Your daily source of Pwnage, Policy and Politics.

Episode 285 – 0-Day, Breach Response, Gawker, SAS, CitySights NY Breach & UofW Breach


ISDPodcast Episode 285 for December 23, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:

News: http://www.microsoft.com/technet/security/advisory/2488013.mspx

Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue.

The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of currently known exploits. An attacker who successfully exploits this vulnerability would have very limited rights on the system.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, reducing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Exploit code: http://www.exploit-db.com/exploits/15746

News: http://www.infosecurity-us.com/view/14840/va-facilities-violate-prohibition-on-using-online-tools-to-share-patient-data/

The most recent incident involved the posting of patient information on Yahoo Calendar by the Chicago Health Care System’s Orthopedics Department, according to the VA’s monthly report to Congress.

According to the November report, the full names of over 1000 patients, along with their dates of surgery, types of surgery, and last four numbers of their social security numbers were placed on the Yahoo Calendar.

So…where is this fabulous EINSTEIN 2 that Janet Napolitano is praising so

News: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744

No one likes to think about database breaches, but the fact is, they happen. Rather than cross your fingers and hope for the best, create an incident response plan ahead of time. Without a plan, you may destroy critical evidence that could be used to prosecute the offender. You might also overlook just how the incident occurred, leaving you exposed to future breaches.
Log analysis is an essential component of an incident response plan.  You’ll want to review logs from the compromised machine or machines and from other sources, including network devices and access control systems.
A number of log types–transaction, server access, application server, and OS–can all provide valuable information to retrace what occurred.  If your database administrator has enabled transaction logs–and it’s a big if–start there because they’re a rich source of information.  Your first goal is to understand what data has been extracted, which will help you gauge the current risk to the company. Then examine what else the attacker may have tried to do. As you review logs, look for queries that would match the data known to be exported. If you don’t have any evidence to match against, gather up the database administrator, application developer, and anyone else who knows normal application and database activity. Get a conference room, display the logs on a projector, and have them help you look for anomalies such as unusual queries that applications or administrators wouldn’t normally make.
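The review the article describes, carried out in code: a constructed database query log is compared against a baseline of the query shapes the application normally issues, and lines are flagged when they fall outside that baseline, touch the columns already tied to the exported data, or join unrelated tables. This is an added example, not code from the article or from any product; the log format, table and column names, host addresses and baseline are all assumptions made for the demonstration.

```python
"""Triage a constructed database query log against a baseline of normal
application queries. Added example: the log format, table names, hosts and
baseline are assumptions, not any real product's output."""
import re
from collections import Counter

# Constructed sample lines in an assumed "timestamp user@host query" format.
SAMPLE_LOG = """\
2010-09-26T02:11:04 app@10.0.0.5 SELECT id, name FROM tours WHERE id = 17
2010-09-26T02:11:05 app@10.0.0.5 INSERT INTO bookings (tour_id, qty) VALUES (17, 2)
2010-09-26T02:13:40 app@10.0.0.5 SELECT id, name FROM tours WHERE id = 3 UNION SELECT card_number, expiry FROM payments
2010-09-26T02:14:02 app@10.0.0.5 SELECT card_number, expiry, cvv FROM payments
2010-09-26T02:15:11 app@10.0.0.5 SELECT id, name FROM tours WHERE id = 9
2010-09-26T03:01:55 root@10.0.0.99 SELECT * FROM information_schema.tables
"""

# Normalised query shapes the application is expected to issue. Assumed here;
# in practice this comes from the DBA and developers who know normal activity.
BASELINE = {
    "select id, name from tours where id = ?",
    "insert into bookings (tour_id, qty) values (?, ?)",
}

# Columns the investigation has already tied to the exported data (assumed).
EXFILTRATED_COLUMNS = {"card_number", "expiry", "cvv"}

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (.*)$")


def normalise(query: str) -> str:
    """Replace literals with '?' and collapse whitespace so that queries
    differing only in parameter values compare equal."""
    q = re.sub(r"'(?:[^']|'')*'", "?", query)  # string literals
    q = re.sub(r"\b\d+\b", "?", q)             # numeric literals
    return re.sub(r"\s+", " ", q).strip().lower()


def find_anomalies(log_text: str, baseline=BASELINE, exfil_cols=EXFILTRATED_COLUMNS):
    """Return one dict per suspicious log line with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, host, query = m.groups()
        reasons = []
        if normalise(query) not in baseline:
            reasons.append("query shape not in application baseline")
        touched = {c for c in exfil_cols if re.search(rf"\b{c}\b", query, re.I)}
        if touched:
            reasons.append("references exported columns: " + ", ".join(sorted(touched)))
        if re.search(r"\bunion\b", query, re.I):
            reasons.append("UNION combining unrelated tables")
        if reasons:
            findings.append({"time": ts, "user": user, "host": host,
                             "query": query, "reasons": reasons})
    return findings


def summarise(findings):
    """Count flagged lines per user@host to show where the anomalies cluster."""
    return Counter(f"{f['user']}@{f['host']}" for f in findings)


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_LOG)
    for f in hits:
        print(f["time"], f["user"] + "@" + f["host"], "|", f["query"])
        for r in f["reasons"]:
            print("    -", r)
    print(summarise(hits))
```

The baseline-first approach matches the article's advice: the normal query shapes are what the application team can supply from memory, and anything outside them is the short list to walk through on the projector, starting with the lines that name the columns already known to have left the building.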

Keith: Shameless plug of OSSEC for database log monitoring

News: http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath

Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher’s servers. The publisher of Gawker, Gizmodo, and seven other popular websites also plans to, gasp, mandate the use of secure sockets layer encryption for all users with Gawker Media accounts on Google Apps, according to a memo written by Gawker tech boss Tom Plunkett and published Friday by The Next Web. The company-wide message conceded a point first made by the perpetrators of the hack: That Gawker Media’s security was utter crap.
“It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature,” Plunkett wrote. “We were also not prepared to respond when it was necessary.”
Indeed, security researchers who examined the web platform’s source code were amazed at just how poorly the site was put together.

News: http://www.independent.co.uk/news/media/online/sas-man-to-take-charge-of-cyberwarfare-defences-2164842.html

A former chief of the SAS has been appointed to head the military’s cyber-warfare operations amid rising concern about the risk of attacks on official websites endangering Britain’s defences.

Major General Jonathan Shaw will lead a unit combating internet assaults on vital strategic installations, including nuclear facilities and communications networks, The Independent has learnt. The Strategic Defence and Security Review identified cyber-warfare as “tier one” in a league table of threats facing the UK. Last week Sir Peter Ricketts, the National Security Advisor, asked government departments to take precautions over hackers promising revenge attacks over the WikiLeaks affair. The director of GCHQ, Iain Lobban, has stated that cyber warfare, some orchestrated by foreign governments, is one of the biggest challenges faced by the intelligence services.  But it is the WikiLeaks threats which have become the most pressing in the field, according to Whitehall sources. “Hacktivist” supporters of the website have hit companies that withdrew services from WikiLeaks such as Visa, Mastercard and PayPal. Some supporters of WikiLeaks blame the UK for what they see as complicity in a campaign against its founder, Julian Assange.

News: http://www.computerworld.com/s/article/9201822/Hackers_hit_New_York_tour_firm_access_110_00_bank_cards

Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers. They broke in using a SQL Injection attack on the company’s Web server, CitySights NY said in a Dec. 9 breach notification letter published by New Hampshire’s attorney general. The company learned of the problem in late October, when, “a web programmer discovered [an] unauthorized script that appears to have been uploaded to the company’s web server, which is believed to have compromised the security of the database on that server,” the letter said.
CitySights NY believes that the SQL injection compromise occurred about a month earlier, on Sept. 26. In a SQL injection attack, hackers find ways to sneak real database commands into the server using the Web. They do this by adding specially crafted text into Web-based forms or search boxes that are used to query the back-end database.
This was one of the techniques used by Albert Gonzalez, who in March received the longest-ever U.S. federal sentence related to hacking the systems of Heartland Payment Systems, TJX and other companies.
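To make the mechanism in the CitySights NY story concrete, here is the defect beside its fix as an added example (not code from the article or from CitySights NY): one lookup pastes the form value straight into the SQL text, the other binds it as a parameter. The table, rows and the crafted input are all constructed for the demonstration, using Python's built-in in-memory SQLite.

```python
"""Side-by-side lookup functions: string-built SQL versus a bound parameter.
Added example with a constructed in-memory SQLite table; the table and rows
are assumptions, not data from the article."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway database with constructed, obviously fake rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "carol@example.com", "3333"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """The 'before': the form field is concatenated into the SQL text, so
    whatever the user typed is parsed as part of the query."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str):
    """The fix: the query text is fixed and the value travels as a bound
    parameter, so the database never interprets it as SQL."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed input of the kind the article describes: a value that closes the
# quoted string and appends a condition that is always true.
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("normal input, vulnerable:    ", lookup_vulnerable(db, "bob@example.com"))
    print("crafted input, vulnerable:   ", lookup_vulnerable(db, CRAFTED_INPUT))
    print("crafted input, parameterised:", lookup_parameterised(db, CRAFTED_INPUT))
```

With the normal address both functions return the single matching row; with the crafted value the concatenated version returns every customer, while the parameterised version looks for an e-mail address literally equal to the crafted string and returns nothing. The fix is structural rather than a filter on input: the query's shape is decided before any user data arrives, which is also what makes the "query shape" baseline in the log-review approach meaningful.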

News: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228800912/university-of-wisconsin-madison-leaves-60-000-ssns-unprotected-for-two-years.html

A recent database breach that potentially exposed the Social Security Numbers of 60,000 former students and staff at the University of Wisconsin is bringing attention to the way higher education institutions store and protect SSNs — even after they’ve been discontinued as a student identification number.
The breach came to light earlier in the month when affected victims were informed by a letter from the university that their data might have been breached after sitting in an unsecure database for more than two years.  Like many universities around the nation, University of Wisconsin had discontinued the use of SSNs in student identification numbers in 2008 to better protect student identities. Unfortunately, the university retained information about affected individuals within the poorly protected database even after their IDs were deactivated.
University officials say they were made aware of an intrusion into the database in October and have not found the individuals responsible for the hack. Though sensitive data was stored within the database, it claims its forensic investigation didn’t provide evidence that former student data was accessed.
“During our investigation and examination, we reviewed the available logs dating back to January 2008 and discovered the system suffered unauthorized accesses a number of times. However, supplemental logs available for a shorter time period did not show any evidence of file transfers consistent with the size of the database file that contained your personal information. Further, our investigation found no evidence that the unauthorized individuals were aware of your personal data in the database or that it has been retrieved or misused,” the University of Wisconsin wrote in its letter to potential victims.