From: The SANS Institute (NewsBites@sans.org)
Date: Fri Aug 22 2008 - 12:00:12 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites August 22, 2008 Vol. 10, Num. 66
*************************************************************************
TOP OF THE NEWS
Judge Lets MIT Gag Order Expire
UK Government Depts. Lost 29 Million Records in One Year
FCC Orders Comcast to End Discriminatory Traffic Throttling
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
Jury Indicts One in Alleged Botnet Scheme
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FEMA PBX System Breached
POLICY AND LEGISLATION
Irish Insurance Sector Gets Data Protection Code
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Gaming Industry to Go After Illegal Filesharers
UPDATES AND PATCHES
Apache Fixes Directory Traversal Flaw in Tomcat
Opera Patches Seven Flaws in Browser
DATA THEFT AND LOSS
Data Thieves Hit Galway Retailer
ATTACKS
DNS Flaw Exploited at Chinese ISP
MISCELLANEOUS
IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode
*************** SPONSORED BY SANS NETWORK SECURITY 2008 ****************
[Final registration date to avoid late payment penalty is September 3.]
The biggest security training program of the Fall is in Las Vegas
September 28 - October 6. Fifty courses including Eric Cole's very new
"Advanced Security Essentials." And there are still places available
in both of the world-class penetration testing courses. Plus the Hacker
Techniques course, forensics and even training for CISSP exams. A huge
expo and lots of chances for networking with peers in birds of a feather
and other evening sessions. If you can attend only one conference this
fall, SANS Network Security should be your choice:
http://www.sans.org/ns2008/
*************************************************************************
TRAINING UPDATE
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Judge Lets MIT Gag Order Expire
(August 19, 2008)
US District Judge George A. O'Toole did not renew a gag order imposed
on three Massachusetts Institute of Technology (MIT) students that
prevented them from talking about vulnerabilities they found in the
Massachusetts Bay Transportation Authority's (MBTA) electronic payment
system. The judge did not agree with the MBTA's assertion that by
disclosing the flaws the students would be violating the Computer Fraud
and Abuse Act (CFAA). The students were represented by the Electronic
Frontier Foundation (EFF), which argued that preventing the students
from presenting their work at a conference was a violation of their
right to free speech. The judge did not address that issue, choosing
instead to "focus on the language in the CFAA." The students were
prevented from giving a talk about their findings at DefCon earlier this
month by the now-expired temporary restraining order.
http://www.theregister.co.uk/2008/08/19/gag_order_lifted/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112968&source=rss_topic17
http://www.securityfocus.com/brief/802
http://news.cnet.com/8301-1009_3-10020252-83.html?hhTest=1&part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Schultz): "Free speech" has increasingly become a bad
defense argument against charges of releasing vulnerability and other
information that could result in the ability to readily compromise systems.
One would think that the defense in cases such as the one described in
this news item would catch on and try something else. ]
--UK Government Depts. Lost 29 Million Records in One Year
(August 20 & 21, 2008)
In the last 12 months, UK government departments have lost 29 million
records containing personal data. The government asked for departments
to include data loss on their financial statements after the loss of two
disks containing personally identifiable information of 25 million child
benefit claimants last year. The remaining four million lost records
include those of three million driving test candidates reported by the
Department of Transport and 620,000 on an unencrypted Ministry of
Defence laptop. In a related story, the Home Office learned earlier
this week that an outside contractor lost a memory stick containing
personal information about thousands of criminals in England and Wales.
The Information Commissioner has been notified.
http://www.theregister.co.uk/2008/08/20/uk_gov_lost_records/print.html
http://news.bbc.co.uk/2/hi/uk_news/7575766.stm
http://afp.google.com/article/ALeqM5jBZonxIDfrQrxX3fLqwpLfPlimoQ
--FCC Orders Comcast to End Discriminatory Traffic Throttling
(August 20 & 21, 2008)
The US Federal Communications Commission (FCC) has issued a Memorandum
Opinion and Order regarding the Comcast traffic throttling issue. The
document states that "Comcast has deployed equipment across its network
that monitors its customers' TCP connections using deep packet
inspection ... [and] determines how it will route some connections based
not on their destinations but on their contents." The document goes on
to call the "practice ... invasive and outright discriminatory." The
FCC will "monitor Comcast's compliance with its pledge" to curtail the
use of discriminatory traffic management by requiring Comcast to inform
the FCC of the specifics of its current mode of network traffic
management "including what equipment has been utilized, when it began
to be employed, when and under what circumstances it has been used, how
it has been configured, what protocols have been affected, and where it
has been deployed." Comcast must also submit a written plan concerning
how it will make the transition from its present system to the new
system, and make clear to the FCC and to the public "the network
management practices that it intends to deploy ..., including the
thresholds that will trigger any limits on customers' access to
bandwidth."
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/20/AR2008082003321_pf.html
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.doc
************************** SPONSORED LINKS: *****************************
1) Are you a penetration tester who wants to learn about the latest
testing procedures and tools to improve your skills? Come to the
Penetration Testing and Ethical Hacking Summit to hear experts discuss
policy, process and technical aspects of testing. September 17 - London.
http://www.sans.org/info/32038
2) Register for Control Systems Cyber Security Trainings. SANS Process
Control and SCADA Summit September 8-9 - Amsterdam, NL.
http://www.sans.org/info/32043
3) Join your peers and other professionals at the Forensics & Incident
Response Summit October 13-14.
http://www.sans.org/info/32048
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
--Jury Indicts One in Alleged Botnet Scheme
(August 21, 2008)
A Brazilian man has been indicted by a federal grand jury in New
Orleans, Louisiana for his alleged involvement with a botnet scheme.
Leni de Abreu Neto was charged with one count of conspiracy to cause
damage to computers worldwide by allegedly working with another man,
Nordin Nasiri of the Netherlands, to "use, maintain, lease and sell an
illegal botnet." Neto allegedly had an agreement with Nasiri to broker
the sale of a botnet that Nasiri had created. Neto was arrested late
last month in the Netherlands and is awaiting extradition to the US. If
convicted, Neto faces a maximum sentence of five years in prison
followed by three years of supervised release; he also faces a fine of
at least US $250,000. Nasiri was also arrested in the Netherlands and
will be prosecuted in that country.
http://news.cnet.com/8301-1009_3-10022990-83.html?tag=nefd.riv
http://www.marketwatch.com/news/story/brazilian-man-charged-conspiracy-infect/story.aspx?guid={2AA0AE27-F44C-412B-AC32-7EDB007D322D}&dist=hppr
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--FEMA PBX System Breached
(August 20, 2008)
A recently installed voicemail system at the US Federal Emergency
Management Agency (FEMA) was breached last weekend and used to make US
$12,000 worth of phone calls to numbers in the Middle East and Asia. The
system is a Private Branch Exchange (PBX); attacks on this type of
system have been around for years, and trained administrators know how
to put security measures in place. FEMA is part of the US Department
of Homeland Security (DHS), which issued a warning about this type of
attack five years ago. The incident is under investigation.
http://www.msnbc.msn.com/id/26319201/
[Editor's Note (Skoudis): This just feels so old-school. However, it
nicely illustrates that we can't focus on defending against only the
late-breaking and cool attacks. We have to maintain diligence on the
old stuff too.]
POLICY AND LEGISLATION
--Irish Insurance Sector Gets Data Protection Code
(August 20, 2008)
In light of the revelation that insurance companies in Ireland have been
using private investigators to obtain personal data held by the Gardai
and the Department of Social and Family Affairs, the Irish Data
Protection Commissioner's office has issued a Code of Practice on Data
Protection for the Insurance Sector. In a note announcing the
publication of the code, the Data Protection Commissioner's Office says
that "The Data Protection Acts provide for the preparation of
sector-specific codes of practice to allow for a better understanding
of the requirements of the Acts. ...In some instances the basic
statutory data protection requirements as they are applied within
particular sectors can benefit from more detail."
http://www.breakingnews.ie/ireland/mhqleymhmhid/
http://www.dataprotection.ie/viewdoc.asp?DocID=841&m=f
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Gaming Industry to Go After Illegal Filesharers
(August 20, 2008)
The computer game industry plans to send letters to people in the UK who
are suspected of illegally sharing games over the Internet, asking them
to pay GBP 300 (US $563) to preclude further legal action. This week,
a judge ruled that Isabella Barwinska must pay GBP 16,000 (US $30,053)
to Topware Interactive for putting a copy of the company's Dream Pinball
game on a filesharing site. A law firm representing five computer game
makers "is applying to the High Court for an order requiring Internet
Service providers to hand over the names and addresses of 25,000
individuals suspected of illegally downloading computer games."
http://www.guardian.co.uk/technology/2008/aug/20/piracy.games
http://technology.timesonline.co.uk/tol/news/tech_and_web/gadgets_and_gaming/article4569180.ece
http://www.theregister.co.uk/2008/08/20/davenport_lyons_25000/print.html
http://www.siliconrepublic.com/news/article/11247/new-media/pinball-pirates-walk-the-plank
UPDATES AND PATCHES
--Apache Fixes Directory Traversal Flaw in Tomcat
(August 20, 2008)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning
about a directory traversal vulnerability in Apache Tomcat. The flaw
could be exploited to gain remote access to files on vulnerable servers.
Apache has issued updates to fix the problem in several versions of the
Java web server. Users running Tomcat 4.1.0 through 4.1.37 should
upgrade to 4.1.38; users running Tomcat 5.5.0 through 5.5.26 should
upgrade to 5.5.27; users running Tomcat 6.0.0 through 6.0.16 should
upgrade to 6.0.18. The US-CERT warning says that exploit code for the
vulnerability has been found on the Internet.
http://www.heise-online.co.uk/security/US-CERT-warns-of-Tomcat-vulnerability--/news/111358
http://www.kb.cert.org/vuls/id/343355
[Editor's Note (Skoudis): UTF-8 encoding bites more victims, leading to
yet another directory traversal flaw. We see this kind of thing all the
time in our product analysis and research.]
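The item above names the defect class (a directory traversal flaw tied to UTF-8 handling) but not what a safe request-path check looks like. What follows is an added illustration, not code from the newsletter, from Apache Tomcat, or from the US-CERT advisory: a Python function that percent-decodes a request path exactly once, decodes the bytes as strict UTF-8 so malformed or overlong sequences are refused rather than leniently mapped to characters, then normalises the joined path and confirms it still lies under the document root. The document root /var/www/app and the sample request paths are constructed for the example.

```python
import posixpath
from typing import Dict, Iterable, Optional
from urllib.parse import unquote_to_bytes

# Assumed document root for the example (constructed, not a real deployment).
DOCROOT = "/var/www/app"


def resolve_request_path(docroot: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto the filesystem, or return None if the
    request must be refused.  Three checks matter for this traversal class:
      1. percent-decode exactly once, to raw bytes (never a second pass);
      2. decode those bytes as *strict* UTF-8, so overlong or otherwise
         malformed sequences raise instead of being tolerated;
      3. normalise the joined path and confirm it is still under docroot.
    """
    raw = unquote_to_bytes(request_path)
    try:
        decoded = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None  # malformed UTF-8 is never a legitimate file name here
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL truncation and backslash separators are refused

    root = posixpath.normpath(docroot)
    prefix = root if root.endswith("/") else root + "/"
    # Join first, normalise second: any "..", encoded or not, is resolved
    # against the real root, and a path that climbs out of it fails the
    # prefix test below instead of being silently remapped.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(prefix):
        return None  # normalisation escaped the document root
    return candidate


def triage(docroot: str, request_paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Run the check over a batch of request paths (e.g. lifted from an access
    log) and report what each would resolve to, or None if refused."""
    return {p: resolve_request_path(docroot, p) for p in request_paths}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    samples = [
        "/index.html",
        "/docs/../index.html",                 # stays inside the root
        "/../../../etc/passwd",                # plain traversal
        "/%2e%2e/%2e%2e/etc/passwd",           # percent-encoded dots
        "/%c0%ae%c0%ae/etc/passwd",            # overlong UTF-8: strict decode fails
        "/static/caf%C3%A9.txt",               # well-formed non-ASCII name is fine
    ]
    for path, result in triage(DOCROOT, samples).items():
        print(f"{path!r:40} -> {'REFUSED' if result is None else result}")
```

The strict decode is the step most servers historically got wrong: a lenient decoder that accepts an overlong two-byte form of an ASCII character lets a path component slip past a check that ran before decoding. Decoding once, strictly, and only then normalising closes that ordering gap.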
--Opera Patches Seven Flaws in Browser
(August 20 & 21, 2008)
Opera has patched seven flaws in its Opera browser, but declined to
provide details about one of the flaws. When pressed on the issue, an
Opera spokesperson implied that other software may have the same
cross-site scripting vulnerability, and other vendors should be allowed
time to fix it before it becomes public knowledge. Opera 9.52 fixes
seven flaws in the Windows edition, five in the Mac edition and six in
the Linux edition. The unexplained cross-site scripting flaw is fixed
in all three versions.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113080&source=rss_topic17
http://www.securityfocus.com/brief/804
DATA THEFT AND LOSS
--Data Thieves Hit Galway Retailer
(August 21, 2008)
Gardai have discovered another data breach in Ireland affecting
thousands of customers of a large Galway retailer. This breach is more
serious than the one detected earlier this month because the data
thieves actually cloned cards from the stolen information and used them
to steal money from the customers' accounts. In the earlier case, the
thieves had posed as engineers from banks performing maintenance on card
payment terminals and instead tampered with those terminals. The
retailers realized something was wrong and quickly alerted Gardai; the
scheme was apparently detected before the criminals had a chance to
download the information and use it to commit fraud. In the more recent
case, Gardai believe the thieves used a different technique. Detectives
theorize that an insider may have helped with the data skimming attack.
Card number skimmers are now as small as cigarette lighters and can hold
thousands of card numbers.
http://www.irishtimes.com/newspaper/ireland/2008/0821/1219243766638.html
ATTACKS
--DNS Flaw Exploited at Chinese ISP
(August 21, 2008)
An Internet service provider (ISP) in China has been hit with a DNS
cache poisoning attack. Users who type in web addresses incorrectly are
taken to a page that contains malware that tries to exploit a number of
recently disclosed vulnerabilities in Adobe Flash Player, Microsoft
Snapshot Viewer and RealNetworks' RealPlayer. The attack on China
Netcom is particularly insidious because it does not reroute all
traffic, just mistyped URLs, and it exploits flaws for which patches
were only recently released, increasing the likelihood that they have
not yet been installed. Dan Kaminsky, who originally detected the
vulnerability and informed vendors months ago, says it is being actively
exploited.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210200076
http://blogs.zdnet.com/security/?p=1776
http://www.networkworld.com/news/2008/082108-china-netcom-falls-prey-to.html?hpg1=bn
http://news.cnet.com/8301-1009_3-10022303-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
MISCELLANEOUS
--IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode
(August 20 & 21, 2008)
Microsoft's Internet Explorer 8 (IE 8) browser, which is presently in
beta testing, will include a cross-site scripting filter to help protect
users from attacks. Firefox users can install the NoScript plugin, but
IE users have had no way to protect themselves from cross-site scripting
attacks. The new release of IE will also allow users to decide how much
information the browser keeps about their web surfing habits. Most
users can already do this manually each time they want to clear the
data, but IE 8 will have a privacy mode which will automatically clear
the data every time.
http://www.theregister.co.uk/2008/08/20/microsoft_xss_filter/print.html
http://news.bbc.co.uk/2/hi/technology/7574265.stm
http://www.download.com/8300-2007_4-12.html?keyword=%22IE+8%22
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkiu594ACgkQ+LUG5KFpTkYs1ACeOnCBwuqQZ3vL8RKS8KXlZE5R
vSwAnA1itJAgm+04BmnNcBLTkx5O58pw
=4tyj
-----END PGP SIGNATURE-----