emerged that the individual had allegedly accessed a database containing personally identifiable information of most current and former Shell employees. Shell has noted that in four instances, employee's Social security numbers (SSNs) were used to file phony unemployment claims. Shell has terminated its contract with the third-party company.-http://www.theregister.co.uk/2008/10/07/shell_oil_database_breach/
-http://news.zdnet.co.uk/security/0,1000000189,39499984,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=cybercrime_and_hacking&articleId=9116421&taxonomyId=82&ints
rc=kc_top
[Editor's Note (Schultz): Although no organization savors the thought of an incident of this nature occurring, it appears that to its credit, Shell Oil at least had sufficient monitoring procedures to be able to detect such incidents.
(Pescatore): This appears to be an authorized user (it has no real bearing that it was a contractor) with legitimate access rights doing unauthorized things with some of the sensitive data. This is where access controls don't help and when such small quantities of data are being retrieved, data base activity monitoring and data loss prevention alerts may not have been effective, either. The most likely approach to reducing this type of thing (elimination is not realistic) is having employee agreements and vendor contracts that have financial liability clauses that go beyond termination of employment or contract. ]
MISCELLANEOUS
Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information (October 11, 2008)
The UK's Ministry Of Defense has admitted to losing a portable hard drive which contained the personal details of up to 1.5 million pieces of information including details of over 100,000 active service personnel and 600,000 recruits. The missing disk was not encrypted. Of particular concern is the missing data include details on personnel who served in Northern Ireland and may be terrorist targets. The lost information includes details such as individuals' passport numbers, addresses, date of birth and in some cases banking details. The portable disk was being held by the main IT contractor for the MOD, EDS. EDS reported the drive missing after a priority report was carried out on October the 8th. Over the past four years over 658 laptops have gone missing from the MOS with 26 memory sticks containing sensitive information missing since January 2008.-http://news.bbc.co.uk/2/hi/uk_news/7662604.stm
-http://www.theregister.co.uk/2008/10/10/mod_data_loss/
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
