From: The SANS Institute (NewsBites sans.org)
Date: Fri Oct 05 2007 - 14:09:31 CDT
Some good news finally on the application security front. If we are
ever going to turn the tide against the attackers, we have to find a way
to deploy more secure code. Only programmers who know how to write
secure code can make that happen. The good news is that 23 programmers
(out of 42 pioneers who took the first exam) passed the GSSP exams in
Secure Coding in Java and Secure Coding in C. Cisco is in the lead
among software and hardware companies with three people passing the
first exams. Other companies with new GSSP certified programmers include
Kaiser Permanente, Siemens, Telus and more. The names and organizations
of people who passed are listed in the last story of this issue.
Momentum on the GSSP has begun. One large US company has told all its
6,500 programmers and outsourced coders that they have until next summer
to pass the secure coding exam or they will not be allowed to touch the
code. And one of the three largest software companies in the world just
sent letters to the ten colleges that supply the most programmers
telling them that job candidates should consider demonstrating secure
coding skills through the GSSP.
Alan
P.S. For a schedule of times and places where programmers can take the
exam: http://www.sans.org/gssp/
*************************************************************************
SANS NewsBites October 5, 2007 Vol. 9, Num. 79
*************************************************************************
TOP OF THE NEWS
RIAA Wins US $222,000 in Damages in Copyright Case
UK Authorities Can Demand Decryption Keys
Dutch Judge Declares Use of eVoting Machine Illegal
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Microsoft Wins Software Piracy Case in UK
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GSA Apologizes for California Domain Suspension
DHS Mailing List Problem Causes "Mini-DDoS"
Five Security Related NIST Publications
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
October's Patch Tuesday to Comprise Seven Bulletins
Apple Patches QuickTime Flaw
Vulnerability in Eircom Customers' Wireless Routers
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Some CISRT Site Visitors Attacked by Malware
MISCELLANEOUS
Twenty-three Programmers Become First GSSP Certified Secure Programmers
LIST OF UPCOMING FREE SANS WEBCASTS
**************************** Sponsored By SANS **************************
The Community of Interest in Network Security (COINS) announces two
events in the Central Florida area:
10/10/07: NETWORK SECURITY & EXPLORING HACKER TECHNIQUES, Orlando,
sponsored by CFITS.org.
http://www.sans.org/info/17341
10/22/07 - 10/27/07: Community SANS Gainesville Security 504:
Hacker Techniques, Exploits and Incident Handling
http://www.sans.org/info/15161
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials, Forensics,
Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- Washington DC (12/13-12/18): http://www.sans.org/cdi07
- New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- London (11/26 - 12/1): http://www.sans.org/london07/
- Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
- Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
*************************************************************************
TOP OF THE NEWS
--RIAA Wins US $222,000 in Damages in Copyright Case
(October 4, 2007)
In the first music piracy case to go to trial, a Minnesota jury has
found Jammie Thomas liable for copyright infringement and said she must
pay US $222,000 - US $9,250 for each of 24 songs listed in the lawsuit.
Thomas was found liable even though the plaintiff, the Recording
Industry Association of America (RIAA), did not have to prove a
file-sharing program was installed on her computer when they examined
her hard drive, nor did they have to prove that it was actually Thomas
at the keyboard. The evidence included the defendant's Internet protocol
(IP) address and cable modem identifier associated with sharing 1,700
files.
http://blog.wired.com/27bstroke6/2007/10/riaa-jury-finds.html
http://blogs.pcworld.com/staffblog/archives/005610.html
http://www.usatoday.com/money/media/2007-10-04-downloading-music-trial_N.htm
http://www.news.com/8301-10784_3-9791383-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.nytimes.com/aponline/technology/AP-Downloading-Music.html?ex=1349236800&en=e20df6612f19e706&ei=5088&partner=rssnyt&emc=rss
[Editor's Note (Boeckman): It would be trivial to demonstrate to a jury
how simple it would be to compromise a computer and distribute music
from a remote location without the user ever knowing what happened.
This is an absolutely awful precedent that makes no sense at all.]
--UK Authorities Can Demand Decryption Keys
(October 1 & 3, 2007)
Law enforcement authorities in the UK now have the power to compel
people to reveal decryption keys. If the request is refused, people
could face up to five years in jail. The change comes as Part III of
the Regulation of Investigatory Powers Act (RIPA) was activated as of
October 1. Critics of the measure say that it is not only a violation
of civil liberties - it could be used to force people to incriminate
themselves and expose personal information unrelated to the
investigation - but decryption keys can easily be forgotten.
Additionally, people could pretend to have forgotten the key or have
difficulty convincing a court that they have actually forgotten it.
People have the option of surrendering their key or making it possible
for authorities to view the decrypted material. Under the law, people
who receive a notice requesting their decryption keys "can be prevented
from telling anyone apart from their lawyer" about it. The reason Part
III was not activated when RIPA was passed in 2000 is that encryption
was not widely used at that time.
http://www.theregister.co.uk/2007/10/03/ripa-decryption_keys_power/print.html
http://www.zdnet.co.uk/misc/print/0,1000000169,39289786-39001093c,00.htm
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511_pf.html
[Editor's Note (Shpantzer): Quick survey: How many of us have every PGP
email key they've ever generated, available to them still? How about
the passphrase?]
--Dutch Judge Declares Use of eVoting Machine Illegal
(September 27 & October 1 & 3, 2007)
A judge in Holland has declared use of electronic voting machines
illegal. According to the ruling, machines used in Dutch elections in
November and March did not have adequate authorization and some were not
certified. The most concerning factor for the Dutch government, which
last week decided to stop using e-voting machines, appeared to be the
absence of a verifiable paper audit trail. Thousands of e-voting
machines are sitting idle in various storage areas; the Dutch government
spent 60 million Euros (US $84.8 million) to purchase the machines, and
storage is costing 700,000 Euros (US $989,000) annually.
http://www.independent.ie/national-news/evoting-plans-hit-by-decision-in-dutch-court-1114882.html
http://www.theregister.co.uk/2007/10/01/dutch_pull_plug_on_evoting/print.html
http://www.engadget.com/2007/09/27/dutch-government-abandons-e-voting-for-red-pencil/
[Editor's Note (Schultz): No one likes to see the kind of money that the
Dutch government has invested in voting machines go wasted. On the other
hand, it is better to waste money than to run a high risk of having
invalid vote counts in elections due to exploitation of vulnerabilities
in voting machines.]
************************* Sponsored Links: ***************************
1) Find out what Seagate knows about secure storage. It could improve
your company's security.
http://www.sans.org/info/17346
2) Learn to select and implement the right tools at the Data Leakage and
Insider Threat Summit December 3-4.
http://www.sans.org/info/17351
3) Disaster Recovery special evening event during SANS Security 2008 in
New Orleans 11-19 January 2008: lessons learned from those who have
lived through it. They'll share the mistakes they made, too. It's in
the evening so you can attend a course and this program, as well.
https://www.sans.org/security08/
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Microsoft Wins Software Piracy Case in UK
(October 2, 2007)
R J Campbell Ltd. must pay Microsoft GBP 35,000 (US $71,392) for selling
counterfeit Microsoft software on the Internet. The High Court
suggested that the company is likely to be required to make additional
payments. The company was also ordered to take out an advertisement to
publicize the decision.
http://www.vnunet.com/vnunet/news/2200184/microsoft-outs-pirate
http://www.channelregister.co.uk/2007/10/02/microsoft_uk_nabs_grey_market_software_vendor/print.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--GSA Apologizes for California Domain Suspension
(October 4, 2007)
The US General Services Administration (GSA) has apologized for
suspending California's state domain, causing thousands of government
web sites to be inaccessible and making email unusable for state
employees. The decision to suspend the ca.gov domain came after a
redirection attack on the Marin County transportation authority's web
site. The GSA was concerned that the problem, which involved
redirecting users to pornographic web sites, could spread. Governor
Arnold Schwarzenegger called the suspension an overreaction. The
problem was addressed within hours.
http://www.mercurynews.com/news/ci_7083751
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040858&source=rss_topic17
--DHS Mailing List Problem Causes "Mini-DDoS"
(October 3 & 4, 2007)
A snafu originating with a Department of Homeland Security (DHS) mailing
list resulted in a deluge of messages being sent to all of the list's
subscribers. The problem started when one subscriber responded to the
list address. The message was somehow sent to everyone, as were
messages sent in response. In all, more than 2.2 million extraneous
messages flooded subscribers' inboxes.
http://www.eweek.com/article2/0,1759,2192161,00.asp?kc=EWRSS03119TX1K0000594
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202201282
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040878&source=rss_topic17
http://isc.sans.org/diary.html?storyid=3450
--Five Security Related NIST Publications
The National Institute of Standards and Technology (NIST) has released
five new and revised publications related to information security. SP
800-44 version 2, "Guidelines on Securing Public Web Servers;" Draft SP
800-55 Revision 1, "Performance Measurement Guide for Information
Security;" Draft SP 800-61 Revision 1, "Computer Security Incident
Handling Guide;" SP 800-82, "Guide to Industrial Control Systems
Security;" and Draft SP 800-110, "Information System Security Reference
Model."
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
http://csrc.nist.gov/publications/drafts/800-55-rev1/Draft-SP800-55r1.pdf
http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--October's Patch Tuesday to Comprise Seven Bulletins
(October 4, 2007)
According to Microsoft's Advance Notification website, the company will
issue seven security bulletins on Tuesday, October 9. Four have been
given maximum severity ratings of critical; the other three have been
given maximum severity ratings of important. Software affected by the
updates includes Windows 2000, XP and Vista, Internet Explorer, Outlook
Express, Windows Mail, Microsoft Office and Microsoft Office 2004 for
Mac.
http://www.news.com/8301-10784_3-9791304-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx
--Apple Patches QuickTime Flaw
(October 4, 2007)
Apple has released an update for QuickTime for Windows to address a
"command injection" flaw that could be exploited to break into Firefox.
The vulnerability was disclosed a year ago along with another QuickTime
flaw, but only one of the pair was fixed. The vulnerability affects
QuickTime on Windows XP and Vista, but not on Mac OS X.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202201130
--Vulnerability in Eircom Customers' Wireless Routers
(October 2, 2007)
Certain broadband wireless routers used by as many as 250,000 Eircom
customers are vulnerable to piggybacking, meaning others can use those
customers' wireless connections without their knowledge. Under certain
conditions, the piggybackers could also gain access to the customers'
files or shared network data. The problem lies in the fact that eight
digits of the 16-digit Wired Equivalent Privacy (WEP) network access key
are derived from the routers' serial numbers, which are visible to
people with wireless-enabled computers close by. Eircom is informing
customers about how to change their default WEP keys.
http://www.theregister.co.uk/2007/10/02/eircom_wireless_security_flaw/print.html
http://home.eircom.net/content/irelandcom/topstories/11215681?view=Eircomnet&cat=Top%20Stories
http://www.siliconrepublic.com/news/news.nv?storyid=single9323
http://www.ireland.com/newspaper/breaking/2007/1002/breaking72.htm
[Editor's Note (Liston): As if WEP was buying them that much protection
to begin with... WEP is a seriously and deeply flawed protocol and as
a practical matter WEP keys can be easily cracked within minutes.
Eircom's mistake only makes it that much easier.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Some CISRT Site Visitors Attacked by Malware
(October 2 & 4, 2007)
The Chinese Internet Security Response Team (CISRT) has apologized for
a situation on its websites that causes some visitors to be subjected
to an attack that exploits buffer overflow flaws in BaoFeng Storm, a
browser-based media player. Apparently, random site visitors will find
their browsers redirected to sites hosting malware. CISRT believes its
website is the victim of ARP spoofing.
http://www.theregister.co.uk/2007/10/02/chinese_internet_security_response_team_attacked/
http://www.zdnet.com.au/news/security/soa/Chinese-security-team-becomes-malware-victim/0,130061744,339282584,00.htm
[Editor's Note (Liston): If the available information on this attack is
true, it is interesting in that the attack against CISRT appears to be
targeted at the intermediate connection between the visitors and the
CISRT site. If this was indeed an ARP-based attack, the bad-guys have
upped their game, and tracking this down will be very, very difficult.]
MISCELLANEOUS
--Twenty-three Programmers Become First GSSP Certified Secure Programmers
(5 October 2007)
The vanguard of the new wave of programmers with security expertise was
named today by the SANS Institute.
GIAC Certified Secure Programmers in JAVA
Vinay Bansal, Cisco Systems; Jim Horner, Arinbe Technologies, Inc.;
Frank Kim, Kaiser Permanente; Pramod Nair, Unisys; Ricardo Patino, Telus
Security Solutions; Darian Anthony Patrick, Criticode LLC; Craig D.
Williams, Cisco Systems; Richard Wolf, Cisco Systems
GIAC Certified Secure Programmers in C
David Ireland, DI Management Pty Ltd; Aryeh Katz, Arinc; Alex Muratov,
TELUS Security Solutions; Jonathan D. Pittman, The Mississippi State
University Center for Computer Security Research (CCSR); Alan Saqui, CGI
Federal; Jonathan Sharp, Siemens Corporate Research, Inc.; Bill Hannold
The other eight GSSPs have not yet given permission for their names to
be disclosed. More than 70 enterprise partners have committed to using
the GSSP for employee skills development and for ensuring outsourcers
and suppliers have the necessary skills to create secure code.
University partners will be teaching secure coding as part of their core
curriculum.
http://www.sans-ssi.org/ssi_press2.pdf
http://www.sans.org/gssp/
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Mike Poor
http://www.sans.org/info/16856
Sponsored By: Core Security
This lively session will discuss recent and anticipated computer and
network attack vectors, showing the most powerful tools in the bad guys'
arsenal today and predicting where they are headed in the future.
Specific topics to be discussed include client-side exploitation and the
rise of privilege escalation attacks against Windows Vista and other
operating systems.
Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
http://www.sans.org/info/16861
Sponsored By: Securent
In this webcast, learn how access control technologies have evolved over
the years, the types of access management solutions organizations are
evaluating today, and the challenges they face in design and
implementation.
SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
http://www.sans.org/info/16851
Sponsored By: Watchfire
With the advent of Web 2.0 interactive applications and demand for
financial, shopping and other applications for hand held devices, never
has secure lifecycle of Web applications been more critical. Leveraging
the same agile application methodologies in use today, Gary W. Longsine
and Jonathan Ham unveil a flexible framework called Scalable and Agile
Lifecycle Security for Applications - or SALSA for short.
Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant,
Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
http://www.sans.org/info/16866
Sponsored By: netForensics
Join this webcast to learn:
- What to consider when evaluating log management solutions
- How to use log management to address compliance audits
- How to get better security intelligence from existing data
- Tips for streamlining log management operations
Tool Talk Webcast: Guidelines for Implementing Role-Based Security
Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
http://www.sans.org/info/16876
Sponsored By: FoxT
In this webinar, you will discover how FoxT's IT Controls solution
suite is helping organizations, including five of the top ten banks,
resolve access control challenges and achieve unprecedented speed in
adopting role-based security policies across multi-vendor Unix/Linux
infrastructures.
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/