SANS NewsBites Vol. 10 Num. 59

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 29 2008 - 13:27:47 CDT



Secure Coding Update: The secure coding flaws found in popular books on
programming are now posted at
http://www.sans-ssi.org/resources/Winners_of_insecure_coding_contest_20080721.pdf
Also the new course on Secure Coding in Java was a huge hit at SANSFIRE
as well as in on-site presentations. This is the application security
course that we have all needed. Now it is here and it is wonderful. If
you have programmers and want to have us train them, or if you want to
develop in-house trainers to give the course yourself, please email
spa@sans.org today.
                                        Alan
 ************************************************************************
SANS NewsBites July 29, 2008 Vol. 10, Num. 59
*************************************************************************
TOP OF THE NEWS
  FCC to Vote on Comcast Issue
  Internet Giants Urged to Uphold Free Internet Use
  Evilgrade Exploits DNS Flaw
  Reports Suggest DNS Flaw is Being Actively Exploited
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    College Student in Jail for Alleged ID Theft
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    RealPlayer Update Fixes Four Flaws
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Six Arrested in Connection with South Korean Data Theft
    Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud
  STANDARDS & BEST PRACTICES
    NIST Releases Guidance for Securing XP Systems and Security Baseline Database
  MISCELLANEOUS
    SF Prosecutors Place VPN Usernames and Passwords on Public Record
    NIST and George Mason Univ. Develop Attack Graph Analysis

***************** Protecting the Critical Infrastructures **************
A free program at the European SCADA Security Summit (Amsterdam, Sept
8-9) will show all vendors of control systems how to comply with the new
global procurement standards for baking security into the systems they
sell. Their compliance will make it possible for electric utilities
(large and small) and other buyers of control systems to have much more
security than they do now. There is no more valuable initiative in
control systems security. Users of control systems will learn about the
standards, how attackers are breaking in, and what works to improve
their security, as part of the Summit. If you buy control systems, make
sure your vendors are complying with the new procurement standards -
even in the maintenance of your current systems. Information on the
Summit is at: http://www.sans.org/info/30854
Vendors who want to attend the free session should email
apaller@sans.org with the subject "SCADA Security Procurement Standards."
*************************************************************************
TRAINING UPDATE
- Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --FCC to Vote on Comcast Issue
(July 28, 2008)
The US Federal Communications Commission (FCC) will likely vote this
week on an order to enact enforcement against Comcast for deliberately
blocking or degrading Internet traffic to thwart filesharing. Comcast
says it only slowed traffic for network management during peak usage
times. If the FCC agrees that Comcast violated federal policy, Comcast
will be prohibited from slowing and blocking traffic and will have to
make its practices clear to its customers. Comcast maintains that the
FCC does not have the authority to impose penalties. The issue is on
the FCC's August 1 agenda.
http://www.informationweek.com/news/services/data/showArticle.jhtml?articleID=209602109
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/28/BUAB120T33.DTL
http://government.zdnet.com/?p=3907
[Editor's Note (Ullrich): This topic may have more impact on network
security than many think. A key question that has been heavily debated
in the past is whether and how ISPs like Comcast should manage traffic,
and whether ISPs should be allowed, or even required, to block some
malicious traffic.
(Schultz): This case promises to be drawn out and dramatic; Comcast
declares that the FCC has no authority in situations such as this one
and the FCC maintains that it very much does. Whatever ruling comes out
of it will be yet another that helps define the limits of power (or lack
thereof) for ISPs, especially big and powerful ones such as Comcast.]

 --Internet Giants Urged to Uphold Free Internet Use
(July 25, 2008)
Two US legislators are pushing the CEOs of Yahoo!, Google and Microsoft,
to adopt "a voluntary code of conduct" which says they will not help
foreign governments' attempts to stifle or persecute dissenting Internet
users. Senators Dick Durbin (D-Ill.) and Tom Coburn (R-Okla.) say that
if the companies do not adopt the policy, they could see legislation
that would require them not to cooperate with foreign governments that
aim to repress citizens' human rights. Yahoo! has been criticized in the
past for providing Chinese authorities with information that led to the
arrest of a dissident who was ultimately sentenced to 10 years in prison
for forwarding an email to a human rights group. Companies say they are
bound to abide by the laws of the countries in which they operate.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209601006
[Editor's Note (Northcutt): Planet Earth is very big and the USA's power
is shrinking due to fiscal irresponsibility and over confidence in our
military capability. We cannot legislate behavior for the rest of the
world; rather we should start to pay attention to our own very real
domestic problems.]

 --Evilgrade Exploits DNS Flaw
(July 28, 2008)
An exploit package called Evilgrade takes advantage of the automatic
update features in various programs and operating systems to install
malware on vulnerable computers. To work, Evilgrade requires a
man-in-the-middle attack to have been launched against the target; the
recently disclosed DNS vulnerability allows just that. Evilgrade can
infiltrate iTunes, Mac OS X, Winzip, Java, Winamp, OpenOffice and other
programs.
http://www.theregister.co.uk/2008/07/28/pwning_security_updates/print.html
http://www.securityfocus.com/brief/783
http://blogs.zdnet.com/security/?p=1576

 --Reports Suggest DNS Flaw is Being Actively Exploited
(July 25 & 28, 2008)
Companies are being urged to apply patches for the recently disclosed
DNS flaw as soon as possible amid "anecdotal evidence" that the
vulnerability is already being actively exploited. The flaw could be
exploited to redirect Internet users to a site of the attackers'
choosing, even if users type the correct URL into their browsers
themselves. Microsoft and Linux distributors have already released
patches for the vulnerability, but Apple has yet to make a fix
available. Major vendors, including Apple, were informed of the flaw
in March, so they have had some time to prepare a patch. Those
operating OS X servers should stop using them for domain name resolution
until a patch is available.
http://news.bbc.co.uk/2/hi/technology/7525206.stm
http://www.smh.com.au/news/security/hackers-get-hold-of-critical-internet-flaw/2008/07/25/1216492691922.html
http://www.heise-online.co.uk/security/DNS-hole-no-patch-yet-from-Apple--/news/111187
[Editor's Note (Ullrich): One reason that exploits are not even more
frequent is that Bind 9 appears to be immune to current exploits, even
if unpatched (thanks Hal for pointing this out to me). And again, Apple
is way behind the curve on critical patches to open source software
redistributed with their OS.]

*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --College Student in Jail for Alleged ID Theft
(July 25, 2008)
College student Christopher Fowler is in jail for allegedly stealing his
professor's identity to access the school's computer network and change
his grades. Investigators also allege that Fowler broke into the
Georgia Highlands College VoIP system to eavesdrop on phone
conversations. Charges against Fowler include unlawful surveillance or
eavesdropping and computer trespass; he could also be charged with
identity theft.
http://www.myfoxatlanta.com/myfox/pages/News/Detail?contentId=7069233&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
http://www.ajc.com/metro/content/metro/stories/2008/07/25/georiga_highlands_student_hacker.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --RealPlayer Update Fixes Four Flaws
(July 25, 2008)
RealNetworks has released a patch for RealPlayer to fix four
vulnerabilities. One is a heap-based buffer overflow in the way frames
are handled in Shockwave Flash (SWF) files. A second flaw is a remote
code execution vulnerability in the RealAudioObjects.RealAudio ActiveX
control. No details have been published about the other two flaws.
RealPlayer versions for Windows, Mac and Linux are all vulnerable to at
least one of the flaws; users are urged to patch as soon as possible.
http://www.theregister.co.uk/2008/07/25/realplayer_vulns_patched/print.html
http://service.real.com/realplayer/security/07252008_player/en/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Six Arrested in Connection with South Korean Data Theft
(July 28, 2008)
South Korean police say a Chinese hacker stole South Korean credit data
and sold them to an individual who used them to broker "non-institutional"
loans for individuals who appeared to need cash. The victims were
telephoned and offered the alternative loans. The data were purchased
for W15 million (US $14,841); the go-between who purchased the
information is believed to have made W2.7 billion (US $2.67 million) in
illegal profits. Six other suspects have been arrested; an arrest
warrant has been requested for the go-between and another person, both
of whom have fled the country. The stolen data were obtained from banks,
loan companies, online retailers and universities.
http://english.chosun.com/w21data/html/news/200807/200807280013.html

 --Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud
(July 24, 2008)
The personal information of more than 500 patients at medical clinics
in Fort Bend County, Texas was stolen and used to commit fraud.
Thirty-eight people have been indicted in connection with the identity
theft ring. Two people are suspected of having stolen patient data
while employed at the clinics, one is accused of using the information
to obtain payday loans totaling more than US $230,000 and the rest are
suspected of being involved in efforts to launder the stolen funds.
http://www.fortbendnow.com/pages/full_story?page_label=home&id=119590&article-Local-Medical-Clinic-Patients-Among-500-Victimized-In-Major-Identity-Theft-Ring%20=&widget=push&instance=home_news_bullets&open=&
http://www.chron.com/disp/story.mpl/front/5906582.html

STANDARDS & BEST PRACTICES
 --NIST Releases Guidance for Securing XP Systems and Security Baseline Database
(July 28, 2008)
The National Institute of Standards and Technology (NIST) has released
a draft document, Special Publication 800-68, "Guidance for Securing
Microsoft Windows XP Systems for IT Professionals." The document
provides detailed guidance for securing Windows XP Professional systems
with Service Pack 2 or 3. Along with the draft document, NIST is
releasing a beta version database of baseline security settings for
Windows XP, Vista, Internet Explorer 7 and Windows Firewall as specified
in the Federal Desktop Core Configuration (FDCC). NIST is accepting
public comments on both SP 800-68 and the accompanying database. NIST
has also released a revised version of SP 800-48, "Guide to Securing
Legacy IEEE 802.11 Wireless networks," and SP 800-123, "Guide to General
Server Security."
http://www.gcn.com/online/vol1_no1/46739-1.html?topic=security&CMP=OTC-RSS
http://csrc.nist.gov/itsec/download_WinXP.html
http://csrc.nist.gov/itsec/Draft-SP800-68r1.pdf
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf
http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

MISCELLANEOUS
 --SF Prosecutors Place VPN Usernames and Passwords on Public Record
(July 25 & 28, 2008)
San Francisco prosecutors in the case against system administrator Terry
Childs have put 150 usernames and access passwords on the public record.
The usernames and passwords are used by city officials to access San
Francisco's virtual private network (VPN) and were recovered from
Childs' computer. The passwords themselves will not get people into the
VPN; a second password is required to gain network access. Childs is
accused of hijacking the city's computer network by changing the
passwords and refusing to give them to administrators. Childs eventually
handed the passwords over to San Francisco Mayor Gavin Newsom. A
spokesperson for the DA's office says that "court files have been
amended."
http://www.theregister.co.uk/2008/07/28/sf_rogue_sysadmin_password_mess/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758&source=rss_topic17
[Editor's Note (Veltsos): San Francisco's latest mishap illustrates how,
in the rush to deal with one security issue, we may end up creating new
problems. On the bright side, the city learned that some of the
passwords are identical to the login names.]

 --NIST and George Mason Univ. Develop Attack Graph Analysis
(July 23 & 25, 2008)
NIST and George Mason University have jointly developed Attack Graph
Analysis, a technology that they hope IT managers can use to identify
weaknesses in their systems. Attack Graph Analysis assigns a risk
probability to each possible path an attacker could pursue while
attempting to gain access to a system; the vulnerabilities are assessed
with NIST's National Vulnerability Database.
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=209601075&printable=true&printable=true
http://www.sciencedaily.com/releases/2008/07/080723144710.htm
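To make the idea concrete, here is an added example (not NIST's or George Mason's code, and not the newsletter's) of the core attack-graph calculation: each edge is a privilege transition enabled by a vulnerability, each edge carries an exploit probability derived from a severity score, and the tool ranks attack paths and shows which patch lowers the most likely path the most. The graph, the CVE-style labels and the score-to-probability mapping (score / 10) are all constructed assumptions for illustration.

```python
# Constructed example attack graph (hypothetical hosts and vulnerability ids).
# Each edge: (from_state, to_state, vulnerability, severity_score 0-10).
# Assumption: exploit success probability = severity_score / 10.
EDGES = [
    ("internet", "web-server:user", "CVE-HYPOTHETICAL-1", 7.5),
    ("internet", "vpn-gw:user", "CVE-HYPOTHETICAL-2", 4.3),
    ("web-server:user", "web-server:root", "CVE-HYPOTHETICAL-3", 7.2),
    ("web-server:root", "db-server:root", "CVE-HYPOTHETICAL-4", 9.0),
    ("vpn-gw:user", "db-server:root", "CVE-HYPOTHETICAL-5", 6.8),
]


def build_graph(edges):
    """Adjacency list: state -> [(next_state, vulnerability, probability)]."""
    graph = {}
    for src, dst, vuln, score in edges:
        graph.setdefault(src, []).append((dst, vuln, score / 10.0))
    return graph


def enumerate_paths(graph, start, goal):
    """Yield (edge_list, probability) for every simple path start -> goal.
    Path probability is the product of its edge probabilities, i.e. the
    attacker must succeed at every step (steps assumed independent)."""
    def walk(node, visited, trail, prob):
        if node == goal:
            yield (list(trail), prob)
            return
        for dst, vuln, p in graph.get(node, []):
            if dst in visited:          # no cycles: each state visited once
                continue
            trail.append((node, dst, vuln))
            yield from walk(dst, visited | {dst}, trail, prob * p)
            trail.pop()
    yield from walk(start, {start}, [], 1.0)


def rank_paths(edges, start, goal):
    """All attack paths from start to goal, most likely first."""
    paths = list(enumerate_paths(build_graph(edges), start, goal))
    return sorted(paths, key=lambda item: item[1], reverse=True)


def most_likely_probability(edges, start, goal):
    ranked = rank_paths(edges, start, goal)
    return ranked[0][1] if ranked else 0.0


def patch_priority(edges, start, goal):
    """For each vulnerability, the most-likely-path probability that remains
    once that vulnerability is patched (its edge removed). Lower residual
    probability means patching it buys more; sorted best-first."""
    residual = []
    for vuln in sorted({e[2] for e in edges}):
        remaining = [e for e in edges if e[2] != vuln]
        residual.append((vuln, most_likely_probability(remaining, start, goal)))
    return sorted(residual, key=lambda item: item[1])
```

With the constructed graph, the web-server chain (0.75 * 0.72 * 0.9 = 0.486) outranks the VPN route (0.43 * 0.68 = 0.2924), so patching any of the three vulnerabilities on that chain halves the top path's probability, while patching the VPN ones changes nothing.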

*************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
