SANS NewsBites

Volume IX - Issue #80

October 09, 2007

Although the story didn't make "top of the news," every security person (and computer user) would do well to actively take into account John Pescatore's Editor's Note on the "Sun Patches JRE Flaws" article. Not just for Sun, for all non-Windows software.

And a Clarification:
In Friday's edition of NewsBites, we ran a story about an attack on the CISRT website that caused problems for some site visitors. Despite its name, CISRT is an unofficial, small, voluntary group and is not related to the Chinese government's CNCERT/CC.



Apple Hit with Lawsuit for Update That Disables Hacked iPhones
Retailers Want Credit Card Companies to Retain Data
Managed Services Firm Sees Increasing Attacks Against Utilities


Berlin Court Says Federal Ministry of Justice May Not Retain Data
Network Outage Affected California VA Medical Facilities
Adobe Publishes Workaround for PDF Flaw
Sun Patches JRE Flaws
Attacker Suspended eBay Accounts
Stolen Laptop Contains Sensitive Financial Data
College Defends Decision Not to Inform People Affected by Data Exposure
Infosec and Governance Spending Up at Financial Firms
Windows XP Users Can Download IE 7 Without WGA Validation

******************** Sponsored By netForensics, Inc. ********************

*NEW* Whitepaper. Technology now exists to keep track of internal user activity amidst massive amounts of data - without compromising performance. Learn how to prevent data breaches, identify user threats and see who is accessing critical data. This whitepaper reveals 10 proven strategies for rapidly responding to and stopping threats, no matter where they originate.


Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18):
- - New Orleans (1/12-1/17):
- - London (11/26 - 12/1):
- - Chicago (11/2-11/7):
- - Tokyo (11/5-11/10):



Apple Hit with Lawsuit for Update That Disables Hacked iPhones (October 8, 2007)

A California attorney has filed a class action lawsuit against Apple for its recent iPhone update that rendered modified devices useless. The update included a critical security patch in addition to code that disabled iPhones that had been altered to allow third-party applications to run or to allow service through carriers other than the designated cellular carrier. The lawsuit seeks triple damages and a permanent injunction against Apple that would prohibit it from selling iPhones with software locks, denying warranty service to users of unlocked iPhones and requiring that iPhone owners obtain service only from AT&T.

Retailers Want Credit Card Companies to Retain Data (October 4, 2007)

The National Retail Federation (NRF) has sent a letter to the Payment Card Industry (PCI) Security Standards Council asking that retailers no longer be required to store payment card data. Credit card companies can require retailers to store payment card data for as long as 18 months so it can be accessed to resolve disputed charges. In the letter, NRF CIO David Hogan says that credit card companies are making retailers "jump through hoops" to protect the data they store, and that "retailers want to eliminate the incentive for hackers to break into their systems" by not storing the sensitive data. Instead, NRF would like the card companies to assume that responsibility.

[Editor's Note (Pescatore): This will require changes in the payment processing systems and protocols, but reducing how long and in how many places card data is stored is a needed change.]

Managed Services Firm Sees Increasing Attacks Against Utilities (October 5, 2007)

Managed security services company SecureWorks says it has seen a 90 percent increase in cyber attacks against its US utilities clients in the last nine months. SecureWorks counts 100 US utilities among its 1,800 clients, and noted that between January and April of this year, it blocked an average of 49 attacks against each utility each day. That figure increased to an average of 93 attacks per day for the period between May and September. "Web browser threats represented a large number of the attacks," according to SecureWorks director of development Wayne Haber.

[Editor's Note (Skoudis): There's a reference to browser-based exploits again, quite common these days. Also, this trend toward an up-tick in utility company attacks is a very big concern, given the video from two weeks ago showing the physical damage a cyber attack can cause.
(Northcutt) I usually go ho hum when an MSP makes an announcement like this, because most of their analysts are off-the-street types with a bit of on the job training, but SecureWorks hires only trained analysts with GIAC certifications, so this does not bode well for the utility companies. ]

************************* Sponsored Links: ***************************

1) Security professionals focus on fighting the most common data threats - - Encryption Summit, December 3-4.

2) More than 2 million URLs world-wide distributed malicious downloads to site visitors. New report provides the latest stats.

3) How are you utilizing sFlow to improve network security and performance?
Register for a FREE webinar "sFlow for Network Security and Traffic Analysis"




Berlin Court Says Federal Ministry of Justice May Not Retain Data (October 2, 2007)

A recently released legal ruling from a local court in Berlin, Germany, prohibits a government site from retaining personal data. Specifically, the Federal Ministry of Justice may not keep personal data gathered through its website "beyond the periods associated with the specific instances of the use of the site." The judges said that it is not difficult to merge gathered data and identify users.

[Editor's Note (Ullrich): This may all sound very strange to US users. But European privacy and consumer protection laws usually favor the consumer. Companies operating in Europe need to be aware of these regulations or they will easily run into legal problems. ]


Network Outage Affected California VA Medical Facilities (October 5, 2007)

An outage of the Veterans Affairs Department's (VA) electronic health records system in late August affected 17 facilities in northern California. Medical practitioners were unable to log on to the Veterans Health Information System and Technology Architecture (VistA) and the Computerized Patient Record System for nine hours. The problem occurred at a VA data processing center in Sacramento. That center was supposed to roll the system over to the Denver regional processing center, but that did not happen. Backup systems did not operate as planned, either. Read-only backup patient data were unavailable due to a scheduled, periodic hospital test account update.

[Editor's Note (Pescatore): Security incidents actually represent a small percentage of application downtime. This type of operational snafu or other forms of human error or environmental problem are the biggest factors. Which means it is important to think about making sure your security controls can avoid such outages - make sure continuity/high availability planning applies to all security systems.]


Adobe Publishes Workaround for PDF Flaw (October 5 & 8, 2007)

Adobe has acknowledged a flaw in its products that could allow an attacker to use maliciously crafted PDF files to take control of vulnerable computers. The problem affects Adobe Reader version 8.2 and earlier; Adobe Acrobat Standard, Professional and Elements 8.1 and earlier; and Adobe Acrobat 3D on systems running Microsoft Windows XP and Internet Explorer 7 (IE 7). Adobe is reportedly developing a fix for the problem in Adobe Reader and Acrobat versions 8.1 and earlier and plans to make it available by the end of October.

[Editor's Note (Skoudis): With this significant flaw, as well as the JRE flaws described elsewhere in this NewsBites, it is very clear that we need to be serious about patching third-party applications on our Windows machines. Whenever we perform a penetration test, we almost always get in via unpatched third-party software. Please, make sure you have a solid process and technical support for testing and deploying patches to non-Microsoft software on Windows machines such as PDF readers, Java Runtime Environments, iTunes, Quicktime, Flash Player, Real Player, Firefox, and others. Leverage tools such as Microsoft's SMS or third-party patch management systems. ]

Sun Patches JRE Flaws (October 3 & 5, 2007)

Sun Microsystems has released patches for 11 critical vulnerabilities in its Java Runtime Environment (JRE). The flaws affect JRE versions 1.3.1, 1.4.2, 5.0 and 6.0 on Windows, Linux and Solaris systems. The flaws could be exploited to circumvent security measures, read and manipulate data, and compromise computers.

[Editor's Note (Pescatore): The Adobe and Sun items point out that patching is not just something that has to be done after Microsoft's Vulnerability Tuesday each month. There have been many reports of active exploits against flaws in Solaris in recent months.
(Ullrich): We all know how much fun it is to patch Java. If you don't need it, remove it. If you do need it, make sure you have a good inventory of installed versions and a fool-proof method of keeping them patched. ]


Attacker Suspended eBay Accounts (October 9, 2007)

eBay has acknowledged that a cyber intruder managed to breach a server and temporarily suspend accounts belonging to a small number of members late last week. The accounts have been restored and the people affected by the incident are receiving phone calls. The intruder did not have access to financial data. A spokesperson said, "the fraudster did this by accessing externally visible servers, not by hacking into the eBay site."

[Editor's Note (Ullrich): Nice PR language here. Translation: Account information was stored on insufficiently secured servers. Lucky for us, the intruder only managed to launch a DoS attack and the intruder didn't quite manage to get into any additional systems. On the other hand, DoS attacks against eBay users are somewhat common to prevent them from bidding in the critical moment before an auction is about to close. Typically, the attacker will just log in a few times using the user's account name, but wrong passwords, causing the account to be locked. ]

Stolen Laptop Contains Sensitive Financial Data (October 5 & 8, 2007)

A laptop computer stolen from an HMRC (HM Revenue and Customs) employee's car on September 20 contains personal and financial data of at least 400 people. The employee had information from financial institutions about account holders for the purpose of conducting a routine audit. The police have been notified, and the HMRC will investigate the incident, which does not involve a third party contractor. The data on the computer are reportedly protected by "complex password and top level encryption." HMRC is urging the financial institutions to inform their clients about the breach.

[Editor's Note (Pescatore): If top level encryption was really in use, no need to actually make public disclosures of lost laptops anymore.]

College Defends Decision Not to Inform People Affected by Data Exposure (October 4, 2007)

MacEwan College in Edmonton, Alberta, Canada has acknowledged that it did not notify students and employees following a data security breach that left sensitive, personally identifiable information exposed on the Internet. The decision not to inform the students was based on a risk assessment from the college's Freedom of Information and Protection of Privacy Office, which determined that most people did not realize the nature of the information they could access. The data include scanned images of employee and student credit card numbers, checks, signatures and addresses. The same data were inadvertently made available externally between 2002 and 2003; when that breach was discovered, the data were limited to the internal network, but students could still look at the data. Another external exposure of the data was discovered last year and blamed on recently installed software.

[Editor's Note (Schultz): MacEwan College's Freedom of Information and Protection of Privacy Office's reasoning appears to be specious. It may be true that most people who viewed the sensitive, personal information would not realize what it was, but this does not mean that there is little or no likelihood that one or more unscrupulous individuals realized what this information was and then copied it. ]


Infosec and Governance Spending Up at Financial Firms (October 8, 2007)

Nearly all of the 169 financial institutions responding to the Deloitte & Touche annual security practices survey say their information security spending is higher this year than it was last year. The companies also said they are placing a stronger focus on IT governance. The greatest increases in spending occurred in audit and certification costs, logical access control products, infrastructure protection devices, and compliance and risk management. Eighty-one percent of the responding companies say they have implemented formal information security governance frameworks. Most of the remaining 19 percent say they are in the process of creating such frameworks. Deloitte & Touche says the increase in the adoption of IT governance frameworks appeared to be fueled by government regulation. The survey also asked about the use of wireless technologies; 45 percent of the firms prohibit using wireless LANs, 75 percent prohibit infrared networking and 13 percent prohibit the use of mobile devices. The respondents include banks, investment firms and insurance companies from 32 countries.

[Editor's Note (Schultz): The trend towards creating an information security governance framework is indeed becoming quite pronounced. Clearly, technology is critical in achieving desired levels of security. At the same time, however, governance considerations, not technology, need to drive information security practices. ]


Windows XP Users Can Download IE 7 Without WGA Validation (October 5 & 8, 2007)

Windows XP users who want to download IE 7 will no longer be required to validate the download through Windows Genuine Advantage (WGA). The requirement was removed because the company believes "the security enhancements to IE 7 are significant enough that it should be available as broadly as possible." Some have voiced the opinion that Microsoft is concerned with a slipping market share and the removal of the WGA authentication requirement is an attempt to boost the browser's use. Before the change, users who wanted to download IE 7 had to subject their computer systems to a validation through WGA to make sure they were running properly licensed software.

[Editor's Note (Northcutt): I can't believe they required WGA to activate IE 7 in the first place. They have stated for years they wanted to have you rent your applications online; the benefit of being the dominant browser in that business model is off the charts:
(Ullrich): Software companies always had an ambiguous attitude toward pirated software. In some cases, pirated software helps establish standards that will actually increase sales. If Microsoft would consider piracy a grave business risk, WGA would disable pirated versions of Windows. ]


Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: Core Security

This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.

Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
Sponsored By: Securent

In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.

SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
Sponsored By: Watchfire

With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.

Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics

Join this webcast to learn:

- - What to consider when evaluating log management solutions
- - How to use log management to address compliance audits
- - How to get better security intelligence from existing data
- - Tips for streamlining log management operations

Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: ArcSight

Join this Webcast to learn:
- - How to evaluate and select the right log management solution for your environment
- - What big log management mistakes can be avoided, and how to avoid them
- - Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate level IT security college.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit