Date: Fri, September 12, 2008 04:05:41 PM
From: The SANS Institute
Subject: SANS NewsBites Vol. 10 Num. 72
*************************************************************************
SANS NewsBites September 12, 2008 Vol. 10, Num. 72
*************************************************************************
TOP OF THE NEWS
Exploit Code Released for SCADA Vulnerability
Law Enforcement Officials Need Warrant to Access Stored Mobile Phone
Company Data
SF SysAdmin's Lockout Attack on San Francisco City Network May Cost US
$1 Million to Fix
Google Shortens Time it Will Keep User Search Data
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Student Gets Probation for Breaking Into School, Computer
Spyware Helps Nab Sexual Predator
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Home Office Terminates Contract With Company That Lost Data
Most Data Shared Between NZ Government Agencies are Encrypted
UPDATES AND PATCHES
Apple Releases Updates for QuickTime, iTunes and iPod touch
Microsoft Issues Four Security Bulletins
DATA LOSS AND EXPOSURE
Man Wants Court Docs off Website, Posts Internal County eMail in
Protest
MISCELLANEOUS
Fedora is Issuing Updates
************************** Sponsored By SANS ****************************
How are the latest forensic techniques used to help combat threats in
organizations today? Which products are the best in the incident
response and computer forensic community? Attend the Forensics &
Incident Response Summit October 13-14 and learn the answers to these
and other key Forensics & Incident Response questions.
http://www.sans.org/info/33064
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Exploit Code Released for SCADA Vulnerability
(September 10, 2008)
Attack code that exploits a known vulnerability in CitectSCADA software
has been published. The person who published the code said he did so
to raise awareness about security flaws in SCADA (Supervisory Control
and Data Acquisition) systems because the "vendors are not being held
responsible for the software that they're producing." The code was
released as a module for the Metasploit framework, which makes it easier
to use. The vulnerability in CitectSCADA was disclosed in June 2008, and
a patch was released at the same time. Patching industrial systems
presents a unique set of concerns: because these systems regulate
elements of critical infrastructure such as power and water, downtime
has the potential to cause significant problems.
http://www.networkworld.com/news/2008/091008-computer-threat-for-industrial-systems.html?hpg1=bn
[Editor's Note (Schultz): SCADA system vendors are indeed not being very
responsive to customer needs in that they for the most part act
oblivious to vulnerabilities found in their systems. Perhaps posting an
exploit for the CitectSCADA vulnerability will help shake them out of
their complacency, although I genuinely dread to think what might happen
if attackers begin using this attack code in the wild.
(Guest Editor Raul Siles): We at the Internet Storm Center are providing
a Snort signature to detect the attacks and the traffic peak from DShield
for the associated port. That means this vulnerable port is being
targeted in the wild: http://isc.sans.org/diary.html?storyid=4997]
--Law Enforcement Officials Need Warrant to Access Stored Mobile
Phone Company Data
(September 10 & 11, 2008)
The US District Court for the Western District of Pennsylvania has
upheld a lower court decision that says law enforcement officers must
obtain a warrant based on probable cause to access mobile phone
companies' stored information that allows them to track a suspect's past
movements. Earlier cases have established that law enforcement
authorities must have a warrant based on probable cause to be able to
track phone users' movements in real time. Prior to this case, however,
"the government has routinely seized these [old] records without search
warrants."
http://www.securityfocus.com/brief/817
http://www.eff.org/press/archives/2008/09/11
http://www.eff.org/files/filenode/celltracking/lenihanorder.pdf
[Editor's Note (Northcutt): This makes perfect sense; getting a warrant
is not that hard, but allowing law enforcement to access personal data
with no audit trail can only lead to abuse of the privilege.]
--SF SysAdmin's Lockout Attack on San Francisco City Network
May Cost US $1 Million to Fix
(September 10 & 11, 2008)
The city of San Francisco (CA) Department of Technology estimates that
costs associated with repairing damage done to a city computer network
by a former system administrator will exceed US $1 million. Terry
Childs allegedly locked his superiors out of administrative access to
the FiberWan network by creating a super password. He disclosed the
password only after the city's mayor visited him in jail; his bail had
been set at US $5 million. San Francisco city officials are also trying
to find a networking device called a "terminal server" that Childs
installed. They do not know its physical location and have been unable
to log in to the device, which appears to have allowed Childs remote
access to the network.
http://www.theregister.co.uk/2008/09/10/rogue_sf_sysadmin_may_cost_sf_1m/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114479&source=rss_topic17
--Google Shortens Time it Will Keep User Search Data
(September 9, 10 & 12, 2008)
Google has responded to concerns voiced by the European Union's Article
29 Working Body about data privacy by cutting in half the amount of time
it will store user search data before starting to anonymize them.
Google had previously reduced the amount of time it kept data from 24
to 18 months before beginning the anonymization process; under the new
arrangement, Google will begin anonymizing the data after nine months.
EU Justice and Home Affairs Commissioner Jacques Barrot called Google's
move "a step in the right direction," but would like to see the company
reduce the length of time it stores the data to six months.
http://news.bbc.co.uk/2/hi/technology/7605801.stms
http://news.smh.com.au/technology/eu-justice-chief-welcomes-google-privacy-move-20080222-1tt6.html
http://www.nzherald.co.nz/feature/story.cfm?c_id=1501833&objectid=10531528
[Editor's Note (Pescatore): Six months is certainly way better than 18
months, but why isn't the data anonymized immediately?]
************************** SPONSORED LINKS: *****************************
1) Visit the SANS Buyers Guide for updated listings and useful
information when selecting the latest in IT security technologies.
http://www.sans.org/info/33069
2) Protecting Your Highly-Distributed Retail Network: Why PCI
Compliance May Be No Bargain
http://www.sans.org/info/33074
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Student Gets Probation for Breaking Into School, Computer
(September 10, 2008)
Tesoro High School (Orange County, CA) senior Tanvir Singh has been
sentenced to three years of probation and 200 hours of community service
for breaking into the school and gaining unauthorized access to a
teacher's computer. Singh reached a plea deal with prosecutors that
dropped some of the charges against him; he could be called on to
testify against another student, Omar Khan, who is believed to have
orchestrated the scheme. In addition to his sentence, Singh will pay
all court fees and restitution.
http://www.ocregister.com/articles/felony-khan-school-2153228-singh-counts
--Spyware Helps Nab Sexual Predator
(September 9 & 10, 2008)
The father of a teenage girl, concerned about sudden changes in his
daughter's behavior, placed spyware on her computer. It revealed that
she had been in communication with a former coach who had previously
signed an agreement that prevented him from having contact with the
girl. The IM conversations were enough evidence for police to arrest
Nicholas Lovell for violating the earlier agreement. Lovell went to
trial, where he was found guilty of engaging in sexual activity with a
minor and sentenced to four-and-a-half years in jail.
http://www.theregister.co.uk/2008/09/10/web_monitoring_traps_child_abuser/print.html
http://www.getbracknell.co.uk/news/s/2035089_spyware_on_girls_email_snared_her_older_man
[Editor's Comment (Northcutt): Yayyyyyy dad! Children should not have
an expectation of privacy when using a computer. Through the years I have
heard some heart-wrenching stories from parents. This is not about
trusting your kids, it is about expecting a 15 or 16 year old child to
have the tools and experience to withstand a deviant person twice their
age.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--UK Home Office Terminates Contract With Company That Lost Data
(September 10 & 11, 2008)
The UK Home Office has terminated a GBP 1.5 million (US $2.63 million)
contract with PA Consulting, the company that lost a memory stick
containing information about 84,000 prisoners in England and Wales. PA
Consulting had been hired "to administer the prisoner-tracking JTrack
system." Home Secretary Jacqui Smith said that after reviewing the
incident, it was evident that by failing to handle the data in a secure
fashion, PA Consulting violated the terms of its contract. The PA
Consulting staff member who was responsible for the memory stick has
been fired. Other contracts PA Consulting has with the Home Office are
currently under review.
http://www.zdnet.co.uk/misc/print/0,1000000169,39486549-39001093c,00.htm
http://www.vnunet.com/computing/news/2225776/government-concludes-pa
http://www.theregister.co.uk/2008/09/11/pa_consulting_home_office_plea/print.html
http://www.silicon.com/publicsector/0,3800010403,39286267,00.htm?r=1
[Editor's Note (Pescatore): While the contractor in this case says the
breach was due to one employee acting improperly, if a post-incident
review shows process and performance failures then losing the contract
should be the consequence.
(Honan): When outsourcing work to a third party ensure that your
contract states clearly what the security requirements are that you are
imposing on the outsourcing company and the penalties, including up to
termination of the contract, for breaches of the contract. You should
also ensure that terminating these contracts is one of the scenarios
that should be built into your business continuity plan.]
--Most Data Shared Between NZ Government Agencies are Encrypted
(September 9, 2008)
Following a review of data transfer procedures between New Zealand
government agencies, Privacy Commissioner Marie Shroff mandated that
data shared between agencies must be encrypted. At the time of the
review in February 2008, just 19 of 46 data sharing programs were using
encryption; now just three of the 46 are not encrypted. Data are shared
by tape, CD and floppy disk; one of the sharing arrangements has moved
to an online system.
http://computerworld.co.nz/news.nsf/scrt/CF22BCF7E17A0DEFCC2574BE007E4AFD
http://www.nzherald.co.nz/feature/story.cfm?c_id=1501832&objectid=10531292
[Editor's Note (Pescatore): Good to see that a high percentage of physical
media is now encrypted, but I'll bet there are all kinds of data sharing
going on via email.]
UPDATES AND PATCHES
--Apple Releases Updates for QuickTime, iTunes and iPod touch
(September 10, 2008)
Apple has released QuickTime 7.5.5, an update that addresses nine flaws
that could be exploited to create denial-of-service conditions or run
arbitrary code on vulnerable computers. So far this year, Apple has
patched 30 vulnerabilities in QuickTime. Five of the QuickTime flaws
affect both Mac and Windows versions; the remaining four affect only
Windows. Apple Inc. has also issued security updates to address flaws
in iTunes and iPod touch.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114429&source=rss_topic17s
http://news.cnet.com/8301-1009_3-10036849-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.securityfocus.com/brief/816
iTunes: http://support.apple.com/kb/HT3025
iPod touch: http://support.apple.com/kb/HT3026
QuickTime: http://support.apple.com/kb/HT3027
[Editor's Note (Honan): Apple's lack of transparency in how it is
patching applications leaves a lot to be desired and could impact the
use of Apple technology within a corporate environment. See the
following insight into the latest patches: An inside look at Apple's
sneaky iTunes 8 upgrade http://blogs.zdnet.com/Bott/?p=536]
--Microsoft Issues Four Security Bulletins
(September 9, 2008)
The four security bulletins Microsoft issued on Tuesday, September 9
include fixes for at least eight vulnerabilities in Windows Media
Player, Windows Media Encoder, Microsoft Office and the Microsoft
Windows GDI+ (graphics device interface). The most serious appears to
be a series of flaws in GDI+, the component that allows users to view
JPEGs and other images. The five GDI+ flaws could be exploited to install
malware on vulnerable systems. All four bulletins have maximum severity
ratings of critical. There are no publicly known exploits for the
flaws.
http://www.theregister.co.uk/2008/09/09/microsoft_sept_patch_tuesday/print.html
https://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
http://www.gcn.com/online/vol1_no1/47102-1.html?topic=security
http://isc.sans.org/diary.html?storyid=5009
DATA LOSS AND EXPOSURE
--Man Wants Court Docs off Website, Posts Internal County eMail
in Protest
(September 10, 2008)
An Arkansas man has posted internal email messages of Pulaski County
clerk's office officials to protest the county's refusal to remove some
public documents that contain Social Security numbers (SSNs) from its
web site. Bill Phillips wants the county to remove Circuit Court
records from the site because they contain sensitive personal
information. The county blocked access to real estate records of county
residents which had previously been available online after the state
attorney general said the sensitive data must be redacted from the
documents before they can be made publicly available, but the court
records remain accessible. Pulaski County Clerk Pat O'Brien is not
worried about the emails and other county clerk's office documents being
made public. O'Brien says he is "a huge proponent of freedom of
information and believe[s] that public records should be accessible
online." Software has been purchased to redact the sensitive data from
the real estate records, but it would not work for the circuit court
documents. In any case, the Arkansas Supreme Court, not the county
clerk's office, has jurisdiction over how the court records are managed.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114438&source=rss_topic17
MISCELLANEOUS
--Fedora is Issuing Updates
(September 10 & 11, 2008)
The Fedora Project is once again issuing updates several weeks after an
intruder broke into its network. The updates will switch users to new,
secure update servers, from which they can download more updates. All
of the Fedora Project's packages have been signed with a new key.
http://www.zdnet.co.uk/misc/print/0,1000000169,39486961-39001093c,00.htm
http://www.heise-online.co.uk/security/Fedora-8-and-9-updates-begin-to-flow-again--/news/111505
https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/