From: The SANS Institute (NewsBites sans.org)
Date: Tue Nov 11 2008 - 12:47:34 CST
*************************************************************************
SANS NewsBites November 11, 2008 Vol. 10, Num. 89
*************************************************************************
TOP OF THE NEWS
Study Finds Some DNS Servers Still Not Patched Against Cache Poisoning Flaw
Researchers Publish Paper on Breaking WPA TKIP
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
New Apple Exec Ordered to Stop Work for Possible Non-Compete Violation
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Sysadmin Arrested for Alleged Extortion
Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud
Former Inmate Arrested for Accessing Prison Network
VULNERABILITIES
Google Fixes Android Flaw
DATA LOSS & EXPOSURE
Australian Federal Police Files Left on Hotel Computer in Nepal
ATTACKS
Critical Adobe Flaw is Being Actively Exploited
MISCELLANEOUS
Ireland Gets First Computer Emergency Response Team
Computer Misuse Arrests Doubled In Japan During 2007
AT&T Experiments with Downloading Limits for Broadband Customers
********************** Sponsored By Ounce Labs, Inc. ********************
Outsourcing is a proven strategy to reduce costs and increase value, but
careful planning is required to build stringent software security
requirements into contracts and ensure that those requirements are met.
Download this report for detailed data on how experienced outsourcers
are putting in place effective processes to drive the risk out of
outsourcing.
http://www.sans.org/info/35229
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Study Finds Some DNS Servers Still Not Patched Against Cache Poisoning Flaw
(November 10, 2008)
A recent survey of Domain Name System (DNS) servers found that despite
widespread press coverage given to a critical DNS vulnerability earlier
this year, 25 percent of servers that allow open recursion have not yet
been patched. According to the study, 45 percent of administrators
responding to the survey said they lack the necessary resources to
address the DNS vulnerability, and 30 percent said they do not know
enough about DNS to do so. The survey also shows that 90 percent of DNS
servers are running recent versions of the Berkeley Internet Name
Domain, or BIND 9; there has also been a significant decrease in the use
of Microsoft DNS Server, which is not highly secure. One disappointment
is the low rate of adoption of DNSSec, "a security protocol that allows
DNS queries and answers to be digitally signed and authenticated;"
those statistics could change as .gov domains in the US are required to
implement DNSSec by the end of 2009.
http://www.gcn.com/online/vol1_no1/47524-1.html?topic=security
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119724&source=rss_topic17
http://dns.measurement-factory.com/surveys/200810.html
[Editors Note (Northcutt): They can be as disappointed as they want to
about the rate of DNSSEC adoption, but it is hard to do. Success in
security depends on either automating the fix or making it really easy
for the user.]
--Researchers Publish Paper on Breaking WPA TKIP
(November 6 & 10, 2008)
Two German university researchers have discovered a combination of
techniques that could allow an attacker to compromise Wi-Fi Protected
Access (WPA) encryption in less than 15 minutes. The attack does not
result in the encryption key being discovered. Rather, the technique
allows attackers "to decrypt packets and inject packets with custom
content." Martin Beck and Eric Tews present their findings at the
PacSec 2008 conference in Tokyo this week. The attack targets WPA's
Temporal Key Integrity Protocol (TKIP).
http://www.securityfocus.com/news/11537
http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
[Editor's Note (Ullrich): Although the attack is rather limited, it
highlights the fact that WPA and TKIP were meant to serve as a
transitional fix for older hardware. WPA2 is the "real fix".
And from Raul Siles at Internet Storm Center: This new research opens
the door to new WPA/TKIP attacks and future attack enhancements, so it
is time to start applying and planning the appropriate security
countermeasures to remove or mitigate this and similar future threats:
Update to WPA2/AES as soon as you can! Because the vulnerability is in
TKIP, both WPA and WPA2 can be affected. The attack affects WPA2 if
configured with TKIP because WPA2 allows both AES and TKIP (while WPA
only allows TKIP).
http://isc.sans.org/diary.html?storyid=5315]
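The point in the note above is that "WPA2" alone does not rule out TKIP: what matters is the pairwise cipher the access point is configured to offer. The following added example (not from the newsletter, the Storm Center, or the hostapd project) parses constructed hostapd-style configurations and flags every place TKIP is still permitted, so an administrator can audit an AP before and after switching to CCMP (AES). It assumes hostapd's key names (wpa, wpa_pairwise, rsn_pairwise) and its fallback of rsn_pairwise to wpa_pairwise when the former is unset.

```python
from typing import Dict, List

# Constructed sample configs (not taken from any real deployment).
# WEAK_CONF is a "WPA2" AP that still offers TKIP; FIXED_CONF is CCMP-only.
WEAK_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

FIXED_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def tkip_findings(conf: Dict[str, str]) -> List[str]:
    """Return one finding per place TKIP is still offered.

    wpa=1 enables WPA (TKIP), wpa=2 enables WPA2/RSN, wpa=3 enables both.
    wpa_pairwise is the WPA cipher list; rsn_pairwise is the WPA2 list and,
    when unset, hostapd falls back to wpa_pairwise (assumption stated above).
    """
    findings: List[str] = []
    mode = int(conf.get("wpa", "0"))
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP CCMP").split()
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    if mode & 1:
        findings.append("wpa=%d keeps WPA (TKIP) enabled alongside WPA2" % mode)
    if mode & 2 and "TKIP" in rsn_pairwise:
        findings.append("rsn_pairwise offers TKIP under WPA2: %s"
                        % " ".join(rsn_pairwise))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, tkip_findings(parse_hostapd(text)) or ["no TKIP offered"])
```

An empty result means the AP negotiates only CCMP; clients that still require TKIP will fail to associate, which is the intended outcome of the upgrade the note recommends.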
************************* SPONSORED LINK ******************************
1) "USB Security Software -> Download Now -> Award-Winning USB Auditing,
Encryption, and Control"
http://www.sans.org/info/35234
2) IDC Webcast: The Attacker Within: How Hackers are Targeting
Enterprises from the Inside-Out
http://www.sans.org/info/35239
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--New Apple Exec Ordered to Stop Work for Possible Non-Compete Violation
(November 8 & 10, 2008)
A judge in New York has issued a preliminary injunction ordering Apple's
new executive in charge of the iPhone and the iPod to "immediately cease
his employment with Apple Inc. until further order" because of a
potential violation of an agreement with his former employer, IBM. Mark
Papermaster left IBM for Apple in October; the lawsuit alleges his move
violates a non-compete clause in his contract that stipulates that he
would not work for a competitor within a year of leaving his position
at IBM. The crux of the issue is whether Apple and IBM are business
competitors.
http://www.latimes.com/business/la-fi-briefs8-2008nov08,0,6090160.story
http://www.crn.com/hardware/212001584
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Former Sysadmin Arrested for Alleged Extortion
(November 10, 2008)
A systems administrator who had recently been laid off from Third Avenue
Management, a New York-based mutual fund company, has been arrested for
allegedly threatening to damage his former employer's servers if they
did not meet his demands. Viktor Savtyrev was one of 10 employees who
lost their jobs on November 5. All were given a severance package, but
several days later, Savtyrev allegedly sent email messages to several
people still with the company, including the company's general counsel,
saying he was "not satisfied with the terms" of his severance package
and threatening to damage the computer systems unless they gave him more
money and provided him with extended medical coverage and "excellent"
job references. In subsequent communications, Savtyrev allegedly said
he would get help attacking the servers from friends in Belarus and that
he had already placed several back doors on the company's computer
systems. Savtyrev was arrested at his home in Old Bridge, NJ.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119792&source=rss_topic17
http://www.nj.com/news/index.ssf/2008/11/old_bridge_computer_tech_charg.html
[Editor's Note (Skoudis): This case is a great illustration for
management about the importance of thorough processes for removing
employees' access from computer systems after job termination. Further,
for recently dismissed sysadmin employees, enterprises should conduct
some check of the systems they operated to make sure they left behind
nothing nefarious.
(Ullrich): I guess his request for excellent job references will no
longer be good for much.]
--Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud
(November 7, 2008)
Kimberly Ann Mavis was sentenced to four years in federal prison without
the possibility of parole for her role in an identity fraud scheme.
Mavis and a co-conspirator, Jerry Bagby, gained unauthorized access to
the customer database of Premier Bank in Overland Park, Kansas and used
the purloined information to open credit card accounts in other people's
names. Mavis and Bagby used those cards to purchase expensive items,
which they later resold for cash. In August, Mavis pleaded guilty to
computer fraud, conspiracy, aggravated identity theft and credit card
fraud. Bagby pleaded guilty to aggravated identity theft and credit
card fraud; he is awaiting sentencing.
http://www.infozine.com/news/stories/op/storiesView/sid/31730/
--Former Inmate Arrested for Accessing Prison Network
(November 6, 7 & 8, 2008)
Former Plymouth (Massachusetts) County Correctional Facility inmate
Francis G. Janosko has been arrested and charged with damage to a
prison's computer network and identity theft. While incarcerated at the
facility, Janosko allegedly discovered a way to exploit vulnerabilities
in a computer system configured for inmates to conduct legal research
so that he could access information about prison employees and make that
information available to other inmates. The exposed data include names,
home addresses and Social Security numbers (SSNs). If he is convicted,
Janosko could face up to 10 years in prison, three years of supervised
release and a US $250,000 fine.
http://boston.fbi.gov/dojpressrel/pressrel08/computerhacking110608.htm
http://www.theregister.co.uk/2008/11/08/prison_network_hacked/
http://www.boston.com/news/local/articles/2008/11/07/ex_mass_inmate_charged_in_prison_computer_hacking/
VULNERABILITIES
--Google Fixes Android Flaw
(November 7 & 10, 2008)
Google has fixed a critical vulnerability in its Android operating
system. The flaw can cause keystrokes to pass directly to the root
shell and be executed with root user privileges. For instance, texting
the word "reboot" would actually cause the device to reboot. The flaw
affects G1 handset users running Android firmware updates RC 29 and
earlier. Google is rolling out the fix to all G1 devices.
http://blogs.zdnet.com/Burnette/?p=680
http://blog.wired.com/gadgets/2008/11/google-fixes-an.html
http://www.theregister.co.uk/2008/11/10/android_bug/
http://www.heise-online.co.uk/security/Root-rights-on-Google-s-Android--/news/111901
[Editor's Note (Skoudis): Wow! What an embarrassing flaw. Just last
week, someone asked me whether command-injection flaws were realistic
in today's software, or whether they were a thing of the past. This
Android vulnerability is a great example indicating that this type of
flaw will persist for quite some time.
(Pescatore): Google doesn't make it very easy to figure out how to
report security flaws. The standard security real estate most
enterprise-oriented software companies use (www.company.com/security)
gets you error 404 at Google, as does code.google.com/security. But if
you dig around enough, you can find
http://code.google.com/android/kb/security.html that gives the email
address security google.com to report bugs.]
DATA LOSS & EXPOSURE
--Australian Federal Police Files Left on Hotel Computer in Nepal
(November 7 & 9, 2008)
An Australian Federal Police (AFP) officer based in south Asia has been
ordered to return to Australia following the revelation that documents
and images from an AFP USB data storage device were left on a hotel
computer in Kathmandu, Nepal. Other guests at the hotel were reportedly
able to view the files, which include a document containing priorities
and strategies for the AFP's Bangladesh office and graphic pictures of
a plane crash. The officer involved in the incident will assist in the
investigation.
http://www.theage.com.au/news/security/officer-recalled-over-security-lapse/2008/11/08/1226165363264.html
http://www.boston.com/news/world/asia/articles/2008/11/08/australia_investigates_nepal_security_breach/
[Editor's Note (Ullrich): Some people are less careful with public hotel
computers than public bathrooms. The opposite should be true.]
ATTACKS
--Critical Adobe Flaw is Being Actively Exploited
(November 7, 2008)
Just days after Adobe released a critical security update for Reader and
Acrobat, cyber attackers have begun exploiting the flaw to execute
malicious code on vulnerable computers. The maliciously crafted PDF
files are being spread through drive-by advertisements on suspicious
sites. The malware downloads a Trojan horse program from another
website. The vulnerability affects versions 8.1.2 and earlier of Adobe
Reader; the newly released version 9 is unaffected by the flaw. Users
who have not installed the update are urged to do so as soon as
possible.
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=5312
http://isc.sans.org/diary.html?storyid=5321
http://www.theregister.co.uk/2008/11/07/adobe_reader_exploit/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119538&source=rss_topic17
MISCELLANEOUS
--Ireland Gets First Computer Emergency Response Team
(November 10, 2008)
Ireland's first national Computer Security Incident Response Team was
launched on Monday, November 10. The Irish Reporting and Information
Security Service, known as IRISS, is a not-for-profit company that aims
to assist businesses, organisations and individuals to better protect
their computer and network systems from threats posed by Internet
attacks, hackers and computer viruses. Founded by SANS NewsBites
editor, Brian Honan, the Irish Reporting & Information Security Service
(IRISS) will provide a range of free services to Irish businesses and
consumers in relation to information security issues to help counter the
security threats posed to Irish businesses and the Irish Internet space.
IRISS's services are built on the WARP (Warning Advice & Reporting Point
http://www.warp.gov.uk) model and are provided by a dedicated core of
volunteers drawn from Ireland's top Internet security experts with
funding for the project coming from private industry, including the SANS
Institute.
http://www.businessworld.ie/cgi-bin/printer_friendly?a=2345192
http://www.iriss.ie
http://www.businessworld.ie/livenews.htm?a=2345192;s=rollingnews.htm
http://iriss.ie/iriss/
[Editor's Note (Schultz): Starting an incident response team is one of
the most challenging tasks an information security professional can
undertake. I wish Brian all the success in the world.]
--Computer Misuse Arrests Doubled In Japan During 2007
(November 10, 2008)
Police in Japan reported making more than 1,400 arrests for hacking
during 2007, up from 704 in 2006. The figure is 10 times the number in
2003. A large fraction of the arrests were related to obscene
literature, child pornography and child prostitution.
http://www.pcworld.com/businesscenter/article/153568/hacking_arrests_doubled_in_japan_in_2007.html
--AT&T Experiments with Downloading Limits for Broadband Customers
(November 6, 2008)
AT&T has started a test program in Reno, Nevada that places a limit on
the amount of downloading and uploading its broadband users are
permitted each month. The amount allowed varies depending upon the type
of account users have. Users who exceed their allotted limits will
receive warning letters for the first two months of overages; after
that, they will be charged US $1 per extra gigabyte. AT&T says the
pilot program is an attempt to come up with a solution to the problem
of a very small percentage of users who consume an inordinate portion
of bandwidth.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/11/06/BU7G13UV7I.DTL&tsp=1
[Editor's Note (Pescatore): Hmmm, if my math is right, if I pay for 6
Mbps connectivity, if I used it 24 hours per day for a month, I could
download almost 2,000 GB. The ATT plan would give me the first 80 GB
free and then I would pay $1,920/month for the rest? If I only get 80
GB in a month, then I think I'm only getting 240 Kbs connectivity or so.
This type of logic is like offering cellphone service pricing where you
get unlimited minutes of connectivity but only 5,000 words per month. ]
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Will Pelgrin is Chief Information Security Officer of New York State,
chair of the Multi-State Information Sharing and Analysis Center and
co-chair of the National ISAC Council.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/