SANS NewsBites - Volume: XI, Issue: 64


(1) On Monday, 280,000 people will receive an email from Government Computer News and Federal Computer Week inviting them to the "National Summit on Planning and Implementing the Twenty Critical Controls." The 120 seats will be gone quickly (some already are). Here's a head start for NewsBites readers. Register at https://1105govinfoevents.com/EventOverview.aspx?Event=CSC09

(2) For those of you who cannot get to Washington, or who don't get one of the seats, there is a 60 minutes webcast on the same topic posted at https://www.sans.org/webcasts/show.php?webcastid=92748

(3) A course using vLive (online, but the instructors are live) is available at http://www.sans.org/vlive/courses.php (it is the 5th one down the page.)


Alan

*************************************************************************
SANS NewsBites                     August 14, 2009                    Volume: XI, Issue: 64
*************************************************************************
TOP OF THE NEWS

  Researchers Use Return-Oriented Programming to Manipulate eVoting Machine
  Quantcast Casts Out Flash Cookies in Wake of Report

THE REST OF THE WEEK'S NEWS

  ARRESTS, INDICTMENTS & SENTENCES
   Australian Man Charged in Data Theft Trojan and Botnet Case
   Prison Sentence for Personal Data Theft Through LimeWire
   UK Convicts Two for Refusing to Surrender Encryption Keys
  LEGAL ISSUES
   Judge Grants Preliminary Injunction Barring Sale of RealDVD
  UPDATES AND PATCHES
   Apple Issues OS X Updates to Fix BIND Vulnerability
   Microsoft Fixes 19 Vulnerabilities in Nine Security Bulletins
   Apple Releases Safari Update
   WordPress Password Reset Flaw Fixed
  MISCELLANEOUS
   China Will Not Enforce Green Dam Mandate


*********************** Sponsored By Q1 Labs ****************************

** A COMPREHENSIVE GUIDE TO NETWORK FRAUD PROTECTION **

Includes LIVE DEMO and COMPLIMENTARY copy of Gartner 2009 SIEM Critical Capabilities Report

Next-generation security information and event management (SIEM) solution integrates Gartner-recommended fraud detection technologies and helps organizations like yours:

* Improve Threat Management
* Thwart Insider Abuse
* Prevent Data Leakage
* Protect Corporate Security & Intellectual Property.

August 18, 2009

REGISTER
10:00 AM EDT Session
https://www.sans.org/info/47219 OR
2:00 PM EDT Session
https://www.sans.org/info/47224

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference -- 20 full length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118

Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Researchers Use Return-Oriented Programming to Manipulate eVoting Machine (August 12, 2009)
Researchers from the University of Michigan, the University of California, San Diego, and Princeton University have shown that the Sequoia AVC Advantage electronic voting machine is vulnerable to an attack that can alter vote tallies. The attack circumvents a security measure intended to prevent unauthorized code execution: the machine will execute code only from read-only memory chips, so an attacker cannot load new code onto it. The technique, known as return-oriented programming, gets around that restriction by "reassembl(ing) programming expressions already found in the targeted software in a way that gives (them) the ability to take complete control over the machine"; no new code is introduced, existing fragments are simply executed in an attacker-chosen order. The machines are widely used in New Jersey, and are also used in parts of Louisiana, Pennsylvania, Wisconsin, Colorado, and Virginia; the machines the researchers used were acquired legally over the Internet.
-http://www.computerworld.com/s/article/9136611/Voting_machine_hack_costs_less_than_100_000?source=rss_security
-http://www.theregister.co.uk/2009/08/12/sequoia_evoting_machine_felled/
-http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf
[Editor's Note (Schultz): Voting machine technology has justly been demeaned. Voters should thus be extremely concerned. At the same time, however, it is important to realize that many of these vulnerabilities are exploitable only if a perpetrator has physical access to a voting machine. ]
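The ROM-only defense described above protects the integrity of the code, not the integrity of control flow, and the following toy machine shows why. It is an added illustration, not code from the paper and not the AVC Advantage firmware or its Z80 gadget chain: a fixed "ROM" of four gadgets, a dispatcher that plays the role of the CPU's return instruction, and an attacker payload that consists of nothing but addresses and arguments. The vote counts, gadget names and the chain itself are constructed.

```python
"""Toy return-oriented-programming machine (constructed illustration)."""
import hashlib


class Machine:
    """Simulated voting-machine state: one working register and a tally per candidate."""

    def __init__(self, tally):
        self.reg = 0
        self.tally = list(tally)


# "ROM": the only code the machine can execute. Each gadget does a little work
# and then returns, i.e. falls back into the dispatcher below.
def load(m, i):
    m.reg = m.tally[i]


def store(m, i):
    m.tally[i] = m.reg


def inc(m):
    m.reg += 1


def dec(m):
    m.reg -= 1


ROM = (load, store, inc, dec)   # fixed "addresses" 0..3; the attacker cannot add entries


def rom_fingerprint():
    """What a 'code must come from ROM' check can verify: the code bytes themselves."""
    return hashlib.sha256(b"".join(g.__code__.co_code for g in ROM)).hexdigest()


def run_chain(m, stack):
    """Pop (address, args...) frames from attacker-controlled stack memory and
    'return' into each one. Nothing executed here is new code; only the order
    in which existing ROM fragments run is chosen by the attacker."""
    for addr, *args in stack:
        if not 0 <= addr < len(ROM):
            raise RuntimeError("return into non-ROM address")   # a real CPU would fault here
        ROM[addr](m, *args)


# Attacker payload: pure data. Moves one vote from candidate 0 to candidate 1.
PAYLOAD = [(0, 0), (3,), (1, 0),     # reg = tally[0]; reg -= 1; tally[0] = reg
           (0, 1), (2,), (1, 1)]     # reg = tally[1]; reg += 1; tally[1] = reg


def move_one_vote(tally):
    """Run the payload and confirm the ROM integrity check still passes afterwards."""
    before = rom_fingerprint()
    m = Machine(tally)
    run_chain(m, PAYLOAD)
    assert rom_fingerprint() == before   # code unchanged, result changed
    return m.tally


if __name__ == "__main__":
    print(move_one_vote([100, 50]))   # [99, 51]
```

The point for a defender is that a whitelist of executable code is only as strong as the control over where the stack and the other data that feed the return instruction come from; the paper's real chain is longer, but it is the same idea.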


Quantcast Casts Out Flash Cookies in Wake of Report (August 12, 2009)
In the wake of research published about Flash cookies, online tracking company Quantcast has stopped its practice of recreating customers' cookies with Flash after users deleted the regular cookies. The researchers showed that some websites were circumventing customers' wishes not to be tracked by creating the flash cookies, which are not affected by browser privacy settings. Quantcast made the change to its practices on Tuesday afternoon after the research was published. According to the report, more than half of 100 sites scrutinized for the research used Flash cookies. Adobe has provided instructions for managing Flash cookies on its website.
-http://www.wired.com/epicenter/2009/08/flash-cookie-researchers-spark-quantcast-change/
-http://kb2.adobe.com/cps/546/4c68e546.html
[Editor's Note (Ranum): The active content ("run whatever some guy over there tells you!") model has always been a threat; there is simply no way around it. I'm only surprised that it has taken so long for Flash to have a spotlight shined on it. If you want to see something really scary, read about the Flash "fscommand" operator - basically it's the equivalent of system(3) in UNIX circa 1985. Running Flash in your browser is the equivalent of giving a command prompt to everyone who owns every website you visit.

(Pescatore): Palm was just outed for the Palm Pre secretly sending location information back to Palm. Hiding behind opt-out language buried in eensy beensy type in voluminous end user licensing agreements is a great way to anger your customers. ]




THE REST OF THE WEEK'S NEWS

Australian Man Charged in Data Theft Trojan and Botnet Case (August 13, 2009)
An Australian man has been charged with infecting 3,000 computers with a financial account-stealing Trojan horse program and creating a botnet of 74,000 computers around the world. The charges carry prison sentences of as long as 10 years; the man will remain unnamed until his court appearance on September 4. Police have evidence that incriminates other people as well.
-http://www.msnbc.msn.com/id/32402494/ns/technology_and_science-security/
-http://www.theregister.co.uk/2009/08/13/oz_vxer_cuffed/


Prison Sentence for Personal Data Theft Through LimeWire (August 12 & 13, 2009)
A Seattle man has been sentenced to 39 months in prison for using the LimeWire filesharing network to steal personal information, including tax returns and bank statements. Frederick Eugene Wood searched LimeWire users' hard drives for specific terms, like "statement" and "account," then downloaded the documents and used the information to commit identity fraud. Investigators found personal data belonging to 120 people on Wood's computer. His wallet contained eight driver's licenses, each bearing a different identity.
-http://www.theregister.co.uk/2009/08/12/limewire_scammer_sentenced/
-http://www.computerworld.com/s/article/9136560/Seattle_man_used_Limewire_for_identity_theft
-http://www.securecomputing.net.au/News/152849,limewire-cited-as-identity-theft-attack-vector.aspx



UK Convicts Two for Refusing to Surrender Encryption Keys (August 11, 2009)
In the UK, two people have been convicted for refusing to surrender encryption keys. The details of the crimes have not been released. In October 2007, Part Three of the Regulation of Investigatory Powers Act 2000 took effect; section 49 gives law enforcement authorities in the UK the power to demand decryption keys or the decrypted material. According to the Annual Report of the Chief Surveillance Commissioner to the Prime Minister and Scottish Ministers, between April 1, 2008 and March 31, 2009 there were 26 applications for permission to serve a section 49 notice; 17 were granted, 15 notices were served, and two people were convicted of failing to comply.
-http://www.theregister.co.uk/2009/08/11/ripa_iii_figures/
-http://www.h-online.com/security/Initial-password-prosecutions-in-UK--/news/113991
-http://www.surveillancecommissioners.gov.uk/docs1/osc_annual_rpt_2008_09.pdf


Judge Grants Preliminary Injunction Barring Sale of RealDVD (August 12, 2009)
A US District Court judge has granted a preliminary injunction that prohibits RealNetworks from selling its RealDVD software. The program allows people to copy movies to their computer hard drives. The ruling extends a temporary injunction that was granted when a group of Hollywood movie studios filed a lawsuit against RealNetworks last fall. Judge Marilyn Patel wrote that while RealDVD offers consumers a way to back up their DVDs, it still violates federal law. The program does not allow consumers to burn new DVDs of the copies they make.
-http://www.computerworld.com/s/article/9136580/Judge_rules_against_RealDVD_movie_copying_software


Apple Issues OS X Updates to Fix BIND Vulnerability (August 13, 2009)
Apple has released a security update for Mac OS X 10.5.8 Leopard and 10.4.11 Tiger to address a denial-of-service (DoS) vulnerability in BIND. The flaw could be exploited to crash a vulnerable BIND DNS server with a maliciously crafted dynamic update message. Apple became aware of the vulnerability just two weeks ago. Exploits for the vulnerability have already been found in the wild.
-http://www.h-online.com/security/Apple-patches-BIND-DoS-vulnerability--/news/113990
-http://www.theregister.co.uk/2009/08/12/apple_patches_bind_vuln/
[Editor's Note (Ullrich): This is a new and good pattern for Apple. Typically, Apple publishes large patch sets at irregular times. As a result, open source software, like Bind, which is included with OS X, falls behind and is not patched as fast as it should be. In this particular case, Apple issued a patch just for this vulnerability within a few days of its usual large patch set instead of keeping OS X users waiting and vulnerable. ]
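The item above says only that the trigger is a crafted dynamic update message, so the added example below does not reproduce it; it is not Apple's, ISC's or the page's code. What it does show is the check a defender needs while a master server is still unpatched: parse the DNS header from raw bytes, flag messages carrying the UPDATE opcode (RFC 2136, opcode 5), and report which zone the update targets, so that update traffic reaching a server that should never see any can be alerted on or dropped at a packet filter. The two sample messages are constructed, not captured traffic.

```python
"""Identify DNS dynamic UPDATE messages from raw packet bytes (constructed example)."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_dns_header(pkt):
    """RFC 1035 12-byte header. The four counts are QD/AN/NS/AR for a query and
    ZO/PR/UP/AD for an UPDATE; the wire layout is identical."""
    if len(pkt) < 12:
        raise ValueError("short DNS message")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident,
        "qr": flags >> 15,                       # 0 = request, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, "RESERVED"),
        "counts": (c1, c2, c3, c4),
    }


def read_name(pkt, off):
    """Decode an uncompressed domain name starting at offset off."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer where a literal name is required")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def is_dynamic_update(pkt):
    """True for an UPDATE request (not a response to one)."""
    h = parse_dns_header(pkt)
    return h["qr"] == 0 and h["opcode"] == 5


def update_zone(pkt):
    """Zone an UPDATE targets: the single SOA-typed name in its zone section, else None."""
    h = parse_dns_header(pkt)
    if h["opcode"] != 5 or h["counts"][0] != 1:
        return None
    name, off = read_name(pkt, 12)
    ztype, _zclass = struct.unpack("!HH", pkt[off:off + 4])
    return name if ztype == 6 else None      # zone section must be SOA


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed sample messages (not captured traffic).
UPDATE_MSG = (
    struct.pack("!6H", 0x1234, 5 << 11, 1, 0, 1, 0)                   # opcode UPDATE
    + encode_name("example.org") + struct.pack("!HH", 6, 1)           # zone: SOA IN
    + encode_name("host.example.org") + struct.pack("!HHIH", 1, 1, 3600, 4)
    + bytes([192, 0, 2, 10])                                          # update: add A record
)
QUERY_MSG = (
    struct.pack("!6H", 0x5678, 0x0100, 1, 0, 0, 0)                    # standard query, RD set
    + encode_name("www.example.org") + struct.pack("!HH", 1, 1)       # www.example.org A IN
)

if __name__ == "__main__":
    for label, msg in (("update", UPDATE_MSG), ("query", QUERY_MSG)):
        h = parse_dns_header(msg)
        print(label, h["opcode_name"], is_dynamic_update(msg), update_zone(msg))
```

Because the header test needs only the second 16-bit word of the DNS payload, the same condition is cheap to express in a packet filter or IDS rule in front of the server; the parser above is the version you would run over a capture to see which zones the updates were aimed at.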


Microsoft Fixes 19 Vulnerabilities in Nine Security Bulletins (August 11 & 12, 2009)
On Tuesday August 11, Microsoft issued nine security bulletins to address a total of 19 vulnerabilities in Windows, the .NET Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac. Five of the bulletins were rated critical. One of the bulletins addresses a vulnerability in Office Web Components that has been used in attacks since June. Another addresses five security flaws in Windows components that were built with a vulnerable version of the Active Template Library (ATL); third-party controls built with the same ATL versions must be rebuilt by their vendors, so applying the Microsoft bulletins alone does not close the ATL issue for those.
-http://voices.washingtonpost.com/securityfix/2009/08/microsoft_fixes_19_windows_sec.html
-http://www.h-online.com/security/19-security-vulnerabilities-fixed-in-Windows-components-and-applications--/news/113981

-http://www.theregister.co.uk/2009/08/12/august_patch_tuesday/
-http://www.computerworld.com/s/article/9136527/Microsoft_patches_19_bugs_in_sweeping_security_update
-http://news.cnet.com/8301-13860_3-10307466-56.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://www.securityfocus.com/brief/994
-http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx


Apple Releases Safari Update (August 12, 2009)
Apple has released an updated version of its Safari web browser. Safari 4.0.3 addresses half a dozen security flaws, including three that could be exploited to execute arbitrary code and one that could be exploited to access sensitive information. Apple has issued updates for Safari every month since May, prompting some to suggest that the company adopt a patch release schedule like those established by Microsoft, Oracle and Adobe.
-http://www.h-online.com/security/Apple-releases-security-update-for-Safari--/news/113979
-http://www.scmagazineus.com/For-fourth-month-in-an-row-Safari-updated/article/141562/
-http://support.apple.com/kb/HT3733


WordPress Password Reset Flaw Fixed (August 11 & 12, 2009)
WordPress blogging software has been updated to address a flaw that allowed attackers to reset administrator passwords. Prior to the fix, a maliciously crafted URL could be used to circumvent the check that verifies a password reset was actually requested by the account owner; the password was then reset and a new one sent to the account owner's email address. The immediate effect is that the legitimate administrator is locked out until they retrieve the new password from email; the situation would be more serious only if the attackers also had access to the administrators' email accounts. The flaw exists in version 2.8.3 of the software; users are urged to upgrade to version 2.8.4 as soon as possible.
-http://www.scmagazineus.com/WordPress-issues-new-version-closes-password-flaw/article/146339/
-http://www.theregister.co.uk/2009/08/12/wordpress_password_reset_bug/
-http://core.trac.wordpress.org/changeset/11798
[Editor's Note (Pescatore): Every other automated password reset approach needs to make sure they don't have similar vulnerabilities. ]
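Pescatore's point applies to any reset-by-emailed-key flow, and the added example below models the class of mistake and its fix. It is a constructed illustration, not WordPress's code, and the specific bypass it uses (a sanitising step that collapses a bogus key to the same value as "no reset pending") is an assumption chosen to make the weakness visible, not a reproduction of the WordPress bug or its URL. The user table, key format and expiry policy are likewise constructed.

```python
"""Password-reset verification: a weak check beside a hardened one (constructed example)."""
import hmac
import re
import secrets
from urllib.parse import parse_qs

NOW = 1_250_000_000            # fixed 'current time' so the example is deterministic
KEY_TTL = 3600                 # seconds a reset key stays valid (assumed policy)
KEY_RE = re.compile(r"\A[a-f0-9]{12}\Z")   # exact shape of an issued key (assumed)


def fresh_users():
    """Constructed user table. 'admin' has no reset pending, so its stored key
    is empty; 'alice' requested a reset a minute ago."""
    return {
        "admin": {"reset_key": "", "issued": 0, "password": "old-admin-pw"},
        "alice": {"reset_key": "c3f1a9b2e7d4", "issued": NOW - 60, "password": "old-alice-pw"},
    }


def naive_reset(query, users):
    """Weak check: confirms only that *some* key was sent, 'cleans' it, then
    matches the result against every stored key. A key such as '*' cleans to
    '' and so matches the account that has no reset pending at all."""
    key = parse_qs(query, keep_blank_values=True).get("key", [""])[0]
    if key == "":
        return None
    cleaned = re.sub(r"[^a-z0-9]", "", key)
    for login, u in users.items():
        if u["reset_key"] == cleaned:
            u["password"] = secrets.token_urlsafe(12)   # new password e-mailed to owner
            return login
    return None


def hardened_reset(query, users, now=NOW):
    """The key is bound to one named account, must have exactly the issued
    shape, must be unexpired and unused, and is compared in constant time.
    The password changes only after every check has passed."""
    params = parse_qs(query, keep_blank_values=True)
    logins, keys = params.get("login", []), params.get("key", [])
    if len(logins) != 1 or len(keys) != 1:          # missing or repeated parameters
        return None
    login, key = logins[0], keys[0]
    if not KEY_RE.match(key):                         # validate; never 'clean up' a credential
        return None
    u = users.get(login)
    if u is None or u["reset_key"] == "":             # nothing pending: nothing can match
        return None
    if now - u["issued"] > KEY_TTL:                   # expired key
        return None
    if not hmac.compare_digest(u["reset_key"], key):
        return None
    u["reset_key"] = ""                               # single use
    u["password"] = secrets.token_urlsafe(12)
    return login


if __name__ == "__main__":
    print("naive:", naive_reset("action=rp&key=%2A", fresh_users()))                    # admin
    print("hardened:", hardened_reset("action=rp&login=admin&key=%2A", fresh_users()))  # None
```

The checks worth copying are the ones the weak version lacks: a key is looked up for a named account rather than searched for across all accounts, an empty stored key can never match, the supplied value is validated against the issued format instead of being normalised, and the stored key is invalidated on use.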


China Will Not Enforce Green Dam Mandate (August 13 & 14, 2009)
China has backed off from a mandate issued in May requiring that Internet filtering software known as Green Dam-Youth Escort be installed on or accompany all PCs sold in or shipped to that country. Green Dam was designed to prevent children from accessing inappropriate content on the Internet, but the software was also found to block sites the Chinese government might view as politically inflammatory, such as Falun Gong. In addition, California software company Solid Oak plans to take legal action over the filtering software because it maintains Green Dam contains stolen code.
-http://www.computerworld.com/s/article/9136618/China_will_not_enforce_Green_Dam_porn_filter_plan?source=rss_security
-http://online.wsj.com/article/SB125013563611828325.html


**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/