SANS NewsBites - Volume: X, Issue: 66

*************************************************************************
SANS NewsBites                     August 22, 2008                    Volume: X, Issue: 66
*************************************************************************
TOP OF THE NEWS

  Judge Lets MIT Gag Order Expire
  UK Government Depts. Lost 29 Million Records in One Year
  FCC Orders Comcast to End Discriminatory Traffic Throttling

THE REST OF THE WEEK'S NEWS

  ARRESTS, CHARGES & CONVICTIONS
   Jury Indicts One in Alleged Botnet Scheme
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   FEMA PBX System Breached
  POLICY AND LEGISLATION
   Irish Insurance Sector Gets Data Protection Code
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Gaming Industry to Go After Illegal Filesharers
  UPDATES AND PATCHES
   Apache Fixes Directory Traversal Flaw in Tomcat
   Opera Patches Seven Flaws in Browser
  DATA THEFT AND LOSS
   Data Thieves Hit Galway Retailer
  ATTACKS
   DNS Flaw Exploited at Chinese ISP
  MISCELLANEOUS
   IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode



TOP OF THE NEWS

Judge Lets MIT Gag Order Expire (August 19, 2008)
US District Judge George A. O'Toole did not renew a gag order imposed on three Massachusetts Institute of Technology (MIT) students that prevented them from talking about vulnerabilities they found in the Massachusetts Bay Transportation Authority's (MBTA) electronic payment system.  The judge did not agree with the MBTA's assertion that by disclosing the flaws the students would be violating the Computer Fraud and Abuse Act (CFAA).  The students were represented by the Electronic Frontier Foundation (EFF), which argued that preventing the students from presenting their work at a conference was a violation of their right to free speech.  The judge did not address that issue, choosing instead to "focus on the language in the CFAA."  The students were prevented from giving a talk about their findings at DefCon earlier this month by the now-expired temporary restraining order.
-http://www.theregister.co.uk/2008/08/19/gag_order_lifted/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112968&source=rss_topic17

-http://www.securityfocus.com/brief/802
-http://news.cnet.com/8301-1009_3-10020252-83.html?hhTest=1&part=rss&subj=news&tag=2547-1009_3-0-20

[Editor's Note (Schultz): "Free speech" has increasingly become a bad defense argument against charges of releasing vulnerability and other information that could result in ability to readily compromise systems. One would think that the defense in cases such as the one described in this news item would catch on and try something else.]


UK Government Depts. Lost 29 Million Records in One Year (August 20 & 21, 2008)
In the last 12 months, UK government departments have lost 29 million records containing personal data.  The government asked departments to include data loss on their financial statements after the loss of two disks containing personally identifiable information of 25 million child benefit claimants last year.  The remaining four million lost records include those of three million driving test candidates reported by the Department of Transport and 620,000 on an unencrypted Ministry of Defence laptop.  In a related story, the Home Office learned earlier this week that an outside contractor lost a memory stick containing personal information about thousands of criminals in England and Wales. The Information Commissioner has been notified.
-http://www.theregister.co.uk/2008/08/20/uk_gov_lost_records/print.html
-http://news.bbc.co.uk/2/hi/uk_news/7575766.stm
-http://afp.google.com/article/ALeqM5jBZonxIDfrQrxX3fLqwpLfPlimoQ


FCC Orders Comcast to End Discriminatory Traffic Throttling (August 20 & 21, 2008)
The US Federal Communications Commission (FCC) has issued a Memorandum Opinion and Order regarding the Comcast traffic throttling issue.  The document states that "Comcast has deployed equipment across its network that monitors its customers' TCP connections using deep packet inspection ... [and] determines how it will route some connections based not on their destinations but on their contents."  The document goes on to call the "practice ... invasive and outright discriminatory."  The FCC will "monitor Comcast's compliance with its pledge" to curtail the use of discriminatory traffic management by requiring Comcast to inform the FCC of the specifics of its current mode of network traffic management "including what equipment has been utilized, when it began to be employed, when and under what circumstances it has been used, how it has been configured, what protocols have been affected, and where it has been deployed."  Comcast must also submit a written plan concerning how it will make the transition from its present system to the new system, and make clear to the FCC and to the public "the network management practices that it intends to deploy ..., including the thresholds that will trigger any limits on customers' access to bandwidth."
-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/20/AR2008082003321_pf.html

-http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.doc





THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS


Jury Indicts One in Alleged Botnet Scheme (August 21, 2008)
A Brazilian man has been indicted by a federal grand jury in New Orleans, Louisiana for his alleged involvement with a botnet scheme. Leni de Abreu Neto was charged with one count of conspiracy to cause damage to computers worldwide by allegedly working with another man, Nordin Nasiri of the Netherlands, to "use, maintain, lease and sell an illegal botnet."  Neto allegedly had an agreement with Nasiri to broker the sale of a botnet that Nasiri had created.  Neto was arrested late last month in the Netherlands and is awaiting extradition to the US.  If convicted, Neto faces a maximum sentence of five years in prison followed by three years of supervised release; he also faces a fine of at least US $250,000.  Nasiri was also arrested in the Netherlands and will be prosecuted in that country.
-http://news.cnet.com/8301-1009_3-10022990-83.html?tag=nefd.riv
-http://www.marketwatch.com/news/story/brazilian-man-charged-conspiracy-infect/story.aspx?guid={2AA0AE27-F44C-412B-AC32-7EDB007D322D}&dist=hppr



GOVERNMENT SYSTEMS AND HOMELAND SECURITY


FEMA PBX System Breached (August 20, 2008)
A recently installed voicemail system at the US Federal Emergency Management Agency (FEMA) was breached last weekend and used to make US $12,000 worth of phone calls to numbers in the Middle East and Asia. The system is a Private Branch Exchange (PBX); attacks on this type of system have been around for years, and trained administrators know how to put security measures in place.  FEMA is part of the US Department of Homeland Security (DHS), which issued a warning about this type of attack five years ago.  The incident is under investigation.
-http://www.msnbc.msn.com/id/26319201/
[Editor's Note (Skoudis): This just feels so old-school.  However, it nicely illustrates that we can't focus on defending against only the late-breaking and cool attacks.  We have to maintain diligence on the old stuff too. ]


POLICY AND LEGISLATION


Irish Insurance Sector Gets Data Protection Code (August 20, 2008)
In light of the revelation that insurance companies in Ireland have been using private investigators to obtain personal data held by the Gardai and the Department of Social and Family Affairs, the Irish Data Protection Commissioner's office has issued a Code of Practice on Data Protection for the Insurance Sector.  In a note announcing the publication of the code, the Data Protection Commissioner's Office says that "The Data Protection Acts provide for the preparation of sector-specific codes of practice to allow for a better understanding of the requirements of the Acts. ...In some instances the basic statutory data protection requirements as they are applied within particular sectors can benefit from more detail."
-http://www.breakingnews.ie/ireland/mhqleymhmhid/
-http://www.dataprotection.ie/viewdoc.asp?DocID=841&m=f


COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


Gaming Industry to Go After Illegal Filesharers (August 20, 2008)
The computer game industry plans to send letters to people in the UK who are suspected of illegally sharing games over the Internet, asking them to pay GBP 300 (US $563) to preclude further legal action.  This week, a judge ruled that Isabella Barwinska must pay GBP 16,000 (US $30,053) to Topware Interactive for putting a copy of the company's Dream Pinball game on a filesharing site.  A law firm representing five computer game makers "is applying to the High Court for an order requiring Internet Service providers to hand over the names and addresses of 25,000 individuals suspected of illegally downloading computer games."
-http://www.guardian.co.uk/technology/2008/aug/20/piracy.games
-http://technology.timesonline.co.uk/tol/news/tech_and_web/gadgets_and_gaming/article4569180.ece

-http://www.theregister.co.uk/2008/08/20/davenport_lyons_25000/print.html
-http://www.siliconrepublic.com/news/article/11247/new-media/pinball-pirates-walk-the-plank



UPDATES AND PATCHES


Apache Fixes Directory Traversal Flaw in Tomcat (August 20, 2008)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning about a directory traversal vulnerability in Apache Tomcat. The flaw could be exploited to gain remote access to files on vulnerable servers. Apache has issued updates to fix the problem in several versions of the Java web server.  Users running Tomcat 4.1.0 through 4.1.37 should upgrade to 4.1.38; users running Tomcat 5.5.0 through 5.5.26 should upgrade to 5.5.27; users running Tomcat 6.0.0 through 6.0.16 should upgrade to 6.0.18.  The US-CERT warning says that exploit code for the vulnerability has been found on the Internet.
-http://www.heise-online.co.uk/security/US-CERT-warns-of-Tomcat-vulnerability--/news/111358

-http://www.kb.cert.org/vuls/id/343355
[Editor's Note (Skoudis): UTF-8 encoding bites more victims, leading to yet another directory traversal flaw.  We see this kind of thing all the time in our product analysis and research. ]


Opera Patches Seven Flaws in Browser (August 20 & 21, 2008)
Opera has patched seven flaws in its Opera browser, but declined to provide details about one of the flaws.  When pressed on the issue, an Opera spokesperson implied that other software may have the same cross-site scripting vulnerability, and other vendors should be allowed time to fix it before it becomes public knowledge.  Opera 9.52 fixes seven flaws in the Windows edition, five in the Mac edition and six in the Linux edition.  The unexplained cross-site scripting flaw is fixed in all three versions.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113080&source=rss_topic17

-http://www.securityfocus.com/brief/804


DATA THEFT AND LOSS


Data Thieves Hit Galway Retailer (August 21, 2008)
Gardai have discovered another data breach in Ireland affecting thousands of customers of a large Galway retailer.  This breach is more serious than the one detected earlier this month because the data thieves actually cloned cards from the stolen information and used them to steal money from the customers' accounts.  In the earlier case, the thieves had posed as engineers from banks performing maintenance on card payment terminals and instead tampered with those terminals.  The retailers realized something was wrong and quickly alerted Gardai; the scheme was apparently detected before the criminals had a chance to download the information and use it to commit fraud.  In the more recent case, Gardai believe the thieves used a different technique.  Detectives theorize that an insider may have helped with the data skimming attack. Card number skimmers are now as small as cigarette lighters and can hold thousands of card numbers.
-http://www.irishtimes.com/newspaper/ireland/2008/0821/1219243766638.html


ATTACKS


DNS Flaw Exploited at Chinese ISP (August 21, 2008)
An Internet service provider (ISP) in China has been hit with a DNS cache poisoning attack.  Users who type in web addresses incorrectly are taken to a page that contains malware that tries to exploit a number of recently disclosed vulnerabilities in Adobe Flash Player, Microsoft Snapshot Viewer and RealNetworks' RealPlayer.  The attack on China Netcom is particularly insidious because it does not reroute all traffic, just mistyped URLs, and it exploits flaws for which patches were only recently released, increasing the likelihood that they have not yet been installed.  Dan Kaminsky, who originally detected the vulnerability and informed vendors months ago, says it is being actively exploited.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210200076
-http://blogs.zdnet.com/security/?p=1776
-http://www.networkworld.com/news/2008/082108-china-netcom-falls-prey-to.html?hpg1=bn

-http://news.cnet.com/8301-1009_3-10022303-83.html?part=rss&subj=news&tag=2547-1009_3-0-20



MISCELLANEOUS


IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode (August 20 & 21, 2008)
Microsoft's Internet Explorer 8 (IE 8) browser, which is presently in beta testing, will include a cross-site scripting filter to help protect users from attacks.  Firefox users can install the NoScript plugin, but IE users have had no way to protect themselves from cross-site scripting attacks.  The new release of IE will also allow users to decide how much information the browser keeps about their web surfing habits.  Most users can already do this manually each time they want to clear the data, but IE 8 will have a privacy mode which will automatically clear the data every time.
-http://www.theregister.co.uk/2008/08/20/microsoft_xss_filter/print.html
-http://news.bbc.co.uk/2/hi/technology/7574265.stm
-http://www.download.com/8300-2007_4-12.html?keyword=%22IE+8%22


*************************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a senior Lockheed Martin Fellow.


Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.


Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.


Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Roland Grefer is an independent consultant based in Clearwater, Florida.

