From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 22 2008 - 12:41:57 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites July 22, 2008 Vol. 10, Num. 57
*************************************************************************
TOP OF THE NEWS
UK Police Data Retention Practices Dealt One-Two Punch
Judge Rules Dutch Univ. Researchers May Publish Report of Oyster RFID Chip Hack
Maryland Police Infiltrated Activist Organizations
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Connecticut Prosecutors Haven't Dropped Charges Against Amero
Former UnitedHealthcare Employee Charged in Data Theft Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
MoD Revises Lost Laptop Figures
Gordon Brown Aide's BlackBerry Stolen on China Trip
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RIM Issues Patch for BlackBerry PDF Vulnerability
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DDoS Attack on Georgian President's Website
Seattle Home Healthcare Co. Agrees to Pay US $100,000 to Settle HIPAA Violations
Server Stolen from Minneapolis VA Home Holds Residents' Data
MISCELLANEOUS
College Software Texts Found To Teach Insecure Coding
Not Guilty Plea in San Francisco Network Hijacking Case
******************** Sponsored By ArcSight, Inc. ************************
Complimentary Whitepaper: Critical Capabilities for Security Information
and Event Management Technology, 2008
A detailed Gartner research report that offers valuable analysis you can
use to evaluate Security Information and Event Management (SIEM)
solutions for your organization!
Gartner's Critical Capabilities for SIEM helps you evaluate solutions
through three use cases based on major SIEM capabilities. The areas
include ease and speed of deployment, support simplicity and user
acceptance.
http://www.sans.org/info/30918
*************************************************************************
TRAINING UPDATE
- Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29) http://www.sans.org/vabeach08/
- Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--UK Police Data Retention Practices Dealt One-Two Punch
(July 21 & 22, 2008)
The UK's Information Tribunal, formerly known as the Data Protection
Tribunal, has ruled that individuals with years-old trivial offenses may
have the information wiped from police computers; presently all
convictions remain in the database for 100 years. The Tribunal's
judgment refers to five specific cases in which the offenses were many
years in the past and have had needlessly negative effects on the
individuals' efforts to pursue their careers. The ruling opens the door
for anyone who has a conviction for a minor offense in his or her youth
and has since remained out of trouble to petition to have the
information stricken from the Police National Computer. In addition,
the Ethics Group, a government appointed advisory body, said that
keeping DNA samples from people arrested but never convicted or charged
with a crime is a potential violation of human rights.
http://www.timesonline.co.uk/tol/news/uk/crime/article4375311.ece
http://www.mailonsunday.co.uk/news/article-1037033/Police-stop-putting-DNA-samples-innocent-volunteers-database-says-Government-body.html
http://www.informationtribunal.gov.uk/
--Judge Rules Dutch Univ. Researchers May Publish Report of Oyster RFID Chip Hack
(July 18 & 21, 2008)
A Dutch judge has ruled that researchers at Radboud University in
Nijmegen, Holland may publish their research about the Mifare Classic
(Oyster) RFID chip. NXP, the company that manufactures the chips, had
filed a lawsuit seeking to prevent the researchers' findings from being
published. NXP said that publishing the information would be
"irresponsible." The researchers do not plan to include details about
how to clone cards that use the chip. The chip is used in Oyster cards,
a prepaid smart card system in the UK, as well as in Hong Kong's travel
card and the Dutch Rijkspas smartcard. In his ruling, the judge
indicated that freedom of speech trumps NXP's commercial interests:
"Damage to NXP is not the result of the publication of the article but
of the production and sale of a chip that appears to have shortcomings."
http://www.theregister.co.uk/2008/07/18/university_can_publish_oyster_research/print.html
http://news.bbc.co.uk/2/hi/technology/7516869.stm
[Editor's Note (Honan): Kudos to the Judge for determining that the
problem lies with manufacturers producing systems/devices with security
weaknesses and not with those who discover those weaknesses.
(Schultz): Fortunately, reason has so far prevailed in this case. As I
said earlier, attempting to suppress knowledge concerning how to crack
the Oyster card amounts to little more than a futile attempt at
"security by obscurity."]
--Maryland Police Infiltrated Activist Organizations
(July 18, 2008)
According to documents obtained through a Maryland Public Information
Act lawsuit, Maryland state police have been infiltrating peace and
anti-death penalty activist organizations and in some instances,
entering the names of some of the members into a law enforcement
database of suspected terrorists and drug traffickers, even though the
individuals' actions were lawful. Nowhere in the documents is there any
indication that the protesters engaged in criminal intent or activity.
State police officials maintain that individuals' civil rights were not
violated.
http://www.baltimoresun.com/news/local/bal-te.md.spy18jul18,0,3787307.story
************************** SPONSORED LINK *****************************
1) FREE WEBCAST: How Central Michigan University Gains Internal Network
Visibility Using StealthWatch - Register Now!
http://www.sans.org/info/30923
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Connecticut Prosecutors Haven't Dropped Charges Against Amero
(July 10 & 21, 2008)
Connecticut prosecutors have not dropped charges against substitute
teacher Julie Amero despite the fact that the judge in her case vacated
a guilty verdict more than a year ago. Amero was charged three years
ago with risk of injury to a minor after the PC in her classroom began
displaying pornographic pop-ups. Police accused Amero of surfing to
pornographic websites, but researchers later used forensics to
demonstrate that the pop-ups were caused by malicious code on the
computer, not by Amero's actions. The school had not properly updated
security software on the machine.
http://www.securityfocus.com/brief/778
http://www.theregister.co.uk/2008/07/10/smut_pop_up_teacher_update/
[Editor's Comment (Northcutt): This type of thing came up in June in
issue 48 of NewsBites. It certainly illustrates the need for strong
policy and procedures for seizure and examination of the suspect
computer. If we are going to fire people or charge people criminally,
we MUST get our ducks in a row. And what about prevention? You would
think schools would be turning to whitelist software to reduce the
possibility of anyone installing anything for any reason on their
systems:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=48#sID202 ]
--Former UnitedHealthcare Employee Charged in Data Theft Case
(July 15, 2008)
Mike Tyrone Thomas, Jr. has been charged with stealing customer data
while he was employed in the student resources department at
UnitedHealthcare. Thomas allegedly accessed the data in October 2007.
In February 2008, 163 University of California, Irvine graduate students
enrolled in the university's Graduate Student Health Insurance Program
discovered that their tax returns had already been filed; the data thief
was likely hoping to collect their refund checks. UnitedHealthcare has
notified all 1,100 students whose data were accessed.
http://www.csoonline.com/article/437668/UnitedHealthcare_Insider_Charged_in_Cal_Data_Theft?contentId=437668&slug=&source=nlt_csonewswatch
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--MoD Revises Lost Laptop Figures
(July 18 & 21, 2008)
The UK Ministry of Defence (MoD) now says that it has lost 658 laptop
computers and 121 USB drives since 2004. The 658 laptops were reported
stolen; an additional 89 were reported lost. Just 32 of the laptops
have been recovered. No distinction was made between the number of USB
drives lost or stolen; three of the drives reported missing this year
hold secret information and 19 hold restricted information. Earlier,
MoD said it had lost 347 laptops over the four-year period. The revised
numbers were issued after MoD discovered "anomalies in the reporting
process."
http://www.vnunet.com/vnunet/news/2222068/mod-admits-massive-losses-data
http://news.bbc.co.uk/2/hi/uk_news/7514281.stm
[Editor's Note (Veltsos): IT departments on tight budgets should
consider installing free laptop tracking software as a way to locate
missing equipment. Such software is by no means foolproof against a
tech-savvy thief, but the price is right. The laptop tracking software,
Adeona, was developed by the University of Washington and the University
of California San Diego. http://adeona.cs.washington.edu/]
--Gordon Brown Aide's BlackBerry Stolen on China Trip
(July 20, 2008)
An aide to UK Prime Minister Gordon Brown fell prey to a likely
"honeytrap" scheme in January when his BlackBerry phone was stolen after
he brought a woman he met at a disco in China back to his hotel room.
The aide was accompanying the PM on the trip; he reported the device
missing the next morning. Officials suspect the incident was
orchestrated by Chinese intelligence. It was not disclosed whether the
device held top-secret information, but even so, it could potentially
be used to gain access to the Downing Street server. Blackberrys used
by Downing Street staff are password-protected but most are not
encrypted. The aide has been informally reprimanded.
http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
[Editor's Note (Ullrich): A nice reminder to leave electronic devices
at home when traveling abroad. And if you are geek enough to take them,
being all of a sudden popular with women is a dead giveaway for an
intelligence operation.
(Northcutt): Classic! If you know anyone going to the Olympics, please
share this story with them and suggest they leave their laptops and
other electronics at home. This will be a field day for Chinese
intelligence gathering. They have been targeting people and are quite
ready:
http://www.sudantribune.com/spip.php?article22984
http://www.iht.com/articles/ap/2007/07/24/asia/AS-GEN-China-Olympic-Intelligence.php
(Paller): Or take "travel-tops" and "travel-phones" that are throw-aways
without sensitive data or access to sensitive systems.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--RIM Issues Patch for BlackBerry PDF Vulnerability
(July 21, 2008)
Research in Motion has released a patch for its BlackBerry Enterprise
server (BES) to address a vulnerability in the PDF distiller component
of the BlackBerry attachment service. The flaw could be exploited to
gain access to the server by sending users maliciously crafted PDF
files. RIM advises administrators working in a Windows enterprise
environment to update to BES version 4.1 Service Pack 6 (4.1.6) for
Microsoft Exchange Server.
http://www.gcn.com/online/vol1_no1/46687-1.html?topic=security&CMP=OTC-RSS
http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=KB15766
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--DDoS Attack on Georgian President's Website
(July 21, 2008)
The website of Georgian president Mikhail Saakashvili was the target of
a distributed denial-of-service (DDoS) attack over the weekend,
rendering it temporarily inaccessible. Initial analysis of the attack
indicates it may have come from Russian attackers. Tension between
Georgia and Russia has been escalating due to Georgia's bid for NATO
membership as well as the issue of independent republic status for the
Abkhazia region of Georgia, which is supported by Russia but not by
Georgia.
http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=209400218
http://www.theregister.co.uk/2008/07/21/georgia_presidential_site_ddos/print.html
http://www.zdnet.co.uk/misc/print/0,1000000169,39450414-39001093c,00.htm
--Seattle Home Healthcare Co. Agrees to Pay US $100,000 to Settle HIPAA Violations
(July 18, 2008)
Providence Health & Services of Seattle, a home health care services
company, has paid US $100,000 to resolve complaints about breaches of
information privacy and security rules. The company will also make
changes to its policies and procedures to guard against similar
incidents. Providence acknowledges that laptop computers, disks and
tapes that held patient health records were taken from employees' cars
five times in 2005 and 2006. The information on the devices is covered
by the Health Insurance Portability and Accountability Act (HIPAA).
Providence notified affected patients and the Department of Health and
Human Services (HHS). More than 30 patients filed complaints with HHS.
The US $100,000 payment is the outcome of a HHS investigation and
precludes the need to impose a civil penalty.
http://www.govhealthit.com/online/news/350464-1.html
http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf
[Editor's Note (Ullrich): Some healthcare providers are watching closely
to see whether the fines make it worthwhile for them to pay more
attention to HIPAA. I am not sure $100,000 is enough to do the trick.]
--Server Stolen from Minneapolis VA Home Holds Residents' Data
(July 18, 2008)
Among the items stolen from the Minneapolis Veterans Home is a backup
server that contains personally identifiable information of some of the
home's residents and their dependents. Affected individuals are being
notified of the theft by the Minnesota Department of Veterans Affairs,
which operates the home. Officials were not immediately aware of the
server's theft because it was not being used at the time; a newer server
had been installed and the missing server was used as a backup. The
thieves also took a laptop computer that did not contain personally
identifiable information, a Wii game system and other electronic gear.
http://www.startribune.com/local/25623519.html?location_refer=Homepage:latestNews:4
Follow-on: The server held telephone numbers, addresses, next-of-kin
information, dates of birth, Social Security numbers and some medical
information, including diagnoses for the home's 336 residents. The data
"can only be accessed by using a password."
http://www.startribune.com/local/25652209.html?location_refer=Error
MISCELLANEOUS
--College Software Texts Found To Teach Insecure Coding
(July 22, 2009)
Texts from O'Reilly, SAMS, Osborne, Wrox and Pearson Prentice Hall were
found to present insecure code to readers - thus contributing to weak
secure coding skills. Four individuals were recognized today for their
excellent descriptions of insecure code found in programming texts.
+Craig Wright of BDO Kendalls in Australia was the overall winner with
two first place entries and two honorable mentions. He found errors in:
- The Complete Reference: C 4th Ed. (Osborne) (particularly good for
showing how to find bugs using the Safari service)
- Programming Embedded Systems in C and C++ (O'Reilly)
- C Primer Plus, Third Edition (SAMS)
- C in a Nutshell (O'Reilly)
+Dr. James Walden of Northern Kentucky University won a first place
award for errors found in "Introduction to Java Programming, 7th
edition" (Pearson Prentice Hall)
+Brian Zaugg won an honorable mention for errors found in Beginning
Ruby: from Novice to Professional (Apress)
+Scott March of Interweb Technologies won an honorable mention for
errors found in Beginning ASP Databases (Wrox)
The actual errors will be posted next week at the SANS web site.
--Not Guilty Plea in San Francisco Network Hijacking Case
(July 21, 2008)
The network administrator accused of hijacking the city of San
Francisco's computer network has pleaded not guilty. The Department of
Telecommunication Information Services (DTIS) has not been able to gain
access to the network hardware since the incident occurred. The
administrator has worked for DTIS for several years.
http://www.heise-online.co.uk/security/San-Francisco-network-hijacker-pleads-not-guilty--/news/111135
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkiGGWgACgkQ+LUG5KFpTkbOmwCbB5xy7AqwzIHelBLxytHJ5UP4
lagAn3eM44hTsNfvv5Qju9tylEsuRjGp
=itpw
-----END PGP SIGNATURE-----