SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #67
August 26, 2008
September 3 (next Wednesday) is the last date for discounted attendance at SANS' big Network Security conference in Las Vegas. http://www.sans.org/info/29439
TOP OF THE NEWS
OMB Issues DNSSEC Directive For US Government Agencies
Judge Says Law Barring Woman from Posting SSNs on Internet is Unconstitutional
TV News Anchor Admits Accessing Co-Worker's eMail Accounts
eVoting Vendor Says Dropped Votes Due to Code Error
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Four Arrested in Connection With Credit Card Fraud Scheme
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Lost Memory Stick Prompts Investigation; Consultancy Contract Suspended
Nokia Acknowledges Java Flaws in Series 40 Handsets
UPDATES AND PATCHES
Microsoft Re-issues Incomplete Update Posted to Microsoft Download Center
Cyber Thieves Steal Best Western Customer Data
Red Hat and Fedora Servers Attacked
CT Gov. Wants Investigation Into Credit Monitoring Company
Faulty Hardware Component Blamed for Recent Netflix Problems
Australia Chief Justice Sees Concept of Privacy Shifting
SANS Top Internet Security Risks 2007
Software Security Moves From Want To Need
************************ Sponsored By NitroSecurity *********************
NitroSecurity is the leading supplier of Unified Information Security solutions that provide Edge-to-Core network security for over 500 enterprises. Leveraging decades of R&D and patented data management technology, NitroSecurity delivers a highly integrated, cost effective network security product suite for security information & event management, log management, database activity monitoring, network analysis and intrusion prevention.
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) AUDIT & COMPLIANCE http://www.sans.org/chicago08
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
OMB Issues DNSSEC Directive For US Government Agencies (August 22, 2008) The Office of Management and Budget (OMB) has told federal chief information officers that they have until January 2009 to deploy Domain Name System Security (DNSSEC) on top level .gov domains. Agencies must also develop a plan for deploying DNSSEC to "all applicable information systems" by December 2009.
[Editor's Note (Pescatore): Definitely a good thing to force some movement towards DNSSEC but there is a continuing string of "unfunded mandates" that hit government agencies. It would be nice to see some of the mythical billions of dollars in National Cyber Security Initiative funding funneled to actual operational security budgets of actual government agencies to actually fund something. ]
Judge Says Law Barring Woman from Posting SSNs on Internet is Unconstitutional (August 22, 2008) A US District judge has ruled that a law barring BJ Ostergren from publishing Social Security numbers (SSNs) on the Internet is, in this specific case, unconstitutional. Ostergren's website contains public documents that include SSNs of prominent people. Ostergren's point is to show how the government has failed to protect people's privacy.
[Editor's Note (Northcutt): Virginia is going to have to choose between two paths: continue to publish social security numbers and other PII on their state web sites, putting their citizens at risk of identity theft, or start sanitizing the information. The latter is a huge task that would involve modifying public records. This is a fairly big problem that Ostergren has brought to light. Here is the suit; even a quick read and you realize it is a slam dunk: ]
TV News Anchor Admits Accessing Co-Worker's eMail Accounts (August 22, 2008) Former Philadelphia television news anchor Lawrence Mendte has admitted he broke into a co-worker's email accounts and leaked information from the messages to the media. The compromised accounts belonged to Mendte's former co-anchor Alycia Lane; the leaked information contributed to her losing her job at KYW-TV, the station where she and Mendte co-anchored the evening news for four years. Mendte was charged with one count of illegally accessing a computer; if he is found guilty, he could face up to five years in prison.
eVoting Vendor Says Dropped Votes Due to Code Error (August 22 & 25, 2008) Premier Election Solutions now says the reason its electronic voting machines dropped hundreds of votes in Ohio's primary election earlier this year is a logic error in the machines' source code. Premier, formerly known as Diebold Election Systems, originally said the problem was due to issues caused by McAfee's antivirus software. While the antivirus software can trigger the problem, it is the buggy code that caused the dropped votes in March. Premier has issued an advisory for users running the affected machines that tells them how to avoid losing votes; the problem affects at least 1,650 jurisdictions in the US. The company is also in the process of testing a fix created for the problem.
[Editor's Note (Pescatore): There are so many things wrong with this story - it is scary to think that a voting machine *needed* AV software, let alone that AV software *can* trigger votes to be dropped. But the real issue is why the federal Election Assistance Commission hasn't done a thing to live up to their charter of "Carrying out duties related to the testing, certification, decertification, and recertification of voting system hardware and software." This has been dragging on since late 2005 when the first version of the Voluntary Voting System Guidelines came out. The voting machine vendors will likely have to change their names several more times before we see any actual security testing of these systems.
(Schultz): Once again we are seeing why voting systems technology is not ready for prime time.
(Veltsos): The best way to avoid losing votes is to stop using voting machines from manufacturers who refuse to submit source code for public scrutiny. ]
************************** SPONSORED LINKS: *****************************
1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/32164
2) Get real-world forensic techniques from industry-recognized experts at the Forensics & Incident Response Summit October 13-14 in Las Vegas. http://www.sans.org/info/32169
3) Rediscover Amsterdam, NL and hear about Process Control Security issues. - Process Control & SCADA Summit September 8-9. http://www.sans.org/info/32174
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Four Arrested in Connection With Credit Card Fraud Scheme (August 22, 2008) Four people in Ohio have been arrested in connection with a credit card fraud scheme. One of the four allegedly used a hidden device to swipe cards used by customers at the McDonald's drive-through in Liberty, Ohio where she worked. The device recorded credit and debit card information that was then allegedly used to manufacture new cards. The group has allegedly made approximately US $6,000 worth of fraudulent purchases with the phony cards. When the local police station started receiving complaints of unauthorized charges on credit cards, they found the common factor to be a credit card purchase at McDonald's; ultimately the suspicious transactions were traced to a single cashier.
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Lost Memory Stick Prompts Investigation; Consultancy Contract Suspended (August 22, 2008) UK Home Secretary Jacqui Smith says an inquiry is underway into the loss of a memory stick containing personal details of tens of thousands of criminals in England and Wales. While the data were stored securely on government systems, an outside contractor, PA Consulting, apparently downloaded the data in violation of its contract. The contractor had access to the data because it was working on a research project. The contractor staff member responsible for the memory stick has been suspended, and the Home Office is suspending its contract with PA Consulting.
[Editor's Note (Schultz): This news item provides another in a long line of lessons-learned stories concerning information security, namely that letdowns in this area can and do result in significant business damage and loss.
(Honan): Use this example with Senior Management to show how poor security can lose a company business when you next have to justify your infosec budget. ]
Nokia Acknowledges Java Flaws in Series 40 Handsets (August 21 & 22, 2008) Nokia has acknowledged the existence of two vulnerabilities in its Series 40 handsets. The flaws lie in Sun Microsystems' mobile version of Java (J2ME) and were brought to the attention of Sun and Nokia by Adam Gowdiak, who provided each company with a brief overview and offered detailed reports on the vulnerabilities for US $20,000. Neither company has confirmed that it has paid Gowdiak, but Sun has announced that it will be releasing patches for the flaws soon, and Nokia is looking into measures to prevent their exploitation. One of the flaws could allow remote access to restricted phone functions; the other could be exploited to surreptitiously install or run applications on the devices.
UPDATES AND PATCHES
Microsoft Re-issues Incomplete Update Posted to Microsoft Download Center (August 22, 2008) Microsoft has released a new version of one of its August 11 security bulletins because the original version was incomplete. The affected bulletin is MS08-051, which addresses three flaws in Microsoft Office, PowerPoint and PowerPoint Viewer. Users who downloaded the fix manually should apply the new version as soon as possible; users whose systems were updated through Windows Update or Windows Server Update Services are already protected. The incomplete version was only posted to the Microsoft Download Center. Internet Storm Center Post:
Cyber Thieves Steal Best Western Customer Data (August 25, 2008) An attacker reportedly breached the security of Best Western Hotels' online reservation system and may have compromised the names, addresses, credit card numbers and other personal information of all people who have stayed at Best Western Hotels since 2007. The attacker appears to have loaded a Trojan onto a hotel computer and captured the login information of someone with appropriate clearance to access the customer information; a spokesperson for Best Western said the company has disabled the compromised account. The theft "came to light" after access to the data was offered for sale on the Internet. Best Western has refuted some of the claims made in the media, noting that the company's policy is to purge online reservation data as soon as the customers check out of the hotel. Best Western also maintains that the breach was limited to "a select portion of data at a single hotel."
[Editor's Note (Honan): The facts regarding this story are still unclear, but given the response by Best Western to the original story it would appear that the claims are exaggerated. We have had debates about responsible disclosure in the past; perhaps now is the time we need to debate the need for responsible news reporting. ]
Red Hat and Fedora Servers Attacked (August 22, 2008) Attackers have breached infrastructure servers belonging to Red Hat and the Fedora project. Fedora officials say the project has changed to new signing keys as a precautionary measure, although they do not think the Fedora package signing key was compromised. Red Hat acknowledged that code on its system had been tampered with, but says that its content distribution was unaffected, so users were not served bad code. Internet Storm Center Posts:
[Editor's Note (Skoudis): This is a very scary case. At this point, details about how the attack occurred are slim to none, likely because the investigation is ongoing. Was it a zero-day vulnerability? Misconfiguration? Procedure problem? Operator error? As a big Red Hat and Fedora user, I'd sleep a little better knowing both when the attack occurred and how it was pulled off.
(Pescatore): This is as big a deal as when it happened to Microsoft several years ago. Red Hat needs to be very public and very transparent about what they are going to change to make sure this doesn't happen again. ]
CT Gov. Wants Investigation Into Credit Monitoring Company (August 22, 2008) Connecticut governor M. Jodi Rell has called for an investigation into the company hired to provide credit monitoring for people whose personal data were on a stolen state government laptop computer. Connecticut state officials hired Debix Identity Protection Network to work with individuals whose information was on the Department of Revenue Services computer that was stolen from an employee's car a year ago. A number of people have complained to the state after they were contacted by Experian, one of the credit bureaus, asking them to supply government identification, their Social Security numbers (SSNs) and a utility bill to allow the monitoring to continue.
Faulty Hardware Component Blamed for Recent Netflix Problems (August 22, 2008) Netflix's head of IT Operations has posted an explanation of the company's recent shipping delay on the Netflix Community Blog. Apparently a faulty hardware component was responsible for a database corruption event in the Netflix shipping system; similar events then began occurring in peripheral databases as well. The company "moved the shipping system to an isolated environment" and managed to get the shipping system functional again. Netflix has "taken steps to fortify (its) shipping system with the acquisition of additional equipment."
[Editor's Note (Pescatore): Ah, the hardware was at fault because hardware should never fail? I think the real problem was that there was nothing that could detect a hardware failure before it led to database corruption. ]
Australia Chief Justice Sees Concept of Privacy Shifting (August 21, 2008) Chief Justice of the High Court of Australia Murray Gleeson said that "the ground seems to be shifting" in the realm of privacy. Specifically, the advent of the Internet and cellular phones has led people to disclose personal information online and to have what would normally be private conversations in public settings. Justice Gleeson added that although he wrote a judgment several years ago that "there seemed to (him) to be certain things which were self-evidently private, (he is) not sure about that anymore. The very changes that are taking place in the concept of privacy will be a matter that parliaments have to address - - and courts." Justice Gleeson will retire at the end of the month.
SANS Top Internet Security Risks 2007
In case you missed it earlier this year, or if you want to check out how the Internet threat landscape has changed (or not) over the last eight months, here is a slideshow of the SANS Top Internet Security Risks of 2007, which details an increased focus on targeted phishing attacks as well as an increase in attacks on web applications.
Software Security Moves From Want To Need (August 11, 2008) The growth of attacks through the application layer has resulted in similar growth in prevention resources being applied by enterprises: tools, services and skills development. In an article in InformIT, Gary McGraw talks about the growth and the fact that software security is finally moving from 'want' to 'need'.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/