************************** Sponsored By SANS ****************************
How are the latest forensic techniques used to help combat threats in organizations today? Which products are the best in the incident response and computer forensic community? Attend the Forensics & Incident Response Summit October 13-14 and learn the answers to these and other key Forensics & Incident Response questions. http://www.sans.org/info/33064
Exploit Code Released for SCADA Vulnerability (September 10, 2008)
Attack code that exploits a known vulnerability in CitectSCADA software has been published. The person who published the code said he did so to raise awareness about security flaws in SCADA (Supervisory Control and Data Acquisition) systems because the "vendors are not being held responsible for the software that they're producing." The code was released as a software module for Metasploit, which makes it easier to use. The vulnerability in CitectSCADA was disclosed in June 2008; a patch was released at the same time. Patching industrial systems presents a unique set of concerns: because these systems regulate elements of critical infrastructure such as power and water, downtime has the potential to cause significant problems.
-http://www.networkworld.com/news/2008/091008-computer-threat-for-industrial-systems.html?hpg1=bn
[Editor's Note (Schultz): SCADA system vendors are indeed not being very responsive to customer needs in that they for the most part act oblivious to vulnerabilities found in their systems. Perhaps posting an exploit for the CitectSCADA vulnerability will help shake them out of their complacency, although I genuinely dread to think what might happen if attackers begin using this attack code in the wild.
(Guest Editor Raul Siles): We at Internet Storm Center are providing a snort signature to detect the attacks and the traffic peak from Dshield for the associated port. That means this vulnerable port is being targeted in the wild:
-http://isc.sans.org/diary.html?storyid=4997]
Law Enforcement Officials Need Warrant to Access Stored Mobile Phone Company Data (September 10 & 11, 2008)
The US District Court for the Western District of Pennsylvania has upheld a lower court decision that says law enforcement officers must obtain a warrant based on probable cause to access mobile phone companies' stored information that allows them to track a suspect's past movements. Earlier cases have established that law enforcement authorities must have a warrant based on probable cause to be able to track phone users' movements in real time. Prior to this case, however, "the government has routinely seized these (old) records without search warrants."
-http://www.securityfocus.com/brief/817
-http://www.eff.org/press/archives/2008/09/11
-http://www.eff.org/files/filenode/celltracking/lenihanorder.pdf
[Editor's Note (Northcutt): This makes perfect sense; getting a warrant is not that hard, but allowing law enforcement to access personal data with no audit trail can only lead to abuse of the privilege.]
SF SysAdmin's Lockout Attack on San Francisco City Network May Cost US $1 Million to Fix (September 10 & 11, 2008)
Student Gets Probation for Breaking Into School, Computer (September 10, 2008)
Tesoro High School (Orange County, CA) senior Tanvir Singh has been sentenced to three years of probation and 200 hours of community service for breaking into the school and gaining unauthorized access to a teacher's computer. Singh reached a plea deal with prosecutors that dropped some of the charges against him; he could be called on to testify against another student, Omar Khan, who is believed to have orchestrated the scheme. In addition to his sentence, Singh will pay all court fees and restitution.
-http://www.ocregister.com/articles/felony-khan-school-2153228-singh-counts
Spyware Helps Nab Sexual Predator (September 9 & 10, 2008)
The father of a teenage girl, concerned about sudden changes in his daughter's behavior, placed spyware on her computer. It revealed that she had been in communication with a former coach who had previously signed an agreement that prevented him from having contact with the girl. The IM conversations were enough evidence for police to arrest Nicholas Lovell for violating the earlier agreement. Lovell went to trial, where he was found guilty of engaging in sexual activity with a minor and sentenced to four-and-a-half years in jail.
-http://www.theregister.co.uk/2008/09/10/web_monitoring_traps_child_abuser/print.html
-http://www.getbracknell.co.uk/news/s/2035089_spyware_on_girls_email_snared_her_older_man
[Editor's Comment (Northcutt): Yayyyyyy dad! Children should not have an expectation of privacy when using a computer. Through the years I have heard some heart-wrenching stories from parents. This is not about trusting your kids, it is about expecting a 15 or 16 year old child to have the tools and experience to withstand a deviant person twice their age.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Home Office Terminates Contract With Company That Lost Data (September 10 & 11, 2008)
The UK Home Office has terminated a GBP 1.5 million (US $2.63 million) contract with PA Consulting, the company that lost a memory stick containing information about 84,000 prisoners in England and Wales. PA Consulting had been hired "to administer the prisoner-tracking JTrack system." Home Secretary Jacqui Smith said that after reviewing the incident, it was evident that by failing to handle the data in a secure fashion, PA Consulting violated the terms of its contract. The PA Consulting staff member who was responsible for the memory stick has been fired. Other contracts PA Consulting has with the Home Office are currently under review.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39486549-39001093c,00.htm
-http://www.vnunet.com/computing/news/2225776/government-concludes-pa
-http://www.theregister.co.uk/2008/09/11/pa_consulting_home_office_plea/print.html
-http://www.silicon.com/publicsector/0,3800010403,39286267,00.htm?r=1
[Editor's Note (Pescatore): While the contractor in this case says the breach was due to one employee acting improperly, if a post-incident review shows process and performance failures then losing the contract should be the consequence.
(Honan): When outsourcing work to a third party, ensure that your contract states clearly what security requirements you are imposing on the outsourcing company and the penalties, up to and including termination of the contract, for breaches of the contract. You should also ensure that terminating these contracts is one of the scenarios built into your business continuity plan.]
Most Data Shared Between NZ Government Agencies are Encrypted (September 9, 2008)
Following a review of data transfer procedures between New Zealand government agencies, Privacy Commissioner Marie Shroff mandated that data shared between agencies must be encrypted. At the time of the review in February 2008, just 19 of 46 data sharing programs were using encryption; now just three of the 46 are not encrypted. Data are shared by tape, CD and floppy disk; one of the sharing arrangements has moved to an online system.
-http://computerworld.co.nz/news.nsf/scrt/CF22BCF7E17A0DEFCC2574BE007E4AFD
-http://www.nzherald.co.nz/feature/story.cfm?c_id=1501832&objectid=10531292
[Editor's Note (Pescatore): Good to see that a high percentage of physical media are now encrypted, but I'll bet there is all kinds of data sharing going on via email.]
UPDATES AND PATCHES
Apple Releases Updates for QuickTime, iTunes and iPod touch (September 10, 2008)
Man Wants Court Docs off Website, Posts Internal County eMail in Protest (September 10, 2008)
An Arkansas man has posted internal email messages of Pulaski County clerk's office officials to protest the county's refusal to remove some public documents that contain Social Security numbers (SSNs) from its web site. Bill Phillips wants the county to remove Circuit Court records from the site because they contain sensitive personal information. The county blocked access to real estate records of county residents, which had previously been available online, after the state attorney general said the sensitive data must be redacted from the documents before they can be made publicly available; the court records, however, remain accessible. Pulaski County Clerk Pat O'Brien is not worried about the emails and other county clerk's office documents being made public. O'Brien says he is "a huge proponent of freedom of information and believe(s) that public records should be accessible online." Software has been purchased to redact the sensitive data from the real estate records, but it would not work for the circuit court documents. In any case, the Arkansas Supreme Court, not the county clerk's office, has jurisdiction over how the court records are managed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114438&source=rss_topic17
Fedora is Issuing Updates (September 10 & 11, 2008)
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
SANS is the ultimate security training program, bar none. It is the most intensive and informative security conference available. It's a must have for infosec professionals. -Aaron Despain, TriWest Healthcare Alliance