From: The SANS Institute (NewsBites sans.org)
Date: Tue Oct 28 2008 - 15:27:53 CDT
Tomorrow is the deadline for early registration discounts on CDI2008,
SANS' largest Winter security training conference, in Washington, DC,
December 10-16. http://www.sans.org/cdi08
*************************************************************************
SANS NewsBites October 28, 2008 Vol. 10, Num. 85
*************************************************************************
TOP OF THE NEWS
NY HS Student Charged with Felonies After Notifying Principal of
Security Hole
Final Version of OMB Memo Rolls Back Federal CIOs' Clout
DHS to Take Over Airline Passenger Screening
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Convicted Bali Nightclub Bombers to be Executed
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Draft Army Intelligence Paper Voices Concern Over Twitter as
Potential Terrorist Tool
FBI: US Business and Government are Targets of Cyber Theft
EVOTING
eVoting Machine Study Finds Problems
VULNERABILITIES
Another Flaw in Opera Browser
UPDATES AND PATCHES
Yahoo! Fixes Cross-Site Scripting Flaw
Sun Releases Updates for Java System LDAP Java Development Kit and
JRE6
ATTACKS
Trojan Exploits Just-Patched Windows RPC Flaw
STATISTICS, STUDIES & SURVEYS
Survey Lists Coolest IT Security Jobs
MISCELLANEOUS
Price of Stolen Data Falling, But Cost to Victims is Still High
********************* Sponsored By Ounce Labs, Inc. *********************
Outsourcing is a proven strategy to reduce costs and increase value, but
careful planning is required to build stringent software security
requirements into contracts and to ensure that those requirements are met.
Download this report for detailed data on how experienced outsourcers
are putting in place effective processes to drive the risk out of
outsourcing.
http://www.sans.org/info/34619
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--NY HS Student Charged with Felonies After Notifying Principal of Security Hole
(October 24, 25 & 28, 2008)
A 15-year-old Shenendehowa Central School student has been arrested and
charged with computer trespass, unlawful possession of personal
identification information and identity theft, all of which are
felonies. The student allegedly gained access to a school system
database while in a computer class at the school. He then allegedly
emailed the principal, telling him what he had been able to do. The
file was accessible to anyone with a district password, students
included. The district superintendent said that while the file may have
been accessible, it required some know-how to find and access it. The
student has been suspended from school and will face the charges against
him in family court in Saratoga County, NY.
http://timesunion.com/AspStories/story.asp?storyID=732745
http://www.dailygazette.com/news/2008/oct/25/1025_shendata/
http://www.theregister.co.uk/2008/10/28/student_charged/
[Editor's Note (Ullrich): We have to find a better way to deal with
"responsible disclosure". First define what it is, and then how to
include it in our incident handling procedures.
(Liston): Based on a full reading of several articles written on this
matter, the student's motives appear to be somewhat questionable and
certainly more was done here than stumbling across a file and
immediately reporting it. Whether his actions rise to felony status is
for the courts to decide.
(Schultz): I wonder whether the computing system in question had a
warning banner that cautioned against unauthorized access. If it didn't,
it does not seem right to throw the book at a 15-year-old student who
used a password that was assigned to him for the access that he
obtained. Additionally, I am not impressed with the casualness of
district administrators toward their own responsibility (or lack
thereof) in securing personal data. One of the administrators shrugged
off the suggestion that the personal data that the student accessed were
not sufficiently protected by saying that the database in question was
only open for "a week or two."
(Northcutt): Tough story; it will take a court of law to sort this one
out, I guess, but the fact that he reported it to the principal and then
got arrested does not sit well with me. However, if he took a file, had
a file in his possession with people's identities, that doesn't sit well
either. I don't suppose arresting the person that designed the system
is in the cards?]
--Final Version of OMB Memo Rolls Back Federal CIOs' Clout
(October 24, 2008)
The final version of an Office of Management and Budget (OMB) memo
describing the responsibilities of federal chief information officers
(CIOs) no longer has a clause that stated that CIOs report to agency
heads and that "except where otherwise authorized by law, order, or
waiver from the director of OMB, no other individual in any
organizational component of the agency ... has authorities or
responsibilities that infringe upon those of the agency CIO." Other
changes from earlier drafts of the memo include removing language that
gave CIOs the authority to plan, manage and oversee agencies' IT
portfolios; instead, those responsibilities were given to agency heads.
Some have said that the final draft does not comply with the
Clinger-Cohen Act, which establishes the position of CIO at federal
agencies and requires that they report to agency heads. The changes
appear to be a move to keep power in the hands of political appointees
rather than career executives. (The story includes a link to a tool
that allows readers to compare the final version of the memo with the
most recent draft.)
http://www.nextgov.com/nextgov/ng_20081024_5887.php
--DHS to Take Over Airline Passenger Screening
(October 22 & 23, 2008)
Starting in January, the responsibility for checking airline travelers'
names against the passenger watch and no-fly lists will pass from the
airlines to the US Department of Homeland Security (DHS). Passengers
will be required to provide their full names, birthdates and genders to
board commercial aircraft. The additional required information is
intended to reduce significantly the number of false positives, or
people whose travel is "wrongly" delayed or prevented. The no-fly list
has fewer than 2,500 names on it; just 10 percent of those are US
citizens. The selectee list, which identifies people who are subject
to additional questioning, contains fewer than 16,000 names, and less
than half are US citizens. The shift comes with the release of the
Secure Flight Final Rule.
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/22/AR2008102202646_pf.html
http://www.tsa.gov/press/releases/2008/1022.shtm
************************* SPONSORED LINK ******************************
1) USB and Laptop Security: Webinar to help secure your mobile workers
and portable data
http://www.sans.org/info/34599
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Convicted Bali Nightclub Bombers to be Executed
(October 24, 2008) and
(December 14, 2004)
Three men convicted of nightclub bombings in Bali that killed more than
200 people in October, 2002 will be executed early next month. The three
were sentenced to death in 2003 by a Bali court. One of the men, Imam
Samudra, published an autobiography in 2004 while in prison. One
chapter in the book is titled "Hacking, Why Not?" in which he exhorts
Muslim extremists to attack US computer systems. The chapter includes
information to help potential attackers steal and use credit card
information.
http://news.yahoo.com/s/nm/20081024/wl_nm/us_indonesia_balibombers
http://www.nytimes.com/2008/10/25/world/asia/25briefs-3TOBEEXECUTE_BRF.html?ref=world
http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html
[Editor's Note (Skoudis): The Washington Post sent us a translated
copy of the chapter urging cyber attacks against the US and its
interests. Although not technically deep, it was chilling. The chapter
provided a roadmap for getting started in computer attacks (such as
tools to use, techniques to master, places to go to learn more, etc.),
as well as religious justifications for such attacks.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Draft Army Intelligence Paper Voices Concern Over Twitter as
Potential Terrorist Tool
(October 25 & 27, 2008)
According to a draft US Army intelligence paper, voice-altering
software, Global Positioning System (GPS) maps and the micro-blogging
service Twitter could be used to plan and carry out terrorist attacks.
The report notes that Twitter was used to spread news of a recent Los
Angeles (CA) earthquake more quickly than commercial news outlets and
that "Twitter is already used by some members [of social activism, human
rights and other groups] to post and/or support extremist ideologies and
perspectives."
http://news.cnet.com/8301-1009_3-10075487-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.informationweek.com/news/mobility/messaging/showArticle.jhtml?articleID=211600844
http://www.breitbart.com/article.php?id=081025182242.js2g2op8&show_article=1
http://www.fas.org/irp/eprint/mobile.pdf
[Editor's Note (Pescatore): By now we should know that every new
technology will be used by bad guys *and* good guys, just as souped-up
cars were used by moonshiners and police.
(Northcutt): This one is getting some play already. I read a 2009
Security Prediction today that said Google hacking was the hot new
threat. All social media is vulnerable to social engineering; all social
media gives out so much information that an OPSEC person will have a
cardiac arrest. So concerns about Twitter may be slightly overblown, but
I'm glad to see they are looking into this and bringing it to each
other's attention. I read a story today about a robber who posted a job
ad, told all the people what to wear, and used them as decoys (he was
dressed like they were):
http://www.heraldnet.com/article/20081023/OPINION01/710239956]
--FBI: US Business and Government are Targets of Cyber Theft
(October 22, 2008)
Assistant Director in charge of the US FBI's Cyber Division Shawn Henry
said that US government and businesses face a "significant threat" of
cyber attacks from a number of countries around the world. Henry did not
name the countries, but suggested that there are about two dozen that
have developed cyber attack capabilities with the intent of using those
capabilities against the US. The countries are reportedly interested
in stealing data from targets in the US. Henry said businesses and
government agencies should focus on shoring up their systems' security
instead of on the origins of the attacks.
http://www.intergovworld.com/article/24e239a7c0a8000600c26acd165c8672/pg0.htm
[Editor's Note (Pescatore): It really doesn't matter where the attacks
come from, businesses have been getting hit by sophisticated,
financially motivated, targeted attacks for several years now.
(Ullrich): A very wise remark. It doesn't matter who attacks you. The
methods used to attack you and the methods used to defend yourself are
the same. We spend too much time worrying about geographic origins. In
cyberspace, nation states are a legacy concept.]
EVOTING
--eVoting Machine Study Finds Problems
(October 27, 2008)
A newly released report says that the electronic voting machines used
in New Jersey and other US states are unreliable and potentially
vulnerable to hacking. A New Jersey judge ordered the report as part
of a lengthy legal battle over the use of the devices, which are Sequoia
AVC Advantage 9.00H direct recording electronic (DRE) touch-screen
voting machines. The report says that the machines can be manipulated
by installing a replacement chip containing malicious software on the
main circuit board.
http://wvgazette.com/News/200810180251?page=1&build=cache
[Editor's Note (Northcutt): And Wired just ran a blog about Betty
Ireland, Secretary of State of West Virginia, giving a voting machine
exec an award the day after she did a press release about how they were
going to address "vote switching problems":
http://blog.wired.com/27bstroke6/2008/10/w-virginia-give.html
And a site that collects problems with voting machines:
http://blackboxvoting.com/s9/]
VULNERABILITIES
--Another Flaw in Opera Browser
(October 27, 2008)
Just days after Opera Software released Opera 9.61 to address a handful
of vulnerabilities in the browser, another serious flaw has been
detected. The vulnerability is similar to the cross-site scripting flaw
patched in the recent update; it can be exploited by manipulating users
into viewing a booby-trapped page with the Opera browser. Opera is
testing a new update for the browser that will address this new flaw.
http://www.theregister.co.uk/2008/10/27/zero_day_opera_bug/
UPDATES AND PATCHES
--Yahoo! Fixes Cross-Site Scripting Flaw
(October 27, 2008)
Yahoo! has repaired a cross-site scripting flaw in the hotjobs.yahoo.com
domain that was being exploited to access people's Yahoo! Mail accounts
and restricted areas of the website. Attackers hid JavaScript in
certain pages to steal users' authentication cookies, which then allowed
them to gain control of the users' Yahoo! accounts. Yahoo! fixed the
flaw within hours of learning of it.
http://www.theregister.co.uk/2008/10/27/yahoo_xss_vuln/
[Editor's Note (Skoudis): An XSS flaw in one of the big, popular,
script-laden websites such as web-based e-mail, search engines, auction
sites, social networking, and photo sharing, could cause some immense
damage, beyond the mere information disclosure, e-mail account
hijacking, and rudimentary worms we've seen so far. By hooking browsers
inside of enterprises that view the attacker's content, a bad guy could
wield significant control from those machines, inside the corporate
firewalls that are supposed to protect them. Watch out for this kind
of attack in the near future.]
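The mechanism in this item (JavaScript injected into a page reads the site's authentication cookie) and the two layers that blunt it, as an added example that is not part of the original newsletter or Yahoo!'s code. The search page, the `session` cookie name and the harmless marker payload are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed stand-in for injected JavaScript: a harmless marker, not a
# working payload. Everything here is an added example; the page layout
# and cookie name are assumptions, not Yahoo!'s implementation.
INJECTED = '<script>probe()</script>'
SESSION_COOKIE = "session"


def render_results_vulnerable(query: str) -> str:
    """Reflect the search term into the page exactly as received.

    This is the pattern behind a reflected XSS: text from the link's query
    string becomes part of the HTML, so a <script> tag in it executes in
    the victim's browser with the site's cookies in scope.
    """
    return f"<h1>Results for {query}</h1>"


def render_results_fixed(query: str) -> str:
    """Same page, but the term is HTML-escaped before it reaches the body.

    html.escape turns < > & " ' into entities, so the browser parses the
    injected tag as literal text rather than as markup to execute.
    """
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def session_set_cookie_header(value: str, secure: bool = True) -> str:
    """Build the Set-Cookie header for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so a script that
    does run cannot read it; Secure keeps it off plain HTTP. Both are
    defence in depth: they limit the damage but do not fix the XSS.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = value
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["path"] = "/"
    if secure:
        cookie[SESSION_COOKIE]["secure"] = True
    return cookie.output(header="Set-Cookie:")


def contains_live_script(page: str) -> bool:
    """Crude check: does the rendered HTML still carry a raw <script> tag?

    Enough to show the difference between the two renderers; it is not a
    general XSS detector.
    """
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(INJECTED))   # tag survives, would run
    print(render_results_fixed(INJECTED))        # rendered as inert text
    print(session_set_cookie_header("c0nstructed-token"))
```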
--Sun Releases Updates for Java System LDAP Java Development Kit and JRE6
(October 27, 2008)
Sun Microsystems has released a security update to patch a vulnerability
in the search feature of its Java System LDAP Java Development Kit
(JDK). The flaw could potentially be exploited to access unauthorized
information while using applications that use the LDAP JDK library. In
addition to the JDK, the flaw affects Sun Java System Access Manager 7
2005Q4, Access Manager 7.1 and Access Manager 6 2005Q1. Sun has also
released an updated version of Java, JRE6 Update 10, which claims to
"patch in place," meaning that from this point forward, outdated and
insecure versions will no longer stick around on users' machines.
http://www.heise-online.co.uk/security/Sun-patches-Java-System-LDAP-JDK--/news/111794
http://voices.washingtonpost.com/securityfix/2008/10/java_update_promises_to_remove.html?nav=rss_blog
http://sunsolve.sun.com/search/document.do?assetkey=1-66-242246-1
ATTACKS
--Trojan Exploits Just-Patched Windows RPC Flaw
(October 24 & 27, 2008)
Just one day after Microsoft released an out-of-cycle patch to fix a
critical remote procedure call (RPC) flaw in the Server service, a
Trojan horse program that exploits the vulnerability has been detected.
The malware could potentially be used to allow infected machines to
infect other unpatched computers on their network with no user
interaction.
http://www.theregister.co.uk/2008/10/24/trojan_exploits_wormable_microsoft_flaw/
http://voices.washingtonpost.com/securityfix/2008/10/data-stealing_trojan_exploitin.html?nav=rss_blog
http://blogs.securiteam.com/index.php/archives/1150
http://www.heise-online.co.uk/security/Windows-RPC-hole-being-exploited-already--/news/111795
[Editor's Note (Ullrich): As of today, we at Internet Storm Center have
learned of versions of the exploit for popular exploit tool kits. The
attacks are beginning.]
STATISTICS, STUDIES & SURVEYS
--Survey Lists Coolest IT Security Jobs
(October 24, 2008)
A SANS Institute survey of government and non-government security
employees asked respondents to rank the coolest IT security jobs. The
top three coolest jobs according to government IT workers are
information security crime investigator/forensics expert, system,
network and/or penetration tester and forensics analyst. IT security
specialists outside government placed the same three jobs in the top
three rankings in a slightly different order.
http://www.gcn.com/online/vol1_no1/47421-1.html?page=2
MISCELLANEOUS
--Price of Stolen Data Falling, But Cost to Victims is Still High
(October 27, 2008)
The value of stolen payment card information is estimated to be
one-tenth what it was a decade ago. Part of the reason may be the large
scale of data security breaches that have flooded the black market with
stolen personal financial information. Some data thieves age their
quarry, waiting months to sell it so that the specter of fraud may have
eased for the victims.
http://www.forbes.com/2008/10/25/credit-card-theft-tech-security-cz_tb1024theft_print.html
[Editor's Note (Northcutt): I love the concept: "we sell no identity
before its time." I did some research a couple months ago, and most
people said that value is still $10.00 for a high-quality identity, but
some folks are telling me it is closer to $2.50. One thing is certain;
it is worth a *lot* more to the victim.
(Skoudis): The old law of supply and demand is in play here. The supply
of stolen credit cards is way up, the demand is constant or only
slightly increasing, so the price goes down.]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post-graduate-level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board. Will
Pelgrin is Chief Information Security Officer of New York State, chair
of the Multi-State Information Sharing and Analysis Center and co-chair
of the National ISAC Council.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/