SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #49
June 20, 2008
A surprising result appeared in the first large test of the secure coding assessment exams in Java and C: they found that programmers are exceptionally well versed in the types of vulnerabilities that may crop up, but shockingly unable to find and fix those vulnerabilities. Apparently security awareness classes do not solve the problem, but give false confidence. Another large scale test - on line and live (in DC) - is coming next month. If you have at least 100 programmers and can persuade ten or so to test the assessment and give feedback, please email email@example.com. They will get a lot of value from it.
TOP OF THE NEWS
Appeals Court Grants 4th Amendment Protection to Electronic Messages
Software Engineer First to be Sentenced Under Economic Espionage Act
Swedish Parliament Passes Eavesdropping Law
US Congress to Consider Eavesdropping Law
Voting Machine Trade Group Wants to Help Draft Certification Standards
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
High School Seniors Face Prison for Hacking
SPYWARE, SPAM & PHISHING
NebuAd Comes Under Fire for Allegedly Violating User Privacy and Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Critical Flaw Affects Firefox Versions 3.0 and 2.x
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana Bank Server Breach Leads to Unauthorized ATM Withdrawals
Citibank Server Breach Likely Source of Compromised ATM Cards
Photobucket Blames DNS Problem for Attack
STANDARDS & BEST PRACTICES
Brokerage Fined for Lax Customer Data Security Safeguards
Smuggling Ring's Computers Held Nuclear Weapon Blueprints
LIST OF UPCOMING FREE SANS WEBCASTS
- - Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org
TOP OF THE NEWS
Appeals Court Grants 4th Amendment Protection to Electronic Messages (June 19, 2008)
The 9th US Circuit Court of Appeals has ruled that employers may not access employees' text and email messages if the company has contracted with an outside organization to transmit those messages. According to the ruling, employers may only access employees' email if the messages are stored on an internal server. The original case was brought by Ontario, California police officers who sued after a wireless provider gave the police department records of text messages they had received. This is the first federal appellate decision to provide 4th Amendment protection to electronic messages.
[Editor's Note (Schultz): The Fourth Amendment protects individuals from unreasonable search and seizure. As such, a strong case can be made for employees who contest the right of employers to intercept and read employees' email. The fact that this ruling basically allows companies access to employees' messages if a company's mail servers are involved, but not when mail services are outsourced, is a fascinating twist to this controversial legal issue.
(Skoudis): If this decision holds, it has some pretty important implications on outsourcing of messaging services. On numerous occasions, I've had CIOs tell me that they were thinking about dumping their costly and difficult-to-maintain internal mail infrastructure and going to something like a private branded Gmail. A ruling like this would certainly complicate such plans, especially for enterprise incident handlers.
(Veltsos): While the city had notified employees of its email and text message monitoring policy, it had not consistently applied such policy across its workforce and chose instead to focus on a few individuals. Employers must take notice and review their outsourced communications service contracts to ensure a balance of right-to-monitor, employee privacy expectations, and consistent policy enforcement.]
Software Engineer First to be Sentenced Under Economic Espionage Act (June 18 & 19, 2008)
Software engineer Xiaodong Sheldon Meng has been sentenced to two years in prison for economic espionage. Meng will also serve three years of supervised release following the completion of his prison sentence, pay a US $10,000 fine, and forfeit computer equipment seized in his case. The sentence is the first handed down under the Economic Espionage Act of 1996. Meng stole proprietary information from his former employer, Quantum3D Inc., and used it in presentations to make sales to foreign government representatives.
[Editor's Note (Skoudis): This is the first sentence under that 12-year-old act. I expect this to be the first of many in coming years, given the evolving nature of espionage.]
Swedish Parliament Passes Eavesdropping Law (June 19, 2008)
New legislation in Sweden will allow the country's intelligence bureau to snoop on international phone calls, email and faxes. The surveillance can be conducted without first obtaining a court order. Critics of the new law say it tramples people's individual rights. Proponents counter that the law is a necessary move to protect national security.
[Editor's Comment (Northcutt): There was blog talk about protesting in the streets and the like before the vote, but after the law was passed, as near as I can tell from Internet searches, no such thing happened. The law passed by 143 to 138 and, with some maneuvering, it takes effect in January. This is genuine big brother stuff, so Europe's traditional stand for privacy seems to be softening. You will recall France has passed a law to stop Internet piracy that is also fairly invasive. The really interesting thing is that the Scandinavian telephone system is tightly intertwined, so this will affect neighboring countries as well.]
US Congress to Consider Eavesdropping Law (June 19, 2008)
New FISA legislation in the US will allow the country's intelligence bureaus to snoop on international phone calls, email and faxes. The surveillance can be conducted without first obtaining a court order. Critics of the new law say it tramples people's individual rights. Proponents counter that the law is a necessary move to protect national security.
[Editor's Comment (Northcutt): I've got the déjà vu feeling all over again.]
Voting Machine Trade Group Wants to Help Draft Certification Standards (June 19, 2008)
The Election Technology Council (ETC), an industry trade group that represents voting system providers, has issued a report calling for a voice in developing voting system certification requirements. The ETC report says that the process, currently overseen by the Election Assistance Commission (EAC), is "a broken system that treats the regulated industry more as an adversary and less as a key stakeholder." Voting system manufacturers are not technically a regulated industry, despite ETC's claim, because EAC is not a regulatory agency and the certification process is voluntary. However, 80 percent of US states require some level of certification for voting systems to be used in elections.
THE REST OF THE WEEK'S NEWS
High School Seniors Face Prison for Hacking (June 18 & 19, 2008)
Two California high school students are facing charges for a variety of offenses related to unauthorized access to the school's computers. Tesoro High School senior Omar Khan allegedly stole teachers' login credentials with spyware and used the information to change his grades and those of others. He also allegedly broke into the school building after hours to conduct the attacks. Administrators were alerted to the situation when they noted a change in the normally mediocre student's grades, and they notified authorities. Khan faces a variety of charges including unauthorized computer access, burglary, identity theft and receiving stolen property; if convicted on all counts, he could face up to 38 years in prison. His alleged co-conspirator Tanvir Singh, also a senior, faces charges of hacking, burglary and conspiracy, which could bring him a maximum sentence of three years. Khan and Singh also allegedly broke into the school in an attempt to steal a test.
SPYWARE, SPAM & PHISHING
NebuAd Comes Under Fire for Allegedly Violating User Privacy and Security (June 19, 2008)
NebuAd, a targeted behavioral advertising company, has come under fire from advocacy groups for "wiretapping, forgery and browser hijacking." NebuAd is being used by US Internet service providers (ISPs) to provide a service much like that offered by Phorm in the UK. According to a technical report, NebuAd's activity is comparable to a malicious intrusion - it hijacks browsers, conducts man-in-the-middle attacks and performs a number of other objectionable actions.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Critical Flaw Affects Firefox Versions 3.0 and 2.x (June 19, 2008)
Just hours after Mozilla released Firefox version 3.0, researchers notified the company of a security flaw that could be exploited to execute arbitrary code. The flaw requires some user action to be exploited. It affects Firefox versions 3.0 and 2.x, which means it was not introduced in the new version of the browser. No details of the flaw will be released until Mozilla has made a fix available.
[Editor's Note (Skoudis): Perhaps this could be a new Olympic sport -- speed vulnerability finding. Actually, it sounds like the people who discovered the flaw knew about it before the much-hyped Firefox 3.0 release, and timed their sale of the vulnerability information to TippingPoint to coincide with the 3.0 release. It's just a theory, but I'll bet that the vuln info was much more valuable given the new version hype.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indiana Bank Server Breach Leads to Unauthorized ATM Withdrawals (June 19, 2008)
A server breach at 1st Source Bank in South Bend, Indiana on May 12 is the likely source of information used in a rash of fraudulent ATM transactions in Russia, Ukraine, Turkey and the Czech Republic. The fraud affects bank customers and credit union members of at least six institutions in the area. The breached server held ATM transaction data for 1st Source and other institutions that used 1st Source ATMs. 1st Source shut down all its compromised cards and issued new ones to its members; it also informed the other institutions that the information had been compromised.
Citibank Server Breach Likely Source of Compromised ATM Cards (June 18, 2008)
According to court documents, federal prosecutors say that cyber attackers breached the security of a Citibank server that processes ATM withdrawals, possibly harvesting the account details and PINs in real time during legitimate transactions. Two men have been charged in connection with fraudulent use of the compromised accounts; the pair allegedly withdrew hundreds of thousands of dollars. The men are not believed to be responsible for the server breach, but did obtain the stolen information and used it to manufacture phony ATM cards. The alleged intrusion and subsequent crime spree may also explain Citibank's decision to reduce the maximum amount for ATM withdrawals late last year. According to a sworn affidavit, Citibank notified the FBI that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached." The two men charged in the case, Yuriy Ryabinin and Ivan Biltse, also allegedly stole significant sums of money through fraudulent use of iWire prepaid MasterCard accounts.
Photobucket Blames DNS Problem for Attack (June 18, 2008)
The Photobucket photo sharing website came under DNS attack earlier this week. Instead of seeing pictures, site visitors were treated to a message in Turkish from the attacker. Photobucket says the problem was related to "an error in (its) DNS hosting services," and that no personal information was compromised. The problem was fixed within an hour of its discovery. Some researchers say the explanation does not ring true and want Photobucket to clarify the situation.
STANDARDS & BEST PRACTICES
Brokerage Fined for Lax Customer Data Security Safeguards (June 19, 2008)
The UK's Financial Services Authority (FSA) has fined Merchant Securities Group Limited GBP 77,000 (US $152,000) for providing inadequate protection for its customers' personal data. Among the problems cited are the use of instant messaging and web-based email and failing to verify the identities of customers who phoned the company. In addition, unencrypted backup tapes of customer data were stored at a staff member's home. There is no evidence that any customer information was compromised.
[Editor's Note (Honan): Having staff take backup tapes home is a common "cost effective" tape offsite solution. However, as this story points out, that practice exposes data to considerable risk. Given the availability and competitiveness of many Internet based backup solutions, these companies should look more closely at this option.]
Java Jive (June 17, 2008)
Risk Advisory Services manager Craig Wright notes that his Internet connected Jura Impressa F90 coffee maker has a number of software flaws that could be exploited to change the brewing strength of the coffee, change the amount of water used for each cup, possibly causing puddles, and engineer incompatible settings that break the machine. Attackers could also "gain access to the Windows XP system it is running on at the level of the user."
[Editor's Note (Honan): On numerous occasions when working with clients I have discovered issues with these types of devices that have undermined the security of their network. Default passwords, misconfigurations and unpatched operating systems can allow these devices to be a point of attack onto your network. So make sure you include them in your risk assessment and vulnerability management process and protect them accordingly.
(Veltsos): This past year many security researchers have been raising the alarm about the vulnerabilities hiding in embedded devices. Many such devices run trimmed-down operating systems (often Linux-derived), come bundled with outdated or exploitable programs, and offer little or no patching capability. As more devices become internet-capable, the threat landscape expands into unconventional and often overlooked devices, from coffee makers to fridges, from digital picture frames to internet webcams.
(Kreitner): Finally, cyber security will get some attention when people realize it could mess with their coffee. That's serious. Call in the risk managers. Get on this right away.]
Smuggling Ring's Computers Held Nuclear Weapon Blueprints (June 15 & 16, 2008)
According to a draft report from former UN arms inspector David Albright, an international smuggling ring somehow obtained blueprints for an advanced nuclear warhead. The information was found in 2006 on computers belonging to the group. There is no way of knowing if the information was shared with other countries or groups before the computers were seized.
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
Sponsored By: CoreTrace
The continuous and rapid changes in malware and antivirus solutions are a reflection of the creativity and passion today's hackers and cyber-criminals have for damaging and disrupting an individual or organizational IT environment. As malware improves, better endpoint security solutions must follow. Currently it is unlikely an endpoint system outside of a corporate network could survive a determined attacker's efforts. Classic personal firewall and antivirus solutions are not proving to be enough in the fight against malware, and products in these markets are being replaced with endpoint protection, often using whitelisting techniques, to help enterprises with performance gains and reduction in security related costs. This webcast will discuss the current trends in endpoint solutions and offer guidance on both commercial and free tools, so that attendees can find the functionality they need, even if it comes from multiple solutions. Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoints is a best practice.
SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam
This keynote is an introduction to some of the Oracle Database risks that exist, and highlights the "Top 10" critical areas that should be checked when conducting an Oracle database audit.
Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
Sponsored By: Mu Security
This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.
SANS Special Webcast: A 2008 Perspective on Malicious Software
WHEN: Tuesday, July 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Lenny Zeltser
In this webcast, Lenny Zeltser surveys the characteristics of today's malware, exemplified by recently-seen bots, downloaders, keyloggers, and malicious scripts. He discusses samples that employed self-defense, social engineering, fast-flux DNS, man-in-the-middle attacks, extortion demands, and so on. Tune in to better understand what we're up against. This talk will expand your perspective of the modern malware landscape, empowering you to adjust your defenses and risk mitigation strategies.
Internet Storm Center: Threat Update
WHEN: Wednesday, July 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich and Michael Yaffe
Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Christophe Veltsos is president of the Mankato Chapter of the ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit