Ooops: A lot more people than we expected have signed up for the Penetration Testing Summit (Las Vegas -March 17-18). More than 75% so far are actual penetration testers, but the Summit will be even more valuable to security managers who buy penetration testing, because they will learn what works and what doesn't. Without this knowledge they are at the mercy of testers with often out-of-date processes and tools. Please let the person who oversees penetration testing in your organization know about this program so he/she can get a seat before it fills up. Ed Skoudis has put together an impressively up-to-the-minute program for this Summit. http://www.sans.org/pentesting08_summit/
One of the very popular new areas on SANS' website is Stephen Northcutt's Thought Leadership interview series. We would love your feedback on it - other people to interview, ways to make it better. In the latest installment, Stephen interviews Pari Networks' Kishore Kumar on the convergence and challenges in managing network operations/configuration, security assessments/remediation and regulatory/corporate compliance. http://www.sans.edu/resources/securitylab/pari_networks_kumar.php Email comments to Stephen@sans.edu
Alan
************************************************************************* SANS NewsBites January 25, 2008 Volume: X, Issue: 7 *************************************************************************
Are you vulnerable to a SQL Injection attack? SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems! Download this HP Software white paper and learn how to protect your applications today. http://www.sans.org/info/22909
White House Wants Immunity for Telecoms in Government Surveillance Cases (January 24, 2008)
Telecommunications companies that help federal investigations with network surveillance will be granted liability protection, if the White House has its way. A White House news release says that granting the companies "liability protection is critical to the ongoing effort to protect the nation from another catastrophic attack." The concern is that without liability protection, telecoms would be reluctant to help the government with its surveillance requests. The companies would not be required to make sure the government's requests are legal. -http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205918006 [Editor's Note (Ranum): The rule of law means nothing if the king can grant immunity to those he has asked to break the law on his behalf. (Liston): The only reason to want immunity is if you're worried something is going to come back to haunt you. The underlying message here is that the Telcos don't trust that what the Government is doing is proper or legal. Doesn't that say something very important? (Paller): I don't think this is about the rule of law or about acting illegally. It is about the difficulty of interpreting personal privacy rights. Fascinating studies show that individuals often place wildly different values on their personal privacy, based on the context. With that level of uncertainty, if government asks a company to process information about individuals, that government must protect the processor from lawsuits based on umbrage someone takes or the distrust someone feels for government. The long term solution is to get Congress to establish an unequivocal definition of privacy rights and the government's rights with respect to processing personal information; I don't see it happening. ]
Harada Trojan Writers Charged with Copyright Violations (January 24, 2008)
Police in Japan have arrested three people who allegedly created a Trojan horse program known as Harada and distributed it over the Winny filesharing network. There are no applicable cyber crime laws in Japan, so the three were arrested for copyright violations; the Trojan allegedly used images of a known anime character to lure users into downloading it, and it erases MP3 and movie files from infected machines. -http://www.news.com/8301-10789_3-9857568-57.html -http://www.theregister.co.uk/2008/01/24/japanese_vxer_arrests/print.html [Editor's Note (Skoudis): This sounds like the cyber equivalent of going after Al Capone for tax evasion. I'm sure we'll see more clever applications of older legal concepts in cyber crime prosecution in the near future. (Liston): When the best violation of law you can come up with for distributing a Trojan that deletes files is "Copyright Violation," some might see that as a wake-up call for some new legislation. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DoE IG Looks to Unify Cyber Security Practices (January 22, 2008)
In fiscal 2006, the US Department of Energy (DoE) experienced 132 security breaches serious enough to be reported to law enforcement agencies. That marked a 22 percent increase over the figure for the previous year. The 69 organizations within the department use a variety of incident reporting formats, and important data about the attacks are not always stored. A report from DoE Inspector General (IG) Gregory Friedman recommends that all organizations within DoE use a common cyber incident management strategy; that cyber security policies be consistently developed and revised across the department; and that DoE cyber security incident response be tested and evaluated. -http://www.fcw.com/online/news/151398-1.html?type=pf [Editor's Note (Kreitner): When we have a commercial airliner incident, an NTSB team is deployed to the accident scene to conduct a thorough investigation with a causality and feedback-for-improvement orientation, so that lessons learned about the cause of the incident can be fed back into aircraft design and airline operations to reduce the probability of recurrence of an incident from the same cause. Federal cybersecurity policy guidance in the National Infrastructure Protection Plan and the supporting IT Sector Specific Plan could use strengthening by way of a commitment to the same methodology. Most current cybersecurity policy guidance relating to incidents focuses mainly on recovery/reconstitution. Although that focus is important, I fear much valuable learning from incidents is not occurring, or when it is, not being shared widely enough. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaw in Firefox Exposes System Information (January 23 & 24, 2008)
MSN Trojan Adapts Language to Dupe Users (January 23, 2008)
A Trojan horse program spreading through MSN Messenger changes the language of its message lure to match the language of the targeted computer's operating system. The message, which pretends to direct recipients to MySpace or Facebook pages, tries to get users to visit maliciously crafted sites. -http://www.channelregister.co.uk/2008/01/23/polyglot_msn_worm/print.html
Vulnerability in HP Virtual Rooms (January 22, 2008)
OmniAmerican Bank Customer Data Stolen, Used Fraudulently (January 24, 2008)
OmniAmerican Bank president Tim Carter has acknowledged that attackers broke into the bank's computer system and stole sensitive customer account data. Armed with the information, they created phony debit cards, established new PINs, and used the phony cards to make cash withdrawals from ATMs in Eastern Europe, the UK, Canada, and the US. Fewer than 100 accounts were affected by the data theft and subsequent fraud. Carter said that no depositor will lose money. Once the Fort Worth, Texas-based bank learned of the fraud, it put limits on certain card transactions and limited ATM withdrawals to within Texas. -http://www.star-telegram.com/business/story/429367.html
A woman who suspected she was going to be fired from her job at an architectural firm has been accused of deleting seven years' worth of blueprints and drawings estimated to be worth US $2.5 million. Marie Lupe Cooley is the only person besides her boss who has full access to the files on the system. She has been arrested and charged with causing damage to computer files in excess of US $1,000, which is a felony. The owner of the firm says he was able to recover the files with the help of a consultant. The woman believed she was going to lose her job because she read a job description in the help wanted section of a paper that matched her duties and contained her employer's email address. However, her employer's wife was seeking an assistant for her business. -http://www.foxnews.com/story/0,2933,325285,00.html -http://news.jacksonville.com/justin/2008/01/22/help-wanted-ad-plus-paranoia-plus-spite-equals-sabotage/ -http://www.channelregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/ [Editor's Note (Kreitner): This scenario illustrates the need for broad application of the separation of duties principle--not granting any one person access to both online files and the backups of those files? (Liston): $2.5 million worth of data and no off-site backup? Perhaps the firm should put Marie's replacement in charge of setting that up. ]
UK Ministry of Justice Data on Missing CDs (January 23, 2008)
The UK Ministry of Justice is the latest Department to report a data loss. Four CDs sent by mail contain information about 55 defendants in magistrate court cases who had failed to turn up for their court dates. The disks may also hold information about crime victims and witnesses. The information was on the disks because the Ministry of Justice is investigating claims that magistrates were dropping cases when defendants failed to show. The disks were mailed in mid-December but never arrived at their intended destination. -http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=509817&in_page_id=1770
Futures Trader at French Bank Causes Billions in Losses (January 24, 2008)
A futures trader at the French bank Société Générale allegedly bypassed established computer control systems to generate fictitious financial transactions that caused 4.9 billion Euros (US $7.2 billion) in losses for the bank. The bank has lodged a complaint against Jerome Kerviel with French prosecutors. The complaint against him alleges falsification of banking records, fraudulent use of the falsified records, and computer fraud. He began working at Société Générale in August 2000. There will also be an investigation at the bank to determine how the alleged perpetrator circumvented established internal controls. -http://online.wsj.com/article/SB120115814649013033.html?mod=djemalertNEWS [Editor's Note (Pescatore): This is a nice example of the authorized user doing authorized stuff to commit pretty impressive fraud. The patterns of activity seem to be similar in many of these large fraud cases - case-based reasoning systems have been effective in other environments in detecting such patterns but a lot of work still needs to be done to apply such techniques to internal transactions. (Honan): This is a prime example of how trusted insiders can circumvent controls and cause damage. Ensure you regularly review and check the effectiveness of your internal controls. (Northcutt): The really chilling statement is that this trader, Kerviel, had intimate knowledge of the bank's controls which allowed him to avoid them. Apparently, the loss of his father took him over the edge: -http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/01/25/bcnkerviel325.xml ]
GUEST EDITOR CRAIG WRIGHT ON CRYPTO KEY APPEAL
Northcutt: Since so many of us depend on crypto keys for so many things, I asked Craig Wright GIAC GSE, an academic attorney in Australia, and a guy who really knows security -- he holds almost every GIAC certification -- to weigh in. Needless to say, NewsBites does not offer legal advice, but we strive to give you the information to prepare you to ask your legal departments the right questions. I think this story impacts all of us in two dimensions: the crypto key we use for our personal stuff and the cryptography we use in our organizations. In either case, the argument for strong passphrases keeps getting more persuasive for a number of reasons. Here is the original NewsBites story:
Federal Government Appeals Judge's Decryption Key Decision (January 16, 2008) The federal government has appealed a decision by a judge in Vermont that has prevented a man from divulging the password necessary to decrypt his computer. Magistrate Judge Jerome J. Niedermeier said that to force an individual to enter the password into his computer is a violation of the Fifth Amendment, which grants protection from self-incrimination. The case involves a Canadian citizen with legal residency in the US whose computer was found to contain child pornography. The computer was seized, but the government has been unable to access data in drive Z because it is protected by PGP encryption. (please note this site requires free registration) -http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_pf.html -http://www.heise-security.co.uk/news/101935
Guest Editor Comment (Wright): The US Federal Government decision to appeal the Vermont "Decryption Key Decision" of Judge Niedermeier (January 16, 2008) really hinges on two issues, the key and the passphrase. PGP drive encryption is protected using a private key and a passphrase protects the key. These are both issues that are analogous to existing case law.
The issues come from the court's prior decision that by unlocking the combination lock of a suitcase a defendant consented to a search [United States v. Cox, 762 F. Supp. 145 (E.D. Tex. 1991)]. In the initial search, the Canadian man handed investigators the system unlocked. This in effect mitigated his US 4th Amendment protections. Further, the Supreme Court explicitly stated that their opinion does not apply to private papers, leaving open the question of whether a person could be bound to turn over a journal or diary if there were mere evidence of a crime [425 U.S. 391 (1976) at 414], and this could be extended to the PC.
At this point the need to do forensic captures on live systems and use memory forensics to find previously entered passphrases is amply demonstrated.
The issue in dispute comes from Doe v. United States [487 U.S. 201 (1988)]. The court considered a comparison between being compelled to surrender a key to a strongbox containing incriminating documents and being compelled to reveal the combination to a wall safe. It was decided that forcing the combination to the wall safe would be a testimonial act, while surrendering the key to a strongbox would not be a testimonial act. As such, the US government can force the surrender of a key, but not the surrender of a combination.
To align this with the current case we can see the private PGP key as being functionally equivalent to the strongbox and the PGP passphrase to be analogous to the wall safe combination. What this in effect means is that the US government investigators have the right to the PGP Private Key but not to the passphrase that protects the key. If the PGP Passphrase is strong, it will resist efforts to crack it. If it is a simple password, the key MAY be enough.
It was stated in Doe v. United States that "A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed." [487 U.S. 201 (1988) at 210 n.9].
The problems in the case have come from the interchangeable use of "password" and "key" by the attorneys. The US Government has the right to the private key without the password (or passphrase) but has no right to force the passphrase to the key. A further key point highlighted by this case is the need to train lawyers in the correct use of technical terms.
LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at Harris Corporation WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKERS: Alan Paller and Ronda Henning -http://www.sans.org/info/21659 Sponsored By: Secure Computing
The company that handles information security for major broadcast networks and such government agencies as the FAA, needed a very robust, very secure and very flexible firewall platform that could be tailored and customized to address both new and ancient legacy protocols and applications. Denial of service was a significant concern for Harris Corp. clients so the company turned to a solution that provided a highly available and high performance firewall.
How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit? What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database? These and other questions will be answered when, on Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.
We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common? Answer: They were all milestones in the evolution of hacking and information security.
Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including:
- The early days of phone phreaks and bulletin boards
- The growth of hacker gangs and 2600: The Hacker Quarterly
- The 75-cent accounting error that led to an international crime investigation
- Bill Cheswick's evening with "Berferd"
- The first malware and Trojan horse programs
At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKERS: Alan Paller and Gregory Henry -http://www.sans.org/info/22559 Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Dr. Eric Cole -http://www.sans.org/info/20057 Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005 WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Jerry Shenk -http://www.sans.org/info/20052 Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christopher O'Keefe, CPC