******************** Sponsored By Palo Alto Networks ********************
Attention Cisco PIX Users: Now that Cisco announced "end of life" for its PIX Security Appliances, consider a transition to award-winning next generation firewalls from Palo Alto Networks. Get unprecedented visibility and control of all applications, users, and content -and get instant rebates of up to $6,000! Learn more, watch this short webcast. http://www.sans.org/info/33404
Nevada Data Encryption Law Takes Effect October 1 (September 19, 2008)
A Nevada law requiring that businesses encrypt all transmissions of personally identifiable information over the Internet becomes enforceable as of October 1, 2008. An attorney who has been keeping a close eye on the issue has expressed concern that the statute is overly broad in its definition of what constitutes encryption, does not address industry standards, and is not clear about how those who violate the law will be penalized. -http://blog.baselinemag.com/bottom_line/content/security/nevada_deadline_on_email_encryption_looming.html [Editor's Note (Schultz): Interestingly, many of the criticisms of this law have also previously been leveled against SB 1386. SB 1386 nevertheless has had a huge impact on data security notification in most states within the US. ]
North Carolina to Use Scanners to Ensure Voters Receive Proper Ballots (September 19, 2008)
This November, voters in North Carolina will have an increased level of confidence that they are receiving the correct ballot on which to record their votes thanks to the use of scanners. The state uses more than 100 different ballots; voters in North Carolina mark their choices directly on their ballots. Poll workers will scan each voter's voter authorization form as well as the associated ballot; the process should catch any anomalies. The scanners were tested in several municipalities in the state's May primary election and will be used in all precincts in November's election. -http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210602730
Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks (September 22, 2008)
According to the US Department of Justice's 2005 National Computer Security Survey, over two-thirds of the more than 7,800 companies responding to the survey experienced at least one cybercrime incident during that year. The incidents were classified as cyber attacks, cyber theft, or other. Three-fourths of the cyber attacks originated from outside the organizations; the same percentage of cyber thefts originated from within the organizations. More than half of the cyber thefts were reported to authorities, while just six percent of cyber attacks were reported. -http://www.securityfocus.com/brief/825 The actual survey results: -http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf
Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping (September 17 & 22, 2008)
A former US State Department intelligence analyst has pleaded guilty to unauthorized access to a State Department computer for snooping on passport records of well-known people. Lawrence Yontz could face up to a year in prison for accessing the files, which include those of major players in the current presidential race. A recent audit found "a general lack of policies, procedures, guidance and training" at the State Department's passport bureau. Yontz admitted to having perused the files of approximately 200 well-known individuals and their families; he will cooperate with the government's continuing investigation. -http://blog.wired.com/27bstroke6/2008/09/idle-curiosity.html -http://www.cnn.com/2008/POLITICS/09/16/passport.snooping/
Citect Acknowledges Seriousness of SCADA Flaw (September 19, 2008)
Citect has replaced its advisory about a flaw in its CitectSCADA (Supervisory Control and Data Acquisition) software. The original advisory downplayed the seriousness of the flaw, but after exploit code for the flaw was published last week, the company replaced the advisory with a more strongly worded version. The person who released the code said he did so because he did not believe Citect was taking the threat seriously enough; he is pleased that the company has acknowledged the severity of the flaw. Citect released a patch for the flaw in June 2008. -http://www.theregister.co.uk/2008/09/19/scada_advisory_pulled/ -http://www.citect.com/documents/news_and_media/CitectSCADA-security-response.pdf [Editor's Note (Skoudis): Sadly, SCADA vendors usually have to be forced into disclosing the significance of security flaws and the importance of their patches. As an industry, we really need to keep the pressure on the SCADA vendors for quickly and thoroughly fixing flaws, and then warning their customers about the issue. If your organization relies on SCADA devices for your operations, make sure your security personnel are in touch with your main SCADA vendors to get vulnerability information in a timely fashion. (Debate) A small difference of opinion arose among NewsBites editors on whether to list the name of the person who disclosed the vulnerability "because he did not believe (the vendor) was taking the threat seriously enough." Editor and security pioneer Marcus Ranum had the last word: The people who do exploit and vuln releases do it for attention. Naming them in NewsBites plays right into their hands; I generally recommend that we not reward disclosure, as a matter of policy. Feed cockroaches and you just get more cockroaches. ]
Clickjacking Talk Cancelled (September 19, 2008)
A talk on a type of vulnerability dubbed "clickjacking" scheduled to be delivered at the OWASP Conference has been cancelled. The people presenting the talk became concerned that the flaws are serious enough that it would be irresponsible to disclose them without first giving vendors time to fix them. The experts scheduled to give the talk have contacted vendors whose products are believed to be vulnerable to the type of exploit they had planned to speak about. "Clickjacking" involves a number of flaws that could be exploited to trick users into clicking on a link that is never or perhaps only briefly visible. -http://www.heise-online.co.uk/security/Is-clickjacking-the-next-threat--/news/111570 -http://ha.ckers.org/blog/20080915/clickjacking/ [Editor's Note (Skoudis): Kudos to Rsnake and Jeremiah Grossman for acting responsibly here and explaining so clearly their reasons for doing so. They have set an effective standard for us all. ]
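The item above names the vulnerability class but, given the embargo, not the defenses. The check below is an added illustration written for this edit, not code from the newsletter or from the researchers it mentions: it audits a set of HTTP response headers for the two browser-enforced anti-framing controls that were standardized after this 2008 disclosure, X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The header names are real; the sample responses are constructed for the demonstration and do not correspond to any site.

```python
"""Audit HTTP response headers for anti-framing (clickjacking) protection.

Added example, not part of the SANS NewsBites issue. It applies the
precedence rules browsers use: a CSP frame-ancestors directive overrides
X-Frame-Options when both are present, and the obsolete ALLOW-FROM form is
ignored by current browsers and therefore counted as no protection.
The SAMPLES dictionary below is constructed for the demonstration.
"""
from __future__ import annotations


def _split_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive_name: [source tokens]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_protection(headers: dict[str, str]) -> tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively. Order of evaluation:
      1. CSP frame-ancestors, if present, decides ('*' means unprotected).
      2. X-Frame-Options DENY or SAMEORIGIN counts as protected.
      3. ALLOW-FROM, unknown values, or no header at all: unprotected.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = _split_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors == ["*"]:
                return False, "frame-ancestors * lets any origin frame the page"
            return True, "CSP frame-ancestors " + " ".join(ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    if xfo:
        return False, "unrecognized X-Frame-Options value %r" % xfo
    return False, "no anti-framing header present"


# Constructed sample responses (hypothetical endpoints, not real sites).
SAMPLES: dict[str, dict[str, str]] = {
    "bank_login": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "widget": {"content-security-policy":
               "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "legacy_app": {"Content-Type": "text/html"},
    "misconfigured": {"X-Frame-Options": "SAMEORIGIN",
                      "Content-Security-Policy": "frame-ancestors *"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(samples: dict[str, dict[str, str]] = SAMPLES) -> dict[str, bool]:
    """Evaluate every sample, print a one-line verdict each, return {name: protected}."""
    results: dict[str, bool] = {}
    for name, hdrs in samples.items():
        protected, reason = framing_protection(hdrs)
        results[name] = protected
        print("%-14s %s %s" % (name, "OK  " if protected else "RISK", reason))
    return results


if __name__ == "__main__":
    audit()
```

The "misconfigured" sample is the case worth remembering: a correct X-Frame-Options header is silently neutralized by a later-added permissive CSP, so an audit that only looks for the presence of X-Frame-Options would report it as safe.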
UPDATES AND PATCHES
Adobe Will Fix Clipboard Vulnerability in Flash 10 (September 22, 2008)
Palin Should Not Have Used Unsecure eMail for State Business Communication (September 22, 2008)
Government Computer News (GCN) columnist William Jackson does not dispute that breaking into Governor Palin's email account was wrong, but also observes that Palin should have known better than to use unsecured email accounts to conduct state business, ostensibly to prevent the communications from being subject to disclosure laws. -http://www.gcn.com/online/vol1_no1/47187-1.html?topic=security&page=1
Network Provider's Negative Reputation is its Downfall (September 22, 2008)
California-based network provider Intercage, also known as Atrivo, has had its last upstream Internet provider pull the plug after coming under fire for supplying service to the company that has been branded a source of malware on the Internet. Atrivo had reportedly been turning a blind eye to spammers and other Internet malware purveyors who were its clients. After reports surfaced in the media several weeks ago about the prevalence of malware emanating from the Atrivo network, most of its upstream providers severed their business relationships with the company. The last remaining provider was pushed to the brink after Spamhaus blacklisted more than 1,000 of its IP addresses. Once the provider, Pacific Internet Exchange (PIE), stopped providing Atrivo with service, Spamhaus removed virtually all of the blocks. Atrivo president and owner Emil Kacperski says he is being treated unfairly and that he received an average of just five complaints a week about malicious domains on his network. While the community is in agreement that consistently problematic customers need to be dealt with, some have voiced the opinion that what occurred with Atrivo was the equivalent of vigilante justice. -http://voices.washingtonpost.com/securityfix/2008/09/internet_shuns_us_based_isp_am.html?nav=rss_blog -http://www.theregister.co.uk/2008/09/22/intercage_goes_dark/print.html
Apple's Patching Process Debated (September 22, 2008)
A number of security experts have said that Apple's unpredictable patching process is problematic, possibly putting companies in a position to decide not to patch because they don't know when the next one will be coming. Others say that it is unfair to compare Apple to Microsoft, which releases patches on a predictable schedule; instead, it should be compared to other Unix vendors. In addition, Apple's tendency to issue patches as soon as they become available gives attackers a smaller window of opportunity than does Microsoft. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115288&intsrc=hm_ts_head [Editor's Note (Skoudis): I understand the arguments of both sides, but I really would prefer to see more predictable patch releases from Apple, which would greatly help operations in the enterprise space. Also, it seems to me that the comparison with Unix hardly matters if Apple is gunning for higher market share on corporate desktops by grabbing market share from Windows. ]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/