
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #85

October 28, 2008

Tomorrow is the deadline for early registration discounts on CDI2008, SANS' largest winter security training conference, in Washington, DC, December 10-16. http://www.sans.org/cdi08


NY HS Student Charged with Felonies After Notifying Principal of Security Hole
Final Version of OMB Memo Rolls Back Federal CIOs' Clout
DHS to Take Over Airline Passenger Screening


Convicted Bali Nightclub Bombers to be Executed
Draft Army Intelligence Paper Voices Concern Over Twitter as Potential Terrorist Tool
FBI: US Business and Government are Targets of Cyber Theft
eVoting Machine Study Finds Problems
Another Flaw in Opera Browser
Yahoo! Fixes Cross-Site Scripting Flaw
Sun Releases Updates for Java System LDAP Java Development Kit and JRE6
Trojan Exploits Just-Patched Windows RPC Flaw
Survey Lists Coolest IT Security Jobs
Price of Stolen Data Falling, But Cost to Victims is Still High

********************* Sponsored By Ounce Labs, Inc. *********************

Outsourcing is a proven strategy to reduce costs and increase value, but careful planning is required to build stringent software security requirements into contracts and to ensure that those requirements are met. Download this report for detailed data on how experienced outsourcers are putting in place effective processes to drive the risk out of outsourcing. http://www.sans.org/info/34619



- - SANS CDI in Washington: 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney, Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org



NY HS Student Charged with Felonies After Notifying Principal of Security Hole (October 24, 25 & 28, 2008)

A 15-year-old Shenendehowa Central School student has been arrested and charged with computer trespass, unlawful possession of personal identification information and identity theft, all of which are felonies. The student allegedly gained access to a school system database while in a computer class at the school. He then allegedly emailed the principal, telling him what he had been able to do. The file was accessible to anyone with a district password, students included. The district superintendent said that while the file may have been accessible, it required some know-how to find and access it. The student has been suspended from school and will face the charges against him in family court in Saratoga County, NY.
[Editor's Note (Ullrich): We have to find a better way to deal with "responsible disclosure". First define what it is, and then how to include it in our incident handling procedures.
(Liston): Based on a full reading of several articles written on this matter, the student's motives appear to be somewhat questionable and certainly more was done here than stumbling across a file and immediately reporting it. Whether his actions rise to felony status is for the courts to decide.
(Schultz): I wonder whether the computing system in question had a warning banner that cautioned against unauthorized access. If it didn't, it does not seem right to throw the book at a 15-year-old student who used a password that was assigned to him for the access that he obtained. Additionally, I am not impressed with the casualness of district administrators toward their own responsibility (or lack thereof) in securing personal data. One of the administrators shrugged off the suggestion that the personal data that the student accessed were not sufficiently protected by saying that the database in question was only open for "a week or two."
(Northcutt): Tough story; it will take a court of law to sort this one out, I guess, but the fact that he reported it to the principal and then got arrested does not sit well with me. However, if he took a file and had a file in his possession with people's identities, that doesn't sit well either. I don't suppose arresting the person that designed the system is in the cards? ]

Final Version of OMB Memo Rolls Back Federal CIOs' Clout (October 24, 2008)

The final version of an Office of Management and Budget (OMB) memo describing the responsibilities of federal chief information officers (CIOs) no longer has a clause that stated that CIOs report to agency heads and that "except where otherwise authorized by law, order, or waiver from the director of OMB, no other individual in any organizational component of the agency ... has authorities or responsibilities that infringe upon those of the agency CIO." Other changes from earlier drafts of the memo include removing language that gave CIOs the authority to plan, manage and oversee agencies' IT portfolios; instead, those responsibilities were given to agency heads. Some have said that the final draft does not comply with the Clinger-Cohen Act, which establishes the position of CIO at federal agencies and requires that they report to agency heads. The changes appear to be a move to keep power in the hands of political appointees rather than career executives. (The story includes a link to a tool that allows readers to compare the final version of the memo with the most recent draft.)

DHS to Take Over Airline Passenger Screening (October 22 & 23, 2008)

Starting in January, the responsibility for checking airline travelers' names against the passenger watch and no-fly lists will pass from the airlines to the US Department of Homeland Security (DHS). Passengers will be required to provide their full names, birthdates and genders to board commercial aircraft. The additional required information is intended to reduce significantly the number of false positives, or people whose travel is "wrongly" delayed or prevented. The no-fly list has fewer than 2,500 names on it; just 10 percent of those are US citizens. The selectee list, which identifies people who are subject to additional questioning, contains fewer than 16,000 names, and less than half are US citizens. The shift comes with the release of the Secure Flight Final Rule.


************************* SPONSORED LINK ******************************

1) USB and Laptop Security: Webinar to help secure your mobile workers and portable data http://www.sans.org/info/34599




Convicted Bali Nightclub Bombers to be Executed (October 24, 2008) and (December 14, 2004)

Three men convicted of nightclub bombings in Bali that killed more than 200 people in October, 2002 will be executed early next month. The three were sentenced to death in 2003 by a Bali court. One of the men, Imam Samudra, published an autobiography in 2004 while in prison. One chapter in the book is titled "Hacking, Why Not?" in which he exhorts Muslim extremists to attack US computer systems. The chapter includes information to help potential attackers steal and use credit card information.

[Editor's Note (Skoudis): The Washington Post sent us a translated copy of the chapter urging cyber attacks against the US and its interests. Although not technically deep, it was chilling. The chapter provided a roadmap for getting started in computer attacks (such as tools to use, techniques to master, places to go to learn more, etc.), as well as religious justifications for such attacks. ]


Draft Army Intelligence Paper Voices Concern Over Twitter as Potential Terrorist Tool (October 25 & 27, 2008)

According to a draft US Army intelligence paper, voice-altering software, Global Positioning System (GPS) maps and the micro-blogging service Twitter could be used to plan and carry out terrorist attacks. The report notes that Twitter was used to spread news of a recent Los Angeles (CA) earthquake more quickly than commercial news outlets and that "Twitter is already used by some members [of social activism, human rights and other groups] to post and/or support extremist ideologies and perspectives."


[Editor's Note (Pescatore): by now we should know that every new technology will be used by bad guys *and* good guys, just as souped-up cars were used by moonshiners and police.
(Northcutt): This one is getting some play already. I read a 2009 Security Prediction today that said Google hacking was the hot new threat. All social media is vulnerable to social engineering; all social media gives out so much information an OPSEC person will have a cardiac attack. So concerns about Twitter may be slightly overblown, but glad to see they are looking into this and bringing it to each other's attention. Read a story today about a robber who posted a job ad, told all the people what to wear, and used them as decoys (he was dressed like they were):

FBI: US Business and Government are Targets of Cyber Theft (October 22, 2008)

Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' security instead of on the origins of the attacks.
[Editor's Note (Pescatore): It really doesn't matter where the attacks come from, businesses have been getting hit by sophisticated, financially motivated, targeted attacks for several years now.
(Ullrich): A very wise remark. It doesn't matter who attacks you. The methods used to attack you and the methods used to defend yourself are the same. We spend too much time worrying about geographic origins. In cyberspace, nation states are a legacy concept. ]


eVoting Machine Study Finds Problems (October 27, 2008)

A newly-released report says that the electronic voting machines used in New Jersey and other US states are unreliable and potentially vulnerable to hacking. A New Jersey judge ordered the report as part of a lengthy legal battle over the use of the devices, which are Sequoia AVC Advantage 9.00H direct recording electronic (DRE) touch-screen voting machines. The report says that the machines can be manipulated by installing a replacement chip containing malicious software on the main circuit board.
[Editor's Note (Northcutt): And Wired just ran a blog about Betty Ireland, Secretary of State West Virginia giving a Voting machine exec an award the day after she did a press release about how they were going to address "vote switching problems":
And a site that collects problems with voting machines:


Another Flaw in Opera Browser (October 27, 2008)

Just days after Opera Software released Opera 9.61 to address a handful of vulnerabilities in the browser, another serious flaw has been detected. The vulnerability is similar to the cross-site scripting flaw patched in the recent update; it can be exploited by manipulating users into viewing a booby-trapped page with the Opera browser. Opera is testing a new update for the browser that will address this new flaw.


Yahoo! Fixes Cross-Site Scripting Flaw (October 27, 2008)

Yahoo! has repaired a cross-site scripting flaw in the hotjobs.yahoo.com domain that was being exploited to access people's Yahoo! Mail accounts and restricted areas of the website. Attackers hid JavaScript in certain pages to steal users' authentication cookies, which then allowed them to gain control of the users' Yahoo! accounts. Yahoo! fixed the flaw within hours of learning of it.
[Editor's Note (Skoudis): An XSS flaw in one of the big, popular, script-laden websites such as web-based e-mail, search engines, auction sites, social networking, and photo sharing, could cause some immense damage, beyond the mere information disclosure, e-mail account hijacking, and rudimentary worms we've seen so far. By hooking browsers inside of enterprises that view the attacker's content, a bad guy could wield significant control from those machines, inside the corporate firewalls that are supposed to protect them. Watch out for this kind of attack in the near future. ]

Sun Releases Updates for Java System LDAP Java Development Kit and JRE6 (October 27, 2008)

Sun Microsystems has released a security update to patch a vulnerability in the search feature of its Java System LDAP Java Development Kit (JDK). The flaw could potentially be exploited to access unauthorized information while using applications that use the LDAP JDK library. In addition to the JDK, the flaw affects Sun Java System Access Manager 7 2005Q4, Access Manager 7.1 and Access Manager 6 2005Q1. Sun has also released an updated version of Java, JRE6 Update 10, which claims to "patch in place," meaning that from this point forward, outdated and insecure versions will no longer stick around on users' machines.




Trojan Exploits Just-Patched Windows RPC Flaw (October 24 & 27, 2008)

Just one day after Microsoft released an out-of-cycle patch to fix a critical remote procedure call (RPC) flaw in the Server service, a Trojan horse program that exploits the vulnerability has been detected. The malware could potentially be used to allow infected machines to infect other unpatched computers on their network with no user interaction.


[Editor's Note (Ullrich): As of today, we at Internet Storm Center have learned of versions of the exploit for popular exploit tool kits. The attacks are beginning. ]


Survey Lists Coolest IT Security Jobs (October 24, 2008)

A SANS Institute survey of government and non-government security employees asked respondents to rank the coolest IT security jobs. The top three coolest jobs according to government IT workers are information security crime investigator/forensics expert, system, network and/or penetration tester and forensics analyst. IT security specialists outside government placed the same three jobs in the top three rankings in a slightly different order.


Price of Stolen Data Falling, But Cost to Victims is Still High (October 27, 2008)

The value of stolen payment card information is estimated to be one-tenth what it was a decade ago. Part of the reason may be the large scale of data security breaches that have flooded the black market with stolen personal financial information. Some data thieves age their quarry, waiting months to sell it so that the specter of fraud may have eased for the victims.

[Editor's Note (Northcutt): I love the concept: "we sell no identity before its time." I did some research a couple of months ago, and most people said that the value is still $10.00 for a high-quality identity, but some folks are telling me it is closer to $2.50. One thing is certain; it is worth a *lot* more to the victim.
(Skoudis): The old law of supply and demand is in play here. The supply of stolen credit cards is way up, the demand is constant or only slightly increasing, so the price goes down. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board. Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/