SANS NewsBites Vol. 9 Num. 49

From: The SANS Institute (NewsBitessans.org)
Date: Fri Jun 22 2007 - 14:04:54 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Next Wednesday, June 27, is the last day to receive the $150 tuition fee
discount for security training at SANSFIRE in Washington DC.
http://www.sans.org/sansfire07/

*************************************************************************
SANS NewsBites June 22, 2007 Vol. 9, Num. 49
*************************************************************************
TOP OF THE NEWS
  DHS CIO Singled Out for Failure to Address IT Security
  Stored Communications Act Violates Fourth Amendment
  Blackberry Ban for French Government Officials
  Pentagon eMail System Break-In
THE REST OF THE WEEK'S NEWS
  SPYWARE, SPAM & PHISHING
    Spamhaus Puts Austrian Domain Name Registrar on Blocklist
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Apple Patches IPv6, Apple TV Flaws
    MPack Detected on More Than 10,000 Websites
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Ohio State Office Interns Took Backup Tapes Home Nightly
    London Stock Exchange Alert System Attacked
  MISCELLANEOUS
    UK Watchdog Says Orange and Littlewoods Violated Data Protection Act
    Atlanta Hospital Audited for HIPAA Compliance
    Court Says No To Voting Machine Source Code Review

********************* Sponsored By ArcSight, Inc. ***********************

*Free Whitepaper: ArcSight Perspectives on Risk* Cyber attacks. Incident
management. Legal issues. Security trends. The subjects are diverse, but
the one powerful message is that security is the most important issue
your company faces. Learn to make better decisions about risk management
with this free collection of articles. Brought to you by ArcSight, the
leader in compliance and security management.
http://www.sans.org/info/9391
*************************************************************************
SANS TRAINING UPDATE: In the next 120 days SANS training will be
available in more than 30 cities in five countries with the biggest
programs in Washington DC at the end of July and Las Vegas the end of
September. Complete schedule at:
http://www.sans.org/training/bylocation/index_all.php
Two other ways to take SANS courses: (1) from your home or office you
can learn from top SANS faculty teaching live on line and you asking
questions in real time - very cool - called SANS HOME
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your
specific needs: http://www.sans.org/onsite/
*************************************************************************

TOP OF THE NEWS
 --DHS CIO Singled Out for Failure to Address IT Security
(June 20 & 21, 2007)
Recent testimony centering on more than 800 IT security incidents at the
Department of Homeland Security (DHS) has caused House Homeland Security
Committee Chairman Rep. Bennie Thompson (D-Miss.) to question whether
DHS CIO Scott Charbo should continue in his position. Thompson is
skeptical that "Charbo is serious about fixing vulnerabilities in the
department's information technology systems." Thompson was vexed that
it took external auditors to point out to DHS that their IT systems have
serious security problems. Thompson said DHS should serve as an example
to the rest of the government. Additionally, Thompson says that "a 'do
as I say, not as I do' policy is a recipe for disaster, and if we are
serious about the security risks facing our networks, then we need to
start acting and stop posturing." GAO chief technologist Keith Rhodes
tested DHS systems over the last year and said he "would label [DHS] as
being at high risk."
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025420
http://www.govexec.com/story_page.cfm?articleid=37256&dcn=todaysnews
http://www.gcn.com/online/vol1_no1/44521-1.html?topic=security&CMP=OTC-RSS
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199906038

 --Stored Communications Act Violates Fourth Amendment
(June 19, 2007)
A US federal appeals court upheld a lower court ruling that said law
enforcement agents need warrants to seize web-based email. The Sixth
Circuit Court of Appeals said webmail users have a "reasonable
expectation of privacy" regarding the content of messages stored on a
remote host. The original 2006 ruling, unsuccessfully appealed by the
US government, said the Stored Communications Act (SCA) violates the
Fourth Amendment. The SCA had been used for 20 years to access stored
email without a warrant.
http://www.theregister.co.uk/2007/06/19/webmail_wiretaps_appeal/print.html
http://www.heise-security.co.uk/news/91363

 --Pentagon eMail System Break-In
(June 21, 2007)
A June 20 cyber intrusion at the Pentagon has resulted in disrupted
email service for approximately 1,500 unclassified users. Parts of the
Pentagon's email system were taken offline after officials learned of the
intrusion. The incident is under investigation. Defense Secretary
Robert Gates said he was personally unaffected because he does not use
email.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025442&source=rss_topic17
(Issue discussed approximately 1/3 page down)
http://www.defenselink.mil/transcripts/transcript.aspx?transcriptid=3996
http://www.forbes.com/feeds/ap/2007/06/21/ap3846552.html

 --Blackberry Ban for French Government Officials
(June 19 & 20, 2007)
Citing data security concerns, the French government has renewed its
call for officials and their advisors to stop using Blackberries. Alain
Juillet, senior economic intelligence advisor to the prime minister,
says data transmitted to and from the devices could be intercepted.
Blackberry developer Research in Motion (RIM) disagrees, pointing to
their use of the 256-bit Advanced Encryption Standard (AES) to protect
data transmitted across their networks.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025310&source=rss_topic17
http://www.ft.com/cms/s/dde45086-1e97-11dc-bc22-000b5df10621.html
[Editor's Note (Schultz): It sounds as if there is little if any factual
basis behind the French government's decision. At the same time,
however, even if data interception is unlikely, there are plenty of
other security-related vulnerabilities in BlackBerries that if unpatched
can cause a wide variety of undesirable outcomes.]

************************* Sponsored Links: ****************************

1) Upcoming SANS Ask the Expert webcast, June 26th at 1pm EDT "Securing
the Castle: From Doors to Data", Register today.
http://www.sans.org/info/9396

2) How can you effectively address Application Security issues? Find out
at the Application Security Summit August 15-16 in Washington, DC.
http://www.sans.org/info/9401

3) Upcoming WhatWorks webcast on Log Management, June 27th at 1pm EDT.
Register Today.
http://www.sans.org/info/9406
*************************************************************************

THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
 --Spamhaus Puts Austrian Domain Name Registrar on Blocklist
(June 21, 2007)
Austrian domain name registrar Nic.at has been placed on Spamhaus's
blocklist because it allegedly supplied service to known phishing
domains. The domains reportedly belong to a Russian phishing group that
had used .hk (Hong Kong) domains until that registrar began cracking
down on shady practices. The Austrian registry has reportedly been less
than cooperative, indicating concerns should be addressed to the domain
owners and that they need proof to support claims that the domains in
question had been registered in names of non-existent people and paid
for with stolen credit card information. The listing of Nic.at is
merely symbolic, however; no email is blocked. The purpose of the
listing is to draw attention to the situation.
http://www.theregister.co.uk/2007/06/21/austrian_registrar_phishing_row/print.html
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55483
[Update from Bill Stearns at the Internet Storm Center, 7/21: Nic.at has
started to suspend phishing domains:
http://www.spamhaus.org/organization/statement.lasso?ref=7 ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Apple Patches IPv6, Apple TV Flaws
(June 21, 2007)
Apple Computer has released an update for Mac OS X. Version 10.4.10
addresses a flaw in the IPv6 protocol's handling of type 0 routing
headers. The flaw could be exploited to reduce network bandwidth. The
flaw affects Mac OS X versions 10.4.x, but not prior versions. Apple
also released an update for Apple TV. Version 1.1 has a buffer overflow
flaw that could be exploited to cause denial-of-service conditions or
allow arbitrary code execution.
[Internet Storm Center: http://isc.sans.org/diary.html?storyid=3006]
http://www.securityfocus.com/brief/532
http://www.theregister.co.uk/2007/06/20/critical_appletv_patch/print.html
http://docs.info.apple.com/article.html?artnum=305712
http://docs.info.apple.com/article.html?artnum=305631
[Editor's Note (Skoudis): I strongly believe that IPv6 implementations
are going to be a ripe area of vulnerabilities and exploits in the next
few years. We've spent the last 20 years debugging IPv4 stacks the hard
way. Now, with the massively complex IPv6 and some rather messy
implementations, we're going to be facing some rough waters. Macintosh
and OpenBSD (https://www.kb.cert.org/vuls/id/986425) are just the tip
of what I think will be a rather large iceberg.]
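The type 0 routing header item above concerns an IPv6 extension header that lets the sender list intermediate addresses a packet must visit; the defensive response at a router or host firewall is to recognise such packets and refuse to forward them. The following Python is an added example, not code from the newsletter or from Apple: it walks the extension-header chain of a raw IPv6 packet, reports a Type 0 routing header together with its remaining segments, and makes the drop decision a filter would make. The header layouts and protocol numbers are those of RFC 2460; the policy of dropping only packets that still have segments left follows RFC 5095, which later deprecated Type 0 routing headers. The packet builder produces constructed sample input for the detector, not captured traffic.

```python
import struct
import ipaddress

# IANA protocol numbers for the IPv6 extension headers this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6 = 58


def walk_extension_headers(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns ([(protocol, offset, length), ...], upper_layer_protocol).
    Hop-by-Hop, Routing and Destination Options headers carry their length in
    8-octet units (not counting the first 8 octets); the Fragment header is a
    fixed 8 octets (RFC 2460).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]          # Next Header field of the fixed header
    offset = 40                   # fixed IPv6 header is 40 octets
    chain = []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        length = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append((next_hdr, offset, length))
        next_hdr = packet[offset]  # first octet of every extension header is Next Header
        offset += length
    return chain, next_hdr


def find_rh0(packet: bytes):
    """Return (segments_left, [listed addresses]) if the packet carries a
    Type 0 routing header, else None."""
    chain, _ = walk_extension_headers(packet)
    for proto, off, length in chain:
        if proto == ROUTING and packet[off + 2] == 0:   # Routing Type octet
            segments_left = packet[off + 3]
            addr_bytes = packet[off + 8:off + length]     # 4 reserved octets, then 16-octet addresses
            addrs = [ipaddress.IPv6Address(addr_bytes[i:i + 16])
                     for i in range(0, len(addr_bytes), 16)]
            return segments_left, addrs
    return None


def should_drop(packet: bytes) -> bool:
    """Filtering decision: drop any packet that still has Type 0 routing
    segments left to process. A packet whose Segments Left is already 0 is
    treated as if the header were absent (RFC 5095) and is let through."""
    rh0 = find_rh0(packet)
    return rh0 is not None and rh0[0] > 0


def build_packet(src, dst, hops=(), segments_left=None,
                 payload=b"\x80\x00\x00\x00\x00\x01\x00\x01"):
    """Constructed sample input (not captured traffic): an IPv6 packet with an
    ICMPv6 echo-request-shaped payload and, if hops are given, a Type 0
    routing header listing them."""
    ext = b""
    next_hdr = ICMPV6
    if hops:
        if segments_left is None:
            segments_left = len(hops)
        addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
        # Next Header, Hdr Ext Len (8-octet units), Routing Type 0, Segments Left, Reserved
        ext = struct.pack("!BBBBI", ICMPV6, 2 * len(hops), 0, segments_left, 0) + addrs
        next_hdr = ROUTING
    # Version 6 in the top 4 bits, traffic class and flow label zero.
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(ext) + len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + ext + payload


if __name__ == "__main__":
    samples = {
        "plain": build_packet("2001:db8::1", "2001:db8::2"),
        "rh0": build_packet("2001:db8::1", "2001:db8::2",
                            hops=("2001:db8::3", "2001:db8::4")),
        "rh0-exhausted": build_packet("2001:db8::1", "2001:db8::2",
                                      hops=("2001:db8::3",), segments_left=0),
    }
    for label, pkt in samples.items():
        print(label, "drop" if should_drop(pkt) else "pass", find_rh0(pkt))
```

The walker stops at the first upper-layer protocol it meets, so a packet that hides the routing header behind a Hop-by-Hop or Destination Options header is still inspected; a filter that only looks at the fixed header's Next Header field would miss it.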

 --MPack Detected on More Than 10,000 Websites
(June 20, 2007)
The MPack kit has been detected on at least 10,000 websites worldwide.
MPack attempts to install keystroke logging malware on site visitors'
computers. MPack is sold by Russian hackers for US $1,000 and comes
with one year of technical support. The websites infected with MPack
are often legitimate ones. This most recent infestation is believed to
have come when attackers managed to infiltrate computers at a large
Italian website hosting company. The malware detects the browser being
used and hones its attack accordingly.
[Internet Storm Center:
http://isc.sans.org/diary.html?storyid=2991
http://isc.sans.org/diary.html?storyid=3015]
http://news.bbc.co.uk/2/hi/technology/6221306.stm
[Editor's Note (Skoudis): That last point (detecting the browser type
to hone the attack) is an interesting touch, and shows the increasing
sophistication of these commercialized attacks.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Ohio State Office Interns Took Backup Tapes Home Nightly
(June 20, 2007)
Further investigation into the stolen backup tape containing personally
identifiable information of tens if not hundreds of thousands of Ohioans
has revealed that interns had been bringing such tapes home on a regular
basis. According to established procedures, someone from the office
would bring home Ohio Administrative Knowledge System (OAKS) backup
tapes on a daily basis. (OAKS is Ohio's payroll and accounting system.)
That policy was in place because of the high cost of having the tapes
stored elsewhere. The data on the tape stolen from an intern's car on
June 10 were not encrypted. Ohio Governor Ted Strickland has directed
that the data be encrypted from now on. The backup tape storage policy
has been changed so that the tape is now sent to another state facility.
http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html
[Editor's Note (Schultz): A similar incident involving an organization
that had a policy of having employees bring backup tapes home with them
occurred just several years ago. It is well past time that organizations
start learning from the past security-related mistakes of others.]

 --London Stock Exchange Alert System Attacked
(June 20, 2007)
The London Stock Exchange was hit with a denial of service attack that
caused problems for a share price alert service. Flooded with hundreds
of thousands of false alerts, the LSE was unable to generate legitimate
alerts for its users for approximately 48 hours. A spokesperson for the
LSE says the problem has been fixed.
http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/06/20/cnlse120.xml
http://www.managementconsultancy.co.uk/computing/news/2192455/london-stock-exchange-hacking

MISCELLANEOUS
 --UK Watchdog Says Orange and Littlewoods Violated Data Protection Act
(June 21, 2007)
The UK Information Commissioner's Office says that the mobile phone
company Orange and the home shopping firm Littlewoods have both engaged
in information processing practices that violate the Data Protection
Act. At Orange, new employees were permitted to share user names and
passwords to access the IT system. Littlewoods continued to send
marketing emails to a customer who had expressly asked them to stop
sending her such messages. Both companies have signed formal
undertakings saying they will comply with the Act.
http://news.bbc.co.uk/2/hi/business/6227748.stm
http://www.out-law.com/page-8165
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025437&source=rss_topic17

 --Atlanta Hospital Audited for HIPAA Compliance
(June 19, 2007)
The recent revelation that the US Department of Health and Human
Services (HHS) targeted Atlanta's Piedmont Hospital with a Health
Insurance Portability and Accountability Act (HIPAA) compliance audit
has stirred concern among other hospitals around the country about
exactly what information HIPAA auditors will seek. "Neither Piedmont
nor HHS officials have publicly confirmed the audit or spoken about it."
Reports indicate Piedmont was provided a list of 42 items of interest
to HHS and given 10 days to supply the information requested.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=296723&source=rss_topic17

 --Court Says No To Voting Machine Source Code Review
(June 19, 2007)
A candidate in a disputed Florida US congressional seat election has
lost a bid to have the source code for the touch screen machines used
in that election examined. Christine Jennings, who lost the election
to Vern Buchanan, wanted the code checked to see if it could be the
cause of apparent voting irregularities. Jennings maintains
approximately 18,000 votes were not counted in the election; she lost
the election by fewer than 400 votes. Jennings may have further
recourse, however, as the alleged undervote is being investigated by
both a US House Committee on Administration appointed task force and the
Government Accountability Office (GAO). Recently enacted legislation
in Florida has banned the use of touchscreen voting systems in the
state.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025252&source=rss_topic17

*************************************************************************
Upcoming SANS Webcast Schedule

June 26, 2007 Securing the Castle: From Doors to Data
http://www.sans.org/info/9316
Sponsored by: ArcSight http://www.arcsight.com/

June 27, 2007 Log Management
http://www.sans.org/info/9326
Sponsored by: LogLogic http://www.loglogic.com/

June 28, 2007 The Importance of Web Application Security for PCI Compliance
http://www.sans.org/info/9336
Sponsored by: Watchfire http://www.watchfire.com/
*************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

==================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGfBUt+LUG5KFpTkYRAjJAAKCjM7baSuxrsz+PhqhCo5tKmU3R9QCeKltN
EgGJCjXYiWvE36Xl0rL9zNc=
=4m1B
-----END PGP SIGNATURE-----