SANS NewsBites - Volume: X, Issue: 89

*************************************************************************
SANS NewsBites                     November 11, 2008                    Volume: X, Issue: 89
*************************************************************************
TOP OF THE NEWS

  Study Finds Some DNS Servers Still Not Patched Against Cache Poisoning Flaw
  Researchers Publish Paper on Breaking WPA TKIP

THE REST OF THE WEEK'S NEWS

  LEGAL ISSUES
   New Apple Exec Ordered to Stop Work for Possible Non-Compete Violation
  ARRESTS, CHARGES, CONVICTIONS & SENTENCES
   Former Sysadmin Arrested for Alleged Extortion
   Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud
   Former Inmate Arrested for Accessing Prison Network
  VULNERABILITIES
   Google Fixes Android Flaw
  DATA LOSS & EXPOSURE
   Australian Federal Police Files Left on Hotel Computer in Nepal
  ATTACKS
   Critical Adobe Flaw is Being Actively Exploited
  MISCELLANEOUS
   Ireland Gets First Computer Emergency Response Team
   Computer Misuse Arrests Doubled In Japan During 2007
   AT&T Experiments with Downloading Limits for Broadband Customers


********************** Sponsored By Ounce Labs, Inc. ********************

Outsourcing is a proven strategy to reduce costs and increase value, but careful planning is required to build stringent software security requirements into contracts and to ensure that those requirements are met. Download this report for detailed data on how experienced outsourcers are putting in place effective processes to drive the risk out of outsourcing. http://www.sans.org/info/35229

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org

*************************************************************************

TOP OF THE NEWS

Study Finds Some DNS Servers Still Not Patched Against Cache Poisoning Flaw (November 10, 2008)
A recent survey of Domain Name System (DNS) servers found that despite widespread press coverage given to a critical DNS vulnerability earlier this year, 25 percent of servers that allow open recursion have not yet been patched. According to the study, 45 percent of administrators responding to the survey said they lack the necessary resources to address the DNS vulnerability, and 30 percent said they do not know enough about DNS to do so. The survey also shows that 90 percent of DNS servers are running recent versions of the Berkeley Internet Name Domain, or BIND 9; there has also been a significant decrease in the use of Microsoft DNS Server, which is not highly secure. One disappointment is the low rate of adoption of DNSSec, "a security protocol that allows DNS queries and answers to be digitally signed and authenticated;" those statistics could change as .gov domains in the US are required to implement DNSSec by the end of 2009.
-http://www.gcn.com/online/vol1_no1/47524-1.html?topic=security
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119724&source=rss_topic17

-http://dns.measurement-factory.com/surveys/200810.html
[Editor's Note (Northcutt): They can be as disappointed as they want to about the rate of DNSSEC adoption, but it is hard to do. Success in security depends on either automating the fix or making it really easy for the user. ]


Researchers Publish Paper on Breaking WPA TKIP (November 6 & 10, 2008)
Two German university researchers have discovered a combination of techniques that could allow an attacker to compromise Wi-Fi Protected Access (WPA) encryption in less than 15 minutes. The attack does not result in the encryption key being discovered. Rather, the technique allows attackers "to decrypt packets and inject packets with custom content." Martin Beck and Eric Tews present their findings at the PacSec 2008 conference in Tokyo this week. The attack targets the WPA's Temporal Key Integrity Protocol (TKIP).
-http://www.securityfocus.com/news/11537
-http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922

-http://dl.aircrack-ng.org/breakingwepandwpa.pdf
[Editor's Note (Ullrich): Although the attack is rather limited, it highlights the fact that WPA and TKIP were meant to serve as a transitional fix for older hardware. WPA2 is the "real fix".
And from Raul Siles at Internet Storm Center: This new research opens the door to new WPA/TKIP attacks and future attack enhancements, so it is time to start applying and planning the appropriate security countermeasures to remove or mitigate this and similar future threats: Update to WPA2/AES as soon as you can! Because the vulnerability is in TKIP, both WPA and WPA2 can be affected. The attack affects WPA2 if configured with TKIP because WPA2 allows both AES and TKIP (while WPA only allows TKIP).
-http://isc.sans.org/diary.html?storyid=5315]
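Added here to illustrate the countermeasure the note recommends (this is not code from the newsletter or its editors): a small POSIX shell audit that flags hostapd-style access point configurations still offering TKIP, shown against a WPA2/CCMP-only configuration. The hostapd key names (wpa, wpa_pairwise, rsn_pairwise) and the default of rsn_pairwise falling back to wpa_pairwise are assumptions about hostapd, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the newsletter): audit hostapd-style configs for
# TKIP and show the WPA2/CCMP-only replacement settings.
# Assumptions: wpa= is a bitmask (bit 1 = WPA v1, bit 2 = WPA2/RSN),
# wpa_pairwise= lists WPA v1 ciphers, rsn_pairwise= lists WPA2 ciphers and
# defaults to wpa_pairwise when unset. Sample configs below are constructed.

# True (exit 0) if the cipher list in $1 contains TKIP.
has_tkip() {
    case " $1 " in *" TKIP "*) return 0 ;; esac
    return 1
}

# True (exit 0) if any enabled WPA version in config file $1 offers TKIP.
allows_tkip() {
    clean=$(grep -v '^[[:space:]]*#' "$1")
    wpa=$(printf '%s\n' "$clean" | sed -n 's/^wpa=//p' | tail -n 1)
    wpa_pw=$(printf '%s\n' "$clean" | sed -n 's/^wpa_pairwise=//p' | tail -n 1)
    rsn_pw=$(printf '%s\n' "$clean" | sed -n 's/^rsn_pairwise=//p' | tail -n 1)
    [ -z "$rsn_pw" ] && rsn_pw="$wpa_pw"   # assumed hostapd default for WPA2
    : "${wpa:=0}"
    if [ $((wpa & 1)) -ne 0 ] && has_tkip "$wpa_pw"; then return 0; fi
    if [ $((wpa & 2)) -ne 0 ] && has_tkip "$rsn_pw"; then return 0; fi
    return 1
}

# Weak (constructed): mixed WPA/WPA2 with TKIP offered to WPA2 stations too,
# the configuration the note says remains exposed.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
interface=wlan0
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-CHANGE-ME
wpa_pairwise=TKIP CCMP
EOF

# Fixed (constructed): WPA2 only, CCMP (AES) only, no TKIP for any station.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-CHANGE-ME
rsn_pairwise=CCMP
EOF

for f in "$WEAK" "$FIXED"; do
    if allows_tkip "$f"; then echo "$f: TKIP still offered"; else echo "$f: CCMP only"; fi
done
```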




************************* SPONSORED LINK ******************************

1) "USB Security Software -> Download Now -> Award-Winning USB Auditing, Encryption, and Control" http://www.sans.org/info/35234
2) IDC Webcast: The Attacker Within: How Hackers are Targeting Enterprises from the Inside-Out http://www.sans.org/info/35239

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES


New Apple Exec Ordered to Stop Work for Possible Non-Compete Violation (November 8 & 10, 2008)
A judge in New York has issued a preliminary injunction ordering Apple's new executive in charge of the iPhone and the iPod to "immediately cease his employment with Apple Inc. until further order" because of a potential violation of agreement with his former employer, IBM. Mark Papermaster left IBM for Apple in October; the lawsuit alleges his move violates a non-compete clause in his contract that stipulates that he would not work for a competitor within a year of leaving his position at IBM. The crux of the issue is whether Apple and IBM are business competitors.
-http://www.latimes.com/business/la-fi-briefs8-2008nov08,0,6090160.story
-http://www.crn.com/hardware/212001584


ARRESTS, CHARGES, CONVICTIONS & SENTENCES


Former Sysadmin Arrested for Alleged Extortion (November 10, 2008)
A systems administrator who had recently been laid off from Third Avenue Management, a New York-based mutual fund company, has been arrested for allegedly threatening to damage his former employer's servers if they did not meet his demands. Viktor Savtyrev was one of 10 employees who lost their jobs on November 5. All were given a severance package, but several days later, Savtyrev allegedly sent email messages to several people still with the company, including the company's general counsel, saying he was "not satisfied with the terms" of his severance package and threatening to damage the computer systems unless they gave him more money and provided him with extended medical coverage and "excellent" job references. In subsequent communications, Savtyrev allegedly said he would get help attacking the servers from friends in Belarus and that he had already placed several back doors on the company's computer systems. Savtyrev was arrested at his home in Old Bridge, NJ.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119792&source=rss_topic17

-http://www.nj.com/news/index.ssf/2008/11/old_bridge_computer_tech_charg.html
[Editor's Note (Skoudis): This case is a great illustration for management about the importance of thorough processes for removing employees' access from computer systems after job termination. Further, for recently dismissed sysadmin employees, enterprises should conduct some check of the systems they operated to make sure they left behind nothing nefarious.
(Ullrich): I guess his request for excellent job references will no longer be much good. ]


Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud (November 7, 2008)
Kimberly Ann Mavis was sentenced to four years in federal prison without the possibility of parole for her role in an identity fraud scheme. Mavis and a co-conspirator, Jerry Bagby, gained unauthorized access to the customer database of Premier Bank in Overland Park, Kansas and used the purloined information to open credit card accounts in other people's names. Mavis and Bagby used those cards to purchase expensive items, which they later resold for cash. In August, Mavis pleaded guilty to computer fraud, conspiracy, aggravated identity theft and credit card fraud. Bagby pleaded guilty to aggravated identity theft and credit card fraud; he is awaiting sentencing.
-http://www.infozine.com/news/stories/op/storiesView/sid/31730/


Former Inmate Arrested for Accessing Prison Network (November 6, 7 & 8, 2008)
Former Plymouth (Massachusetts) County Correctional Facility inmate Francis G. Janosko has been arrested and charged with damage to a prison's computer network and identity theft. While incarcerated at the facility, Janosko allegedly discovered a way to exploit vulnerabilities in a computer system configured for inmates to conduct legal research so that he could access information about prison employees and make that information available to other inmates. The exposed data include names, home addresses and Social Security numbers (SSNs). If he is convicted, Janosko could face up to 10 years in prison, three years of supervised release and a US $250,000 fine.
-http://boston.fbi.gov/dojpressrel/pressrel08/computerhacking110608.htm
-http://www.theregister.co.uk/2008/11/08/prison_network_hacked/
-http://www.boston.com/news/local/articles/2008/11/07/ex_mass_inmate_charged_in_prison_computer_hacking/



VULNERABILITIES


Google Fixes Android Flaw (November 7 & 10, 2008)
Google has fixed a critical vulnerability in its Android operating system. The flaw can cause keystrokes to pass directly to the root shell and be executed with root user privileges. For instance, texting the word "reboot" would actually cause the device to reboot. The flaw affects G1 handset users running Android firmware updates RC 29 and earlier. Google is rolling out the fix to all G1 devices.
-http://blogs.zdnet.com/Burnette/?p=680
-http://blog.wired.com/gadgets/2008/11/google-fixes-an.html
-http://www.theregister.co.uk/2008/11/10/android_bug/
-http://www.heise-online.co.uk/security/Root-rights-on-Google-s-Android--/news/111901

[Editor's Note (Skoudis): Wow! What an embarrassing flaw. Just last week, someone asked me whether command-injection flaws were realistic in today's software, or whether they were a thing of the past. This Android vulnerability is a great example indicating that this type of flaw will persist for quite some time.
(Pescatore): Google doesn't make it very easy to figure out how to report security flaws. The standard security real estate most enterprise-oriented software companies use (www.company.com/security) gets you error 404 at Google, as does code.google.com/security. But if you dig around enough, you can find
-http://code.google.com/android/kb/security.html
that gives the email address security@google.com to report bugs. ]


DATA LOSS & EXPOSURE


Australian Federal Police Files Left on Hotel Computer in Nepal (November 7 & 9, 2008)
An Australian Federal Police (AFP) officer based in south Asia has been ordered to return to Australia following the revelation that documents and images from an AFP USB data storage device were left on a hotel computer in Kathmandu, Nepal. Other guests at the hotel were reportedly able to view the files, which include a document containing priorities and strategies for the AFP's Bangladesh office and graphic pictures of a plane crash. The officer involved in the incident will assist in the investigation.
-http://www.theage.com.au/news/security/officer-recalled-over-security-lapse/2008/11/08/1226165363264.html

-http://www.boston.com/news/world/asia/articles/2008/11/08/australia_investigates_nepal_security_breach/

[Editor's Note (Ullrich): Some people are less careful with public hotel computers than public bathrooms. The opposite should be true. ]


ATTACKS


Critical Adobe Flaw is Being Actively Exploited (November 7, 2008)
Just days after Adobe released a critical security update for Reader and Acrobat, cyber attackers have begun exploiting the flaw to execute malicious code on vulnerable computers. The maliciously crafted PDF files are being spread through drive-by advertisements on suspicious sites. The malware downloads a Trojan horse program from another website. The vulnerability affects versions 8.1.2 and earlier of Adobe Reader; the newly released version 9 is unaffected by the flaw. Users who have not installed the update are urged to do so as soon as possible.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5312
-http://isc.sans.org/diary.html?storyid=5321
-http://www.theregister.co.uk/2008/11/07/adobe_reader_exploit/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119538&source=rss_topic17



MISCELLANEOUS


Ireland Gets First Computer Emergency Response Team (November 10, 2008)
Ireland's first national Computer Security Incident Response Team was launched on Monday, November 10. The Irish Reporting and Information Security Service, known as IRISS, is a not-for-profit company that aims to assist businesses, organisations and individuals to better protect their computer and network systems from threats posed by Internet attacks, hackers and computer viruses. Founded by SANS NewsBites editor Brian Honan, the Irish Reporting & Information Security Service (IRISS) will provide a range of free services to Irish businesses and consumers in relation to information security issues to help counter the security threats posed to Irish businesses and the Irish Internet space. IRISS's services are built on the WARP (Warning Advice & Reporting Point, http://www.warp.gov.uk) model and are provided by a dedicated core of volunteers drawn from Ireland's top Internet security experts, with funding for the project coming from private industry, including the SANS Institute.
-http://www.businessworld.ie/cgi-bin/printer_friendly?a=2345192
-http://www.iriss.ie
-http://www.businessworld.ie/livenews.htm?a=2345192;s=rollingnews.htm
-http://iriss.ie/iriss/
[Editor's Note (Schultz): Starting an incident response team is one of the most challenging tasks an information security professional can undertake. I wish Brian all the success in the world. ]


Computer Misuse Arrests Doubled In Japan During 2007 (November 10, 2008)
Police in Japan reported making more than 1,400 arrests for hacking during 2007, up from 704 in 2006. The figure is 10 times the number in 2003. A large fraction of the arrests were related to obscene literature, child pornography and child prostitution.
-http://www.pcworld.com/businesscenter/article/153568/hacking_arrests_doubled_in_japan_in_2007.html



AT&T Experiments with Downloading Limits for Broadband Customers (November 6, 2008)
AT&T has started a test program in Reno, Nevada that places a limit on the amount of downloading and uploading its broadband users are permitted each month. The amount allowed varies depending upon the type of account users have. Users who exceed their allotted limits will receive warning letters for the first two months of overages; after that, they will be charged US $1 per extra gigabyte. AT&T says the pilot program is an attempt to come up with a solution to the problem of a very small percentage of users who consume an inordinate portion of bandwidth.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/11/06/BU7G13UV7I.DTL&tsp=1

[Editor's Note (Pescatore): Hmmm, if my math is right, if I pay for 6 Mbps connectivity, if I used it 24 hours per day for a month, I could download almost 2,000 GB. The ATT plan would give me the first 80 GB free and then I would pay $1,920/month for the rest? If I only get 80 GB in a month, then I think I'm only getting 240 Kbs connectivity or so. This type of logic is like offering cellphone service pricing where you get unlimited minutes of connectivity but only 5,000 words per month.]


*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/