SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #84
October 23, 2007
TOP OF THE NEWSLegislators Aim to Give Broad Immunity from Prosecution for Providing Data
Study Analyzes Secret Service Identity Theft Case Data
House Committee Seeks P2P Risk Information from FTC
THE REST OF THE WEEK'S NEWSLEGAL MATTERS
McKinnon May Take His Appeal to the House of Lords
Patriots Win Bid to Obtain Ticket Resellers' Names from Website
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Counterintelligence Exec Says Attacks on Networks Come From All Over the World
Audit Finds Network Access Weaknesses at CT State Agencies
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Issues Patch for PDF Flaw
Mozilla Patches Browser Flaws
Patch Available for RealPlayer Vulnerability
STATISTICS, STUDIES & SURVEYS
European Banks Not Clear on Best Security Practices
COMMENTARY (CONTROVERSY) ON VERIZON'S RESPONSE TO DISCLOSURE DEMANDS
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By ArcSight, Inc. *********************
Free Whitepaper: Calculating Return on Security Investment
With budgets shrinking and regulations growing, today's IT managers need to justify every security infrastructure purchase. Calculating Return on Security Investment (ROSI) means measuring the intangibles. Learn how to measure ROSI with our free whitepaper.
Brought to you by ArcSight, a leading provider of security and compliance management solutions.
Where can you find Hacker Exploits and SANS other top-rated courses?
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
TOP OF THE NEWS
Legislators Aim to Give Broad Immunity from Prosecution for Providing Data (October 22, 2007)After hearing from several telecommunications companies about their compliance with US intelligence agency requests for communication information, the Senate intelligence committee has proposed legislation that would provide telecoms with retroactive immunity from prosecution for divulging personal information. The bill goes further than similar legislation being considered in the House because it extends immunity to web sites, email providers, search engines, ISPs, and IM services. Electronic Privacy Information Center director Marc Rotenberg said his "suspicion is the scope of the immunity provision is the most revealing way to assess the scope of the underlying authority." Some opponents of the bill have expressed concern that granting the immunity could set a dangerous precedent.
[Editor's Note (Ullrich): Immunity is the wrong answer. Vigilance by network operators is our best defense against illegal wiretaps.
(Paller): Immunity is necessary, as are rules and oversight. The fight against cyber crime demands rapid access to data about the origin of network traffic; network operators are the only place to get that data. If the nation needs the network operators' help, we have to provide a safe haven for them. But beyond data access, the nation also needs the network operators to improve security of the networks they provide - from finding and removing infected systems to filtering attacks in progress. That may be enabled through innovation in federal procurement of network services. ]
Study Analyzes Secret Service Identity Theft Case Data (October 22, 2007)A Center for Identity Management and Information Protection study based on the closed cases of 500 individuals arrested by the US Secret Service for identity fraud debunks some widely held myths about the crime. First, just eight percent of those arrested were related to or knew the people from whom they stole identifying information. The reason earlier studies estimated that number to be much higher was that those studies were based on information gathered from victims who had been able to identify the fraudsters. Second, just 20 percent of the cases involved Internet scams and hacking. Dumpster diving and stealing mail accounted for an equal percentage of the cases. Thirty-seven percent of the cases were attributed to using devices such as credit card encoders and telephones. The study also compiled statistics about the characteristics of identity thieves. Two-thirds of those arrested were male, many worked in retail, and most conducted their schemes alone.
House Committee Seeks P2P Risk Information from FTC (October 19, 2007)Members of the House Oversight and Government Reform Committee have sent a letter to the Federal Trade Commission (FTC) asking for descriptions of the security threats peer-to-peer (P2P) file sharing programs present to consumers, and how those threats compare to other online security risks. The committee undertook an investigation and hearing into the matter earlier this year following a US Patent and Trademark office report suggesting that some P2P distributors "repeatedly deployed features" to trick users into sharing files on their computers. The findings indicated the risks from the technology were greater that first thought. The investigation found that common search terms used with popular P2P programs revealed sensitive documents, such as "personal bank records and tax forms, attorney-client memos, corporate strategy documents, corporate accounting documents, government emergency response plans, and even military operation orders."
[Editor's Note (Schmidt): I am very happy to see this action but the problem goes far beyond the FTC and "tricking users" into installing software. This is one of the most under reported security risks that I have seen in the past couple of years. I have seen documents ranging from "confidential" network architecture charts, including passwords to sensitive financial and medical information on some of the world's largest companies. Not only is this data on the file sharing sites but the criminals are searching and pulling down every file they can find. ]
************************* Sponsored Links: ***************************
1) ATTACK ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step"- White Paper
2) Link here to take the SANS Database Compliance Survey and register to win a $250 AMEX Gift card.
3) How are you utilizing sFlow to improve security and network performance? Register for a FREE webinar "sFlow for Network Security and Traffic Analysis"
THE REST OF THE WEEK'S NEWS
McKinnon May Take His Appeal to the House of Lords (October 22, 2007)A panel of judges has ruled that Gary McKinnon may appeal his extradition to the US in the House of Lords, the highest court in Britain. McKinnon allegedly broke into several US government and military computer systems. His lawyers believe he should be tried in the UK because the alleged crimes were committed on UK soil and because the case was pursued "for the purpose of prosecuting
on account of his nationality or political opinions." McKinnon allegedly exploited unpatched vulnerabilities in Windows to gain access to the networks.
Patriots Win Bid to Obtain Ticket Resellers' Names from Website (October 18, 2007)California-based StubHub, an online ticket reseller, has given the New England Patriots football team the names of 13,000 individuals who allegedly used its website to sell Patriots tickets. The Patriots had filed a lawsuit, alleging use of the site violated team policy and Massachusetts state law. The Patriots require that any reselling of tickets to their games be conducted through their own website established for that reason. The organization has not said what it plans to do with the list of names, though it is possible that it could revoke the season tickets of people who have used the site. StubHub appealed the initial decision, maintaining that the request for customer information violated its confidentiality agreement with its customers. The appeal was denied.
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Counterintelligence Exec Says Attacks on Networks Come From All Over the World (October 19 & 22, 2007)Speaking at a cyber security symposium last week, Joel Brenner, who serves as the National Counterintelligence Executive and Mission Manager for Counterintelligence in the Office of the Director of National Intelligence, says that US government computer systems experience intrusions from intelligence organizations around the world, not just from China, as recent news stories appear to indicate. Brenner acknowledges that because attackers can disguise the origins of the attacks, the best preventive measure is to bolster government network security.
[Editor's Note (Schultz): From my experience, I would say that Brenner is very much correct. Although there is little doubt that the Peoples Republic of China (PRC) is the source of many attacks against US government systems, IP address spoofing is so commonplace that claims that the PRC is the sole or even the most frequent source of these attacks are extremely dubious.
(Ullrich): Countries like China are frequently pointed out when it comes to cyber attacks. These announcements often coincide with meetings of high level diplomats. However, aside from political saber rattling, the truth is that nation-states hack each other more or less at will. ]
Audit Finds Network Access Weaknesses at CT State Agencies (October 20, 2007)A report from Connecticut's Auditors of Public Accounts says that at several agencies, including the state Department of Revenue Services, some former employees still had active agency computer network accounts. The audit comes in the wake of a theft of a laptop computer from an employee's car; the computer contained personally identifiable information of approximately 106,000 state taxpayers.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Issues Patch for PDF Flaw (October 22, 2007)Adobe has released updates for Adobe Reader and Adobe Acrobat to fix security flaws that could allow attackers to gain control of vulnerable systems. To exploit the flaw, attackers would need to manipulate users into opening maliciously crafted Adobe Reader or Adobe Acrobat files. The flaw affects only Windows XP systems with Internet Explorer 7 (IE7) installed.
[Editor's Note (Skoudis): It bothers me when a vendor says something like Adobe said here without further qualification: "A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities." But, that applies to nearly all client-side exploits, and it really isn't a mitigating factor at all. To some users, such language implies that the vulnerability is less serious, as the users think, "I'd never load a malicious file, so the patch isn't important for me." The truth is, it's trivially easy for an attacker to include a link to such a file on the attacker's own website or any of thousands of third-party information sharing sites (blogs, comments, chats... you name it), easily getting users to open a malicious file. If a vendor wants to say that the exploit requires a malicious file to be loaded, they should follow it up with a mention that, "Simply surfing the Internet with our software installed could allow an attacker to take over your machine." ]
Mozilla Patches Browser Flaws (October 19 & 22, 2007)Mozilla has released an update for Firefox to address 10 flaws in the open source browser. Three of the fixes address critical flaws that could be exploited to execute arbitrary code. Another fix updates a July patch for the Universal Resource Identifier (URI) hole that "did not prevent the incorrect file-handling programs from launching.
[The new ]
fix ... detects when Windows would mishandle these URIs so that the wrong program does not get launched."
[Editor's Note (Skoudis): There are a lot of critical issues addressed in this update. If you use Firefox at all in your organization, I urge you to test this new version and deploy it rapidly. I hope you have an enterprise patch deployment process for third-party applications, because planning on end users to download this update themselves isn't reliable at all. ]
Patch Available for RealPlayer Vulnerability (October 19 & 22, 2007)RealNetworks has issued a patch for a vulnerability in all versions of RealPlayer, including the beta of RealPlayer 11. The problem lies in an ActiveX object in the RealPlayer ierpplug.dll component. The flaw is being actively exploited to gain control of Windows-based computers in apparent targeted attacks against an unnamed organization. The malware that exploits the flaw is being served on a number of websites. The flaw does not affect Macintosh and Linux versions of RealPlayer.
[Editor's Note (Pescatore): Lots of client-side vulnerabilities this week and many of the threat reports are showing big increases in client-side attacks. While many enterprises have gotten to where they can push Windows patches to PCs each month within 5 working days, the patches don't always take - it is pretty common to see the patched percentage drop to 80% within a few weeks. Not to mention all the non-Windows patches, like the Adobe, Mozilla and Real Player ones out this week, that often require separate patching mechanisms. Network Access Control (usually without the quarantining aspect) has turned out to be a good way to check the patch status of every PC every time it connects, and to make sure the patched percentage doesn't continue to "droop."]
STATISTICS, STUDIES & SURVEYS
European Banks Not Clear on Best Security Practices (October 22, 2007)RSA's European Information Risk Management survey asked high-level managers at "top tier banks" in northern Europe about their information risk management practices. The survey found that most are misinformed about the effectiveness of various security measures. For instance, just 19 percent of managers responding to the survey were aware that perimeter security alone is not adequate to protect data. Less than half (43 percent) understood the importance of ensuring that their partners, consultants and contractors abide by strong data security practices. The majority of those surveyed said that risk management was a priority. "The aim of the research was to gain insight into how banks manage information risk in a climate where high profile security breaches occur on a weekly basis." The study was conducted by RSA Security and Datamonitor.
[Editor's Note (Schultz): These results show just how much information security managers need to target senior-level management in their security education and awareness efforts. At the same time, however, it is important to realize that the fact that senior-level management tends to be so heavily overloaded makes the likelihood of being able to significantly impact them concerning effective security practices remains dismally low. ]
COMMENTARY (CONTROVERSY) ON VERIZON'S RESPONSE TO DISCLOSURE DEMANDSIn Volume 9, Number 83, Northcutt made a comment about the Verizon response to the House Energy and Commerce Committee letter and invited readers to respond with their thoughts. One note was particularly well balanced and thought provoking and is reproduced below. Northcutt has responded to almost everyone that wrote in, there are still two or three to go and asked what they thought about the idea of a sunshine committee to review the emergency requests (these do not have subpoena review) and the overwhelming majority of readers that replied support the idea of a yearly or more often review of the emergency requests.
(Northcutt): For all the folks that pointed out 94,000 subpoenas and court orders do not equate to 94,000 citizens, you are correct, but keep in mind Verizon is only one carrier, so the number of citizens being monitored exceeds 94,000. Most readers point out that the more troubling problem could be with the emergency requests, they do not require subpoena, simply a signature by an approved requester. Also, two readers were concerned my comments might be an attack on the current Bush administration. Not so; whoever wins the next election is not likely to change this process. It is not the Office of the President, or political appointees that monitor citizens it is Law Enforcement and we are all very thankful that they do so. Nobody wants to see criminals run amuck or a successful terrorist attack on US soil. So the question comes down to the balance between safety and liberty. The letter below gave me the idea of a citizen's sunshine committee to review the emergency requests, I am going to suggest this to my congress critters; who knows, sometimes in an election year our politicians listen to the citizens *smile*]
Guest Commentary reposted with permission (Albert Gidari):
Stephen - this is in response to your comment in the SANS NewsBites Vol. 9 Num. 83 on the Verizon response to the House Energy and Commerce Committee letter. You are outraged over Verizon's response to 94,000 subpoenas and court orders. But your outrage is in response to an understated number. First, the response didn't include Verizon Wireless. The VAST majority of requests for surveillance are made to wireless companies - for example, over 80% of all wiretaps last year occurred on wireless networks, not on local exchange service or on the ISP.
Second, the number relates to the number of requests, not the number of records requested. For example, it is standard practice for a federal pen register order to require the communications provider to disclose the subscriber records for every called number recorded. So one order could and generally does compel the disclosure of dozens of records. That same order is then server on any carrier that provides service to a called number(s), resulting in many more disclosures. That one order lasts 60 days and may yield hundreds of calls, yet each order is treated as one request. Further, it is also common for one subpoena to request subscriber records on multiple numbers. So in fact, if you ask, you will find that the total number of records disclosed is in the hundreds of thousands for all of the major providers.
Third, there is no carrier quibbling with these orders and subpoenas - carriers are compelled to comply. They do not get paid for the privilege either. They have large staffs at the expense of millions of dollars to meet the demand of the thousands of agencies with power to request records who do not have to pay or even take the time to get a judge to approve of it. There is no oversight; there is no minimization. Once obtained, there is no governmental disposal policy (unlike at least the minimization being discussed in regard to FISA right now). Carriers have immunity for complying with such requests, and well they should.
Fourth, the reported disclosures include emergency requests where no subpoena or order was received. Understand, the law permits the disclosure when a service provider has a good faith belief that an emergency requires disclosure. That good faith basis can only be the representation of the law enforcement agent (LEA) that an emergency exists. No carrier personnel can be in the position (especially at their pay grade) of second guessing or analyzing whether the emergency really exists or the LEA is simply trying to avoid getting legal process. The one time they dispute the facts or ask for more evidence is the one time the media will blame them for the resulting harm - look at every case involving location information for cell phones in missing person cases - recall the really unfair criticism of Cingular in regard the Kim case in California. So carriers should not be in the position of guessing whether an emergency really exists; they should have full immunity (as they do under the law today) for complying with an emergency request; and the proper policy outcome is to adopt a form that the LEA must sign under penalty of perjury when submitting the request that an emergency exists.
Fifth, no one seemed outraged by the almost equivalent number of disclosures in civil litigation. In these cases, carriers are compelled to disclose customer calling records to third parties and most often, the customer is unaware of it. There is no notice given to the customer. Some blame the carrier for not voluntarily taking on the notice expense, but shouldn't it really be the obligation of the party seeking the records to ensure the customer has notice and an opportunity to object before production?
Sixth, the Verizon numbers are for criminal matters and most of those were state requests, not federal. These are the theft, murder, fraud cases that are the bread and butter of state prosecutors. Contrary to your outrage on this one Stephen, these folks are not being subjected to monitoring for intel purposes. Verizon provided numbers for criminal cases, not intel matters. We don't know how many records may have been requested or disclosed, if any, under the TSP. But these numbers are not related to that matter.
The balance in customer privacy rights versus legally compelled disclosure was struck by Congress and carriers can do no more than obey the law. In some cases, they can dispute what the law means or requires, and in my experience, they do so (only to be chastised by the judge for having the temerity to ask) when there is a true issue. But government has an obligation to police itself; to pass clear and unambiguous laws regarding when customer information must be disclosed; and, one way to ensure against abuse is to require payment for the records and to publish the total number requested. Sunshine brings heat and light to darkness and that is a good thing.
By the way, you and SANS always produce timely and informative material, even if the commentary sometimes misses the mark - it is passionate and always worth reading! Keep up the good work.
LIST OF UPCOMING FREE SANS WEBCASTSSANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
Sponsored By: Watchfire
With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.
Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics
Join this webcast to learn:
What to consider when evaluating log management solutions How to use log management to address compliance audits How to get better security intelligence from existing data Tips for streamlining log management operations
Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Ansh Patnaik
Sponsored By: ArcSight
Join this Webcast to learn:
How to evaluate and select the right log management solution for your environment
What big log management mistakes can be avoided, and how to avoid them
Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice
Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
Sponsored By: FoxT
In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.
Tool Talk Webcast: NEW - Web Application Pen Testing with CORE IMPACT
WHEN: Tuesday, November 6, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Anthony Alves
Sponsored By: Core Security Technologies
Core Security Technologies introduces new capabilities for web application penetration testing with CORE IMPACT v7.5. The new release allows security professionals to leverage the product's automated Rapid Penetration Test methodology to identify exposed web applications and interact with backend data - just as an attacker could.
Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deployments
WHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
Sponsored By: Secure Computing
In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.
Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
Sponsored By: Core Security Technologies
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
Sponsored By: netForensics
Join this webcast to discover how database compliance monitoring can: Safeguard vulnerable and compliance related data by preventing malicious and unauthorized access Effectively mitigate both well-known application-layer attacks, as well as more subtle behavioral attacks
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/