Friday, February 27, 2009

Free GIAC Certification with SANS OnDemand Training

Sign up for any SANS OnDemand course before Friday, March 13, 2009, and
you'll receive the corresponding GIAC certification attempt for free (a
$499 value)! To register for this offer, simply go to
http://www.sans.org/info/38839 and use the discount code OD_GIAC.

Also for this limited time, receive the corresponding GIAC
Certification/S.T.A.R. attempts free with any OnDemand Flex Pass! Go to
http://www.sans.org/info/38844 for information on our OnDemand Flex
Passes.

According to student feedback, SANS OnDemand - Online Training and
Assessments is simply one of the best tools to prepare for the GIAC
exams.

"I have several GIAC certs. My highest exam scores are from when I use
OnDemand training." - Brad Fulton, SMS Data Products

Not sure online training is for you? Try any of our OnDemand course
demos at http://www.sans.org/info/38839.

With SANS OnDemand, students receive:
* 4-months access to our comprehensive 24/7 online training and
assessment system
* A full set of course books and hands-on CDs and/or downloadable .mp3
audio files - all for you to keep even when your online access expires
* Synchronized online courseware and lectures
* Integrated assessment quizzes throughout the course
* Access to OnDemand Virtual Mentors
* Labs & hands-on exercises
* Progress Reports

Sometimes the realities of limited travel budgets or the difficulty of
being out of the office or home for a week make it impossible to attend
a live training event. With SANS OnDemand online training and assessment
program, you have access to SANS' high quality, intensive, immersion
training at your convenience - anytime, anywhere.

If you have any questions about SANS OnDemand, write to
ondemand@sans.org or call us at (301)654-7267 [Monday - Friday, 9:00
a.m. - 8:00 p.m. Eastern Standard Time].

And remember that every SANS OnDemand purchase earns you points towards
future OnDemand training! http://www.sans.org/info/38834

Be sure to tell your friends and colleagues about this great opportunity!


Kind Regards,

Kimie Cabreira
Director
SANS OnDemand

**************************

SANS is pleased to announce our new Training and Events Calendar - an
easy way to see what opportunities are available to you during the
coming month! The current calendars are now available for download from
http://www.sans.org/info/7926. For another option, consider SANS' seven
ways to Train Without Travel at: http://www.sans.org/info/28689.

SANS' Webcasts are free live Web broadcasts that allow you to hear a
knowledgeable speaker while viewing presentation slides that you
download in advance. To learn more or to subscribe to our Webcast
calendar go to http://www.sans.org/info/13271.

Tuesday, February 24, 2009

Crimeware

Crimeware is malicious software used to commit a crime, typically one that is Internet-based. During the past two years, crimeware attacks have increased at a far greater rate than ordinary viruses. International gangs of virus writers, hackers and spammers are joining forces to steal information and collect huge profits illegally.

A classic example of crimeware is a backdoor keylogger trojan that collects keystroke information and transmits it back to an attacker.

For example, a bank login ID and password may be collected and sent back to an attacker. The attacker typically will use this information in order to collect illegal profits.

Ransomware is another form of crimeware. In this case, a malicious Trojan encrypts files on an unsuspecting user's hard drive. Once the files are encrypted the Trojan then displays a message, or leaves behind a ransom note demanding money from the user for the decryption key.

Given the newness of this threat type, and the potential of how it might evolve in the future, further clarification and dissection of the definition of crimeware will likely be required.

SANS NewsBites Vol. 11 Num. 15

Cool new gift to the security community from the folks at the Internet
Storm Center: a daily summary of information security events as a 5-10
minute "stormcast". See: isc.sans.org/podcast.html, or search iTunes
for "Stormcast". Each Stormcast is made available between 0 and 3am GMT
(so it is ready for many readers for a morning commute).

The sleeper story of the year is the first one. The CAG will
revolutionize first federal and defense industrial base cyber security,
then security product procurement, and then (very quickly) banking
security and critical infrastructure security. If you work in any place
with data that really matters, test your current controls against what
is published in the CAG (don't check whether you have policies, rather
use the measures of effectiveness in the CAG to test the quality of your
controls.) For consultants, the biggest new business opportunities will
go to the large consulting companies who are first to make the
transition from FISMA reporting or ISO auditing to CAG implementation
and testing.

Alan
*************************************************************************
SANS NewsBites February 24, 2009 Vol. 11, Num. 15
*************************************************************************
TOP OF THE NEWS
US Consortium Releases Consensus Security Audit Guidelines
Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research
Proposed Legislation Would Require Retention of Internet Use Data for Two Years
Another Payment Processor Security Breach
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Starbucks Facing Lawsuit Over Laptop Theft
POLICY AND LEGISLATION
Pending NZ Copyright Law Put On Hold
VULNERABILITIES
US-CERT Warns of Proxy Server Flaw
DATA BREACHES, LOSS & EXPOSURE
Three Breaches at Univ. of Florida Gainesville in as Many Months
ATTACKS & ACTIVE EXPLOITS
Targeted Attacks Exploit Unpatched Adobe Flaw
Unauthorized Patch Posted for Adobe Flaw
STUDIES AND STATISTICS
More Than Half of Former Employees Took Company Data

************************* Sponsored By Q1 Labs **************************

Leverage Log Management to Boost Your Enterprise IT Security: Collect
and manage event logs from your entire IT infrastructure; Effectively
reduce and prioritize millions of network and security events; Quickly
and easily search and report on events in real time and over an extended
period of time. A COMPLIMENTARY WHITE PAPER FOR SANS READERS:
http://www.sans.org/info/38964
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/

- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
--US Consortium Releases Consensus Security Audit Guidelines
(February 23, 2009)
A consortium of security experts from government and industry has
released the Consensus Audit Guidelines (CAG), a list of 20 controls
that government and private industry organizations must implement to
protect against and mitigate the effects of cyber attacks. For each
control, the CAG details attacks that it stops or mitigates, how to
implement and automate the control, and how to determine whether the
control is implemented effectively. The CAG consortium includes the
organizations that know how actual attacks are being executed (NSA Red
and Blue teams, US-CERT, DC3, DoE Nuclear labs, and more). The CAG is
available for public comment through March 23, 2009. The full guidelines
may be found at: http://www.sans.org/cag/
http://www.theregister.co.uk/2009/02/23/cybersecurity_gold_standard/
http://news.cnet.com/8301-1009_3-10169583-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://fcw.com/Articles/2009/02/23/cyber-controls.aspx
http://federaltimes.com/index.php?S=3957648
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=214502467&subSection=News
[Editor's Note (Northcutt): I hope you will take a few minutes out of
your busy day and take a look at these. You are going to see some
initials to the left of the controls. QW stands for Quick Win. The big
suggestion I have is to look over the quick wins and see if you can get
a few of those in place. Great job on these and I hope we start to see
thought leaders take advantage of this.]

--Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research
(February 20, 2009)
A bill currently before the Nevada state legislature would effectively
criminalize the activity of people researching radio frequency
identification (RFID) security threats. The bill's sponsor plans to
introduce amendments to ensure it will not affect people conducting
legitimate research. Currently, the bill makes it a felony to "possess,
read or capture another person's personal identifying information
through radio frequency identification." Nevada hosts two well-known
conferences, Defcon and Black Hat, at which demonstrations of RFID
weaknesses are likely events.
http://www.theregister.co.uk/2009/02/20/nevada_rfid_skimming_bill/
http://news.cnet.com/8301-1009_3-10168749-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.leg.state.nv.us/75th2009/Bills/SB/SB125.pdf

--Proposed Legislation Would Require Retention of Internet Use
Data for Two Years
(February 20, 2009)
US legislators have introduced a bill that would require extensive
logging of Internet use. The proposed legislation aims to help police
with investigations. All ISPs and wireless access point operators would
be required to retain logs of users' activity for a minimum of two
years. The law would apply not only to large ISPs, but also to private
homes that have wireless access points or wired routers that use the
Dynamic Host Configuration Protocol as well as small businesses,
libraries, schools and government agencies.
http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech
[Editor's Note (Northcutt): That is really nifty, an economic stimulus
package for disk drive manufacturers! Seriously, this is a dumb idea,
fraught with problems, how are we going to collect that volume of
information, then how do we protect it and what do we do when it is
misused.
(Ranum): Absurd. Basically, they are proposing to require extensive
logging of usage patterns for every single internet access point in the
US. It amounts to an enormous unfunded mandate to home users,
cybercafes, airport wireless terminals, hotels, etc. The malefactors
targeted by this law - presumably child porn traders and terrorists and
whatnot - would be able to easily hide their actions anyway.
(Ullrich): At the ISC, this issue has been the focus of our reader
comments this week. I would like to quote one of them, provided by Jerry
Rose: "This is like the difference between policies and procedures. The
law needs to be like policies. It must be worded to stand the test of
time - independent of changing technologies. Procedures must change
often in order to keep up with technological changes. This would be
represented by the method of prosecution of a defendant."]

--Another Payment Processor Security Breach
(February 23, 2009)
Advisories on the websites of several financial institutions suggest
that a cyber security breach has occurred at an as yet unnamed card
payment processor; this incident is separate from the Heartland Payment
Systems breach. The Tuscaloosa Federal Credit Union issued a statement
saying that "while it has been confirmed that malicious software was
placed on the processor's platform, there is no evidence that accounts
were viewed or taken by the hackers." The compromised data in this
breach include account numbers and expiration dates of payment cards
used in card-not-present transactions over the course of the last 12
months. Visa and MasterCard have started notifying banks affected by
the breach.
http://www.securityfocus.com/brief/913
http://www.databreaches.net/?p=1686
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128429&source=rss_topic17
http://www.alabamacu.com/moreServices/idTheft.html
http://www.tvacu.com/tvacu/News.asp?111

********************* SPONSORED LINKS *********************************
1) What are the ten technical tips most penetration testers don't know
but should? Penetration Testing and Ethical Hacking Summit June 1-2.
http://www.sans.org/info/38969

2) Read Stephen Northcutt's interview with John Pirc of IBM on the topic
of Securing the Intelligent Network.
http://www.sans.org/info/38974
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--Starbucks Facing Lawsuit Over Laptop Theft
(February 23, 2009)
A Starbucks employee has filed a class action lawsuit against the
company in response to a data security breach that occurred on October
2008. A laptop containing the names, addresses and Social Security
numbers (SSNs) of approximately 97,000 Starbucks employees was stolen
last fall; the suit alleges fraud and negligence, and seeks an extension
of the one year of credit monitoring the company offered as well as
unspecified damages and assurances that Starbucks will be required to
undergo regular third party security audits.
http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html

POLICY AND LEGISLATION
--Pending NZ Copyright Law Put On Hold
(February 20 & 23, 2009)
New Zealand Prime Minister John Key has delayed the effective date of
an impending copyright law by one month due to physical and digital
protests that the proposed legislation goes too far. The law would
require Internet service providers (ISPs) to sever the connections of
individuals suspected of repeat copyright infringement. Prime Minister
Key is hopeful that by March 27 a "voluntary code of practice" can be
worked out; if not, Section 92A, as the amendment to the Copyright Act
is known, will be suspended.
http://news.cnet.com/8301-1023_3-10169519-93.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128330&source=rss_topic17

VULNERABILITIES
--US-CERT Warns of Proxy Server Flaw
(February 23, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning
about an architectural flaw in some proxy servers that could be
exploited by attackers to connect "to any website or resource the proxy
can connect to," including Intranets that should be off limits. Several
dozen products have been updated; administrators should ensure they have
installed the most recent versions to secure their networks.
http://www.kb.cert.org/vuls/id/435052
http://www.theregister.co.uk/2009/02/23/serious_proxy_server_flaw/

DATA BREACHES, LOSS & EXPOSURE
--Three Breaches at Univ. of Florida Gainesville in as Many Months
(February 22, 2009)
The University of Florida in Gainesville has reportedly experienced
three data security breaches in a three month period. The most recent
incident involved a server that allowed faculty to host online course
material and exposed personally identifiable information of 97,200
faculty, staff and students who were active at the university between
1996 and 2009. A breach in January of this year involved an LDAP
Directory Server configuration error and exposed personally identifiable
information of about 100 people. Finally, in November 2008, an
intrusion compromised personally identifiable information of more than
330,000 current and former College of Dentistry patients who had been
seen at the school since 1990.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9128398&taxonomyId=1&intsrc=kc_top

ATTACKS & ACTIVE EXPLOITS
--Targeted Attacks Exploit Unpatched Adobe Flaw
(February 19 & 20, 2009)
Targeted attacks exploiting an unpatched critical vulnerability in Adobe
Reader have been detected. The flaw is known to affect Adobe Reader
versions 8.1.3 and 9.0.0 running on Windows XP SP3; other versions of
Windows are likely to be vulnerable as well. Adobe Reader running on
OS X and Linux machines was not tested. Adobe has issued an advisory
warning of a critical buffer overflow vulnerability in both Reader and
Acrobat. Adobe plans to have patches ready for version 9 of the
programs by March 11, with patches for versions 8 and 7 to follow
shortly thereafter.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128278&source=rss_topic17
http://www.theregister.co.uk/2009/02/20/adobe_reader_exploit/
http://gcn.com/Articles/2009/02/20/PDF-zero-day-exploit.aspx
http://news.cnet.com/8301-1009_3-10168266-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.us-cert.gov/cas/techalerts/TA09-051A.html

--Unauthorized Patch Posted for Adobe Flaw
(February 23, 2009)
A vulnerability researcher has posted an unauthorized patch for a
critical buffer overflow flaw in Adobe Reader that is being actively
exploited. Adobe acknowledged the vulnerability last week and said it
would have a fix prepared by March 11. The homemade patch, a
replacement .dll, addresses only the Windows version of Adobe 9.0 and
offers no guarantees. The flaw affects versions 7, 8 and 9 of both
Adobe Reader and Adobe Acrobat. Users can also protect themselves from
attacks by disabling JavaScript.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128428&source=NLT_PM
[Editor's Note (Ullrich): Aside from the patch, a number of sources
posted scripts to disable javascript processing in PDFs. These scripts
may be a safer method to mitigate this exploit and some can be
implemented via group policy.
(Northcutt): This could be a very good time to try Firefox and NoScript:
http://noscript.net/ ]

STUDIES AND STATISTICS
--More Than Half of Former Employees Took Company Data
(February 23, 2009)
The Ponemon Institute interviewed 945 US adults who had been laid-off,
fired, or changed jobs within the last year and found that more than
half took company information with them when they left their former
positions. The rationales for taking the data included help getting
another job, help starting their own business, or simple revenge. All
of the participants in the survey had access to proprietary information,
including customer data, employee information, financial reports,
software tools and confidential business documents. The survey also
found that just 15 percent of the companies examined the paper and/or
electronic documents their former employees took with them when they
left.
http://news.bbc.co.uk/2/hi/technology/7902989.stm
http://www.theregister.co.uk/2009/02/23/insider_threat_survey/
http://news.cnet.com/8301-1009_3-10170006-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Schultz): What the Ponemon Institute's study did not
show is just how bad ex-employee activity can get after a company folds.
I have heard numerous accounts about computer crimes (including brazen
thefts of servers) by ex-employees that ostensibly occurred after High
Tower Software collapsed. Sadly, despite all the reported illegal
activity, no complaints have been filed with law enforcement, nor has
anyone been charged with any crime. ]

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

Top 3 IT Security Certifications

SecurityCerts.org, an organization that provides security certification information to security professionals, has chosen its top three security certifications for 2009.

The Certified Information Systems Security Professional (CISSP) came out on top. Offered by the International Information Systems Security Certification Consortium (ISC(2)), the well-known certification covers a wide area of information security.

Coming in at No. 2 was the SANS Institute Security Essentials Certification (GSEC). This certification focuses on security skills that can be leveraged in a security environment.

The Security+ certification came in at No. 3, and is considered to be for entry-level security professionals.

Upcoming Security Events

Black Hat

CanSecWest

CarolinaCon

CSI

Notacon

Security Opus

The Security Standard

ShmooCon

SOURCE Conference (Boston & Barcelona)

ToorCon

SANSFIRE 2009 in Baltimore, MD

SANS will be in Baltimore, MD for SANSFIRE 2009 on June 13-22 - once
again powered by the Internet Storm Center! We are assembling a program
that will surpass all past SANSFIRE events in terms of courses, talks,
vendor demonstrations, and opportunities for career advancement. At
SANSFIRE 2009 you will be provided with new information about new
threats, and you can acquire the solid foundation in InfoSec that you
need to stay on top of them. Why not choose SANSFIRE 2009 and Baltimore
as the backdrop for your training this summer?
(http://www.sans.org/info/38869)

The course schedule for SANSFIRE 2009 features a full lineup of SANS
classics in the disciplines of audit, security, management, and legal.

"SANS offers the real-world experience that other training venues
can't." - Tom Boyd, Medco

Turbo-charge your career! Consider one of these BRAND NEW cutting-edge
courses:
- IT Security Audit Essentials Bootcamp (AUD429)
- ITIL Essentials for Security Management (MGT435)
- Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting (SEC434)
- Secure Code Review for Java Web Apps (DEV534)
- Secure Coding in .NET: Developing Defensible Applications (DEV544)
- Developing Exploits for Penetration Testers and Security Researchers (SEC709)

Three NEW Forensics Courses!

- Computer Forensic and E-discovery Essentials (SEC408)
- Network Forensics (SEC558)
- Drive and Data Recovery Forensics (SEC606)

Register early for these best selling courses below to ensure you'll get
a seat!

- Security 401: SANS Security Essentials Bootcamp Style
- Security 504: Hacker Techniques, Exploits & Incident Handling
- Security 560: Network Penetration Testing and Ethical Hacking
- Security 508: Computer Forensics, Investigation, and Response
- Management 512: SANS Security Leadership Essentials for Managers with Knowledge Compression(tm)
- Management 414: SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
- Audit 507: Auditing Networks, Perimeters & Systems
- Security 503: Intrusion Detection In-Depth
- Security 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
- Security 301: Intro to Information Security
- Security 501: Advanced Security Essentials - Enterprise Defender - NEW
- Management 525: Project Management and Effective Communications for Security Professionals and Managers

To learn more about all the courses being offered at SANSFIRE 2009,
please visit http://www.sans.org/info/38874. There you will find a large
selection of classic and new courses.

Complete your SANS training experience with a GIAC certification
attempt! Many of our five- and six-day courses offered at SANSFIRE 2009
are associated with a GIAC Certification. Put the skills you'll learn
to practical use and join the thousands of GIAC certified professionals
who make the info sec industry safe! Visit
http://www.giac.org/info/38659 for more information and register for
your certification attempt today!

SANS training is well-known for being relevant and pragmatic. All SANS
instructors are industry leaders and experts who understand the
challenges you face on a daily basis. Their real-world experience
increases the practical value of the course material. Here are some
comments from SANSFIRE 2008 alumni:

"SANS is great about giving me both the knowledge and hands-on
experience needed to truly expand my security abilities and bring that
back to my job." - Brad Moore, A. Teichert & Son, Inc.

In addition to SANS courses held during the day, we offer you evening
events where you can learn about the new Web application honeynet. Come
and discover how to secure your service-oriented architectures and how
to deal with new forms of malware. At the evening talks the Internet
Storm Center incident handlers will provide extraordinary insights into
actual attacks that have taken place over the past year. These special
presentations are free to all registered attendees. You'll learn about
current threats and how the SANS Internet Storm Center can help you in
your fight against these threats. Nothing fosters information sharing
and trust building better than face-to-face meetings like SANSFIRE 2009.
Most of our volunteer incident handlers will be present at this event,
giving you unprecedented opportunities to get to know these fantastic
people.

"This was very good. There is a reason I come to SANS -- to really
learn something. Especially now that you guys do things for the
non-technical." - Pat Reddic, DTRA, another SANSFIRE 2008 alumnus

Classes will be held at the Hilton Baltimore. This full-service, upscale
hotel places you within walking distance of Baltimore's Inner Harbor,
Harborplace and the Gallery, Oriole Park at Camden Yards, and the
National Aquarium in Baltimore. Discounted rates are available for SANS
students, and they include complimentary high-speed Internet in your
guest room. The SANS rate of $197 S/D is available through June 13, so
take advantage of this special offer and make your reservations today!
http://www.sans.org/info/38879

"Getting hands-on experience with the latest tools and having fun
learning gives SANS an edge no other training organization has yet
mastered." - Jason Fowler, UBC

Get the training you need to work better and faster as a security
professional. Start making your training and travel plans now to join
us for SANSFIRE 2009! (http://www.sans.org/info/38869)

Kind regards,
Stephen Northcutt
President
The SANS Technology Institute, a postgraduate computer security college


Microsoft Security Advisory Notification - February 24, 2009

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 24, 2009
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (968272)
- Title: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/968272.mspx
- Revision Note: Advisory published
* Microsoft Security Advisory (967940)
- Title: Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
- Revision Note: Advisory published


Other Information
=================

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================
If you receive an e-mail message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious Web sites. Microsoft does
not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required to read
security notifications, security bulletins, or security advisories, or
to install security updates. You can obtain the MSRC public PGP key at
https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

To receive automatic notifications whenever Microsoft Security
Bulletins and Microsoft Security Advisories are issued or revised,
subscribe to Microsoft Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

(IN)SECURE Magazine Available for Download...

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

This issue was very interesting, I was typically taken to the topics discussing BackTrack4 and President Obama's vision of government information technology.

Enjoy, I know I did...

Issue 20 has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Improving network discovery mechanisms
- Building a bootable BackTrack 4 thumb drive with persistent changes and Nessus
- Review: SanDisk Cruzer Enterprise
- Forgotten document of American history offers a model for President Obama's vision of government information technology
- Security standpoint by Sandro Gauci: The year that Internet security failed
- What you need to know about tokenization
- Q&A: Vincenzo Iozzo on Mac OS X security
- Book review - Hacking VoIP: Protocols, Attacks and Countermeasures
- A framework for quantitative privacy measurement
- Why fail? Secure your virtual assets
- Q&A: Scott Henderson on the Chinese underground
- iPhone security software review: Data Guardian
- Phased deployment of Network Access Control
- Playing with authenticode and MD5 collisions
- Web 2.0 case studies: challenges, approaches and vulnerabilities
- Q&A: Jason King, CEO of Lavasoft
- Book review - Making Things Happen: Mastering Project Management
- ISP level malware filtering
- The impact of the consumerization of IT on IT security management

Monday, February 23, 2009

Netbooks are killing Microsoft and Apple

PC sales are in free fall as the weak demand for Windows desktops and full-size notebooks in a poorly performing global economy is being compounded by an influx of low cost netbooks, which are gobbling up the remains of profitability in the PC industry.

Source: Infoworld.com

Source: AppleInsider.com

Source: ibtimes.com

SecurityOrb.com Security Bulletin: Adobe Reader PDF Vulnerability

A recently discovered vulnerability in Adobe Reader allows an attacker to compromise the system with the privileges of the user running Reader. The vulnerability lies in the way Reader parses PDF files: opening a malicious PDF file can trigger the bug and lead to exploitation.

Attacks using this vulnerability have been seen in the wild, and there are reports that adversaries are actively targeting a number of users with it.

The only known workaround to date is to disable Acrobat JavaScript. Any user can disable Adobe JavaScript by following these simple steps:

1. Start Adobe Reader.

2. Select Edit, then Preferences from the menu. The Preferences dialog box opens.

3. Select JavaScript from the list of Categories to the left.

4. Click to uncheck the option “Enable Acrobat JavaScript.”

5. Click OK.

For more details about this vulnerability and a video demonstration of the steps to disable Adobe JavaScript, please visit the following posting on SecurityOrb.com: http://www.securityorb.com/
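The same workaround applied by script, which is handier than the dialog when you need to check many user profiles or machines. This is an added example, not part of the SecurityOrb post; it assumes that Reader stores the dialog's setting as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (1 = enabled, 0 = disabled):

```powershell
# Added example, not from the SecurityOrb post: audit (and with -Disable, turn off)
# Acrobat JavaScript for the current user through the registry instead of the
# Preferences dialog. ASSUMPTION: Reader stores the dialog's setting as the DWORD
# bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (1 = on, 0 = off).
# Close Reader first: it rewrites its preferences when it exits.
param([switch]$Disable)

$base = 'HKCU:\Software\Adobe\Acrobat Reader'
if (-not (Test-Path $base)) {
    Write-Warning "No per-user Adobe Reader settings found under $base"
    return
}

# One subkey per installed Reader version, e.g. 8.0 or 9.0; ignore anything else
$versions = (Get-ChildItem -Path $base).PSChildName | Where-Object { $_ -match '^\d+\.\d+$' }

foreach ($version in $versions) {
    $jsPrefs = "$base\$version\JSPrefs"
    $current = $null
    if (Test-Path $jsPrefs) {
        $current = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
    }

    # A missing key or value means Reader is using its built-in default: JavaScript enabled
    $enabled = ($null -eq $current) -or ($current -ne 0)
    $state = if ($enabled) { 'ENABLED' } else { 'disabled' }
    Write-Output ("Reader {0}: Acrobat JavaScript {1}" -f $version, $state)

    if ($Disable -and $enabled) {
        if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
        New-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -PropertyType DWord -Force | Out-Null
        Write-Output ("Reader {0}: bEnableJS set to 0 (JavaScript disabled)" -f $version)
    }
}
```

Run it without -Disable to see which installed Reader versions still have JavaScript on; because the value lives in HKCU, it has to be applied per user, just like the dialog setting it mirrors.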


Monday, February 16, 2009

Microsoft puts $250,000 bounty on Conficker authors

Microsoft 'Posse' puts $250,000 bounty on Conficker authors - Creators of Conficker/Downadup worm now carry a price on their heads


Source: Darkreading.com

FAA Data Breach - Personal Data Of 45,000 Exposed

Personal data of 45,000 people was exposed in an FAA data breach; the agency has warned employees of the potential threat but isn't saying how the breach occurred.

Source: Darkreading.com

Thursday, February 12, 2009

Valentine's Day Malware Attack

Valentine's Day is not just for lovers; it's for malware writers, too. At the center of the recent surge in spam related to Valentine's Day is the Waledac botnet, successor to the Storm botnet, but other botnets have joined the fray as well, security researchers warn.

Source: eweek.com

Wednesday, February 11, 2009

President Barack Obama has ordered a 60-day review of the nation’s cybersecurity

President Barack Obama has ordered a 60-day review of the nation’s cybersecurity to examine how well U.S. federal agencies use technology to protect data and to thwart spies and malicious hackers.

In President Obama’s effort to scrutinize all U.S. government plans, programs and activities relating to the management of massive amounts of data, he will call upon Melissa Hathaway, a former Bush administration aide, to head the program as Acting Senior Director for Cyberspace in both the National Security and Homeland Security Councils – a sort of “cyber czar”. Hathaway, an expert on cybersecurity, led former President Bush’s $6 billion-a-year Comprehensive National Cybersecurity Initiative. Her cybersecurity review will include an inventory of what is already being done and recommendations on how processes, policies and procedures can be improved.

No one knows whether Hathaway’s cyber czar position will become permanent after the 60-day review is completed.

Tuesday, February 10, 2009

BackTrack 4 is Coming

BackTrack 4 is coming; check out the blog posting on it:

http://backtrack4.blogspot.com/2009/02/release-in-321.html

Thursday, February 5, 2009

Microsoft Security Bulletin Advance Notification for February 2009 Issued: February 5, 2009

********************************************************************
Microsoft Security Bulletin Advance Notification for February 2009
Issued: February 5, 2009
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on February 10, 2009.

The full version of the Microsoft Security Bulletin Advance
Notification for February 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx.

This bulletin advance notification will be replaced with the
February bulletin summary on February 10, 2009. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security
Bulletins are issued, subscribe to Microsoft Technical Security
Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, February 11, 2009,
at 11:00 AM Pacific Time (US & Canada). Register for the February
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:


Critical Security Bulletins
============================

IE Bulletin

- Affected Software:
  - Internet Explorer 7 for
    Windows XP Service Pack 2 and
    Windows XP Service Pack 3
  - Internet Explorer 7 for
    Windows XP Professional x64 Edition and
    Windows XP Professional x64 Edition Service Pack 2
  - Internet Explorer 7 for
    Windows Server 2003 Service Pack 1 and
    Windows Server 2003 Service Pack 2
  - Internet Explorer 7 for
    Windows Server 2003 x64 Edition and
    Windows Server 2003 x64 Edition Service Pack 2
  - Internet Explorer 7 for
    Windows Server 2003 with SP1 for Itanium-based Systems and
    Windows Server 2003 with SP2 for Itanium-based Systems
  - Internet Explorer 7 in
    Windows Vista and
    Windows Vista Service Pack 1
  - Internet Explorer 7 in
    Windows Vista x64 Edition and
    Windows Vista x64 Edition Service Pack 1
  - Internet Explorer 7 in
    Windows Server 2008 for 32-bit Systems
    (Windows Server 2008 Server Core installation not affected)
  - Internet Explorer 7 in
    Windows Server 2008 for x64-based Systems
    (Windows Server 2008 Server Core installation not affected)
  - Internet Explorer 7 in
    Windows Server 2008 for Itanium-based Systems

- Impact: Remote Code Execution
- Version Number: 1.0


Exchange Bulletin

- Affected Software:
  - Microsoft Exchange 2000 Server Service Pack 3 with the Update
    Rollup of August 2004
  - Microsoft Exchange Server 2003 Service Pack 2
  - Microsoft Exchange Server 2007 Service Pack 1
    (Includes 32-bit and x64-based editions)

- Impact: Remote Code Execution
- Version Number: 1.0


Important Security Bulletins
============================

SQL Bulletin

- Affected Software:
  - Microsoft SQL Server 2000 Desktop Engine (WMSDE) on
    Microsoft Windows 2000 Service Pack 4
  - Microsoft SQL Server 2000 Desktop Engine (WMSDE) on
    Windows Server 2003 Service Pack 1 and
    Windows Server 2003 Service Pack 2
  - Windows Internal Database (WYukon) Service Pack 2 on
    Windows Server 2003 Service Pack 1 and
    Windows Server 2003 Service Pack 2
  - Microsoft SQL Server 2000 Desktop Engine (WMSDE) on
    Windows Server 2003 x64 Edition and
    Windows Server 2003 x64 Edition Service Pack 2
  - Windows Internal Database (WYukon) x64 Edition Service Pack 2
    on Windows Server 2003 x64 Edition and
    Windows Server 2003 x64 Edition Service Pack 2
  - Windows Internal Database (WYukon) Service Pack 2
    on Windows Server 2008 for 32-bit Systems
    (Windows Server 2008 Server Core installation affected)
  - Windows Internal Database (WYukon) x64 Edition Service Pack 2
    on Windows Server 2008 for x64-based Systems
    (Windows Server 2008 Server Core installation affected)
  - GDR update for SQL Server 2000 Service Pack 4
  - QFE update for SQL Server 2000 Service Pack 4
  - GDR update for SQL Server 2000
    Itanium-based Edition Service Pack 4
  - QFE update for SQL Server 2000
    Itanium-based Edition Service Pack 4
  - GDR update for SQL Server 2005 Service Pack 2
  - QFE update for SQL Server 2005 Service Pack 2
  - GDR update for SQL Server 2005 x64 Edition Service Pack 2
  - QFE update for SQL Server 2005 x64 Edition Service Pack 2
  - GDR update for SQL Server 2005 with SP2 for
    Itanium-based Systems
  - QFE update for SQL Server 2005 with SP2 for
    Itanium-based Systems
  - GDR update for Microsoft SQL Server 2000
    Desktop Engine (MSDE 2000) Service Pack 4
  - QFE update for Microsoft SQL Server 2000
    Desktop Engine (MSDE 2000) Service Pack 4
  - GDR update for SQL Server 2005
    Express Edition Service Pack 2
  - QFE update for SQL Server 2005
    Express Edition Service Pack 2
  - GDR update for SQL Server 2005
    Express Edition with Advanced Services Service Pack 2
  - QFE update for SQL Server 2005
    Express Edition with Advanced Services Service Pack 2

- Impact: Remote Code Execution
- Version Number: 1.0


Visio Bulletin

- Affected Software:
  - Microsoft Office Visio 2002 Service Pack 2
  - Microsoft Office Visio 2003 Service Pack 3
  - Microsoft Office Visio 2007 Service Pack 1

- Impact: Remote Code Execution
- Version Number: 1.0


Other Information
=================

Microsoft Windows Malicious Software Removal Tool:
==================================================
Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:
========================================================
For information about non-security releases on Windows Update and Microsoft
Update, please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
Article 894199, Description of Software Update Services and
Windows Server Update Services changes in content.
Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
Revised, and Released Updates for Microsoft Products Other Than
Microsoft Windows

Microsoft Active Protections Program (MAPP)
===========================================
To improve security protections for customers, Microsoft provides
vulnerability information to major security software providers in
advance of each monthly security update release. Security software
providers can then use this vulnerability information to provide
updated protections to customers via their security software or
devices, such as antivirus, network-based intrusion detection
systems, or host-based intrusion prevention systems. To determine
whether active protections are available from security software
providers, please visit the active protections Web sites provided by
program partners, listed at
http://www.microsoft.com/security/msrc/mapp/partners.mspx.

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================
If you receive an e-mail message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious Web sites. Microsoft does
not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security bulletins, or
installing security updates. You can obtain the MSRC public PGP key
at
https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Wednesday, February 4, 2009

Firefox update to 3.0.6 is out...


The Firefox update to 3.0.6 is out. It fixes a couple of vulnerabilities, one of them labeled critical.

Fixed in Firefox 3.0.6:

- MFSA 2009-06 Directives to not cache pages ignored
- MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
- MFSA 2009-04 Chrome privilege escalation via local .desktop files
- MFSA 2009-03 Local file stealing with SessionStore
- MFSA 2009-02 XSS using a chrome XBL method and window.eval
- MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

See http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.6