Secure Coding Update: The secure coding flaws found in popular books on programming are now posted at http://www.sans-ssi.org/resources/Winners_of_insecure_coding_contest_20080721.pdf Also the new course on Secure Coding in Java was a huge hit at SANSFIRE as well as in on-site presentations. This is the application security course that we have all needed. Now it is here and it is wonderful. If you have programmers and want to have us train them or if you want to develop in-house trainers to give the course yourself, please email email@example.com today. Alan
************************************************************************* SANS NewsBites July 29, 2008 Volume: X, Issue: 59 *************************************************************************
***************** Protecting the Critical Infrastructures **************
A free program at the European SCADA Security Summit (Amsterdam, Sept 8-9) will show all vendors of control systems how to comply with the new global procurement standards for baking security into the systems they sell. Their compliance will make it possible for electric utilities (large and small) and other buyers of control systems to have much more security than they do now. There is no more valuable initiative in control systems security. Users of control systems will learn about the standards, how attackers are breaking in, and what works to improve their security, as part of the Summit. If you buy control systems, make sure your vendors are complying with the new procurement standards - even in the maintenance of your current systems. Information on the Summit is at: http://www.sans.org/info/30854 Vendors who want to attend the free session should email firstname.lastname@example.org with the subject "SCADA Security Procurement Standards."
The US Federal Communications Commission (FCC) will likely vote this week on an enforcement order against Comcast for deliberately blocking or degrading Internet traffic to thwart file sharing. Comcast says it only slowed traffic for network management during peak usage times. If the FCC agrees that Comcast violated federal policy, Comcast will be prohibited from slowing and blocking traffic and will have to make its practices clear to its customers. Comcast maintains that the FCC does not have the authority to impose penalties. The issue is on the FCC's August 1 agenda. -http://www.informationweek.com/news/services/data/showArticle.jhtml?articleID=209602109 -http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/28/BUAB120T33.DTL -http://government.zdnet.com/?p=3907 [Editor's Note (Ullrich): This topic may have more impact on network security than many think. A key question that has been heavily debated in the past is whether and how ISPs like Comcast should manage traffic, and whether ISPs should be allowed, or even required, to block some malicious traffic. (Schultz): This case promises to be drawn out and dramatic; Comcast declares that the FCC has no authority in situations such as this one and the FCC maintains that it very much does. Whatever ruling comes out of it will be yet another that helps define the limits of power (or lack thereof) for ISPs, especially big and powerful ones such as Comcast. ]
Internet Giants Urged to Uphold Free Internet Use (July 25, 2008)
Two US legislators are pushing the CEOs of Yahoo!, Google and Microsoft to adopt "a voluntary code of conduct" which says they will not help foreign governments' attempts to stifle or persecute dissenting Internet users. Senators Dick Durbin (D-Ill.) and Tom Coburn (R-Okla.) say that if the companies do not adopt the policy, they could see legislation that would require them not to cooperate with foreign governments that aim to repress citizens' human rights. Yahoo! has been criticized in the past for providing Chinese authorities with information that led to the arrest of a dissident who was ultimately sentenced to 10 years in prison for forwarding an email to a human rights group. Companies say they are bound to abide by the laws of the countries in which they operate. -http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209601006 [Editor's Note (Northcutt): Planet Earth is very big and the USA's power is shrinking due to fiscal irresponsibility and over confidence in our military capability. We cannot legislate behavior for the rest of the world; rather we should start to pay attention to our own very real domestic problems. ]
Reports Suggest DNS Flaw is Being Actively Exploited (July 25 & 28, 2008)
Companies are being urged to apply patches for the recently disclosed DNS flaw as soon as possible amid "anecdotal evidence" that the vulnerability is already being actively exploited. The flaw could be exploited to redirect Internet users to a site of the attacker's choosing, even if users type the correct URL into their browsers themselves. Microsoft and Linux distributors have already released patches for the vulnerability, but Apple has yet to make a fix available. Major vendors, including Apple, were informed of the flaw in March, so they have had some time to prepare a patch. Those operating OS X servers should stop using them for domain name resolution until a patch is available. -http://news.bbc.co.uk/2/hi/technology/7525206.stm -http://www.smh.com.au/news/security/hackers-get-hold-of-critical-internet-flaw/2008/07/25/1216492691922.html -http://www.heise-online.co.uk/security/DNS-hole-no-patch-yet-from-Apple--/news/111187 [Editor's Note (Ullrich): One reason that exploits are not even more frequent is that Bind 9 appears to be immune to current exploits, even if unpatched (thanks Hal for pointing this out to me). And again, Apple is way behind the curve on critical patches to open source software redistributed with their OS. ]
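The patches the item above refers to work by randomizing the UDP source port of a resolver's outgoing queries, so that an off-path attacker has to guess the port as well as the 16-bit transaction ID. The following is an added example, not code from the newsletter or from any vendor: given a sample of source ports taken from a resolver's outbound queries (here a constructed sample, not real capture data), it measures how many distinct ports are in use and the entropy of the distribution, and flags a resolver that is still sending everything from one port. The thresholds and the assumption that transaction IDs are themselves random are this example's own.

```python
# Added example (not from the newsletter): does a resolver randomize its
# UDP source ports? A resolver that sends every query from one fixed port
# leaves only the 16-bit transaction ID for an off-path attacker to guess.
from collections import Counter
import math
import random


def port_entropy_bits(ports):
    """Shannon entropy, in bits, of the observed source-port distribution."""
    n = len(ports)
    if n == 0:
        raise ValueError("no ports observed")
    counts = Counter(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_source_ports(ports, min_distinct=100, min_entropy_bits=6.0):
    """Summarise a sample of outbound query source ports.

    The thresholds are this example's own assumptions, chosen so that a
    resolver sending a few hundred queries from one or a handful of ports
    is flagged while one drawing from the ephemeral range passes.
    The approximate guess space adds the port entropy to the 16 bits of
    the transaction ID, assuming the TXID itself is random (assumption).
    """
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports)
    if distinct == 1:
        verdict = "fixed port: TXID is the only secret"
    elif distinct < min_distinct or entropy < min_entropy_bits:
        verdict = "weak randomization"
    else:
        verdict = "randomized"
    return {
        "samples": len(ports),
        "distinct_ports": distinct,
        "port_entropy_bits": round(entropy, 2),
        "approx_guess_space_bits": round(16 + entropy, 2),
        "verdict": verdict,
    }


# Constructed samples standing in for ports captured from a resolver's
# outbound queries (for example the source-port column of a packet capture).
FIXED_PORT_SAMPLE = [53] * 200          # every query from port 53
_rng = random.Random(2008)              # seeded so the sample is reproducible
RANDOM_PORT_SAMPLE = [_rng.randint(1024, 65535) for _ in range(200)]


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        print(name, assess_source_ports(sample))
```

On a real resolver the sample would come from a capture of outbound port 53 traffic; a few hundred queries are enough to tell a fixed port from a randomized one, and the same measurement applied to the transaction IDs shows whether that half of the guess space is also intact.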
THE REST OF THE WEEK'S NEWS
College Student in Jail for Alleged ID Theft (July 25, 2008)
Six Arrested in Connection with South Korean Data Theft (July 28, 2008)
South Korean police say a Chinese hacker stole South Korean credit data and sold it to an individual who used it to broker "non-institutional" loans for individuals who appeared to need cash. The victims were telephoned and offered the alternative loans. The data were purchased for W15 million (US $14,841); the go-between who purchased the information is believed to have made W2.7 billion (US $2.67 million) in illegal profits. Six other suspects have been arrested; an arrest warrant has been requested for the go-between and another person, both of whom have fled the country. The stolen data were obtained from banks, loan companies, online retailers and universities. -http://english.chosun.com/w21data/html/news/200807/200807280013.html
Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud (July 24, 2008)
SF Prosecutors Place VPN Usernames and Passwords on Public Record (July 25 & 28, 2008)
San Francisco prosecutors in the case against system administrator Terry Childs have put 150 usernames and access passwords on the public record. The usernames and passwords are used by city officials to access San Francisco's virtual private network (VPN) and were recovered from Childs' computer. The passwords themselves will not get people into the VPN; a second password is required to gain network access. Childs is accused of hijacking the city's computer network by changing the passwords and refusing to give them to administrators. Childs eventually handed the passwords over to San Francisco Mayor Gavin Newsom. A spokesperson for the DA's office says that "court files have been amended." -http://www.theregister.co.uk/2008/07/28/sf_rogue_sysadmin_password_mess/print.html -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758&source=rss_topic17 [Editor's Note (Veltsos): San Francisco's latest mishap illustrates how, in the rush to deal with one security issue, we may end up creating new problems. On the bright side, the city learned that some of the passwords are identical to the login names. ]
NIST and George Mason Univ. Develop Attack Graph Analysis (July 23 & 25, 2008)
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/