-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

September 3 (next Wednesday) is the last date for discounted attendance
at SANS' big Network Security conference in Las Vegas.
http://www.sans.org/info/29439

*************************************************************************
SANS NewsBites August 26, 2008 Vol. 10, Num. 67
*************************************************************************
TOP OF THE NEWS
OMB Issues DNSSEC Directive For US Government Agencies
Judge Says Law Barring Woman from Posting SSNs on Internet is
Unconstitutional
TV News Anchor Admits Accessing Co-Worker's eMail Accounts
eVoting Vendor Says Dropped Votes Due to Code Error
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Four Arrested in Connection With Credit Card Fraud Scheme
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Lost Memory Stick Prompts Investigation; Consultancy Contract
Suspended
VULNERABILITIES
Nokia Acknowledges Java Flaws in Series 40 Handsets
UPDATES AND PATCHES
Microsoft Re-issues Incomplete Update Posted to Microsoft Download
Center
ATTACKS
Cyber Thieves Steal Best Western Customer Data
Red Hat and Fedora Servers Attacked
MISCELLANEOUS
CT Gov. Wants Investigation Into Credit Monitoring Company
Faulty Hardware Component Blamed for Recent Netflix Problems
Australia Chief Justice Sees Concept of Privacy Shifting
SANS Top Internet Security Risks 2007
Software Security Moves From Want To Need

************************ Sponsored By NitroSecurity *********************

NitroSecurity is the leading supplier of Unified Information Security
solutions that provide Edge-to-Core network security for over 500
enterprises. Leveraging decades of R&D and patented data management
technology, NitroSecurity delivers a highly integrated, cost effective
network security product suite for security information & event
management, log management, database activity monitoring, network
analysis and intrusion prevention.

http://www.sans.org/info/32159
*************************************************************************
TRAINING UPDATE
- NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo;
lots of evening sessions: http://www.sans.org/ns2008
- Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
--OMB Issues DNSSEC Directive For US Government Agencies
(August 22, 2008)
The Office of Management and Budget (OMB) has told federal chief
information officers that they have until January 2009 to deploy
Domain Name System Security (DNSSEC) on top level .gov domains.
Agencies must also develop a plan for deploying DNSSEC to "all
applicable information systems" by December 2009.
http://www.gcn.com/online/vol1_no1/46987-1.html
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
[Editor's Note (Pescatore): Definitely a good thing to force some
movement towards DNSSEC but there is a continuing string of "unfunded
mandates" that hit government agencies. It would be nice to see some of
the mythical billions of dollars in National Cyber Security Initiative
funding funneled to actual operational security budgets of actual
government agencies to actually fund something.]

--Judge Says Law Barring Woman from Posting SSNs on Internet is Unconstitutional
(August 22, 2008)
A US District judge has ruled that a law barring BJ Ostergren from
publishing Social Security numbers (SSNs) on the Internet is, in this
specific case, unconstitutional. Ostergren's website contains public
documents that include SSNs of prominent people. Ostergren's point is
to show how the government has failed to protect people's privacy.
http://ap.google.com/article/ALeqM5jiGOcctpSb22Nw59ozzMFCW2hv7gD92NM65G0
[Editor's Note (Northcutt): Virginia is going to have to choose between
two paths: continue to publish social security numbers and other PII on
their state web sites putting their citizens at risk of identity theft,
or start sanitizing the information. The latter is a huge task that
would involve modifying public records. This is a fairly big problem
that Ostergren has brought to light. Here is the suit; even a quick read
and you realize it is a slam dunk:
http://www.acluva.org/docket/pleadings/ostergren_complaint.pdf ]

--TV News Anchor Admits Accessing Co-Worker's eMail Accounts
(August 22, 2008)
Former Philadelphia television news anchor Lawrence Mendte has admitted
he broke into a co-worker's email accounts and leaked information from
the messages to the media. The compromised accounts belonged to
Mendte's former co-anchor Alycia ***; the leaked information
contributed to her losing her job at KYW-TV, the station where she and
Mendte co-anchored the evening news for four years. Mendte was charged
with one count of illegally accessing a computer; if he is found guilty,
he could face up to five years in prison.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113283&source=rss_topic17
http://www.cnn.com/2008/CRIME/08/22/anchor.email.ap/index.html?eref=rss_tech

--eVoting Vendor Says Dropped Votes Due to Code Error
(August 22 & 25, 2008)
Premier Election Solutions now says the reason its electronic voting
machines dropped hundreds of votes in Ohio's primary election earlier
this year is a logic error in the machines' source code. Premier,
formerly known as Diebold Election Systems, originally said the problem
was due to issues caused by McAfee's antivirus software. While the
antivirus software can trigger the problem, it is the buggy code that
caused the dropped votes in March. Premier has issued an advisory for
users running the affected machines that tells them how to avoid losing
votes; the problem affects at least 1,650 jurisdictions in the US. The
company is also in the process of testing a fix created for the problem.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113298&intsrc=hm_list
http://www.mercurynews.com/nationworld/ci_10296597
[Editor's Note (Pescatore): There are so many things wrong with this
story - it is scary to think that a voting machine *needed* AV
software, let alone that AV software *can* trigger votes to be dropped.
But the real issue is why the federal Election Assistance Commission
hasn't done a thing to live up to their charter of "Carrying out duties
related to the testing, certification, decertification, and
recertification of voting system hardware and software." This has been
dragging on since late 2005 when the first version of the Voluntary
Voting System Guidelines came out. The voting machine vendors will
likely have to change their names several more times before we see any
actual security testing of these systems.
(Schultz): Once again we are seeing why voting systems technology is not
ready for prime time.
(Veltsos): The best way to avoid losing votes is to stop using voting
machines from manufacturers who refuse to submit source code for public
scrutiny.]

************************** SPONSORED LINKS: *****************************

1) Visit the SANS Buyers Guide for updated listings and useful
information when selecting the latest in IT security technologies.
http://www.sans.org/info/32164

2) Get real-world forensic techniques from industry-recognized experts
at the Forensics & Incident Response Summit October 13-14 in Las Vegas.
http://www.sans.org/info/32169

3) Rediscover Amsterdam, NL and hear about Process Control Security
issues. - Process Control & SCADA Summit September 8-9.
http://www.sans.org/info/32174
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Four Arrested in Connection With Credit Card Fraud Scheme
(August 22, 2008)
Four people in Ohio have been arrested in connection with a credit card
fraud scheme. One of the four allegedly used a hidden device to swipe
cards used by customers at the McDonald's drive-through in Liberty, Ohio
where she worked. The device recorded credit and debit card information
that was then allegedly used to manufacture new cards. The group has
allegedly made approximately US $6,000 worth of fraudulent purchases
with the phony cards. When the local police station started receiving
complaints of unauthorized charges on credit cards, they found the
common factor to be having made a credit card purchase at McDonald's;
ultimately the suspicious transactions were traced to a single cashier.
http://www.tribtoday.com/page/content.detail/id/509724.html?nav=5021

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Lost Memory Stick Prompts Investigation; Consultancy Contract Suspended
(August 22, 2008)
UK Home secretary Jacqui Smith says an inquiry is underway into the loss
of a memory stick containing personal details of tens of thousands of
criminals in England and Wales. While the data were stored securely
on government systems, an outside contractor, PA Consulting, apparently
downloaded the data in violation of its contract. The contractor had
access to the data because it was working on a research project. The
contractor staff member responsible for the memory stick has been
suspended, and the Home Office is suspending its contract with PA
Consulting.
http://news.bbc.co.uk/2/hi/uk_news/politics/7575989.stm
http://www.zdnet.co.uk/misc/print/0,1000000169,39464518-39001093c,00.htm
http://www.vnunet.com/vnunet/news/2224575/home-office-suspends-pa
[Editor's Note (Schultz): This news item provides another in a long line
of lessons-learned stories concerning information security, namely that
letdowns in this area can and do result in significant business damage
and loss.
(Honan): Use this example with Senior Management to show how poor
security can lose a company business when you next have to justify your
infosec budget.]

VULNERABILITIES
--Nokia Acknowledges Java Flaws in Series 40 Handsets
(August 21 & 22, 2008)
Nokia has acknowledged the existence of two vulnerabilities in its
Series 40 handsets. The flaws lie in Sun Microsystems' mobile version
of Java (J2ME) and were brought to the attention of Sun and Nokia by
Adam Gowdiak, who provided each company with a brief overview and
offered detailed reports on the vulnerabilities for US $20,000. Neither
company has confirmed that they have paid Gowdiak, but Sun has announced
that it will be releasing patches for the flaws soon, and Nokia is
looking into measures to prevent their exploitation. One of the flaws
could allow remote access to restricted phone functions; the other could
be exploited to surreptitiously install or run applications on the
devices.
http://www.zdnet.co.uk/misc/print/0,1000000169,39464526-39001093c,00.htm
http://www.techworld.com/news/index.cfm?newsID=103368&printerfriendly=1

UPDATES AND PATCHES
--Microsoft Re-issues Incomplete Update Posted to Microsoft Download Center
(August 22, 2008)
Microsoft has released a new version of one of its August 11 security
bulletins because the original version was incomplete. The affected
bulletin is MS08-051, which addresses three flaws in Microsoft Office,
PowerPoint and PowerPoint Viewer. Users who downloaded the fix manually
should apply the new version as soon as possible; users whose systems
were updated through Windows Update or Windows Server Update Services
are already protected. The incomplete version was only posted to the
Microsoft Download Center.
Internet Storm Center Post: http://isc.sans.org/diary.html?storyid=4918
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113260&source=rss_topic17
http://www.microsoft.com/technet/security/bulletin/MS08-051.mspx

ATTACKS
--Cyber Thieves Steal Best Western Customer Data
(August 25, 2008)
An attacker reportedly breached the security of Best Western Hotels'
online reservation system and may have compromised the names, addresses,
credit card numbers and other personal information of all people who
have stayed at Best Western Hotels since 2007. The attacker appears to
have loaded a Trojan onto a hotel computer and captured the login
information of someone with appropriate clearance to access the customer
information; a spokesperson for Best Western said the company has
disabled the compromised account. The theft "came to light" after
access to the data was offered for sale on the Internet. Best Western
has refuted some of the claims made in the media, noting that the
company's policy is to purge online reservation data as soon as the
customers check out of the hotel. Best Western also maintains that the
breach was limited to "a select portion of data at a single hotel."
http://www.vnunet.com/vnunet/news/2224615/hackers-breach-best-western
http://economictimes.indiatimes.com/articleshow/msid-3400493,flstry-1.cms
http://www.sundayherald.com/news/heraldnews/display.var.2432225.0.0.php
http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr
http://www.securitykarma.com/2008/08/best-western-refutes-breach-claims.html
[Editor's Note (Honan): The facts regarding this story are still
unclear, but given the response by Best Western to the original story
it would appear that the claims are exaggerated. We have had debates
about responsible disclosure in the past; perhaps now is the time we need
to debate the need for responsible news reporting.]

--Red Hat and Fedora Servers Attacked
(August 22, 2008)
Attackers have breached infrastructure servers belonging to Red Hat and
the Fedora project. Fedora officials say the company has changed to new
signing keys as a precautionary measure, although they do not think the
fedora package signing key was compromised. Red Hat acknowledged that
code on its system had been tampered with, but says that its content
distribution was unaffected, so users were not served bad code.
Internet Storm Center Posts:
http://isc.sans.org/diary.html?storyid=4919
http://isc.sans.org/diary.html?storyid=4921
http://www.theregister.co.uk/2008/08/22/red_hat_systems_hacked/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113299&source=rss_topic17
http://news.cnet.com/8301-1009_3-10023565-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.heise-online.co.uk/security/Fedora-and-Red-Hat-servers-broken-into--/news/111379s
http://www.securityfocus.com/news/11532
http://rhn.redhat.com/errata/RHSA-2008-0855.html
[Editor's Note (Skoudis): This is a very scary case. At this point,
details about how the attack occurred are slim to none, likely because
the investigation is ongoing. Was it a zero-day vulnerability?
Misconfiguration? Procedure problem? Operator error? As a big Red Hat
and Fedora user, I'd sleep a little better knowing both when the attack
occurred and how it was pulled off.
(Pescatore): This is as big a deal as when it happened to Microsoft
several years ago. Red Hat needs to be very public and very transparent
about what they are going to change to make sure this doesn't happen
again.]

MISCELLANEOUS
--CT Gov. Wants Investigation Into Credit Monitoring Company
(August 22, 2008)
Connecticut governor M. Jodi Rell has called for an investigation into
the company hired to provide credit monitoring for people whose personal
data were on a stolen state government laptop computer. Connecticut
state officials hired Debix Identity Protection Network to work with
individuals whose information was on the Department of Revenue Services
computer that was stolen from an employee's car a year ago. A number
of people have complained to the state after they were contacted by
Experian, one of the credit bureaus, asking them to supply government
identification, their Social Security numbers (SSNs) and a utility bill
to allow the monitoring to continue.
http://www.courant.com/business/hc-debix0822.artaug22,0,3146872.story

--Faulty Hardware Component Blamed for Recent Netflix Problems
(August 22, 2008)
Netflix's head of IT Operations has posted an explanation of the
company's recent shipping delay on the Netflix Community Blog.
Apparently a faulty hardware component was responsible for a database
corruption event in the Netflix shipping system; similar events then
began occurring in peripheral databases as well. The company "moved the
shipping system to an isolated environment" and managed to get the
shipping system functional again. Netflix has "taken steps to fortify
[its] shipping system with the acquisition of additional equipment."
http://blog.netflix.com/2008/08/shipping-delay-recap.html
[Editor's Note (Pescatore): Ah, the hardware was at fault because
hardware should never fail? I think the real problem was that there was
nothing that could detect a hardware failure before it led to database
corruption.]

--Australia Chief Justice Sees Concept of Privacy Shifting
(August 21, 2008)
Chief Justice of the High Court of Australia Murray Gleeson said that
"the ground seems to be shifting" in the realm of privacy. Specifically,
the advent of the Internet and cellular phones has led people to
disclose personal information online and to have what would normally be
private conversations in public settings. Justice Gleeson added that
although he wrote a judgment several years ago that "there seemed to
[him] to be certain things which were self-evidently private, [he is]
not sure about that anymore. The very changes that are taking place in
the concept of privacy will be a matter that parliaments have to address
- and courts." Justice Gleeson will retire at the end of the month.
http://www.smh.com.au/news/technology/no-such-thing-as-privacy-top-judge/2008/08/20/1219262357987.html

--SANS Top Internet Security Risks 2007
In case you missed it earlier this year, or if you want to check out how
the Internet threat landscape has changed (or not) over the last eight
months, here is a slideshow of the SANS' Top Internet Security Risks of
2007, which details an increased focus on targeted phishing attacks as
well as an increase in attacks on web applications.
http://www.eweek.com/c/a/Security/SANS-Top-Internet-Security-Risks-of-2007/

--Software Security Moves From Want To Need
(August 11, 2008)
The growth of attacks through the application layer has resulted in
similar growth in the prevention resources being applied by enterprises
-- tools, services and skills development. In an article in InformIT,
Gary McGraw talks about this growth and the fact that software security
is finally moving from 'want' to 'need'.
http://www.informit.com/articles/article.aspx?p=1237978

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAki0MTMACgkQ+LUG5KFpTkZjJQCfcrflLdzFF23vd7/NqMo8072S
pc8An0G4DzgY+3UWpsQnFDXO3AczeEOV
=BpLp
-----END PGP SIGNATURE-----