(1) On Monday, 280,000 people will receive an email from Government Computer News and Federal Computer Week inviting them to the "National Summit on Planning and Implementing the Twenty Critical Controls." The 120 seats will be gone quickly (some already are). Here's a head start for NewsBites readers. Register at https://1105govinfoevents.com/EventOverview.aspx?Event=CSC09
- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference -- 20 full-length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses: https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118
Researchers Use Return-Oriented Programming to Manipulate eVoting Machine (August 12, 2009)
Researchers from the University of Michigan, the University of California, San Diego, and Princeton University have discovered that the Sequoia AVC Advantage electronic voting machine is vulnerable to an attack that can alter voting tallies. The attack circumvents established security measures aimed at preventing unauthorized code execution. The technique is known as return-oriented programming. The machines were designed to run code only if it is stored on read-only memory chips. The researchers figured out how to get around that restriction by "reassembl(ing) programming expressions already found in the targeted software in a way that gives (them) the ability to take complete control over the machine." The machines are widely used in New Jersey, and are also used in parts of Louisiana, Pennsylvania, Wisconsin, Colorado, and Virginia; the voting machine that the researchers used was acquired legally over the Internet.
-http://www.computerworld.com/s/article/9136611/Voting_machine_hack_costs_less_than_100_000?source=rss_security
-http://www.theregister.co.uk/2009/08/12/sequoia_evoting_machine_felled/
-http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf
[Editor's Note (Schultz): Voting machine technology has justly been demeaned. Voters should thus be extremely concerned. At the same time, however, it is important to realize that many of these vulnerabilities are exploitable only if a perpetrator has physical access to a voting machine. ]
Quantcast Casts Out Flash Cookies in Wake of Report (August 12, 2009)
In the wake of research published about Flash cookies, online tracking company Quantcast has stopped its practice of recreating customers' cookies with Flash after users deleted the regular cookies. The researchers showed that some websites were circumventing customers' wishes not to be tracked by creating the Flash cookies, which are not affected by browser privacy settings. Quantcast made the change to its practices on Tuesday afternoon after the research was published. According to the report, more than half of 100 sites scrutinized for the research used Flash cookies. Adobe has provided instructions for managing Flash cookies on its website.
-http://www.wired.com/epicenter/2009/08/flash-cookie-researchers-spark-quantcast-change/
-http://kb2.adobe.com/cps/546/4c68e546.html
[Editor's Note (Ranum): The active content ("run whatever some guy over there tells you!") model has always been a threat; there is simply no way around it. I'm only surprised that it has taken so long for Flash to have a spotlight shined on it. If you want to see something really scary, read about the Flash "fscommand" operator - basically it's the equivalent of system(3) in UNIX circa 1985. Running Flash in your browser is the equivalent of giving a command prompt to everyone who owns every website you visit.
(Pescatore): Palm was just outed for the Palm Pre secretly sending location information back to Palm. Hiding behind opt-out language buried in eensy beensy type in voluminous end user licensing agreements is a great way to anger your customers. ]
THE REST OF THE WEEK'S NEWS
Australian Man Charged in Data Theft Trojan and Botnet Case (August 13, 2009)
Judge Grants Preliminary Injunction Barring Sale of RealDVD (August 12, 2009)
A US District Court judge has granted a preliminary injunction that prohibits RealNetworks from selling its RealDVD software. The program allows people to copy movies to their computer hard drives. The ruling extends a temporary injunction that was granted when a group of Hollywood movie studios filed a lawsuit against RealNetworks last fall. Judge Marilyn Patel wrote that while RealDVD offers consumers a way to back up their DVDs, it still violates federal law. The program does not allow consumers to burn new DVDs of the copies they make.
-http://www.computerworld.com/s/article/9136580/Judge_rules_against_RealDVD_movie_copying_software
Apple Issues OS X Updates to Fix BIND Vulnerability (August 13, 2009)
Apple has released a security update for Mac OS X 10.5.8 Leopard and 10.4.11 Tiger to address a denial-of-service (DoS) vulnerability in BIND. The flaw could be exploited to crash a vulnerable BIND DNS server with a maliciously crafted dynamic update message. Apple became aware of the vulnerability just two weeks ago. Exploits for the vulnerability have already been found in the wild.
-http://www.h-online.com/security/Apple-patches-BIND-DoS-vulnerability--/news/113990
-http://www.theregister.co.uk/2009/08/12/apple_patches_bind_vuln/
[Editor's Note (Ullrich): This is a new and good pattern for Apple. Typically, Apple publishes large patch sets at irregular times. As a result, open source software, like BIND which is included with OS X, falls behind and is not patched as fast as it should be. In this particular case, Apple issued a patch just for this vulnerability within a few days of its usual large patch set instead of keeping OS X users waiting and vulnerable. ]
Microsoft Fixes 19 Vulnerabilities in Nine Security Bulletins (August 11 & 12, 2009)
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/