*************** SPONSORED BY SANS NETWORK SECURITY 2008 ****************
[Final registration date to avoid late payment penalty is September 3.] The biggest security training program of the Fall is in Las Vegas September 28 - October 6. Fifty courses including Eric Cole's very new "Advanced Security Essentials." And there are still places available in both of the world-class penetration testing courses. Plus the Hacker Techniques course, forensics and even training for CISSP exams. A huge expo and lots of chances for networking with peers in birds of a feather and other evenings sessions. If you can attend only one conference this fall, SANS Network Security should be your choice: http://www.sans.org/ns2008/
UK Government Depts. Lost 29 Million Records in One Year (August 20 & 21, 2008)
In the last 12 months, UK government departments have lost 29 million records containing personal data. After the loss last year of two disks containing personally identifiable information on 25 million child benefit claimants, the government required departments to report data losses in their financial statements. The remaining four million lost records include those of three million driving test candidates reported by the Department for Transport and 620,000 on an unencrypted Ministry of Defence laptop. In a related story, the Home Office learned earlier this week that an outside contractor lost a memory stick containing personal information about thousands of criminals in England and Wales. The Information Commissioner has been notified. -http://www.theregister.co.uk/2008/08/20/uk_gov_lost_records/print.html -http://news.bbc.co.uk/2/hi/uk_news/7575766.stm -http://afp.google.com/article/ALeqM5jBZonxIDfrQrxX3fLqwpLfPlimoQ
FCC Orders Comcast to End Discriminatory Traffic Throttling (August 20 & 21, 2008)
The US Federal Communications Commission (FCC) has issued a Memorandum Opinion and Order regarding the Comcast traffic throttling issue. The document states that "Comcast has deployed equipment across its network that monitors its customers' TCP connections using deep packet inspection ... [and] determines how it will route some connections based not on their destinations but on their contents." The document goes on to call the "practice ... invasive and outright discriminatory." The FCC will "monitor Comcast's compliance with its pledge" to curtail the use of discriminatory traffic management by requiring Comcast to inform the FCC of the specifics of its current mode of network traffic management "including what equipment has been utilized, when it began to be employed, when and under what circumstances it has been used, how it has been configured, what protocols have been affected, and where it has been deployed." Comcast must also submit a written plan concerning how it will make the transition from its present system to the new system, and make clear to the FCC and to the public "the network management practices that it intends to deploy ..., including the thresholds that will trigger any limits on customers' access to bandwidth." -http://www.washingtonpost.com/wp-dyn/content/article/2008/08/20/AR2008082003321_pf.html -http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.doc
1) Are you a penetration tester who wants to learn about the latest testing procedures and tools to improve your skills? Come to the Penetration Testing and Ethical Hacking Summit to hear experts discuss policy, process and technical aspects of testing. September 17 - London. http://www.sans.org/info/32038
2) Register for Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit September 8-9 - Amsterdam, NL. http://www.sans.org/info/32043
A recently installed voicemail system at the US Federal Emergency Management Agency (FEMA) was breached last weekend and used to place US $12,000 worth of calls to numbers in the Middle East and Asia. The system is part of a Private Branch Exchange (PBX); toll-fraud attacks on PBX and voicemail systems have been known for years, and the countermeasures (disabling outside-line access from voicemail, restricting international dialing, reviewing call detail records) are well understood by trained administrators. FEMA is part of the US Department of Homeland Security (DHS), which issued a warning about this type of attack five years ago. The incident is under investigation. -http://www.msnbc.msn.com/id/26319201/ [Editor's Note (Skoudis): This just feels so old-school. However, it nicely illustrates that we can't focus on defending against only the late-breaking and cool attacks. We have to maintain diligence on the old stuff too. ]
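The control that catches this kind of abuse early is a routine review of the PBX call detail records (CDRs) for international calls placed through voicemail ports outside business hours. The script below is an added illustration written for this newsletter, not code from FEMA, DHS or any PBX vendor: the CDR layout, the "VM-" port naming, the domestic prefix and the business-hours window are all assumptions, and the sample records are constructed, not real call data.

```python
from datetime import datetime

# Constructed call detail records for the example (not FEMA's data).
# Fields: start time, originating port, dialled number, duration in seconds.
SAMPLE_CDR = """\
2008-08-16 02:14:07,VM-PORT-3,+9630000000000,612
2008-08-16 02:31:55,VM-PORT-3,+9300000000000,1208
2008-08-16 03:02:11,VM-PORT-1,+8400000000000,95
2008-08-18 10:05:41,EXT-2214,+12025550100,180
2008-08-18 14:22:03,EXT-2301,+442079460000,300
2008-08-19 23:40:12,VM-PORT-2,+12025550111,60
"""

BUSINESS_HOURS = range(7, 19)   # assumed local business hours, 07:00-18:59
HOME_COUNTRY_PREFIX = "+1"      # assumed: anything else is an international call
VOICEMAIL_PORT_PREFIX = "VM-"   # assumed naming of voicemail ports in the CDR


def parse_cdr(text):
    """Parse comma-separated CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, dialled, seconds = line.split(",")
        records.append({
            "start": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "port": port,
            "dialled": dialled,
            "seconds": int(seconds),
        })
    return records


def is_suspicious(rec):
    """Toll-fraud heuristic: an international call that left the PBX through a
    voicemail port outside business hours or on a weekend (Sat/Sun)."""
    from_voicemail = rec["port"].startswith(VOICEMAIL_PORT_PREFIX)
    international = not rec["dialled"].startswith(HOME_COUNTRY_PREFIX)
    after_hours = (rec["start"].hour not in BUSINESS_HOURS
                   or rec["start"].weekday() >= 5)
    return from_voicemail and international and after_hours


def summarize(records):
    """Aggregate suspicious calls per originating port: call count and
    total minutes, which is what an administrator would escalate on."""
    summary = {}
    for rec in records:
        if is_suspicious(rec):
            entry = summary.setdefault(rec["port"], {"calls": 0, "minutes": 0.0})
            entry["calls"] += 1
            entry["minutes"] += rec["seconds"] / 60
    return summary


if __name__ == "__main__":
    for port, stats in sorted(summarize(parse_cdr(SAMPLE_CDR)).items()):
        print(f"{port}: {stats['calls']} suspicious call(s), "
              f"{stats['minutes']:.1f} minutes")
```

On the constructed data the three weekend calls from voicemail ports to non-domestic numbers are flagged and grouped by port, while the weekday extension calls and the late-night domestic call from a voicemail port are not. In practice the same report would run nightly against the PBX's exported CDRs, with the thresholds tuned to the site's normal traffic.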
POLICY AND LEGISLATION
Irish Insurance Sector Gets Data Protection Code (August 20, 2008)
In light of the revelation that insurance companies in Ireland have been using private investigators to obtain personal data held by the Gardai and the Department of Social and Family Affairs, the Irish Data Protection Commissioner's office has issued a Code of Practice on Data Protection for the Insurance Sector. In a note announcing the publication of the code, the Data Protection Commissioner's Office says that "The Data Protection Acts provide for the preparation of sector-specific codes of practice to allow for a better understanding of the requirements of the Acts. ...In some instances the basic statutory data protection requirements as they are applied within particular sectors can benefit from more detail." -http://www.breakingnews.ie/ireland/mhqleymhmhid/ -http://www.dataprotection.ie/viewdoc.asp?DocID=841&m=f
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Gaming Industry to Go After Illegal Filesharers (August 20, 2008)
Apache Fixes Directory Traversal Flaw in Tomcat (August 20, 2008)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning about a directory traversal vulnerability in Apache Tomcat. The flaw could be exploited remotely to read files outside the web application's intended directory on vulnerable servers. Apache has issued updates to fix the problem in several versions of the Java servlet container. Users running Tomcat 4.1.0 through 4.1.37 should upgrade to 4.1.38; users running Tomcat 5.5.0 through 5.5.26 should upgrade to 5.5.27; users running Tomcat 6.0.0 through 6.0.16 should upgrade to 6.0.18. The US-CERT warning says that exploit code for the vulnerability is publicly available on the Internet. -http://www.heise-online.co.uk/security/US-CERT-warns-of-Tomcat-vulnerability--/news/111358 -http://www.kb.cert.org/vuls/id/343355 [Editor's Note (Skoudis): UTF-8 encoding bites more victims, leading to yet another directory traversal flaw. We see this kind of thing all the time in our product analysis and research. ]
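The bug class the editor's note refers to is worth seeing side by side with its fix. The example below is added here and is not Tomcat's code; the newsletter does not spell out the exact encoding trick, so the example assumes the classic one: an overlong two-byte UTF-8 encoding of "." (%c0%ae) that a strict decoder must reject but a permissive one turns into a dot after the traversal check has already run. The document root, the lenient decoder and the request paths are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/www/app"   # hypothetical document root for the example


def lenient_utf8_decode(data: bytes) -> str:
    """Permissive decoder that accepts overlong two-byte forms such as C0 AE
    (decoded as U+002E '.'), which strict UTF-8 forbids. Constructed to model
    the bug class; it is not a description of Tomcat's actual decoder."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # No overlong check: C0 AE -> 0x2E, i.e. '.'
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def vulnerable_resolve(request_path: str) -> str:
    """Bug pattern: the '..' check runs on the raw URI text, and the lenient
    decode happens afterwards, so '..' only appears after the check passed."""
    if ".." in request_path:
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8_decode(unquote_to_bytes(request_path))
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))


def safe_resolve(request_path: str) -> str:
    """Hardened order: percent-decode exactly once, decode as strict UTF-8
    (overlong forms raise), reject NUL, normalize, then verify containment
    against the real document root rather than pattern-matching the input."""
    raw = unquote_to_bytes(request_path)
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise PermissionError("malformed UTF-8 in path")
    if "\x00" in decoded:
        raise PermissionError("NUL in path")
    target = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if target != DOC_ROOT and not target.startswith(DOC_ROOT + "/"):
        raise PermissionError("path escapes document root")
    return target


def rejects(resolver, request_path: str) -> bool:
    """True if the resolver refuses the request path."""
    try:
        resolver(request_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    probe = "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
    print("vulnerable:", vulnerable_resolve(probe))        # escapes the root
    print("hardened rejects probe:", rejects(safe_resolve, probe))
    print("hardened normal path:", safe_resolve("/css/site.css"))
```

The vulnerable resolver maps the overlong-encoded probe to /etc/passwd because the only defence is a string match on the undecoded input. The hardened version makes no attempt to enumerate bad encodings: it canonicalizes first and then checks that the final absolute path still lies under the root, which is the check that survives the next encoding trick as well.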
Opera Patches Seven Flaws in Browser (August 20 & 21, 2008)
Data Thieves Hit Galway Retailer (August 21, 2008)
Gardai have discovered another data breach in Ireland affecting thousands of customers of a large Galway retailer. This breach is more serious than the one detected earlier this month because the data thieves actually cloned cards from the stolen information and used them to steal money from the customers' accounts. In the earlier case, the thieves had posed as engineers from banks performing maintenance on card payment terminals and instead tampered with those terminals. The retailers realized something was wrong and quickly alerted Gardai; the scheme was apparently detected before the criminals had a chance to download the information and use it to commit fraud. In the more recent case, Gardai believe the thieves used a different technique. Detectives theorize that an insider may have helped with the data skimming attack. Card number skimmers are now as small as cigarette lighters and can hold thousands of card numbers. -http://www.irishtimes.com/newspaper/ireland/2008/0821/1219243766638.html
DNS Flaw Exploited at Chinese ISP (August 21, 2008)
************************************************************************* The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT security college, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/